CONFERENCE PROCEEDINGS OF REFEREED PAPERS

CONFERENCE PROCEEDINGS
OF
REFEREED PAPERS
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Proceedings of the Improving Systems and Software Engineering Conference (ISSEC)
Achieving the Vision
Canberra, 10-12 August 2009
Editor: Angela Tuffley
All papers contained in these Proceedings have been subjected to anonymous peer review by
at least two members of the review panel.
Publication of any data in these proceedings does not constitute a recommendation. Any
opinions, findings or recommendations expressed in this publication are those of the authors
and do not necessarily reflect the views of the conference sponsors. All papers in this
publication are copyright (but have been released for reproduction) by their respective authors
and/or organisations.
ISBN: 978-0-9807680-0-8
CONFERENCE SECRETARIAT
Eventcorp Pty Ltd
PO Box 3873
South Brisbane BC QLD 4101
AUSTRALIA
Tel: +617 3334 4460
Fax: +617 3334 4499
2
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
CONTENTS
ABSTRACTS AND BIOGRAPHIES
SYSTEMS ENGINEERING AND SYSTEMS INTEGRATION
THE EFFECT OF THE DISCOVERY OF ADDITIONAL WORK ON THE DYNAMIC
PROJECT WORK MODEL .................................................................................................................. 15
PETER A.D. BROWN, ALAN C. MCLUCAS, MICHAEL J. RYAN
LESSONS LEARNED FROM THE SYSTEMS ENGINEERING MICROCOSM SANDPIT..... 27
QUOC DO, PETER CAMPBELL, SHRAGA SHOVAL, MATTHEW J. BERRYMAN, STEPHEN COOK, TODD
MANSELL AND PHILLIP RELF
MAKING ARCHITECTURES WORK FOR ANALYSIS ................................................................ 37
RUTH GANI, SIMON NG
SYSTEMS ENGINEERING IN-THE-SMALL: A PRECURSOR TO SYSTEMS ENGINEERING
IN-THE-LARGE...................................................................................................................................... 49
PHILLIP A. RELF, QUOC DO, SHRAGA SHOVAL, TODD MANSELL, STEPHEN COOK, PETER CAMPBELL,
MATTHEW J. BERRYMAN
SOFTWARE ENGINEERING
REQUIREMENTS MODELLING OF BUSINESS WEB APPLICATIONS: CHALLENGES
AND SOLUTIONS .................................................................................................................................. 65
ABBASS GHANBARY, JULIAN DAY
DESIGN UNCERTAINTY THEORY - EVALUATING SOFTWARE SYSTEM
ARCHITECTURE COMPLETENESS BY EVALUATING THE SPEED OF DECISION
MAKING .................................................................................................................................................. 77
TREVOR HARRISON, PROF. PETER CAMPBELL, PROF. STEPHEN COOK, DR. THONG NGUYEN
PROCESS IMPROVEMENT
APPLYING BEHAVIOR ENGINEERING TO PROCESS MODELING....................................... 95
DAVID TUFFLEY, TERRY ROUT
SAFETY MANAGEMENT AND ENGINEERING
KEYNOTE ADDRESS AND PAPER
BRINGING RISK-BASED APPROACHES TO SOFTWARE DEVELOPMENT PROJECTS 111
FELIX REDMILL
MODEL-BASED SAFETY CASES USING THE HIVE WRITER................................................. 123
TONY CANT, JIM MCCARTHY, BRENDAN MAHONY AND KYLIE WILLIAMS
THE APPLICATION OF HAZARD RISK ASSESSMENT IN DEFENCE SAFETY
STANDARDS ......................................................................................................................................... 135
C.B.H. EDWARDS; M. WESTCOTT; N. FULTON
INTEGRATING SAFETY AND SECURITY INTO THE SYSTEM LIFECYCLE .................... 147
BRUCE HUNTER
WHAT CAN THE AGENT PARADIGM OFFER SAFETY ENGINEERING? .......................... 159
LOUIS LIU, ED KAZMIERCZAK AND TIM MILLER
COMPLEXITY & SAFETY: A CASE STUDY................................................................................. 171
GEORGE NIKANDROS
3
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Programme Committee and Peer Review Panel
Programme Chair
Angela Tuffley (Griffith University)
Systems Engineering Chair
Stephen Cook (DASI, University of South Australia)
Software Engineering Chair
Leon Sterling (University of Melbourne)
Systems Integration Chair
Todd Mansell (Defence Science & Technology Organisation)
Process Improvement Chair
Terry Rout (Software Quality Institute, Griffith University)
Safety Management and Engineering Chair
Tony Cant (Defence Science & Technology Organisation)
Committee and Review Panel Members
Wesley Acworth
Viviana Mascardi
Warwick Adler
Tariq Mahmood
Matt Ashford
Brendan Mahony
Judy Bamberger
Duncan McIntyre
Clive Boughton
Tafline Murnane
Peter Campbell
George Nikandros
David Carrington
Adrian Pitman
Quoc Do
Phillip A. Relf
Tim Ferris
Stephen Russell
Aditya Ghose
Mark Staples
Jim Kelly
Paul Strooper
Martyn Kibel
Kuldar Taveter
Peter Lindsay
Richard Thomas
4
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
ABSTRACTS AND BIOGRAPHIES
“The Effect of the Discovery of Additional Work on the Dynamic Project Work Model”
- Peter Brown
ABSTRACT
In their paper “Knowledge sharing and trust in collaborative requirements analysis”, Luis Luna-Reyes
et al built on the body of system dynamics knowledge to propose a model of project work that
demonstrates key dynamic elements of IT projects. By expanding the model to include additional
criteria, useful insights into the likely impact of work required to achieve essential project outcomes –
but not identified at the beginning of a project – can be derived.
Essential new work discovered during the course of a project increases a project’s scope, requiring replanning. In addition to the relatively straight-forward scope increase resulting from undiscovered
work, work discovered late in a project usually requires some of the work already completed
satisfactorily – particularly integration work, testing and sometimes design and fabrication – to be redone. Where scope changes resulting from these two impacts are significant, re-approval or even
project termination may result.
Organisations can use insights gained through application of the expanded model to improve initial
project planning and more effectively manage ‘unknowns’ associated with project scope.
BIOGRAPHY
In 2004, following a successful career in the RAAF, Peter joined KoBold Group, a rapidly growing
services and systems company recognised in both government and commercial sectors for innovative,
high quality systems solutions and implementations. Peter is currently part of the Customs project
team responsible for managing the Australian Maritime Identification System Program, a high profile,
national maritime security-related initiative. Peter teaches engineering management and systems
dynamics at UNSW (ADFA) in a part-time capacity and is currently enrolled in a research degree into
the system dynamics aspects of project management through the School of Information Technology
and Electrical Engineering.
“Lessons Learned from the Systems Engineering Microcosm Sandpit” – Quoc Do
ABSTRACT
Lessons learned can be highly valuable to engineering projects. They provide a means for systems
engineers to thoroughly investigate and anticipate potential project risks before starting the project.
