Results 1 - 10 of 54
Arguing Safety -- A Systematic Approach to Managing Safety Cases
1998
Cited by 64 (12 self)
A safety case should present a clear, comprehensive and defensible argument that a system is acceptably safe to operate within a particular context. However, many existing safety cases, in their attempt to manage potentially complex arguments, are poorly structured, presented and understood. This creates problems in developing and maintaining safety cases, and in capturing successful safety arguments for use on future projects. This thesis defines and demonstrates a coherent approach to the development, presentation, maintenance and reuse of the safety arguments within a safety case. This approach is based upon a graphical technique -- the Goal Structuring Notation (GSN) -- and has three strands. Firstly, a method for the use of GSN is defined together with an approach to supporting incremental safety case development. Secondly, the thesis presents a systematic process for the maintenance of a GSN-structured safety argument. Thirdly, the concept of `Safety Case Patterns' is defined as a means of supporting and promoting the reuse of successful safety arguments between safety cases. Examples of the approach are provided throughout. Evaluation of the approach is described through tool implementation, case studies, pilot projects and industrial project applications. Through these activities the approach has been shown to be both a valid and capable tool for safety case management.
Software assurance by bounded exhaustive testing
In Proc. ISSTA, ACM, 2004
Cited by 30 (13 self)
Bounded exhaustive testing (BET) is a verification technique in which software is automatically tested for all valid inputs up to specified size bounds. A particularly interesting case of BET arises in the context of systems that take structurally complex inputs. Early research suggests that the BET approach can reveal faults in small systems with inputs of low structural complexity, but its potential utility for larger systems with more complex input structures remains unclear. We set out to test its utility on one such system. We used Alloy and TestEra to generate inputs to test the Galileo dynamic fault tree analysis tool, for which we already had both a formal specification of the input space and a test oracle. An initial attempt to generate inputs using a straightforward translation of our specification to Alloy did not work well. The generator failed to generate inputs to meaningful bounds. We developed an approach in which we factored the specification, used TestEra to generate abstract inputs based on one factor, and passed the results through a postprocessor that reincorporated information from the second factor. Using this technique, we were able to generate test inputs to meaningful bounds, and the inputs revealed nontrivial faults in the Galileo implementation, our specification, and our oracle. Our results suggest that BET, combined with specification abstraction and factoring techniques, could become a valuable addition to our verification toolkit and that further investigation is warranted. Index Terms: formal methods, program verification, testing and debugging.
Formal Fault Tree Semantics
2002
Cited by 19 (12 self)
In train control systems, more and more (electro-)mechanical devices are substituted by software-based devices. To sustain the high level safety standards for these embedded systems, we propose the integration of fault tree analysis and formal methods. This combines two important safety analysis methods from the involved domains of engineering and software development. Our approach proposes to build a formal model of the system together with fault trees, which investigate the safety critical aspects by breaking them down to software and hardware requirements. The events of fault trees are formalized with respect to the model. Formal completeness and correctness conditions are given, using Interval Temporal Logic with continuous semantics. They define a formal semantics of fault trees, which allows cause-consequence relations between events in addition to boolean decomposition. The semantics is therefore suitable for dynamic systems. We will prove that the conditions guarantee that the fault tree is a correct and complete analysis of the causes of the considered fault.
Improving system reliability via model checking: The FSAP/NuSMV-SA safety analysis platform
2003
Cited by 18 (1 self)
Safety critical systems are becoming more complex, both in the type of functionality they provide and in the way they are demanded to interact with their environment. Such growing complexity requires an adequate increase in the capability of safety engineers to assess system safety, including analyzing the behaviour of a system in degraded situations. Formal verification
Validating safety models with fault trees
SafeComp'93: 12th International Conference on Computer Safety, Reliability, and Security, pages 21-30, 1993
Cited by 17 (1 self)
In verifying a safety-critical system, one usually begins by building a model of the basic system and of its safety mechanisms. If the basic system model does not reflect reality, the verification results are misleading. We show how a model of a system can be compared with the system's fault trees to help validate the failure behaviour of the model. To do this, the meaning of fault trees is formalised in temporal logic and a consistency relation between models and fault trees is defined. An important practical feature of the technique is that it allows models and fault trees to be compared even if some events in the fault tree are not found in the system model.
