安全关键软件防危性评测方法研究

分析军用软件的高可靠性要求及军用安全关键软件防危性评测的必要性,确定防危性评估指标.提出利用基于重要性采样及加速测试技术下的软件防危性测试数据,建立小子样条件下基于贝叶斯估计的软件防危性评测方法.以非齐次泊松过程(NHPP)软件可靠性评估模型为例,利用自助法采样确定模型参数的验前分布,利用贝叶斯估计进行参数的验后计算得到模型估计值,联合测试加速度因子计算得到软件实际事故率评估值.算例分析表明,该评测过程具有一定合理性和可行性.     

矿用产品安全标志认证现场评审与中国强制性产品认证工厂检查管理差异性分析

介绍了矿用产品安全标志认证和中国强制性产品认证的发展历程,总结了矿用产品安全标志认证现场评审和中国强制性产品认证工厂检查的有关管理情况,从评审依据、评审员管理、评审费等方面比对分析了两者的差异性,从而达到相互借鉴的目的。     

Facilitating construction of safety cases from formal models in Event-B

ContextCertification of safety–critical software systems requires submission of safety assurance documents, e.g., in the form of safety cases. A safety case is a justification argument used to show that a system is safe for a particular application in a particular environment. Different argumentation strategies (informal and formal) are applied to determine the evidence for a safety case. For critical software systems, application of formal methods is often highly recommended for their safety assurance.ObjectiveThe objective of this paper is to propose a methodology that combines two activities: formalisation of system safety requirements of critical software systems for their further verification as well as derivation of structured safety cases from the associated formal specifications.MethodWe propose a classification of system safety requirements in order to facilitate the mapping of informally defined requirements into a formal model. Moreover, we propose a set of argument patterns that aim at enabling the construction of (a part of) a safety case from a formal model in Event-B.ResultsThe results reveal that the proposed classification-based mapping of safety requirements into formal models facilitates requirements traceability. Moreover, the provided detailed guidelines on construction of safety cases aim to simplify the task of the argument pattern instantiation for different classes of system safety requirements. The proposed methodology is illustrated by numerous case studies.ConclusionFirstly, the proposed methodology allows us to map the given system safety requirements into elements of the formal model to be constructed, which is then used for verification of these requirements. Secondly, it guides the construction of a safety case, aiming to demonstrate that the safety requirements are indeed met. Consequently, the argumentation used in such a constructed safety case allows us to support it with formal proofs and model checking results used as the safety evidence.     

Software processes, assessment and ISO 9000-certification: A user's view

The Austrian Research Centre Seibersdorf and its IT-Department are involved in the development of critical computer systems and in standardization in this field for many years (SAFECOMP '89, '90, '91, '93, IEC SC 65A WG9 and WG10, IEC TC 56, partners in the European initiative ESPITI and the networks ENCRESS and OLOS). The certification process for ISO 9001 started with a pre-audit in December 1993, and the certificate was successfully achieved at the end of June 1994. ISO 9000–3 (somehow more process-related than ISO 9001) and the ESA Software Engineering Standards (lifecycle model, process models) were the key input to the Quality Management (QM) System of the IT-Department. Additionally, the Department of Information Technology has successfully applied for a BOOTSTRAP license early in 1994. Four members of the staff of the IT department are qualified as external BOOTSTRAP assessors at the moment. In preparation for ISO 9000-certification and during BOOTSTRAP-training we learnt much about organizations, process improvement and project management, especially by reviewing our own processes critically as well as reviewing the impact and relevance of the schemes to follow when ISO 9000 certification or BOOTSTRAP licensing is the goal to achieve. Direct as well as indirect business benefits were achieved.     

An instrument for measuring the success of the requirements engineering process in information systems development

There exists a strong motivation for evaluating, understanding, and improving requirements engineering practices given that a successful requirements engineering process is necessary for a successful software system. Measuring requirements engineering success is central to evaluation, understanding, and improving these practices. In this paper, a research study whose objective was to develop an instrument to measure the success of the requirements engineering process is described. The domain of this study is developing customer-specific business information systems. The main result is a subjective instrument for measuring requirements engineering success. The instrument consists of 32 indicators that cover the two most important dimensions of requirements engineering success. These two dimensions were identified during the study to be: quality of requirements engineering products and quality of requirements engineering service. Evidence is presented demonstrating that the instrument has desirable psychometric properties, such as high reliability and good validity.This paper is a longer and more detailed version of the study reported in El Emam and Madhavji (1995).This work was supported in part by the IT Macroscope Project and NSERC Canada.     

