A safety-case approach for certifying adaptive systems
John Rushby. In AIAA Infotech@Aerospace Conference, American Institute of Aeronautics and Astronautics, 2009.
Cited by 3 (3 self)
Abstract
Adaptive systems—those that can change their behavior at runtime—pose new challenges for certification, and particularly for traditional, standards-based methods of certification such as DO-178B. These traditional methods are effective in conservative fields because they can establish a solid basis in experience and can incorporate the lessons learned from previous systems. They seem likely to prove less effective in fast-moving fields where innovation outstrips the pace at which experience can be incorporated into standards. Argument-based safety cases offer a plausible alternative basis for certification in these fast-moving fields. A safety case provides an explicit statement of safety claims, a body of evidence concerning the system, and an argument, based on the evidence, that the system satisfies its claims; standards-based methods, in contrast, specify only the evidence to be produced. A reasonable objection to safety cases is that many arguments—especially large, complex ones—can appear plausible, yet harbor flaws. There is a need for tools that can help analyze arguments. Some model-based design tools can do this, but generally operate at a far more detailed level of design than is appropriate for much of safety analysis. Some interactive theorem provers can do it, too, but they generally require notation and skills far removed from those found in aerospace and safety engineering. In this paper we argue that analysis tools based on recent advances in formal methods (SMT solvers, infinite bounded model checkers, and k-induction) can provide suitable modeling notations, effective analysis, and push-button automation. We illustrate the approach with a simple example based on a self-checking pair. We further argue that monitors derived from a safety case provide a potentially certifiable means for entering an adaptive mode of behavior, and that monitors generated from a formally analyzed case can be “possibly perfect,” which is a property that allows a novel kind of reliability analysis.
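The self-checking pair and the safety-case monitor described in this abstract, as an added example that is not code from Rushby's paper: a toy finite-state model in Python, checked by explicit-state enumeration standing in for the SMT-backed bounded model checker and k-induction the paper relies on. The lane fault model (a faulty lane returns x-1 instead of x+1), the mode machine, the monitor invariant and the output claim are all constructed assumptions for this illustration.

```python
"""Self-checking pair gated by a safety-case monitor, checked by bounded
model checking (base case) and k-induction (inductive step) over an
explicitly enumerated finite state space.

Added example; the pair, the fault model and the claims below are
constructed here and are not taken from Rushby's paper.
"""
from itertools import product

MODES = ("normal", "adaptive", "safe")
XS = (0, 1, 2)                  # constructed finite input domain
INIT = ("normal", False)        # state = (mode, latched_fault)


def channel(x, faulty):
    """One lane of the pair. Fault model (assumption): a faulty lane returns x-1."""
    return x + 1 if not faulty else x - 1


def step(state, inp):
    """Transition: (mode, latched) x (x, fault_a, fault_b, request_adaptive) -> (state', command)."""
    mode, latched = state
    x, fa, fb, req = inp
    out_a, out_b = channel(x, fa), channel(x, fb)
    if latched or out_a != out_b:
        # comparator miscompare now or earlier: drop to safe mode and stay there
        return ("safe", True), None
    if req and mode != "safe":
        return ("adaptive", False), out_a      # monitor permits adaptive mode
    return ("normal", False), out_a


def inputs():
    return product(XS, (False, True), (False, True), (False, True))


def states():
    return product(MODES, (False, True))


def successors(state):
    return {step(state, i)[0] for i in inputs()}


def invariant(state):
    """Monitor claim: adaptive mode only with no latched fault; a latched fault means safe mode."""
    mode, latched = state
    return (mode != "adaptive" or not latched) and (not latched or mode == "safe")


def bmc(k):
    """Base case: every state reachable from INIT within k steps satisfies the invariant."""
    frontier, seen = {INIT}, {INIT}
    for _ in range(k + 1):
        if not all(invariant(s) for s in frontier):
            return False
        frontier = {t for s in frontier for t in successors(s)} - seen
        seen |= frontier
    return True


def k_induction_step(k):
    """Inductive step: any path of k invariant states (from ANY state) leads only to invariant states."""
    def extend(path):
        if len(path) == k:
            return all(invariant(t) for t in successors(path[-1]))
        return all(extend(path + (t,)) for t in successors(path[-1]) if invariant(t))
    return all(extend((s,)) for s in states() if invariant(s))


def check_output_claim(max_faults):
    """Output claim: with at most `max_faults` simultaneous lane faults, every delivered
    command equals the correct value x+1. Returns None if it holds, else (state, input, command)."""
    for s in states():
        if not invariant(s):
            continue
        for i in inputs():
            x, fa, fb, _ = i
            if fa + fb > max_faults:
                continue
            _, cmd = step(s, i)
            if cmd is not None and cmd != x + 1:
                return (s, i, cmd)
    return None


if __name__ == "__main__":
    print("base case (k=4):", bmc(4))
    print("inductive step (k=1):", k_induction_step(1))
    print("single-fault output claim:", check_output_claim(1))
    print("double-fault counterexample:", check_output_claim(2))
```

`check_output_claim(2)` returns a counterexample in which both lanes fail identically and the comparator cannot notice; that is exactly the kind of flaw a plausible-looking argument hides, and it is why the safety case must carry an explicit lane-independence assumption for the self-checking-pair claim to go through.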
Formalism in Safety Cases
Appears in Making Systems Safer: Proceedings of the Eighteenth Safety-Critical
Abstract
Suitable formalisms could allow the arguments of a safety case to be checked mechanically. We examine some of the issues in doing so.
Using Fault Modeling in Safety Cases
19th International Symposium on Software Reliability Engineering
Abstract
For many safety-critical systems a safety case is built as part of the certification or acceptance process. The safety case assembles evidence to justify that the design and implementation of a system avoid hazardous software behavior. Fault modeling and analysis can provide a rich source of evidence that the design meets safety goals. However, there is currently little guidance available to bridge the gap between the fault modeling that developers perform and the mandated safety case. In this experience report we describe results and open issues from an investigation of how evidence from software tool-supported fault modeling and analysis of a spacecraft power system could assist in safety-case construction. The ways in which the software fault models can provide evidence for the safety case appear to be applicable to other critical systems.
Software Assurance for Systems of Systems
Abstract
Justified confidence in system and SoS behavior requires software assurance theories and principles that don’t exist today. Using such theories and principles, organizations would have a better basis for confidence in deployed system behavior, and at the same time, these theories and principles could be used to make the assurance process more efficient and effective.
A Lightweight Code Analysis and its Role in Evaluation of a Dependability Case
Abstract
A dependability case is an explicit, end-to-end argument, based on concrete evidence, that a system satisfies a critical property. We report on a case study constructing a dependability case for the control software of a medical device. The key novelty of our approach is a lightweight code analysis that generates a list of side conditions that correspond to assumptions to be discharged about the code and the environment in which it executes. This represents an unconventional trade-off between, at one extreme, more ambitious analyses that attempt to discharge all conditions automatically (but which cannot even in principle handle environmental assumptions), and at the other, flow- or context-insensitive analyses that require more user involvement. The results of the analysis suggested a variety of ways in which the dependability of the system might be improved.
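A side-condition generator of the kind this abstract describes, as an added example that is not the authors' tool: a Python AST walk that emits, for one function, the conditions a dependability case would have to discharge, split into those about the code itself (a divisor is nonzero, an index is in range) and those about the environment (callers respect argument domains, an external actuator call behaves as specified). The sample `dose_rate` routine, the `pump` object and the condition categories are constructed for the illustration.

```python
"""Lightweight side-condition generation over a Python function's AST.

Added example, not the analysis from the paper: the categories of side
condition and the sample routine are constructed here.
"""
import ast

# Constructed sample in the style of device control code. `pump` is an
# assumed external object that is not defined in the analysed code.
SAMPLE = '''
def dose_rate(volume_ml, minutes, limits):
    rate = volume_ml / minutes
    ceiling = limits[0]
    if rate > ceiling:
        rate = ceiling
    pump.set_rate(rate)
    return rate
'''


class SideConditions(ast.NodeVisitor):
    """Collects (line, kind, condition) triples; kind is "code" or "environment"."""

    def __init__(self):
        self.conditions = []
        self.local_names = set()

    def _add(self, node, kind, text):
        self.conditions.append((node.lineno, kind, text))

    def visit_FunctionDef(self, node):
        # Parameters are supplied by the environment: their domain is an assumption.
        self.local_names = {a.arg for a in node.args.args}
        for a in node.args.args:
            self._add(node, "environment", f"caller supplies {a.arg} within its intended domain")
        self.generic_visit(node)

    def visit_Name(self, node):
        if isinstance(node.ctx, ast.Store):
            self.local_names.add(node.id)       # assigned locally, so not an external name

    def visit_BinOp(self, node):
        if isinstance(node.op, (ast.Div, ast.FloorDiv, ast.Mod)):
            self._add(node, "code", f"divisor {ast.unparse(node.right)} != 0")
        self.generic_visit(node)

    def visit_Subscript(self, node):
        self._add(node, "code",
                  f"index {ast.unparse(node.slice)} within bounds of {ast.unparse(node.value)}")
        self.generic_visit(node)

    def visit_Call(self, node):
        # A call rooted at a name not bound in the function is an effect on the environment.
        root = node.func
        while isinstance(root, ast.Attribute):
            root = root.value
        if isinstance(root, ast.Name) and root.id not in self.local_names:
            self._add(node, "environment",
                      f"{ast.unparse(node.func)} behaves as specified (effect outside the analysed code)")
        self.generic_visit(node)


def side_conditions(src):
    """Return the side conditions of every function in `src`, sorted by line."""
    v = SideConditions()
    v.visit(ast.parse(src))
    return sorted(v.conditions)


def undischarged(conditions, discharged):
    """Conditions for which the dependability case offers no argument or evidence yet."""
    return [c for c in conditions if c[2] not in discharged]


if __name__ == "__main__":
    conds = side_conditions(SAMPLE)
    for line, kind, text in conds:
        print(f"line {line:2d} [{kind}] {text}")
    print("still open:", len(undischarged(conds, {"divisor minutes != 0"})))
```

The split matters for the trade-off the abstract describes: the "code" conditions are candidates for automatic discharge by a heavier analysis, while the "environment" conditions can only be argued from evidence about the device, its callers and its actuators, which no code analysis can supply on its own.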
Toward a Formalism for Conservative Claims about the Dependability of Software-Based Systems
Abstract
In recent work, we have argued for a formal treatment of confidence about the claims made in dependability cases for software-based systems. The key idea underlying this work is “the inevitability of uncertainty”: It is rarely possible to assert that a claim about safety or reliability is true with certainty. Much of this uncertainty is epistemic in nature, so it seems inevitable that expert judgment will continue to play an important role in dependability cases. Here, we consider a simple case where an expert makes a claim about the probability of failure on demand (pfd) of a subsystem of a wider system and is able to express his confidence about that claim probabilistically. An important, but difficult, problem then is how such subsystem (claim, confidence) pairs can be propagated through a dependability case for a wider system, of which the subsystems are components. An informal way forward is to justify, at high confidence, a strong claim, and then, conservatively, only claim something much weaker: “I’m 99 percent confident that the pfd is less than 10^-5, so it’s reasonable to be 100 percent confident that it is less than 10^-3.” These conservative pfds of subsystems can then be propagated simply through the dependability case of the wider system. In this paper, we provide formal support for such reasoning.
Index Terms: Bayesian probability, safety case, software reliability.

