Computer Safety, Reliability, and Security

WelcometoRotterdamandtotheInternationalConferenceSafecomp2000,on thereliability,safetyandsecurityofcriticalcomputerapplications. Thisalready marksthe19thyearoftheconference,showingtheundiminishedinterestthe topicelicitsfrombothacademiaandindustry. Safecomphasproventobean excellentplacetomeetandhavediscussions,andwehopethistrendcontinues thisyear. Peopleandorganisationsdependmoreandmoreonthefunctioningofc- puters. Whetherinhouseholdequipment,telecommunicationsystems,o?ce- plications,banking,peoplemovers,processcontrolormedicalsystems,theoft- embeddedcomputersubsystemsaremeanttoletthehostingsystemrealiseits intendedfunctions. Theassuranceofproperfunctioningofcomputersin- pendableapplicationsisfarfromobvious. Themillenniumstartedwiththebug andthefullendorsementoftheframeworkstandardIEC61508. Thevariety ofdependablecomputerapplicationsincreasesdaily,andsodoesthevarietyof risksrelatedtotheseapplications. Theassessmentoftheserisksthereforeneeds re?ectionandpossiblynewapproaches. Thisyear'sSafecompprovidesabroad mixofpapersontheseissues,onprogressmadeindi?erentapplicationdomains andonemergingchallenges. Oneofthespecialtopicsthisyearistransportandinfrastructure. Onewould behardpressedto?ndabetterplacetodiscussthisthaninRotterdam.The reliability,safetyandsecurityofcomputersisofprominentimportancetoRott- dam,asafewexamplesillustrate. Itsharbourdependsonthereliablefunctioning ofcontainerhandlingsystems,onthesafefunctioningofitsradarsystems,and, asofrecently,onthesafeandreliablefunctioningoftheenormousstormsurge barrieratHoekvanHolland. AnewtopicforSafecompis medicalsystems. Theseprogressivelydepend on-embedded-programmableelectronicsystems. Experienceshowsthatthe medicalworldlacksthemethodsforapplyingthesesystemssafelyandreliably. Wewelcomeagroupofpeoplereadytodiscussthistopic,andhope,bydoing so,tocontributetothis?eldofapplicationsofsafe,reliableandsecuresystems. SoftwareprocessimprovementalsorepresentsaspecialtopicofSafecomp 2000. Itprovedtobethemostfruitfulofthethreeintermsofsubmittedpapers. Thereweremanycontributionsfromahostofcountries,whichhadtobespread amongstdi?erentsessiontopics. WewishtothanktheInternationalProgramCommittee'smembers,41in total,fortheire?ortsinreviewingthepapersandfortheirvaluableadvicein organisingthisconference. Wearealsogratefulfortheircontributiontod- tributingcallsforpapersandannouncements. Withouttheirhelptheburdenof organisingthisconferencewouldhavebeenmuchgreater.VI Preface Finally,letusonceagainwelcomeyoutoRotterdam,atrulyinternational cityandhometopeopleofmanynationalities. Wehopeyoutakethetimenot onlytoenjoythisconference,butalsoto?ndyourwayaroundthecity,sinceit surelyhasmuchtoo?er. FloorKoornneef MeinevanderMeulen Table of Contents InvitedPaper TheTenMostPowerfulPrinciplesforQualityin(Softwareand) SoftwareOrganizationsforDependableSystems...1 TomGilb Veri?cationandValidation EmpiricalAssessmentofSoftwareOn-LineDiagnostics UsingFaultInjection...14 JohnNapier,JohnMayandGordonHughes Speeding-UpFaultInjectionCampaignsinVHDLModels...27 B. Parrotta,M. Rebaudengo,M. SonzaReordaandM. Violante Speci?cationandVeri?cationofaSafetyShellwithStatechartsand