A Framework for Improving the Requirements Engineering Process Management

This paper presents a system dynamics model for improving the requirements engineering process management. The paper argues that improving RE process management improves the quality of the specification produced. It uses a simulation modelling approach to capture the complex and dynamic nature of quality and also the cost of resources and time needed to complete the process. Current claims by various researchers and empirical evidence has led to our proposition that “the earlier in the requirements engineering phase that system dynamics simulation modelling is used, the more effective the RE process management is and the better its product quality will be.” In developing such a model, the paper fills an important gap in the RE process management literature and has potential to provide requirement engineers, managers and software development organisations with a model-based process framework to aid quality assessment and improvement. The paper concludes by suggesting that the framework makes a useful contribution both in providing the foundations for theory building in RE process management and quality improvement by aiding shared understanding through learning and training situations. This revised version was published online in August 2006 with corrections to the Cover Date.     

火电厂综合安全评价模型的构建与应用

将模糊层次分析法、集对分析和系统功能论集于一体,构建了一个适用于火电企业的综合安全评价模型,不但考虑了影响火电厂安全的关键因素,而且可对火电厂安全因素之间的相互作用的协调性做量化分析,并将其结果构造系统优势函数,以解决系统安全功能大于各子系统安全功能之和的问题。实例表明该综合安全评价模型能够整合火电厂中各安全因素内在联系和非线性影响,使安全评价趋于合理,为企业安全生产管理提供科学的依据。     

Bedside safety rails: assessment of strength requirements and the appropriateness of current designs

This second paper in a series of studies of the discomfort produced by multi-axis vibration is concerned with rotational seat vibration. The effects of level, frequency and direction of the roll, pitch and yaw vibration of a firm flat seat have been studied in two experiments. At octave centre frequencies in the range 1-31.5 Hz the first experiment determined the levels of roll, pitch and yaw seat vibration which caused discomfort equivalent to 0-5 and l.25m/s²r.m.s. 10 Hz vertical seat vibration. In the second experiment, comfort contours equivalent to 0.8 m/s² r.m.s. 10 Hz vertical seat vibration were determined from 18 males and 18 females at preferred third-octave centre frequencies from 1 to 31.5 Hz. In all cases the axis of rotation passed through the centre of the seat surface. There was no vibration of the feet and no backrest.

It was concluded that the shape of equivalent comfort contours need not normally depend on vibration, level. Both individual and group equivalent comfort contours are presented. Although there were significant correlations between subject size and subject relative discomfort it is not thought that these correlations have much practical application. In all three axes the median contours of vibration acceleration increase in proportion to vibration frequency. Sensitivity is greatest for roll vibration and least for yaw vibration of the seat.     

Evidence management for compliance of critical systems with safety standards: A survey on the state of practice

ContextDemonstrating compliance of critical systems with safety standards involves providing convincing evidence that the requirements of a standard are adequately met. For large systems, practitioners need to be able to effectively collect, structure, and assess substantial quantities of evidence.ObjectiveThis paper aims to provide insights into how practitioners deal with safety evidence management for critical computer-based systems. The information currently available about how this activity is performed in the industry is very limited.MethodWe conducted a survey to determine practitioners’ perspectives and practices on safety evidence management. A total of 52 practitioners from 15 countries and 11 application domains responded to the survey. The respondents indicated the types of information used as safety evidence, how evidence is structured and assessed, how evidence evolution is addressed, and what challenges are faced in relation to provision of safety evidence.ResultsOur results indicate that (1) V&V artefacts, requirements specifications, and design specifications are the most frequently used safety evidence types, (2) evidence completeness checking and impact analysis are mostly performed manually at the moment, (3) text-based techniques are used more frequently than graphical notations for evidence structuring, (4) checklists and expert judgement are frequently used for evidence assessment, and (5) significant research effort has been spent on techniques that have seen little adoption in the industry. The main contributions of the survey are to provide an overall and up-to-date understanding of how the industry addresses safety evidence management, and to identify gaps in the state of the art.ConclusionWe conclude that (1) V&V plays a major role in safety assurance, (2) the industry will clearly benefit from more tool support for collecting and manipulating safety evidence, and (3) future research on safety evidence management needs to place more emphasis on industrial applications.     

