Safety of embedded software

Traditional safety techniques were created 40-50 years ago for electro-mechanical systems. The underlying assumptions of these techniques about the cause of accidents (e.g., component failure) do not match software nor do they match the types of accidents we are having that are related to software. As a result, a large number of accidents are now related to software, although usually the pilot (for aircraft) or other human operators are blamed. Often, the software design leads to the operator errors. We will describe the problems with software that are leading to accidents (primarily in the requirements) and how to deal with them. Most of the current approaches rely on reducing "failures" although software does not fail. Something else is needed. In the tutorial we will present a new accident causality model (STAMP) and teach how to use a new hazard analysis technique (STPA) based on it that can be used on complex, software-intensive systems. The topics will include how to generate software safety requirements from an STPA hazard analysis and how to design software that does not induce human error. The tutorial will be based on a new book, Engineering a Safer World by Nancy Leveson and published in January 2012 by MIT Press.