
The Agile Safety Case PDF

242 Pages·2018·4.965 MB·English

Preview The Agile Safety Case

Thor Myklebust · Tor Stålhane

The Agile Safety Case

Thor Myklebust
Software Engineering, Safety and Security
SINTEF ICT
Trondheim, Norway

Tor Stålhane
NTNU
Trondheim, Norway

ISBN 978-3-319-70264-3
ISBN 978-3-319-70265-0 (eBook)
https://doi.org/10.1007/978-3-319-70265-0

Library of Congress Control Number: 2017960421

© Springer International Publishing AG 2018

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.

The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Printed on acid-free paper

This Springer imprint is published by Springer Nature. The registered company is Springer International Publishing AG. The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland.

Preface

Safety cases, also called assurance cases or safety demonstrations, have for a long time been required for safety-critical systems. A safety case is an efficient method for helping the developing company to focus on the simple but important question "How do you know that your system is safe enough?" The idea of a safety case is not to provide a mathematical or statistical proof but to argue as one would in a court of law, hence the name safety case.

A few international safety standards, like the railway standard EN 50129, the defence standard Def Stan 00-56 and the automotive standard ISO 26262, require a safety case to be developed. We expect that most safety standards in the future will include a safety case approach. Developing companies have often left the important task of creating a safety case to the end of the project. The reason for this has often been that "we need to have complete knowledge of the system before we write the safety case." This has turned out to be a costly solution. It is much more efficient to build the safety case during project development by inserting information when it becomes available, an agile approach that also results in increased safety awareness and understanding.

In recent years, there has been an increased use of agile development methods for safety-critical software in order to continuously introduce new and improved functionality, shorten the time to market and improve the return on investment.

The railway industry has had a renaissance in recent years and this seems set to continue. Even small countries like Norway plan to invest more than two billion Euros in a signalling system over the next 10 years. In Europe, there is a plan to invest more than 30 billion Euros in the next few years, and China has even higher investment goals. As a result, many engineers have to learn how to write, assess and interpret a safety case. We expect a more agile approach, as there have been many delays in signalling projects.

The main audience for this book are developers, assessors and purchasers of signalling systems in the railway and metro industry, but other industries like the defence and automotive industries may also find the book useful.

The main features of this book are as follows:

• It is a reference book for "ordinary" safety cases according to the railway and metro standard EN 50129 (IEC 62425)
• It is a reference book for agile safety cases compliant to EN 50129
• It improves communication between stakeholders
• It strengthens communication in all phases of a project
• It helps to easily navigate the status of the safety case
• It provides improved communication on the progress of the project
• It saves time on the development of the safety case
• It requires less documentation
• It helps manage changes during development and after the first release
• It reduces the time from when the last code was written to the finalisation of the safety case
• It provides an improved contract basis between the infrastructure manager/railway undertaking and the supplier
• It provides improved interpretation of the supplied safety cases
• It provides relevant information for the infrastructure manager/railway undertaking that is normally not included in a safety case
• It provides improved understanding of the relationship between a safety case and ERTMS and CBTC
• It provides an improved procedure for updates of the software due to security threats

Trondheim, Norway, October 2017
Thor Myklebust
Tor Stålhane

Acknowledgements

First, we would like to thank those who have provided the funds for this project: Sporveien Oslo AS (the Oslo Metro), the Norwegian National Rail Administration, the Railway Directorate and Bane NOR, and the Swedish Transport Agency.

The authors thank CENELEC for permission to reproduce figures and tables, the European Union Agency for Railways for permission to reproduce figures and Bane NOR for relevant pictures.

Special thanks to Professor Tim Kelly, who has written on GSN in relation to safety cases in Chap. 5.
The following experts have reviewed parts of the book:

• Terje Sivertsen, a railway expert who reviewed the first manuscript and gave valuable feedback
• Robert Bains and Narve Lyngby, senior safety assessors who reviewed the main safety parts of the book and whose comments helped improve the book
• Geir K. Hanssen, an agile expert, who reviewed our agile approach, which was important to ensure that the book is truly agile without compromising on safety

Thanks to all of you!

Most of the references in this book have been studied and read during travels from Trondheim to different places around the world. Thanks to SAS for making the task of reading safety standards and papers on board their flights such an enjoyable experience (and sometimes an exercise).

Last but not least, we are grateful for the layout and editorial comments from Springer and for their effective and professional work.