Using an objective method for managing the implementation of quality certification in the industry

With their generalized use as a competitive strategy, Quality Management Systems (QMSs) have become an important management and development tool in industrial companies. There have been numerous studies of the different factors involved in their implementation, but none have considered which of these factors generate a greater propensity to seek certification in these companies. It is important to quantify these factors with the aim of determining their influence on the implementation of an ISO 9000 norm certified QMS.     

A mathematical model to minimize the inventory and transportation costs in the logistics systems

In this paper we consider a logistics system for parts manufacturer distribution center(depot) to supply the parts to the parent company. And we formulate the mathematical model to minimize the sum of inventory holding costs at the depot, and the transportation and inventory costs at parts manufacturer.

We apply the model to an actual automobile parts manufacturer to demonstrate the effectiveness of the proposed model.     

A decision support system for cooperative transportation planning: Design,implementation, and performance assessment

In this paper, we describe a decision support system for cooperative transportation planning in the German food industry where several manufacturing companies share their fleets to reduce transportation costs. Besides using vehicles of their fleets, there are different outsourcing options offered by logistics service providers, but these are much more expensive. The decision-making kernel of the decision support system is implemented as a multi-agent-system (MAS). The kernel provides a distributed hierarchical algorithm for cooperative transportation planning and an on-line data layer that contains all the information for decision making. We sketch the distributed hierarchical transportation planning algorithm and identity the required software agents. The MAS interacts via web services with a commercial tour planning system that persistently stores the resulting tour plans, orders, and customer data. Moreover, the tour planning system is used to offer graphical user interfaces to interact with the users. The data layer is updated by order and customer data from the ERP systems of the different manufacturing companies. We describe the architecture and the implementation of the MAS and the overall coupling framework. Furthermore, we discuss the simulation-based performance assessment of the resulting decision support system when the system is applied in a rolling horizon setting and present some computational results. The results demonstrate that the MAS approach is appropriate for the cooperative transportation planning domain.     

On the limitations of software process assessment and the recognition of a required re-orientation for global process improvement

Through the years many techniques and tools have been tried and failed to deliver substantial global improvements to the software evolution process. The flavour of the early 1990s has been: attempted improvement using software process assessment methods such as CMM, BOOTSTRAP, etc. This paper represents a considerable and coherent critique of software process assessment as a process improvement driver, focusing on the concerns and perceived shortcomings present. A call is made to re-direct attention and resources towards understanding the true nature of software evolution and the software evolution process towards an adequate theory and practice for process improvement, all in order to save us from the computer. The important, possibly crucial role of feedback at many levels of the organizations that follow the processes that implement software development and maintenance is discussed. Utilizing some empirical findings in relation to software system evolution, it is suggested that the ignoring of feedback may be a major reason why the software process is so difficult to improve. It is argued that the clarification of such an important issue will help to achieve a significant step forward in process improvement, and through its exploitation, lead to significant improvements in quality, satisfaction and performance as well as more relevant education and training on process improvement.     

An interpretive model of occupational safety performance for Small- and Medium-sized Enterprises

Several conceptual models of Occupational Safety and Health and (OSH) performance have been proposed by researchers. However, these models are not fully exploitable by Small- and Medium-sized Enterprises' (SME) managers and entrepreneurs because they do not take into account the particular factors and the particular structure of the cause-to-effect chain of interactions characterizing all the relevant OSH factors and the safety performance of an SME, in an intervention-oriented way through a complete view of the issue. In the light of the above, this paper proposes a systemic, intervention-oriented model of safety performance specifically designed for the SMEs. The design of the model required the identification of all the OSH factors relevant for SMEs. Using a Focus group approach, these factors have been detailed into sub-factors and grouped into affinity areas. The sub-factors provide an operational definition of the factors, useful to assess the characteristics of the company and to identify possible single interventions, while the affinity areas allow an understanding of the main dimensions that a decision maker should consider in an intervention policy. Finally, using the Interpretive Structural Modeling technique, the affinity areas have been worked into a hierarchical structure, representing the cause-to-effect chain characterizing the safety performance of an SME.     