Up-front analysis of the end-to-end process pays on-going dividends. This paper describes: 1) an
evolutionary Microcosm for investigating systems integration issues, fostering model-based systems
engineering research, and accelerating systems engineering education; 2) the lessons learned during
the first stage of the Microcosm development; 3) how these lessons learned have informed the design
and implementation of the Microcosm Stage Two. Interestingly, the lessons learned from the
Microcosm Stage One reflect many of the common lessons learned found in much larger industry
projects. This demonstrates the Microcosm Sandpit’s capability in replicating a wide range of systems
development issues common to complex systems. Thus it provides an ideal environment for systems
engineering education, training and research.
BIOGRAPHY
Dr. Quoc Do works at the Defence and Systems Institute (DASI), University of South Australia. He
completed his B.Eng, M.Eng and PhD at the University of South Australia in 2000, 2002 and 2006
respectively. His research interests are in the areas of mobile robotics (UAVs & UGVs), vision
systems, systems engineering and systems integration research and education, and model-based
systems engineering.
5
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
“Making Architectures Work For Analysis” - Ruth Gani
ABSTRACT
The Department of Defence mandates an architectural approach to developing and specifying
capability. According to the Chief Information Office Group, application of the Defence Architectural
Framework ‘enables ICT architectures to contribute to effectively acquiring and implementing
business and military capabilities, ensuring interoperability, and value for money and can be used to
enhance the decision making process’ . Architectural views form a component of the Operational
Concept Document for each major project within Defence. However, the utility of architectures is
often limited by poor appreciation of their potential to support design decisions.
In support of a key Defence capability acquisition project, the Defence Science and Technology
Organisation used project architectural data to support analysis of the risks associated with the
integration of the capability into the broader Defence Information Environment (DIE). Key to the
analysis were:
x transformation of the architectural data into an analytically tractable form;
x creation of a comprehensive database open to querying; and
x presentation of results in a manner meaningful to decision-makers.
Results were expressed in terms of the impact that poor compliance with accepted DIE standards
would have on the ability of the proposed system to conduct operational missions. The methodology
used provides a template for future effective analytical use of architectures—important if Defence is to
make best use of the architectural information required for each project. The study also highlights the
importance of building an architecture with a view to its purpose and touches on the challenges of
stove-piped architectural development.
BIOGRAPHY
Ruth Gani has worked for Defence Science Technology Organisation since 2001. She has been
involved in range of studies, including analysis to support capability acquisition, architecture
development and evaluation and technology trending.
“Systems Engineering In-The-Small: A Precursor to Systems Engineering In-TheLarge” - Phillip A. Relf
ABSTRACT
The teaching of the systems engineering process is made problematic due to the enormity of
experience required of a practising systems engineer. A ‘gentle’ project-based introduction to systems
engineering practice is currently being investigated under the Microcosm programme. The
Microcosm programme integrates a robotics-based system-of-systems, as the first stages in building a
systems engineering teaching environment. Lessons learnt have been collected from the Microcosm
Stage One project and the systems engineering processes, used during the project, have been captured.
This paper analyses the processes and lessons learnt, compares them against typical large-scale
Defence systems engineering projects, and discusses the lesson learnt captured by the systems
engineers who had been working in-the-small. While executing the case study it was found that the
lessons learnt which are known to industry, would have been militated against their occurrence by the
use of robust industrial systems engineering processes but that the Microcosm project schedule, with
these industrial processes, would have been exceeded. As the Microcosm Stage One project was
successfully completed, effort must now be expended to ensure that the participants understand the
limitations and strengths of systems engineering in-the-small procedures and also understand the
issues associated with the scaling up of the procedures.
BIOGRAPHY
Dr. Phillip Anthony Relf gained his PhD from the Engineering faculty of the University of
Technology, Sydney Australia. He has over three decades experience in large system integration, most
of which was gained while working in the Defence industry.
6
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
“Requirements Modelling of Business Web Applications: Challenges and Solutions” Abbass Ghanbary
ABSTRACT
The success of web application development projects greatly depend upon the accurate capturing of
the business requirements. This paper discusses the limitations of the current modelling techniques
while capturing the business requirements in order to engineer a new software system. These
limitations are identified by modelling the flow of information in the process of converting user
requirements to a physical system. This paper also defines the factors that influence the change in
business requirements. Those captured business requirements are then transferred into pictorial and
visual illustrations in order to simplify the complex project. In this paper, the authors define the
limitations of the current modelling techniques while communicating those business requirements with
various stakeholders. The authors in this paper also review possible solutions for those limitations
which will form the basis for a more systematic investigation in the future.
BIOGRAPHY
Abbass Ghanbary (PhD) has completed his PhD at the University of Western Sydney. Abbass is
focused on the issues and challenges faced by business integration modelling techniques, investigating
the improvements of the Web Services applications across multiple organisations. Abbass is also a
consultant in the industry in addition to his lecturing and tutoring in the university. He is a member of
Australian Computer Society and is active in attending various forums, seminars and discussion.
Abbass is also a committee member of the Quantitative Enterprise Software Performance (QESP)
association.
“DESIGN UNCERTAINTY THEORY - Evaluating Software System Architecture
Completeness by Evaluating the Speed of Decision Making” - Trevor Harrison
ABSTRACT
There are two common approaches to software architecture evaluation [Spinellis09, p.19]. The first
class of evaluation methods determines properties of the architecture, often by modelling or simulation
of one or more aspects of the system. The second, and broadest, class of evaluation methods is based
on questioning the architects to assess the architecture. This research paper details a third, more finegrained approach to evaluation by assuming an architecture emanates from a large set of design and
design-related decisions. Evaluating an architecture by evaluating decision making and decision
rationale is not new (see Section 3). The novel approach here is to base an evaluation largely on the
time dimensions of decision making. These time dimensions are (1) time allowed for architecting,
and (2) speed of architecting. It is proposed that progress of architecture can be measured at any point
in time. For example: “Is this project on track during the concept development stage of a system life
cycle?” The answer can come from knowing how many decisions should be expected to be finalised
at a particular moment in time, taking into account a plethora of human factors affecting the prevailing
decision-making environment. Though aimed at ongoing evaluations of large military software
architectures, the literature review for this research will examine architectural decisions from the
disciplines of systems engineering, information technology, product management and enterprise
architecture.
BIOGRAPHY
Trevor Harrison's research interests are in software systems architecture and knowledge management.
His background is in software development (real-time information systems), technology change
management and software engineering process improvement. Before studying full-time for a PhD, he
spent 6 years with Logica and 11 years with the Motorola Australia Software Centre. He has a
BSc(Hons) in Information Systems from Staffordshire University and an MBA (TechMgt) from La
Trobe University.
