
A Framework for the Requirements Analysis of Safety-Critical Computing Systems

Amer Saeed
Ph.D. Thesis
The University of Newcastle upon Tyne
Computing Laboratory
September 1990

Abstract

Digital computers are increasingly being used in safety-critical applications (e.g., avionics, chemical plant and railway systems). The main motivations for introducing computers into such environments are to increase performance, flexibility and efficiency. However, the cost to safety in achieving these benefits using computing systems is unclear.

The general class of systems considered in this thesis is process control systems. More specifically, the thesis examines the class of safety-critical computing systems which are a component of a process control system that could cause or allow the overall system to enter into a hazardous state.

This thesis investigates the role of formal methods in safety-critical computing systems. The phase of system development considered is requirements analysis. Experience in safety-critical systems has shown that errors in the identified requirements are one of the major causes of mishap. It is argued that to gain a complete understanding of such computing systems, the requirements of the overall system and the properties of the environment must be analyzed in a common formal framework. A system development model based on the separation of safety and mission issues is discussed, which highlights the essential specifications that must be produced during requirements analysis. A formal model for the representation of these essential specifications is presented. The semantics of this formal model are based on the notion of a system history. To structure the specifications expressed by this formal model, the concept of a mode is introduced.

This thesis suggests that for a formal model to be useful during requirements analysis, a related systematic methodology, which provides comprehensive guidelines for the analysts who use the model, must be made available. An appropriate methodology, based upon the system development model, which incorporates some traditional system safety techniques, is described. Overall, the thesis presents a framework for requirements analysis by providing a system development model, a formal model and a related development methodology. An example of how this framework can support requirements analysis is presented in Appendices B and C.

Acknowledgements

Firstly, my thanks go to my supervisor, Professor Tom Anderson, who introduced me to the area of safety-critical systems, and in addition made many helpful comments upon the content of this thesis. I would also like to thank Professor Brian Randell and Dr Maciej Koutny for their help in the early years of my research. In particular, I would like to thank Dr Maciej Koutny for his suggestions on the formal notation. Thanks must also go to my colleague Mr R de Lemos for our discussions on safety-critical systems. Many other members of the Computing Laboratory, too numerous to mention individually, have also made my tenure here more pleasant. Thanks to you all. Finally, the support and patience of my parents throughout the years of this research deserve a special mention.

Financial support for the work described in this thesis was provided by a grant from the UK Science and Engineering Research Council and an Alvey grant in software reliability (Alvey Software Reliability Project SE/072).