Contents

1 Introduction (p. 1)
1.1 Introduction (p. 1)
1.1.1 Signalling Systems, ERTMS and CBTC (p. 2)
1.1.2 EN 50129:2003 (p. 11)
1.1.3 Other Safety Systems than Railway Signalling Systems (p. 15)
1.1.4 Structure of This Book (p. 17)
References and Further Reading (p. 18)

2 Agile Development (p. 19)
2.1 Introduction (p. 19)
2.1.1 Introduction (p. 19)
2.1.2 Trust (p. 23)
2.1.3 The SafeScrum Process (p. 24)
2.1.4 The Need for Documentation (p. 25)
2.1.5 Agile Practices (p. 28)
2.1.6 Reuse of Information and Documents and Templates (p. 37)
2.1.7 Important Considerations When Applying Other Models than Waterfall/V-Model When Developing Signalling Systems (p. 38)
References and Further Reading (p. 45)

3 Roles, Assessment and Authorisation (p. 47)
3.1 Railway Roles, Assessment and Authorisation (p. 47)
3.1.1 Railway, Safety and Agile Roles (p. 47)
3.1.2 Assessment and Authorisation (p. 57)
References and Further Reading (p. 65)

4 The Agile Safety Plan for Signalling Systems (p. 67)
4.1 Introduction (p. 67)
4.1.1 Safety and Agility (p. 67)
4.1.2 The Safety Life Cycle (p. 68)
4.1.3 High-Level Safety Plan, Release Plan and Document Flow (p. 70)
4.1.4 Reuse Opportunities and Templates (p. 73)
4.1.5 Tools (p. 73)
4.1.6 The Agile Safety Plan (p. 76)
4.1.7 Summary (p. 76)
References and Further Reading (p. 85)

5 Safety Case Patterns, Notations and GSN (p. 87)
5.1 Safety Case Patterns and Notations (p. 87)
5.1.1 The Contents of a Safety Case (p. 87)
5.1.2 Normal Prose Safety Case (p. 88)
5.1.3 Structured Textual Pattern (p. 89)
5.1.4 Writing a Safety Case (p. 90)
5.1.5 Safety Case Diagrams (p. 91)
5.1.6 How GSN Supports Incremental Safety Case Development (p. 94)
5.1.7 GSN Support for Agile Development (p. 97)
References and Further Reading (p. 99)

6 The Safety Case: Introduction and Definition of the System (p. 101)
6.1 General Introduction (p. 101)
6.2 Introduction Part of the Safety Case (p. 106)
6.2.1 Change History of the Safety Case (p. 106)
6.2.2 Definition of System (p. 107)
References and Further Reading (p. 110)

7 Safety Case: Quality Management Report (p. 111)
7.1 Introduction (p. 111)
7.2 Organisational Structure (p. 113)
7.3 Quality Planning and Procedures (p. 114)
7.4 Specification of Requirements (p. 115)
7.5 Design Control (p. 118)
7.6 Design Verification and Reviews (p. 119)
7.7 Application Engineering (p. 120)
7.8 Procurement and Manufacture (p. 121)
7.9 Product Identification and Traceability (p. 122)
7.10 Handling and Storage (p. 125)
7.11 Inspection and Testing (p. 125)
7.12 Non-conformance and Corrective Action (p. 126)
7.13 Packaging and Delivery (p. 127)
7.14 Installation and Commissioning (p. 127)
7.15 Operation and Maintenance (p. 128)
7.16 Quality Monitoring and Feedback (p. 128)
7.17 Documentation and Records (p. 129)
7.18 Configuration Management/Change Control (p. 130)
7.19 Personnel Competency and Training (p. 131)
7.20 Quality Audits and Follow-Up (p. 132)
7.21 Decommissioning and Disposal (p. 133)
7.22 QMR Summary and Conclusion (p. 133)
References and Further Reading (p. 134)

8 Safety Management Report (SMR) (p. 137)
8.1 Safety Management Report (p. 137)
8.2 Introduction (p. 138)
8.3 Safety Life Cycle (p. 139)
8.4 Safety Organisation (p. 140)
8.5 Safety Plan (p. 142)
8.6 Hazard Log (p. 143)
8.7 Safety Requirement Specification (p. 147)
8.8 System/Subsystem/Equipment Design (p. 150)
8.9 Safety Reviews (p. 153)
8.10 Safety Verification and Validation (p. 154)
8.11 Safety Justification (the Safety Case) (p. 159)
8.12 System/Subsystem/Equipment Handover (p. 159)
8.13 Operation and Maintenance (p. 160)
8.14 Decommissioning and Disposal (p. 162)
8.15 Summary and Conclusion for the SMR Part (p. 163)
References and Further Reading (p. 163)

9 Technical Safety Report (TSR) (p. 165)
9.1 Introduction (p. 165)
9.2 Assurance of Correct Functional Operation (p. 167)
9.2.1 System Architecture Description (p. 168)
9.2.2 Definition of Interfaces (p. 173)
9.2.3 Fulfilment of System Requirement Specification (p. 174)
9.2.4 Fulfilment of Safety Requirements Specification (p. 175)
9.2.5 Assurance of Correct Hardware Functionality (p. 176)
9.2.6 Assurance of Correct Software Functionality (p. 178)
9.3 Effects of Faults (p. 180)
9.3.1 Effects of Single Faults (p. 180)
9.3.2 Independence of Items (p. 182)
9.3.3 Detection of Single Faults (p. 183)
9.3.4 Action Following Detection (Including Retention of Safe State) (p. 184)
9.3.5 Effects of Multiple Faults (p. 185)
9.3.6 Defence Against Systematic Faults (p. 186)
9.4 Operation with External Influences (p. 188)