7
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
“Applying Behavior Engineering to Process Modeling” - David Tuffley
ABSTRACT
The natural language used by people in everyday life to express themselves is often prone to
ambiguity. Examples abound of misunderstandings occurring due to a statement having two or more
possible interpretations. In the software engineering domain, clarity of expression when specifying the
requirements of software systems is one situation where absence of ambiguity is important. Dromey’s
(2006) Behavior Engineering is a formal method that reduces or eliminates ambiguity in software
requirements. This paper seeks an answer to the question: can Dromey’s (2006) Behavior Engineering
reduce or eliminate ambiguity when applied to the development of a Process Reference Model?
BIOGRAPHY
David Tuffley is a Lecturer in the School of ICT at Griffith University, and a Consultant with the
Software Quality Institute since 1999. Before academia, David consulted in the computer industry for
17 years. Beginning in London in the 1980's as a Technical Writer, he progressed to business analysis
and software process improvement work. His commercial work has been in the public and private
sectors in the United Kingdom and Australia. David is currently doing postgraduate research on
developing a process reference model for the leadership of virtual teams.
8
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
KEYNOTE ADDRESS AND PAPER
“Bringing Risk-Based Approaches to Software Development Projects” - Felix Redmill
ABSTRACT
The history of software development is strewn with failed projects and wasted resources. Reasons for
this include, among others:
•
Failure to take an engineering approach, despite using the epithet ‘software engineering’;
•
Focus on process rather than product;
•
Failure to learn lessons and use them as the basis of permanent improvement;
•
Neglect to recognise the need for high-quality project management;
•
Reliance on tools to the exclusion of understanding first principles; and
•
Focus on what is required without consideration of what could go wrong.
If change is to be achieved, and software development is to become an engineering discipline, an
engineering approach must be embraced. This paper does not attempted to spell out the many aspects
of engineering discipline. Rather, it addresses the risk-based way of thinking and acting that typifies
the modern engineering approach, particularly in safety engineering, and it proposes a number of ways
in which a risk-based approach may be incorporated into the structure of software development.
Taking a risk-based approach means attempting to predict what undesirable outcomes could occur in
the future (within a defined context) and taking decisions – and actions – to provide an appropriate
level of confidence that they will not occur. In other words, it uses knowledge of risk to inform
decisions and actions. But, if knowledge of risk is to be used, that knowledge must be gained, which
means acquiring appropriate information.
In safety engineering, such an approach is essential because the occurrence of accidents deemed to be
preventable is not considered acceptable. (As retrospective investigation almost always shows how
accidents could have been prevented, this often gives rise to contention, but that’s another matter.) In
the security field, although a great deal of practice is carried out ad hoc, standards are now based on a
risk-based approach: identifying the threats to a system, determining the system’s vulnerabilities, and
planning to nullify the threats and reduce the vulnerabilities in advance.
However, in much of software development, the typical approach is to arrive at a product only by
following a specification of what is required. Problems are found and fixed rather than anticipated, and
consideration is seldom given to such matters as the required level of confidence in the ‘goodness’ of
any particular system attributes.
A risk-based approach carries the philosophy of predicting and preventing, and this is an asset both in
the development of products and the management of projects. This paper therefore proposes some first
steps in creating a foundation for the development of such an approach in software development and
project management. The next section briefly introduces the subject of risk, and this is followed by
introductions to two techniques, used in risk analysis, which are applicable in all fields and are
therefore useful as general-purpose tools. Subsequent sections offer thoughts on the introduction of a
risk-based approach into the various stages of software development projects.
It is hoped that the explanations offered in this paper are easily understandable, but they do not
comprise a textbook. Risk is a broad and tricky subject, and this paper does not purport to offer a full
education in it.
BIOGRAPHY
Based in London, UK, Felix Redmill is a self-employed consultant, lecturer and writer. His fields of
activity are the related subjects of risk and its management, safety engineering, project management,
software engineering, and the application of risk principles to other fields, such as software testing.
9
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
With a BSc in Electrical Engineering, he started work as a Computer Programmer and, thereafter, had
parallel careers in telecommunications and software engineering, as engineer and manager, for more
than 20 years prior to setting up his own consulting business. In the 1970s he attended Manchester
University on a bursary to do an MSc in Computation, and was seconded to Essex University to carry
out research into the stored program control of telephone exchanges. He has since conducted private
research into several subjects, including risk-based software testing. He gained experience in all
aspects of engineering, including maintenance, managed many system-development projects and, as
head of department, designed and led a number of quality-improvement campaigns.
He was the inaugurating Co-ordinator of the UK_ Safety-Critical Systems Club in 1991, organised
sixteen annual Safety-critical Systems Symposia, and still edits its newsletter, Safety Systems, which
is now in its eighteenth year.
Felix has been an invited lecturer at several universities in the UK and other countries in safety
engineering and management and in various aspects of software engineering and is an Honorary
Professor at Lancaster University. He has published and presented papers and articles on many
subjects, including telecommunications, computing, software engineering, project management,
requirements engineering, Fagan inspection, quality management, risk, safety engineering, the safety
standard IEC 61508, and engineering education. Some papers and articles have been published in
other languages: French, Spanish, Russian, Polish, Arabic, and Japanese. He has also written and
edited a number of books on some of these subjects, and has been invited to give keynote addresses in
the USA, Australia, India, Poland, Germany, as well as the UK.
He is a Chartered Engineer, a Fellow of both the Institution of Engineering and Technology and the
British Computer Society, and a Member of the Institute of Quality Assurance. He is currently active
in promoting professionalism among safety engineers, developing the profession of safety engineering
and helping to define its direction.
“Model-Based Safety Cases Using the HiVe Writer” - Tony Cant
ABSTRACT
A safety case results from a rigorous safety engineering process. It involves reasoned arguments,
based on evidence, for the safety of a given system. The DEF(AUST)5679 standard provides detailed
requirements and guidance for the development of a safety case. DEF(AUST)5679 safety cases
involve a number of highly inter-related documents; tool support is needed to manage the process and
to maintain consistency in the face of change. The HiVe Writer is a tool that supports structured
technical documentation via a centrally-managed datastore so that any documents created within the
tool are constrained to be consistent with this datastore and therefore with each other. This paper
discusses how the HiVe Writer can be used to support safety case development. We consider the
safety case for a fictitious Phased Array Radar Target Illuminator (PARTI) system and show how the
HiVe Writer can support hazard analysis for the PARTI system.
BIOGRAPHY
Tony Cant currently leads the High Assurance Systems (HAS) Cell in DSTO’s Command, Con¬trol,
Communications and Intelligence Division. His work focuses on the development of tools and
techniques for providing assurance that critical systems will meet their requirements. Tony has also
led the development of the newly published Defence Standard DEF(AUST)5679 Issue 2, entitled
“Safety Engineering for Defence Systems”.