A safety shell for UML-RT projects structure and methods of the corresponding UML pattern

A safety shell pattern was defined based on a re-configuration management pattern and inspired by the architectural specifications in Specification PEARL. It is meant to be used for real-time applications to be developed with UML-RT as described. The implementation of the safety shell features as defined in Kornecki and Zalewski (Software Development for Real-Time Safety—Critical Applications. Software Engineering Workshop—Tutorial Notes, 29th Annual IEEE/NASA 03, pp 1–95, 2005), namely, its timing and state guards as well as I/O protection and exception handling mechanisms, is explained. The pattern is parameterised by defining the properties of its components as well as by defining the mapping between software and hardware architectures. Initial and alternative execution scenarios as well as the method for switching between them are defined. The goal pursued with the safety shell is to obtain clearly specified operation scenarios with well-defined transitions between them. To achieve safe and timely operation, the pattern must provide safety shell mechanisms for an application designed, i.e., enable its predictable deterministic and temporally predictable operation now and in the future.     

A simple model of driver behaviour to sustain design and safety assessment of automated systems in automotive environments

This paper proposes a structure for an “active” model of driver that enables to predict behaviour and performances in dynamic changing traffic conditions, with potential application both offline and online. A simple prototype of the system has been realised in software, and has been compared against observed data in a rudimentary validation. The comparison reveals that the software's outputs accord reasonably with the observed values, not only in terms of central tendency but also in terms of capability to predict the between-driver variability. The next step is to create a system capable of identifying driver characteristics and state from observed data. However, further research is needed in order to expand the model in several dimensions, primarily to represent more complex scenarios in the presence of advanced automation technologies.     

A geometric model for an effective rescheduling after reducing service in public transportation systems

Railway systems in metropolitan areas carry a high density of traffic daily, heterogeneously distributed, and exposed to the negative consequences derived from service disruptions. An interesting topic in the literature is to obtain performance protocols in the presence of contingencies which can affect the system operation, avoiding the propagation of perturbation and minimizing its consequences. The objective of this paper is to assess the decision of rescheduling the train service, reducing the current supply along one transportation line in order to reinforce the service of another line, exploited by the same public operator, which has suffered an incidence or emergency. A methodology, based on a geometric representation of solutions which allows the use of discrete optimization techniques, is developed in order to attend to the underlying demand with efficiency criteria in this context of unexpected incidents.     

基于改进的模糊层次分析法的信息系统安全态势评估模型

对已有的安全态势评估方法进行了详细分析和比较,针对现有态势评估方法中存在的主观随机性,结合信息系统规模庞大、结构复杂、信息交互频繁等问题,依据层次分析法AHP基本原理建立了信息系统安全态势评估指标体系。针对现有的模糊层次分析法FAHP存在的一致性问题,提出了新的一致性修正算法并将其应用到了安全态势评估中。另外,吸收了模糊综合评价方法 FCE计算态势值的技术,建立了一种新的安全态势评估模型—层次分析法-改进的模糊层次法-模糊综合评价法模型(AHP-IFAHP-FCE)。介绍了该模型的组成原理,给出了具体构成方法,描述了各个步骤的主要任务。实验结果表明,在信息系统安全态势评估方面,该模型比已有的模型更加有效、更加准确。     

A path analysis model of individual variables predicting safety behavior and human error: The mediating effect of situation awareness

Situation awareness is often argued to be an indicator of safety performance. Several factors may influence situation awareness that need to be identified and analyzed. This study investigated the influence of some variables on safety performance and examined the mediating effect of situation awareness. This study was conducted on 601 workers of different industries in Iran. All variables were measured via a multi-sectional questionnaire in a self-report manner. Path analysis modeling was used for data analysis. To measure the validity of the model, the RMSEA, CFI, and R² coefficients were employed. The results revealed that safety knowledge and sleepiness had significant direct and indirect effects on safety behavior and human error. Fatigue had only a mediating effect on safety behavior and error via situation awareness. Safety locus of control had only a mediating effect on human error through situation awareness. Whereas better safety knowledge and an internal safety locus of control could boost siaituation awareness, daily sleepiness and fatigue had significant, detrimental effects on situation awareness. These variables explained 38% of the variations in situation awareness. A proportion of the effect of personal variables on safety behavior and human error was mediated by situation awareness; thus, situation awareness is the direct cause of some safe behaviors and human errors.