Improving safety assessment of complex systems: An industrial case study
Proceedings of Formal Methods 2003 (LNCS 2805), 2003
Cited by 16 (4 self)
The complexity of embedded controllers is steadily increasing. This trend, stimulated by the continuous improvement of the computational power of hardware, demands a corresponding increase in the capability of design and safety engineers to maintain adequate safety levels. The use of formal methods during system design has proved to be effective in several practical applications. However, the development of certain classes of applications, like, for instance, avionics systems, also requires the behaviour of a system to be analysed under certain degraded situations (e.g., when some components are not working as expected). The integration of system design activities with safety assessment and the use of formal methods, although not new, are still at an early stage. These goals are addressed by the ESACS project, a European-Union-sponsored project grouping several industrial companies from the aeronautic field. The ESACS project is developing a methodology and a platform, the ESACS platform, that helps safety engineers automate certain phases of their work. This paper reports on the application of the ESACS methodology and on the use of the ESACS platform to a case study, namely, the Secondary Power System of the Eurofighter Typhoon aircraft.
Decision Theoretic Troubleshooting of Coherent Systems
Reliability Engineering and System Safety, 2003
Cited by 13 (4 self)
We present an approach to efficiently generating an inspection strategy for fault diagnosis. We extend the traditional troubleshooting framework to model nonperfect repair actions, and we include questions. Questions are troubleshooting steps that do not aim at repairing the device, but merely are performed to capture information about the failed equipment, and thereby ease the identification and repair of the fault. We show how Vesely and Fussell's measure of component importance extends to this situation, and focus on its applicability to compare troubleshooting steps. We give an approximate algorithm for generating a "good" troubleshooting strategy in cases where the assumptions underlying Vesely and Fussell's component importance are violated, and discuss how to incorporate questions into this troubleshooting strategy. Finally, we utilize certain properties of the domain to propose a fast calculation scheme.
Formal Semantics of Models for Computational Engineering: A Case Study on Dynamic Fault Trees
2000
Cited by 12 (4 self)
Computational modeling tools are critical to engineering. In the absence of a sufficiently complete, mathematically precise, abstract specification of the semantics of the modeling framework supported by such a tool, rigorous validation of the framework and of models built using it is impossible; there is no sound basis for program implementation, verification or documentation; the scientific foundation of the framework remains weak; and significant conceptual errors in framework definition and implementation are likely. Yet such specifications are rarely defined. We present an approach based on the use of formal specification and denotational semantics techniques from software engineering and programming language design. To illustrate the approach, we present elements of a formal semantics for a dynamic fault tree framework that promises to aid reliability analysis. No such specification of the meaning of dynamic fault trees has been defined previously. The approach revealed important...
Improving Software Robustness with Dependability Cases
28th International Symposium on Fault Tolerant Computing, 1998
Cited by 12 (0 self)
Programs fail mainly for two reasons: logic errors in the code, and exception failures. Exception failures can account for up to 2/3 of system crashes [6], hence are worthy of serious attention. Traditional approaches to reducing exception failures, such as code reviews, walkthroughs and formal testing, while very useful, are limited in their ability to address a core problem: the programmer's inadequate coverage of exceptional conditions. The problem of coverage might be rooted in cognitive factors that impede the mental generation (or recollection) of exception cases that would pertain in a particular situation, resulting in insufficient software robustness. This paper describes a study to test the hypothesis that robustness for exception failures can be improved through the use of dependability cases. Dependability cases, derived from safety cases, comprise a methodology based on structured taxonomies and memory aids for helping software designers think about and improve exception-h...
Engineering Modeling and Analysis: Sound Methods and Effective Tools
2003
Cited by 11 (2 self)
Developing high quality software tools for specialized domains is difficult. One problem is the cost of developing feature-rich and usable tool interfaces. Another problem is the task of providing a sound basis for trustworthiness of the tool and the overall method which it supports. In this dissertation we present and evaluate an approach which addresses these key difficulties. The approach is based on two concepts: using specialized and tightly integrated mass-market applications to provide the bulk of the tool's functionality, and the use of formal methods for the precise specification of the tool's domain-dependent modeling language. We have evaluated our component-based work in part by developing a tool using the technique, deploying it to NASA, and having engineers from across the organization use and evaluate it. In the area of formal methods, we have developed and validated, both informally and formally, a mathematically precise specification of the language employed by an innovative modeling and analysis method for the reliability of fault tolerant systems. We have also developed a prototype tool that shows in concrete terms that our combined approach can work. The chief contribution of this work is a new approach to developing software tools having formal foundations for trustworthiness and sophisticated user interfaces. Constituent contributions