Tony obtained a BSc(Hons) in 1974 and PhD in 1979 from the University of Adelaide, as well as a
Grad Dip in Computer Science from the Australian National University (ANU) in 1991. He held
research positions in mathematical physics at the University of St Andrews, Tel Aviv University, the
University of Queensland and the ANU. He also worked in the Common¬wealth Department of
Industry, Technology and Commerce in science policy before joining DSTO in 1990.
10
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
“The Application of Hazard Risk Assessment in Defence Safety Standards” - C.B.H.
Edwards
ABSTRACT
Hazard Risk Assessment (HRA) is a special case of Probabilistic Risk Assessment (PRA) and
provides the theoretical basis for a number of safety standards. Measurement theory suggests that
implicit in this basis are assumptions that require careful consideration if erroneous conclusions about
system safety are to be avoided. These assumptions are discussed and an extension of the HRA
process is proposed. The methodology of this extension is exemplified in recent work by Jarrett and
Lin. Further development of safety standards and the possibility of achieving a harmonization of the
different approaches to assuring system safety are suggested.
BIOGRAPHY
Christopher Edwards is a Senior Systems Safety Analyst. Prior to joining Defence in 1979 Chris was a
member of the CSIRO's Division of Mathematics and Statistics where he worked as a consultant
statistician. Chris has over 15 years experience in the management and development of safety-critical
software intensive systems. Since retiring in 2001 he has been contracted as the Safety Evaluator for a
number of defence systems which have involved the use of Def(Aust)5679 as the safety standard.
Chris is currently the Treasurer of the Australian Safety Critical Systems Association (aSCSa) and sits
on the executive committee of that organisation.
“Integrating safety and security into the system lifecycle” - Bruce Hunter
ABSTRACT
We live in a brave new world where Information Security threats emerge faster than control
mechanisms can be deployed to limit their impact. Information Security is not only an issue for
financial systems but has greater risks for control systems in critical infrastructure, which depend not
only on their continued functionality, but also on the safety of their operation.
This new dimension to the dependability of systems has been recognised by some safety and security
standards but not much has been done to ensure the conflicting requirements and measures of security
and safety are effectively managed.
Conflicts in the implementation of safety and security aspects of systems arise from the differing
values and objectives they are to achieve. Neglecting the relationship between functional, safety and
security issues can lead to systems that are neither functional, safe or secure.
This paper proposes an integrated model to ensure the safety and security requirements are effectively
treated throughout the system lifecycle, along with functional and performance elements, maintaining
ongoing compatibility between their individual objectives.
BIOGRAPHY
Bruce Hunter ([email protected]) is the Quality and Business Improvement Manager
for the Security Solutions & Services and Aerospace divisions of Thales Australia. In this role Bruce
is responsible for product and process assurance as well as the management of its reference system and
its improvement.
Bruce has a background in IT, systems and safety engineering in the fire protection and emergency
shutdown industry and has had over 30 years of experience in the application of systems and software
processes to complex real-time software-based systems.
Bruce is a contributing member of Standards Australia IT6-2 committee, which is currently reviewing
the next edition of the IEC61508 international functional safety standards series. Bruce is also a
Certified Information Security Manager and Certified Information Systems Auditor.
11
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
“What can the agent paradigm offer safety engineering?” - Tim Miller
ABSTRACT
A current trend in safety-critical applications is towards larger, more complex systems. The agent
paradigm is designed to support the development of such complex systems. Despite this, agents are
having minimal impact in safety-critical applications.
In this paper, we investigate how the agent paradigm offers benefits to traditional safety engineer¬ing
processes. We demonstrate that concepts such as roles, goals, and interactions narrow that gap
between engineering and safety analysis, and provide a natural mechanism for managing re-analysis
after change. Specifically, we investigate the use of HAZard and OPerability studies (HAZOP) in
agent-oriented software engineering. This offers a first step towards broadening the scope of systems
that can be analyzed using agent-oriented concepts.
BIOGRAPHY
Tim Miller is a lecturer in the Department of Computer Science and Software Engineering at
University of Melbourne. Tim completed his PhD at the University of Queensland before taking up a
four-year postdoctoral research position at the University of Liverpool, UK, where he worked on the
highly successful PIPS (Personalised Information Platform for Life and Health Services). Tim's
research interests include agent-oriented software engineering, models of multi-agent interaction,
computational modelling & analysis of complex systems, and software testing.
“Complexity & Safety: A Case Study” - George Nikandros
ABSTRACT
Despite correct requirements, competent people, and robust procedures, unsafe faults occasionally
arise. This paper reports on one such incident; one that involves a railway level crossing. Whilst the
direct cause of the failure was defective application contol data, it was a defect that would be difficult
to foresee and if foreseen, to test for.
A sequel to this failure is the sequence of events to correct the defect. In the haste to correct the defect,
another unsafe failure was introduced.
BIOGRAPHY
George is an electrical engineer with some 30 years experience in railway signalling. George is
chairman of the Australian Safety Critical Systems Association. George has published papers, is
accredited as the author of a Standards Australia Handbook “Safety Issues for Software” and a coauthor of the book “New Railway Environment – A multi-disciplinary business concept”. George
represents the Australian Computer Society on the Engineers Australia/ Australian Computer Society
Joint Board in Software Engineering. George is a Chartered Member of Engineers Australia, a Fellow
of the Institution of Railway Signal Engineers, and a Member of the Australian Computer Society.
12
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
SYSTEMS ENGINEERING
AND
SYSTEMS INTEGRATION
13
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
This page intentionally left blank
14
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
THE EFFECT OF THE DISCOVERY OF ADDITIONAL
WORK ON THE DYNAMIC PROJECT WORK MODEL
Peter A.D. Brown, Alan C. McLucas, Michael J. Ryan
ABSTRACT
In their paper “Knowledge sharing and trust in collaborative requirements analysis”,
Luis Luna-Reyes et al built on the body of system dynamics knowledge to propose a
model of project work that demonstrates key dynamic elements of IT projects. By
expanding the model to include additional criteria, useful insights into the likely
impact of work required to achieve essential project outcomes – but not identified at
the beginning of a project – can be derived.
Essential new work discovered during the course of a project increases a project’s
scope, requiring re-planning. In addition to the relatively straight-forward scope
increase resulting from undiscovered work, work discovered late in a project usually
requires some of the work already completed satisfactorily – particularly integration
work, testing and sometimes design and fabrication – to be re-done. Where scope
changes resulting from these two impacts are significant, re-approval or even project
termination may result.
Organisations can use insights gained through application of the expanded model to
improve initial project planning and more effectively manage ‘unknowns’ associated
with project scope.
BACKGROUND
Project Work Model
In their paper “Knowledge sharing and trust in collaborative requirements analysis”,
Luis Luna-Reyes, Laura J. Black, Anthony M. Cresswell and Theresa A. Pardo
(Luna-Reyes et al. 2008) built on the body of system dynamics knowledge to propose
a model of system development project work that demonstrates key dynamic elements
of IT projects. Their model is represented in Figure 1 below, modified only to observe
current stock-and-flow diagramming conventions (McLucas 2003), (Sterman 2000),
(Coyle 1996).