Table of Contents

1 Introduction 1
  1.1. Background 1
  1.2. Safety 3
    1.2.1. System Safety 5
    1.2.2. Regulation and Legislation 6
  1.3. Process Control Systems 7
    1.3.1. Operator 8
    1.3.2. Physical Process 8
    1.3.3. Controller 9
    1.3.4. Controller Components 9
  1.4. Safety in Computer Based Systems 11
    1.4.1. Reliability 12
    1.4.2. Safety 12
    1.4.3. Safety-critical Computing Systems 13
  1.5. Obstacles to Computers in Safety-Critical Systems 13
    1.5.1. Intrinsic Obstacles 14
    1.5.2. Application Obstacles 17
  1.6. System Lifecycle 19
  1.7. Aims 22
  1.8. Overview 23
2 Requirements Analysis 25
  2.1. Introduction 25
  2.2. Role of Requirements Specification 26
    2.2.1. Requirements Specification Viewpoints 28
  2.3. Structured Requirements Analysis 30
    2.3.1. Development Model 30
      2.3.1.1. Separation of Issues 30
      2.3.1.2. Safety-Critical System Structure 32
      2.3.1.3. Requirements Phases 37
    2.3.2. Formal Model 40
      2.3.2.1. Advantages of Formal Models 40
    2.3.3. Development Programme 46
      2.3.3.1. Development Methodology 47
      2.3.3.2. Requirements Analysis Team 48
  2.4. Working Example 51
  2.5. Summary 53
3 Basic Concepts 55
  3.1. Time 55
    3.1.1. Time Points 58
    3.1.2. Time Intervals 58
    3.1.3. System Lifetime 61
  3.2. State Variables 61
    3.2.1. Variable Ranges 63
  3.3. Variable Categories 65
  3.4. System History 68
    3.4.1. History Function 69
  3.5. History Descriptions 70
    3.5.1. Variable Class Relations 71
    3.5.2. Invariant Relations 74
    3.5.3. History Relations 77
    3.5.4. Comparison of Relations 80
    3.5.5. History Description Sets 81
  3.6. Clocks 82
  3.7. Real-time Satisfaction Conditions 83
    3.7.1. System Predicates 83
    3.7.2. Point Satisfaction 84
    3.7.3. Interval Satisfaction 85
    3.7.4. Events 87
    3.7.5. Time Bound Constraints 90
    3.7.6. Termination Predicate 91
  3.8. Summary 92
4 Mode Theory 94
  4.1. Modes 94
    4.1.1. History Graphs 97
    4.1.2. Mode Properties 98
    4.1.3. Mode Relationships 100
    4.1.4. Mode Categories 101
    4.1.5. Mode Consistency 103
    4.1.6. Mode Limitations 106
    4.1.7. Mode Benefits 107
  4.2. Mode Sequences 108
    4.2.1. Mode Sequence Properties 109
    4.2.2. Mode Sequence Relationships 111
    4.2.3. Mode Sequence Consistency 111
    4.2.4. Mode Sequence Example 114
    4.2.5. Mode Sequence Set 115
    4.2.6. Mode Sequence Limitations 116
  4.3. Mode Graphs 118
    4.3.1. Mode Graph Properties 121
    4.3.2. Mode Graph Components 121
    4.3.3. Complete Mode Graphs 123
    4.3.4. Consistent Mode Graphs 124
    4.3.5. Mode Graph Relationships 126
    4.3.6. Mode Graph Categories 127
    4.3.7. Predicate Mode Graph 130
  4.4. Summary 131
5 Real World Specifications 133
  5.1. Disaster Set 133
  5.2. Safety Real World Description 134
  5.3. Hazard Specification 135
  5.4. Safety Real World Specification 138
  5.5. Mission Real World Description 139
  5.6. Mission Real World Specification 140
    5.6.1. Mission Phase Specification 141
  5.7. Summary 144
6 Controller Specifications 146
  6.1. Safety Environment Description 146
  6.2. Safety Controller Specification 148
    6.2.1. Safety Controller Behaviour Structure 148
    6.2.2. Start Up Phase 150
    6.2.3. Monitor Phase 151
    6.2.4. Recovery Phase 152
    6.2.5. Reset Phase 155
    6.2.6. Shut Down Phase 156
    6.2.7. End Phase 156
  6.3. Mission Environment Description 158
    6.3.1. Relation Classes 158
    6.3.2. Monitor Relations 160
  6.4. Mission Controller Specification 161
    6.4.1. Mission Controller Behaviour Structure 162
  6.5. Summary and Conclusions 169
7 Real World Analysis 171
  7.1. Introduction 171
  7.2. Initial Real World Description Analysis 174
    7.2.1. Production Guidelines 174
  7.3. Disaster Analysis 180
    7.3.1. Disaster Identification 180
    7.3.2. Validation Guidelines 181
  7.4. Hazard Specification Analysis 182
    7.4.1. Hazard Identification 182
    7.4.2. Validation Guidelines 184
    7.4.3. Hazard Elimination 185
    7.4.4. Complete Hazard Assumption 185
  7.5. Safety Real World Description Analysis 186
    7.5.1. Construction Guidelines 186
    7.5.2. Validation Guidelines 188
  7.6. Safety Real World Specification Analysis 189
  7.7. Mission Real World Specification Analysis 190
    7.7.1. Mission Phase Specification Analysis 190
    7.7.2. Mission Real World Specification Analysis 195
  7.8. Mission Real World Description Analysis 199
    7.8.1. Construction Guidelines 199
    7.8.2. Mission Real World Specification Checks 201
    7.8.3. Mission Validation 202
  7.9. Combination of Analysis 203
  7.10. Summary 203
8 Controller Analysis 206
  8.1. Introduction 206
  8.2. Safety Environment Description Analysis 208
  8.3. Safety Controller Specification Analysis 210
    8.3.1. Safety Verification 211
    8.3.2. Safety Controller Specification Development Methodology 215
    8.3.3. Safety Controller Specification Methodology Theorems 226
  8.4. Mission Environment Description Analysis 229
  8.5. Mission Controller Specification Analysis 231
    8.5.1. Mission Verification 234
    8.5.2. Mission Controller Development Strategy 245
    8.5.3. Mission Controller Specification Theorems 249
  8.6. Summary and Conclusions 251
9 Summary and Conclusions 254
  9.1. Thesis Summary 254
  9.2. Evaluation and Conclusions 261
  9.3. Future Work 263
    9.3.1. Extensions to the Framework 264
    9.3.2. Investigation of Other Formalisms 266
References
Appendix A
Appendix B
Appendix C

List of Figures

Figure 1.1. Process Control System Components 8
Figure 1.2. Controller Components 9
Figure 1.3. Controller Interfaces 11
Figure 1.4. Simplified System Life Cycle 19
Figure 2.1. Role of Requirements Specification 28
Figure 2.2. Safety-Critical System Structure 32
Figure 2.3. Safety-Critical Controller Components 34
Figure 2.4. Safety-Critical Controller Interfaces 35
Figure 2.5. Requirement Analysis Phases 37
Figure 2.6. Reaction Vessel 53
Figure 3.1. An Evolution 68
Figure 3.2.