ExtendedTimedGraphs...37 JanvanKatwijk,HansToetenel,Abd-El-KaderSahraoui,EricAnderson andJanuszZalewski ValidationofControlSystemSpeci?cationswithAbstractPlantModels...53 WenhuiZhang AConstantPerturbationMethodforEvaluation ofStructuralDiversityinMultiversionSoftware...63 LupingChen,JohnMayandGordonHughes ExpertError:TheCaseofTrouble-ShootinginElectronics...74 DenisBesnard TheSafetyManagementofData-DrivenSafety-RelatedSystems ...86 A. G. Faulkner,P. A. Bennett,R. H. Pierce,I. H. A. Johnston andN.Storey SoftwareSupportforIncidentReportingSystems inSafety-CriticalApplications...96 ChrisJohnson SoftwareProcessImprovement ADependability-ExplicitModelfortheDevelopment ofComputingSystems...107 MohamedKaan iche,Jean-ClaudeLaprieandJean-PaulBlanquart VIII Table ofContents DerivingQuanti?edSafetyRequirementsinComplexSystems ...117 PeterA. Lindsay,JohnA. McDermidandDavidJ. Tombs ImprovingSoftwareDevelopmentbyUsing SafeObjectOrientedDevelopment:OTCD...131 XavierM'ehautandPierreMor'ere ASafetyLicensablePESforSIL4Applications...141 WolfgangA. Halang,PeterVogrinandMatja?zColnari?c SafetyandSecurityIssuesinElectricPowerIndustry ...151 ? Zdzis lawZurakowski DependabilityofComputerControlSystemsinPowerPlants ...165 Cl'audiaAlmeida,AlbertoArazo,YvesCrouzetandKaramaKanoun AMethodofAnalysisofFaultTreeswithTimeDependencies ...176 JanMagottandPawe lSkrobanek Formal Methods AFormalMethodsCaseStudy:UsingLight-WeightVDM fortheDevelopmentofaSecuritySystemModule...187 GeorgDroschl,WalterKuhn,GeraldSonneckandMichaelThuswald FormalMethods:TheProblemIsEducation...198 ThierryScheurer FormalMethodsDi?usion:PastLessonsandFutureProspects...211 R. Bloom?eld,D. Craigen,F. Koob,M. UllmannandS.Wittmann InvitedPaper SafeTech:AControlOrientedViewpoint...227 MaartenSteinbuch SafetyGuidelines,StandardsandCerti?cation DerivationofSafetyTargetsfortheRandomFailure ofProgrammableVehicleBasedSystems...240 RichardEvansandJonathanMo?ett IEC61508-ASuitableBasisfortheCerti?cation ofSafety-CriticalTransport-InfrastructureSystems??...250 DerekFowlerandPhilBennett Table of Contents IX HardwareAspects AnApproachtoSoftwareAssistedRecovery fromHardwareTransientFaultsforRealTimeSystems...264 D. BasuandR. Paramasivam ProgrammableElectronicSystemDesign&Veri?cationUtilizingDFM...275 MichelHoutermans,GeorgeApostolakis,AarnoutBrombacher andDimitriosKarydas SIMATICS7-400F/FH:Safety-RelatedProgrammableLogicController...286 AndreasSchenk SafetyAssessmentI AssessmentoftheReliabilityofFault-TolerantSoftware: ABayesianApproach...294 BevLittlewood,PeterPopovandLorenzoStrigini EstimatingDependabilityofProgrammableSystemsUsingBBNs...309 BjornAxelGran,GustavDahll,SiegfriedEisinger,EivindJ. Lund, JanGerhardNorstrom,PeterStrockaandBrittJ. Ystanes DesignforSafety ImprovementsinProcessControlDependability throughInternetSecurityTechnology...321 FerdinandJ.Dafelmair ASurveyonSafety-CriticalMulticastNetworking ...333 JamesS. PascoeandR. J. Loader InvitedPaper CausalReasoningaboutAircraftAccidents...344 PeterB. Ladkin Transport&Infrastructure ControllingRequirementsEvolution:AnAvionicsCaseStudy...361 StuartAndersonandMassimoFelici HAZOPAnalysisofFormalModels ofSafety-CriticalInteractiveSystems...