The authors’ intend to further develop the model proposed by Luna-Reyes et al to
facilitate a systemic examination of the dynamic structure and characteristics of
projects and their effects on projects’ performance and outcomes. This paper will
examine the effects of discovering additional work after a project starts on that
project’s performance. It is intended to be the first in a series of papers examining
projects’ dynamic behaviour, eventually leading to improved investment decisionmaking.
15
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Figure1:RepresentationofLunaReyesDynamicProjectWorkModel(LunaReyesetal.2008)
The Luna-Reyes Stock-and-Flow diagram shows that, of an amount of work to be
done, some is done correctly and some is flawed and must be reworked. It also shows
that of the re-work undertaken, a proportion is likely to contain flaws and require reworking yet again.
In addition to a parameter Error Fraction that represents the probability of doing work
incorrectly, Luna-Reyes et al recognise three highly aggregated parameters that
influence the behaviour of the model: Concreteness, Transformability and Learningby-Doing. It is the interaction of these parameters with the other elements of a
project’s structure that causes the changes over time that can be so difficult to manage
effectively and that impact so significantly on project outcomes. An understanding of
these parameters is crucial to the development of a valid model for use in simulating
project dynamic behaviour and performance. An improved appreciation of the
influences of the key parameters may be gained from the influence diagram in
Figure 2 below.
Figure2:Influencediagram–DynamicProjectWorkModelbasedonworkbyLunaReyesetal
16
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Concreteness
In their paper, Luna-Reyes et al examine the efficacy of requirements identification
and definition in a collaborative project environment. In doing so, they define
Concreteness as the ‘specificity’ of representations elicited during cross-boundary or
trans system interface work on requirements discovery. However, in the more general
context of dynamic project work modelling, Concreteness could be better interpreted
as those representations that depict the extent to which the mechanisms and
interrelationships influencing a system are understood in terms of their potential to
contribute to or impede achievement of desired outcomes. In other words,
Concreteness is a picture of how visible key stakeholders’ wants and needs are to the
organisation or organisations developing a specific system or solution, how far apart
those various needs are and what constraints (dependent and independent, exogenous
and endogenous) help make up the specific development environment.
Factors influencing concreteness may include, inter alia:
x the maturity and worldliness of stakeholder organisations;
x how clearly each stakeholder organisation understands their own and other
stakeholders’ needs and desired project outcomes;
x the validity and completeness of, and the disparity between, organisations’
mental models of the system development environment and desired project
outcomes; and
x the specificity and tangibility of such understanding to organisations’ abilities
to convert ‘understanding’ to ‘achievement’.
In the model, ‘Concreteness’ is applied directly to the Rate of Doing New Work
Correctly, the Rate of Doing New Work Incorrectly and the Rate of Discovering
Rework.
Transformability
Luna-Reyes et al define ‘Transformability’ as the likelihood that an organisation or
actor is able to recognise deficiencies in concreteness representations and define and
successfully apply the corrective actions needed (Luna-Reyes et al. 2008). In a more
general sense, Transformability is the ability to recognise deficiencies in requirements
and take action to correct them.
Ǯ”ƒ•ˆ‘”ƒ„‹Ž‹–›ǯ‹•ƒ’’Ž‹‡†–‘–Š‡ƒ–‡‘ˆ‘‹‰‡™‘”…‘””‡…–Ž›ƒ†–Š‡ƒ–‡
‘ˆ‘‹‰‡™‘”…‘””‡…–Ž›Ǣ‹–‹•‘–ƒ’’Ž‹‡†–‘–Š‡—†‡”–ƒ‹‰‘ˆǮ‡™ǯ™‘”Ǥ
Learning by doing
‘Learning-by-Doing’ is a parameter that represents the level of knowledge of
stakeholders’ needs and desired outcomes, including knowledge of effective ways of
achieving those outcomes. Learning-by-Doing as an output parameter only,
influenced by the Rate of Doing New Work Correctly, the Rate of Doing Rework
Correctly and the Rate of Discovering Rework.
17
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Error Fraction
As indicated above, Error Fraction is the probability that the outcome of work
attempted will be incorrect or faulty, and it relates to how difficult specific work is to
the organisation or organisations undertaking that work. Error Fraction applies to all
rates in the model except the Rate of Discovering Rework.
Parameter definitions
Currently, apart from the context-constrained definitions of the key model parameters
offered by Luna-Reyes et al, there is little other than empirical evidence and logical
thinking to support several of the definitions above. For now it seems appropriate to
define the parameters and their relationships with each other using a ‘black box’
approach. In doing so, key parameters can be defined in terms of their inputs and
outputs, what elements of the model they influence and to what extent they do so. The
authors offer the modified definitions of ‘Concreteness’ ‘Transformability’ and
‘Learning-by-Doing’ hypothesised above more in response to a need for these
definitions to effectively model projects than to any mathematical proof or agreed
definition of the terms.
It should be noted that the key parameters (especially ‘Transformability’ and
‘Concreteness’) are likely to influence the various rates in the model in different ways
and to different extents. A parameter may have a negligible influence on some rates
for some projects and a massive influence on others. Furthermore, a parameter might
only influence a subset of the domain of causes of a rate’s variations, not the whole
domain. The nature of the key parameters ‘Concreteness’, ‘Transformability’ and
‘Learning-by-Doing’ and their relationships with other project parameters requires
further research and will be addressed in future papers.
How the basic model works
In the basic model at Figure 1, work is done for as long as the stock KNOWN NEW
WORK remains greater than zero. New work is undertaken at a certain rate which
may vary over time, and will result either in work done correctly at a rate influenced
by the rate factor ‘(1-Error Fraction)’, accumulating in the stock WORK DONE
CORRECTLY, or work done incorrectly at a rate influenced by the rate factor ‘Error
Fraction’, accumulating in the stock UNDISCOVERED REWORK. The need for
rework is discovered gradually, and work transfers from UNDISCOVERED
REWORK to KNOWN REWORK at the rate the need for rework is discovered. The
discovery of rework is influenced by Concreteness. The better requirements are
understood, the more likely and more quickly deficiencies will be recognised. Known
Rework is then processed, influenced by the Error Fraction and Transformability and
flows either to WORK DONE CORRECTLY or back to UNDISCOVERED
REWORK.
It is important to note that in an actual project, stakeholders do not have visibility of
accumulating UNDISCOVERED REWORK, believing instead that this work has
accumulated as WORK DONE CORRECTLY. Stakeholders only recognise the
requirement for rework as requirements thought to be met are found not to be. In the
model, recognition causes flawed work to flow from UNDISCOVERED REWORK
to KNOWN REWORK at the rate the need for rework is discovered, but in real life,
18
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
stakeholders are likely to visualize rework flowing from WORK DONE
CORRECTLY to KNOWN REWORK.
