Dependability and Security Specification

Question 1

Name the three key types of requirements in relation to Dependability?

Answer 1

Functional Requirements
- define error checking and recovery facilities and protection against system failures and external attacks.

Non-Functional Requirements
- defining the required reliability and availability of the system.

Excluding Requirements
- defining states and conditions that must not arise.

Question 2

What is meant by Risk-Driven Specification

Answer 2

A process that involves understanding the risks (safety, security, etc) faced by the system and to define requirements that reduce these risks.

Critical systems’ specifications should be risk-driven as risks pose a threat to the system.

Note: This approach has been widely used in safety and security-critical systems

Question 3

Name three different types of (phased) risk analysis

Answer 3

Preliminary Risk Analysis
- Risks from the systems environment. Aim is to develop an initial set of system security and dependability requirements.

Life Cycle Risk Analysis
- Risks that emerge during design and development and are associated with the technologies used for system construction. Requirements are extended to protect against these risks.

Operational Risk Analysis
- Risks associated with the system user interface and operator errors. Further protection requirements may be added to cope with these.

Question 4

Name each part of a risk-driven specification

Answer 4

Risk Identification
- Identify potential risks that may arise.

Risk Analysis
- Assess the seriousness of each risk.

Risk Decomposition
- Decompose risks to discover their potential root causes.

Risk Reduction
- Define how each risk can be eliminated or reduced in design.

Question 5

What is meant by Safety Specification?

Answer 5

Meaning: Identify protection requirements that ensure that system failures do not cause injury or death or environmental damage.

• Risk identification = Hazard identification
• Risk analysis = Hazard assessment
• Risk decomposition = Hazard analysis
• Risk reduction = Safety requirement specification

Question 6

What is Hazard Identification?

Answer 6

Meaning: Identify the hazards that may threaten the system.

• Hazard identification may be based on different types of hazard:
• Physical hazards
• Electrical hazards
• Biological hazards
• Service failure hazards, etc.

Question 7

What is Hazard Assessment?

Answer 7

Meaning: Assessing the likelihood that a risk will arise and what are the potential
consequences if an accident should occur?

• Risks are categorised as (Risk Triangle):
  
  • Intolerable - Must never arise or
    result in an accident
  • As low as reasonably practical
    (ALARP) - Must minimise the
    possibility of
    risk given cost and schedule
    constraints
  • Acceptable - The consequences of
    the risk are acceptable and no extra
    costs should be incurred to reduce
    hazard probability

Question 8

Describe the Risk Triangle

Answer 8

Three Regions:
- Unacceptable region (Risk cannot be tolerated)
- Risk tolerated only if risk reduction is impractical or excessively expensive
- Acceptable region
- Negligible Risk (Minimal Damage)

Question 9

What is the general ‘social acceptance’ of safety-related risks?

Answer 9

• In most societies, the boundaries between the regions are pushed upwards with time i.e. society is less willing to accept risk.
• For example, the costs of cleaning up pollution may be less than the costs of preventing it but this may not be socially acceptable.
• Risk assessment is subjective
• Risks are identified as probable, unlikely, etc. This depends on who is making the assessment.

Question 10

What is meant by Hazard Assessment?

(alternative defintion)

Answer 10

Meaning: Estimating the hazard probability and the hazard severity.

• It is not normally possible to do this precisely so relative values are used
  (probable, unlikely, low, medium, high, rare)
• The aim is to make sure that the system can handle hazards that are likely to arise or that have high severity.

Question 11

What is meant by Hazard Analysis?

Answer 11

Meaning: Concerned with discovering the root causes of risks in a particular system.

• Techniques have been mostly derived from safety-critical systems and can be:
  
  • Inductive, bottom-up techniques.
    Start with a proposed system
    failure and assess the hazards that
    could arise from that failure;
  • Deductive, top-down techniques.
    Start with a hazard and deduce
    what the causes of this could be.

Question 12

How does Fault-Tree Analysis Work?

Answer 12

1. Put the risk or hazard at the root of the tree and identify the system states that could lead to that hazard.
2. Identify first-level, second-level, n-level contributors to the top-level event.
3. Where appropriate, link these with ‘and’ or ‘or’ conditions.
4. The key goal should be to minimise the number of single causes of system failure. (No single point of failure).

Question 13

What is Risk Reduction?
Name three different Risk Reduction Strategies?

