System safety as an emergent property in composite systems

Jennifer Black, Philip Koopman
2009 IEEE/IFIP International Conference on Dependable Systems & Networks
Correctly specifying requirements for composite systems is essential to system safety. In a distributed development environment, safety requirements must be clearly defined for subsystems. Unfortunately, decomposing non-functional requirements, also known as goals, is not always straightforward. Quantifiable goals, such as cost or performance, may be decomposed by allocating a fixed limit on each component. However, system safety is usually not expressible as a sum of parts. Rather, it is considered to be emergent. This thesis defines emergent and composable behaviors in the context of formally specified goals, and identifies useful special cases in which emergent system goals may be partially composable. Indirect Control Path Analysis (ICPA) is introduced as a new technique for identifying and documenting safety goals for components, using control flow and goal coverage strategies to guide goal elaboration. ICPA was applied to a semi-autonomous automotive system from a commercial automotive research laboratory, and the goals and subgoals were monitored at run time in a partial implementation of the vehicle in a simulation environment. Violations of both the goals and subgoals identified several critical design defects in the incomplete implementation. In some situations, false positive detection at the subsystem level identified problems in the subsystems that were masked by redundant goal coverage. False negative detection at the subsystem level in some of the scenarios suggests the set of subsystem safety goals only partially composes the system-level behavior. The results demonstrate proof of concept of the ICPA technique for defining system safety subgoals in a real system.
doi:10.1109/dsn.2009.5270316 dblp:conf/dsn/BlackK09 fatcat:nexkwutkzvgjfdcbck3wdqwsmy
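The abstract describes monitoring a system-level safety goal and its subsystem subgoals at run time and classifying disagreements between the two levels as subsystem false positives (masked by redundant coverage) or subsystem false negatives (evidence that the subgoals only partially compose the system goal). The example below is added here to make that classification concrete; it is not code from the thesis or from the automotive system it studied. The following-distance controller, the radar/camera subsystems, the tolerance values, and the four scenarios are all constructed for illustration.

```python
"""Runtime goal monitor illustrating emergent vs. partially composable safety goals.

Constructed example (not from the paper). A system-level safety goal G is
monitored alongside subsystem subgoals on simulated scenarios, and each
scenario is classified by whether the subsystem-level verdict agrees with
the system-level verdict.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Step:
    """One simulation tick of a hypothetical following-distance controller."""
    true_gap_m: float     # actual distance to the lead vehicle (ground truth)
    radar_gap_m: float    # gap as reported by the radar subsystem
    camera_gap_m: float   # gap as reported by the camera subsystem
    brake_cmd: bool       # whether the controller commanded braking


SAFE_GAP_M = 20.0     # constructed threshold for the system-level goal
SENSOR_TOL_M = 2.0    # constructed accuracy budget allocated to each sensor


def system_goal(s: Step) -> bool:
    """G: whenever the vehicle is actually closer than SAFE_GAP_M, it brakes."""
    return s.true_gap_m >= SAFE_GAP_M or s.brake_cmd


# Subsystem safety subgoals, written as predicates over one tick.
# Each one is checkable by the subsystem's owner without seeing the whole system.
SUBGOALS: Dict[str, Callable[[Step], bool]] = {
    "radar_accurate": lambda s: abs(s.radar_gap_m - s.true_gap_m) <= SENSOR_TOL_M,
    "camera_accurate": lambda s: abs(s.camera_gap_m - s.true_gap_m) <= SENSOR_TOL_M,
    # The controller brakes on the fused (here: minimum) sensor estimate.
    "controller_brakes_on_fused_gap": lambda s: (
        min(s.radar_gap_m, s.camera_gap_m) >= SAFE_GAP_M or s.brake_cmd
    ),
}


def monitor(s: Step) -> Tuple[bool, List[str]]:
    """Evaluate G and every subgoal; return (G satisfied?, names of violated subgoals)."""
    violated = [name for name, goal in SUBGOALS.items() if not goal(s)]
    return system_goal(s), violated


def classify(s: Step) -> str:
    """Compare the subsystem-level verdict with the system-level verdict."""
    goal_ok, violated = monitor(s)
    if goal_ok and not violated:
        return "agree_safe"
    if not goal_ok and violated:
        return "agree_unsafe"           # both levels detect the problem
    if goal_ok and violated:
        # A subgoal fired but G held: another subsystem covered the failure,
        # so the subgoal violation is a false positive at the system level.
        return "subsystem_false_positive"
    # G was violated but no subgoal fired: the subgoals do not fully
    # compose G (here, both sensors stayed inside their tolerance budget
    # but their combined error crossed the braking threshold).
    return "subsystem_false_negative"


# Constructed scenarios, one tick each.
SCENARIOS: Dict[str, Step] = {
    "nominal": Step(true_gap_m=30.0, radar_gap_m=30.0, camera_gap_m=30.0, brake_cmd=False),
    "radar_fault_masked_by_camera": Step(true_gap_m=15.0, radar_gap_m=40.0, camera_gap_m=15.0, brake_cmd=True),
    "tolerances_straddle_threshold": Step(true_gap_m=19.0, radar_gap_m=20.5, camera_gap_m=20.8, brake_cmd=False),
    "controller_ignores_close_gap": Step(true_gap_m=10.0, radar_gap_m=10.0, camera_gap_m=10.0, brake_cmd=False),
}


def run_all() -> Dict[str, str]:
    """Classify every constructed scenario."""
    return {name: classify(step) for name, step in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:32s} {verdict}")
```

The "tolerances_straddle_threshold" scenario is the interesting one: every subsystem meets its allocated subgoal, yet the system-level goal is violated, which is exactly the situation in which a per-component allocation fails to compose the emergent property and the subgoal set needs to be elaborated further.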