Issues with the basic model
Most project management methodologies in use today place heavy emphasis on
adequately defining requirements prior to solution development and implementation.
While this optimal outcome is possible in some circumstances where a project’s field
of endeavour is well travelled and relatively straightforward, it is rarely the case for
complex projects. This is particularly so for ‘green field’ endeavours where the
system being developed will be the initial system and developers must do without a
bottom-up view of the business needs. It may also be the case in circumstances where
businesses’ strategic, operational and working level plans require substantial
development or re-development. Likewise, in cases when substantial organisational
change will be required to fully utilise the capability a solution provides, it may not be
possible to develop a mature set of requirements prior to the commencement of
system development. These realities have been demonstrated on many occasions and
are the reason that more complex system life cycle models such as evolutionary
acquisition and spiral development were conceived and are in extensive use today.
Given that requirements often cannot be comprehensively and accurately established
prior to complex system design, development and in some cases, construction and
implementation, it should be recognised that requirements must continue to be
elaborated as projects proceed. Consequently, new work will nearly always be
discovered over the life of a project, including after the time requirements
development activities were scheduled to be complete. Therefore – referring to the
model – KNOWN NEW WORK will not always be the known quantity it ideally
should be, but will continue to vary over the life of a project every time new work is
discovered.
Adapting the Model
If we are to examine the effects of additional work discovered after a project has
commenced, the basic Luna-Reyes model must be modified by the addition of
elements representing the discovery of new work. An influence diagram for the
modified model is shown in Figure 3 below.
19
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Figure3:Influencediagramaccountingfordiscoveryofnewworkafterprojectcommencement
The new model shows that as additional new work is discovered over the duration of
a project, the value of KNOWN NEW WORK increases. Additionally, the discovery
of new work will often require some of the work already done correctly (WORK
DONE CORRECTLY) to be redone, increasing the project’s rework (KNOWN
REWORK) as a result. Even more distressingly, the discovery of new work after a
project has commenced sometimes makes work already completed and accepted
redundant. A stock-and-flow representation of the adapted model is shown below in
Figure 4.
Figure4:StockandFlowDiagramDynamicProjectWorkModelmodifiedtoaccountfornewwork
afterprojectcommencement
Because ‘Learning by Doing’ is an output parameter and it is not of central interest to
this discussion, it can be removed from the model for the purposes of this study
without affecting the validity of simulation results.
20
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Perfect Project
In order to establish a project performance baseline against which other variations and
enhancements may be compared, the key parameters ‘Concreteness’,
‘Transformability’ and ‘Error Fraction’ are given values that will equate to a ‘perfect’
project. Also, in a perfect project, no additional work would be discovered. To
achieve this, the value for Error Fraction was set and maintained at zero to represent
no errors and the values for Transformability and Concreteness were set and
maintained at 100%. For the perfect project, the value of additional work discovered
was also set to zero.
As a result of these changes, it is possible to simplify the model further for this special
case only (see Figure 5 below).
Figure5:InfluenceDiagramof'perfect'DynamicProjectWorkModel
The stock-and-flow diagram for this ‘perfect’ model is shown below in Figure 6. It is
the same as that in Figure 4 but because there are no errors, no undiscovered new
work and ‘Transformability’ and ‘Concreteness’ have values of 1, only the top part of
the basic model is used.
Figure6:StockandFlowDiagramof'Perfect'DynamicProjectWorkModel
21
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
MODEL BEHAVIOUR
Assumptions and constraints
When examining a model’s behaviour, it is first necessary to understand the
assumptions and constraints built into it. Firstly, major projects are usually developed
in phases and stages. This model examines one phase/stage only and does not
consider inter-stage influences in the analysis of project performance.
The discovery of new work is assumed to occur in very small increments and is
treated as continuous for the purposes of this study. In real life, discovery of
additional work is likely to occur in discrete parcels; further research on the way new
work is discovered after a project has begun is required and will be addressed in
future papers.
In the model, for this study, the rates at which new work is undertaken (correctly and
incorrectly), the rate at which rework is discovered and the rate at which rework is
undertaken (correctly and incorrectly) are held constant. In real life (and in future
research), rates will vary over the life of a project.
The parameter values used in this model were selected as reasonable values to start
with based on the authors’ experience. They will be subject to more rigorous research
and analysis in the near future.
In setting parameter values, it was assumed that the amount of additional work
discovered after a project has commenced (UNDISCOVERED NEW WORK) is
related to the complexity of the system being developed and the environment it is
being developed in. Therefore a parameter representing an aggregation of influences
loosely titled ‘complexity’ was adopted and expressed as a fraction of the project’s
initially known new work. It was also recognised that the position on a project’s time
line when additional work was discovered (represented in the model as the Rate New
Work Discovered) might be just as relevant to project performance as the amount of
additional work discovered. For consistency, the rate new work is discovered was
based on the rate at which KNOWN NEW WORK is processed. Finally, the rates at
which new work discovered caused work already completed and accepted (WORK
DONE CORRECTLY) to be reworked or to become redundant was set to a fraction
of the rate of discovery of the additional work (Rate New Work Discovered).
Project performance baseline
Initially, the model was set up as a ‘perfect’ project comprising 2000 tasks with zero
errors, Concreteness and Transformability set at 100% and no additional work
discovered. The duration for the ‘perfect’ project was 200 days.
The effect of additional work on project performance
Based on the assumptions and constraints above, three test cases each containing three
scenarios were constructed.
22
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Table1:DPWMmodellingcases
Test
Case
Scenario
Rate of Discovery of Additional Work
Complexity
No additional work
Not applicable
a
Slow Discovery Rate = 0.1 * rate of
doing new work
Simple (5% of Initial Known New
Work)
b
Slow Discovery Rate = 0.1 * rate of
doing new work
Complex (25% of Initial Known New
Work)
c
Slow Discovery Rate = 0.1 * rate of
doing new work
Very Complex (50% of Initial
Known New Work)
a
Medium Discovery Rate = 1 * rate of
doing new work
Simple (5% of Initial Known New
Work)
b
Medium Discovery Rate = 1 * rate of
doing new work
Complex (25% of Initial Known New
Work)
c
Medium Discovery Rate = 1 * rate of
doing new work
Very Complex (50% of Initial
Known New Work)
a
Fast Discovery Rate = 2 * rate of doing
new work
Simple (5% of Initial Known New
Work)
b
Fast Discovery Rate = 2 * rate of doing
new work
Complex (25% of Initial Known New
Work)
c
Fast Discovery Rate = 2 * rate of doing
new work
Very Complex (50% of Initial
Known New Work)
0
1
2
3
A plot of the test case results is shown in Figure 7 below.
23
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
ƒ•‡Ž‹‡
Figure7:Effectofadditionalworkonprojectperformance1
The model was designed to simulate work already completed and accepted that
required rework or was made redundant as a result of the discovery of additional
work. Arbitrary values of 10% of the rate at which new work discovered made work
already completed redundant and 20% for the rate at which completed work had to be
reworked were selected. The values for total redundant and reworked tasks are shown
in Table 2 below.
