System Hazard Analysis
System hazard analysis (SHA) builds on preliminary hazard analysis (PHA), expanding upon the work done in PHA. SHA considers the system as a whole and identifies how
could contribute to system hazards. The SHA refines the high-level design constraints generated during PHA. Conformance of the system design to the design constraints is also validated through system hazard analysis. Through SHA, safety design constraints are traced to individual components based on the functional decomposition and allocation.
Hazard causal analysis is used to refine the high-level safety constraints into more detailed constraints. This process requires a model of the system, even if that model is just in the head of the analyst. Causal analysis almost always involves some type of search through the system design (model) for states or conditions that could lead to system hazards. Search can be top-down or bottom-up and either forward or backward. The graph below depicts the difference between forward and backward search.
Forward search starts with an event and identifies the consequences of that event. Each of those consequences becomes another event, and the search proceeds by finding the consequences of each of those events in turn. If the initiating event leads to a hazardous state, then a hazard has been detected. Backward search works the other way. A hazardous state is postulated as existing, and the search works backward from the postulated state to try to find any valid state from which it is reachable. If one is found, then that valid state could lead forward to the hazardous state.
Fault tree analysis is sometimes used to refine hazards to their causes. When software is involved, qualitative fault trees may have some use, but not quantitative ones. Quantitative fault trees depend on the probability of a component failure. With software, there is no way to derive this number. What is the probability that an if statement fails? What does it mean for a branch structure to fail? More realistically, what is the probability of a design error in software? This is not a question with a good answer yet. 10^-9 gets thrown around a lot as a figure for software, but no one has offered good evidence explaining on what basis that number was used.
System fault trees are helpful in identifying potentially hazardous software behavior. Fault tree analysis can be used to refine system design constraints. FTAs (fault tree analyses) can also be used to verify code. The software FTA identifies any paths from inputs to hazardous outputs, or provides some assurance that no such paths exist. In this case, one is not looking for failures but for incorrect paths (functions).
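The forward and backward search described above, and the software FTA question of whether any path leads from an input to a hazardous output, can both be run over an explicit state model. The following Python is an added example, not code from the page or from Safeware Engineering: the pressurised-vessel controller model, its interlock-bypass edge, and the choice of "idle" as the only valid starting state are constructed assumptions, and the backward search simply reverses every edge of the same model.

```python
from collections import deque

# Constructed toy model, not from the page: a pressurised-vessel controller.
# Keys are states or events; values are the states each one can lead to.
MODEL = {
    "idle": ["open_cmd"],
    "open_cmd": ["interlock_check", "pressure_rising"],  # 2nd edge: assumed interlock bypass
    "interlock_check": ["pressure_rising", "cmd_rejected"],
    "pressure_rising": ["pressure_ok", "overpressure"],
    "pressure_ok": ["idle"],
    "cmd_rejected": ["idle"],
    "overpressure": [],  # the hazardous state
}
HAZARDS = {"overpressure"}
VALID_STARTS = {"idle"}  # states the design accepts as valid starting points

def bfs_path(graph, start, goals):
    """Shortest path from start to any goal state, or None if none is reachable."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] in goals:
            return path
        for nxt in graph.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def forward_search(event, model=MODEL, hazards=HAZARDS):
    """Forward search: follow the consequences of an initiating event to a hazard."""
    return bfs_path(model, event, hazards)

def backward_search(hazard, model=MODEL, valid=VALID_STARTS):
    """Backward search: postulate the hazard and work back to any valid state."""
    reverse = {}
    for src, dsts in model.items():
        for dst in dsts:
            reverse.setdefault(dst, []).append(src)
    path = bfs_path(reverse, hazard, valid)
    return path[::-1] if path else None  # report in causal (forward) order

def hazard_paths(src, model=MODEL, hazards=HAZARDS, visited=()):
    """All simple paths from an input to a hazardous output (software FTA);
    an empty list is the assurance that no such path exists."""
    visited += (src,)
    if src in hazards:
        return [list(visited)]
    return [p for nxt in model.get(src, []) if nxt not in visited
            for p in hazard_paths(nxt, model, hazards, visited)]
```

The two paths that `hazard_paths("open_cmd")` returns are the candidate design constraints: one runs through the interlock check, the other through the assumed bypass edge, which is exactly the kind of incorrect path the software FTA is meant to surface.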
Once system hazard analysis has refined the preliminary hazard analysis, subsystem (including software) hazard analysis can take place.
Copyright © 2003 Safeware Engineering Corporation. All rights reserved