Answer 13

Meaning: to identify dependability requirements that specify how the risks should be managed and ensure that accidents/incidents do not arise.

Risk Reduction Strategies:
* Risk avoidance;
* Risk detection and removal;
* Damage limitation.

Question 14

How are the risk reduction strategies used?

Answer 14

• Normally, in critical systems, a mix of risk reduction strategies are used.
• In a chemical plant control system, the system will include sensors to detect and correct excess pressure in the reactor.
• However, it will also include an independent protection system that opens a relief valve if dangerously high pressure is detected.

Question 15

Summary of Topic so far (Dependability and Security Specification)

Answer 15

• Risk analysis is an important activity in the specification of security and dependability requirements. It involves identifying risks that can result in accidents or incidents.
• A hazard-driven approach may be used to understand the system’s safety requirements. You identify potential hazards and decompose these (using methods such as fault tree analysis) to discover their root causes.
• Safety requirements should be included to ensure that hazards and
  accidents do not arise or, if this is impossible, to limit the damage caused by system failure.

Question 16

What is meant by a Safety case?

Answer 16

Meaning: Documented body of evidence that provides proof that a system is adequately safe for a given application in a given environment.

Note: It is fundamental that the safety case demonstrates how risks are reduced to levels that are As Low As Reasonably Practicable (ALARP).

Note: Different organisations (Regulators) have different guidelines on documenting and assessing safety cases.

Note: For instance, the Office for Nuclear Regulation (ONR) is the independent regulator of nuclear safety and security across the UK. (www.onr.org.uk).

Question 17

Note about Safety-Critical Systems

Answer 17

• Safety-critical systems have humans-in-the-loop, and rely on them.
• Industries such as nuclear, chemical, oil have humans monitoring operation and process control
• Humans are experts but sometimes misjudge situations or take bad decisions
• Fault diagnosis, risk management decision making, etc. all help to support safety decisions
• A Safety Decision Support Systems may be used to support an operator to more accurately assess the system’s state along with any associated risk and uncertainty.
• Requires its own safety-assurance
  obligations.

Question 18

More Notes
Driving and Automated Driving (AD)/AV

Answer 18

• Driving a car contains a human-in-the-loop
• Driving can be difficult: dense city traffic, complex road layouts, road works, unknown areas, hard-to-predict traffic co-participants (pedestrians and other drivers of different kinds of vehicles), too much traffic, car defects, and so on
  • Add safety mechanisms in cars to:
  • Reduce operational risk
  • Make the role of the driver less
    critical

Question 19

What are the levels of automation for AD & level of safety for each?

Answer 19

AD assistance (ADAS, L1-2) Advanced Driver Assistance Systems
* Highly automated (HAD, L3-4)
* Fully automated or autonomous (FAD, L5)
* With HAD systems (L4), a human driver is supposed to be in the loop, and take over occasionally

Level Zero – No Automation - the driver performs all operating tasks like steering, braking, accelerating or slowing down, etc.

Level One – Driver Assistance - the vehicle can assist with some functions, but the driver still handles all accelerating, braking, and monitoring of the surrounding environment. E.g., the car may brake a little extra when you get too close to another car on the motorway.

Level Two – Partial Automation - Most manufacturers are currently developing vehicles at this level, where the vehicle can assist with steering or acceleration functions and allow the driver to disengage from some of their tasks. The driver
must always be ready to take control of the vehicle and it still responsible for most safety-critical functions and all monitoring of the environment.

Level Three - Conditional Automation - the vehicle itself controls all monitoring of the environment (using sensors like LiDAR).

Note: The driver’s attention is still critical at this level, but can disengage from “safety critical” functions like braking and leave it to the technology when conditions are safe. Many current Level 3 vehicles require no human attention to the road at speeds under 37 miles per hour.

Level Four – High Automation - the vehicle is capable of steering, braking, accelerating, monitoring the vehicle and roadway as well as responding to events, determining when to change lanes, turn, and use signals.

Note: The ADS notifies the driver when conditions are safe, and only then does the driver switch the vehicle into this mode. It cannot deal with more dynamic driving situations like traffic jams, etc.

Level Five – Complete Automation - This level of autonomous driving requires absolutely no human attention. There is no need for pedals, brakes, or a steering
wheel, as the autonomous vehicle system controls all critical tasks, monitoring of the environment and identification of unique driving conditions like traffic jams.