Table2:Workmaderedundantorrequiringreworkduetodiscoveryofnewwork
Complexity
Completed
work
(% of Initial redundant (Tasks)
Known Work)
made Completed work
rework (Tasks)
5%
10
20
24%
50
100
50%
100
200
requiring
Discussion
Predictably, the plot shows that the addition of new work will extend project duration
for all test cases. It also shows that for the slower rate of discovery and more complex
ͳŠ‡†‹•’Žƒ›ˆ‘”–Š‡ƒ•–†‹•…‘˜‡”›”ƒ–‡‘˜‡”Ž‹‡•–Šƒ–ˆ‘”‡†‹—
24
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
projects, duration may be extended because not all the new work is discovered before
the known new work is completed. In reality, that situation would not normally arise,
but there have been instances of projects that haven’t stopped due to the continued
addition of new work.
The absolute values for work made redundant or requiring re-work due to the
discovery of additional work are relatively small; however, if you consider the data in
the context that a project was approved on the basis that it would take 200 days to
complete and that due to additional work, that duration increased to 300 days of
which more than 20 days work had to be re-done and over 10 days work could not be
used, the impact becomes significant.
The significance of the discovery of additional work will vary from project to project
depending on what effort and resources are required to undertake the work, how those
resources are allocated and how large an impact the additional work has on work
already completed. It is generally appreciated, though, that the later in a project
changes are introduced, the greater the impact they are likely to have on work already
completed and overall project cost.
Conclusions
This paper builds on the body of systems dynamic and project management work in
proposing an improved model for examining the dynamic behaviour of projects in
relation to performance and outcomes. Even in its current basic form, the model
provides useful insights into the ways the discovery of additional work over a
project’s life affects project performance.
It is not always possible, particularly for complex projects, to comprehensively map
and define project requirements prior to system design and development. From
experience and the preliminary modelling results outlined in this paper, it is likely that
a project’s performance will be sensitive to the discovery of additional work after
commencement, causing not only significant schedule and cost over-runs but also
unanticipated rework and sometimes even a portion of work completed to become
nugatory and be discarded.
Future work
Further research into the nature of new work, how it is discovered and how sensitive
project duration is to the time it takes to replan, accommodate and deal with
additional work is required, as is improved definition of key dynamic project
parameters including Error Fraction, Concreteness, Transformability and Learningby-Doing followed by analysis of their influence on project performance and
outcomes. Future research will build on the modest start described in this paper,
resulting (it is hoped) in a more effective means of managing dynamic project and
program risk.
25
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Bibliography
„†‡ŽǦƒ‹†ǡǡƒ†–—ƒ”–ƒ†‹…ǤSoftwareProjectDynamicsAnIntegrated
Approach.’’‡”ƒ††Ž‡‹˜‡”ǡ‡™‡”•‡›ǣ”‡–‹…‡ƒŽŽǡͳͻͻͳǤ
‘›Ž‡ǡǤ
ǤSystemDynamicsModellingAPracticalApproach.‘ŽǤͳǤͳ˜‘Ž•Ǥ
‘†‘ǣŠƒ’ƒƬƒŽŽȀǡͳͻͻ͸Ǥ
—ƒǦ‡›‡•ǡ—‹•Ǥǡƒ—”ƒǤŽƒ…ǡ–Š‘›Ǥ”‡••™‡ŽŽǡƒ†Š‡”‡•ƒǤƒ”†‘Ǥ
Dz‘™Ž‡†‰‡•Šƒ”‹‰ƒ†–”—•–‹…‘ŽŽƒ„‘”ƒ–‹˜‡”‡“—‹”‡‡–•ƒƒŽ›•‹•ǤdzSystem
DynamicsReviewȋ‘Š‹Ž‡›Ƭ‘•–†ȌʹͶǡ‘Ǥ͵ȋƒŽŽȌȋ‘˜‡„‡”ʹͲͲͺȌǣʹ͸ͷǦ
ʹͻ͹Ǥ
…—…ƒ•ǡŽƒǤDecisionMaking:RiskManagement,SystemsThinkingand
SituationAwareness.ƒ„‡””ƒǡǣ”‰‘•”‡••ǡʹͲͲ͵Ǥ
–‡”ƒǡ‘ŠǤBusinessDynamics:SystemsThinkingandModellingfora
ComplexWorld.‘•–‘ǡƒ••ƒ…Š—•‡––•ǣ”™‹…
”ƒ™‹ŽŽǡʹͲͲͲǤ
‘Ž•–‡Š‘Ž‡ǡ”‹…ǤSystemEnquireyASystemDynamicsApproach.
Š‹…Š‡•–‡”ǡ‡•–—••‡šǣ‘Š‹Ž‡›Ƭ‘•–†ǡͳͻͻͲǤ
26
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Lessons Learned from the
Systems Engineering Microcosm Sandpit
Quoc Do, Peter Campbell, Shraga
Shoval, Matthew J. Berryman,
Stephen Cook,
Todd Mansell and Phillip Relf
Defence Science and Technology
Organisation,
Edinburgh, South Australia.
Ph. +61 8 8259 7566
Email: todd.mansel, phillip.relf
{@dsto.defence.gov.au}
Defence and Systems Institute,
University of South Australia,
Mawson Lakes Campus, SA
Ph. +61 8 8302 3551
Email: quoc.do, peter.campbell,
shraga.shoval, matthew.berryman,
stephen.cook {@unisa.edu.au}
Abstract
Lessons learned can be highly valuable to engineering projects. They provide a means for
systems engineers to thoroughly investigate and anticipate potential project risks before
starting the project. Up-front analysis of the end-to-end process pays on-going dividends.
This paper describes: 1) an evolutionary Microcosm for investigating systems integration
issues, fostering model-based systems engineering research, and accelerating systems
engineering education; 2) the lessons learned during the first stage of the Microcosm
development; 3) how these lessons learned have informed the design and implementation of
the Microcosm Stage Two. Interestingly, the lessons learned from the Microcosm Stage One
reflect many of the common lessons learned found in much larger industry projects. This
demonstrates the Microcosm Sandpit’s capability in replicating a wide range of systems
development issues common to complex systems. Thus it provides an ideal environment for
systems engineering education, training and research.
INTRODUCTION
The Microcosm program was established by the University of South Australia, and the
Defence Science and Technology Organisation in 2006, to foster research, training and
education in systems engineering, with a particular focus on conducting research into better
understanding of how to manage the issues of system integration that arise in the
development of large system of systems projects. These issues are described succinctly in
(Norman and Kuras, 2006), for example, and are understood to arise from multiple causes.
One of the most important sources of systems integration difficulty is caused by the need to
assemble these systems from a number of different systems that have often been designed and
built for different purposes, by different manufacturers, and to operate in different
environments from those expected in the new system of systems. The Microcosm program
has been deliberately designed to mimic this situation on a small scale, in order that the same
type of issues will occur and research and teaching of these issues can be carried out in a
small and manageable environment.
27
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
The Microcosm program is executed in multiple stages that adopt the Spiral Development
Model. Stage One of the Microcosm development project has been completed, with the
identification of over 30 lessons learned, which have strong parallels with those that arise in
real projects. This first stage was carried out with the following inadequate planning and
management characteristics that are often reflected in real projects:
a.
b.
c.
d.
Unclear and shifting requirements,
A tight schedule and very tight funding,
Inadequate systems engineering and project management planning,
Development based on components supplied by a number of different
manufacturers, causing numerous interface issues, and
e. Inadequate understanding of the possible environmental effects on the system’s
performance.
Both governments and industries have recognized the need to document and apply the
knowledge gained from past experience to support current and future projects in order to
avoid the repetition of past failures and mishaps and the promotion of successful practices.
Traditionally lessons learned are associated with failures, and involving the loss of valuable
resources. However, project successes can and should also be recorded as lessons learned.
These lessons are generally stored and maintained in a database and regarded as a valuable
resource for rectifying causes of failure, or informing decision makings that are likely to
improve future performance.
One of the valuable systems engineering products generated from the Microcosm Stage One
is a lessons learned database. Many lessons learned databases that have been built in the past
have ended up in total neglect within a short time because they did not provide potential
future users with easy access or the cues to promote their use. The Microcosm lessons learned
database is intended to be an interactive living database to provide continuous support to the
project into improved practices of systems engineering, and address systems integration
issues as well as the use of Microcosm systems engineering process products for education
purposes. This paper gives a brief description of stage one of the Microcosm project, and then
discusses the lessons learned during its development, how they have informed the execution
of the second stage of the project and the database design to make them available on the
project Wiki.
MICROCOSM PROGRAM
The Microcosm program is aimed at developing an evolutionary facility, namely the
Microcosm Sandpit, which will expand in capability to meet the wider and longer-term
requirements of its stakeholders by adopting the Spiral development model as described in
(Buede, 2000). It is essentially an open-ended project with multiple stages, where each stage
will enhance existing capabilities as well as develop new capabilities to meet the growing
needs of stakeholders. It resembles the evolutionary nature of military systems upgrades on a
much smaller scale. This is a challenge for the traditional systems engineering paradigm,
since the systems engineering process is usually taught and largely practiced using a linear
system development process (ie., the Waterfall model), unsuited to deal with evolving
systems.
28
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
The Microcosm Sandpit provides a flexible means to explore systems engineering practices
within a facility that utilises real and simulated autonomous systems operating and interacting
with humans, the physical and the simulated environments. The evolving Microcosm Sandpit
fosters systems engineering practices in both research and teaching environments.
Essentially, it provides a systems engineering and systems integration environment to be used
by stakeholders to stage demonstrations, conduct experiments, train staff, and to evaluate
systems configuration and operation. The Microcosm programme has six defined use-cases:
Simulation/Stimulation: Investigation of the interactions between a mixture of models
and physical hardware in real-time and simulated scenarios, including hardware in the
loop, simulation architectures and plug-and-play hardware and software.
Human Agent-Based Modelling for Systems Engineering: Development of human
operational models and interfaces in scenarios based on teaming agents, human
replacement agents, socio-technical models, and research into the insertion of data
and image files into an OPNET Modeller.
Modelling, Simulation and Performance Analysis: Development of object oriented
modelling of system devices, and statistical modelling of captured real-life data.
Autonomous Vehicles Research: Investigation of swarming robots, cooperative robots,
dynamic task allocation, robustness and reliability, and combined communication and
localisation.
Systems Engineering Approach to Evolving Model Development: Investigation of
SE–lifecycle models, evolving agents, platforms and environments, and the transition
from low to high fidelity models.
Systems Enhancement Research: System analysis, system parameterisation,
optimisation, algorithm development, kit development, and research into HumanComputer Interfaces (HCI).
Microcosm Stage One Architecture
The Microcosm programme high-level architecture has three distinct parts (Mansell et al.,
2008): the Microcosm Information Management System (MIMS), the Modelling and
Simulation Control System (MASCS), and the Microcosm Physical System (MPS),
illustrated in Figure 1. The MIMS is an integrated information management system that
stores all the systems engineering products associated with the project through each spiraldevelopment cycle. The MASCS is a simulation and control subsystem that contains
synthetic models of Microcosm’s components including environment models, simulated
autonomous vehicles, and a suit of onboard and off-board sensors models. In addition, the
system provides the capability for hardware-in-the-loop (HIL) simulation through the use of a
common interface between simulated and physical components that provides seamless
interactions between these components in a given operational scenario. Finally, the MPS
consists of all the physical components of the Microcosm facility, including the autonomous
robotic vehicles, external sensors and external environments.
Microcosm Stage One Implementation
The Microcosm Stage One operational scenario consists of two unmanned ground vehicles
(Pioneer 3DXs), and a fixed global external sensor: SICK LMS 291 laser sensor as shown in
29
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Figure 2(a). Each mobile robot has an on-board laptop, vision sensor, ultrasonic sensor, laser
sensor and wheel encoders. The global sensors are used for intruder detection (i.e. a person),
which send notification to the two mobile robots to intercept, assess, perform threat
mitigation or neutralize the intruder. In addition to the physical components, synthetic models
have been developed for the P3DXs, laser sensors, ultrasonic sensor, vision sensors, and the
operating environment. This provides the flexibility to run scenarios using only physical
systems, synthetic models alone or a combination of real components and synthetic models.
Also it provides a powerful environment to explore systems integration issues, and modelbased systems engineering research.
Figure 1. The high level architecture of the Microcosm Sandpit.
The Microcosm Sandpit Stage One system implementation has been successfully completed
and evaluated (Do et al., 2009) using a service oriented architecture (SOA). The SOA is
based on the Decentralised Software Service (DSS) (Nielsen and Chrysanthakopoulos, 2008)
and the Concurrent Control Runtime (CCR) library (Morgan, 2008) from Microsoft and is
illustrated in Figure 2(b). The CCR is a managed library that provides classes and methods
for concurrency, coordination and error handling. It enables segments of codes to operate
independently, pass messages and execute in parallel. The DSS, on the other hand, extends
the CCR capability across processes and machines. Both CCR and DSS are provided within
the Microsoft Robotic Development Studio (MRDS) (Johns and Taylor, 2008).
(a)
(b)
Figure 2. (a) Operational view (OV1) of the Microcosm Stage One scenario.
(b) Service-oriented architecture for the Microcosm Stage One implementation.
30
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Another important aspect of the Microcosm Sandpit development is that the simulation
environment is implemented using the simulation capability of the Microsoft Robotic
Development Studio (MRDS). It uses the AGEIA PhysX physics engine to simulate physical
interactions within the virtual environment, such as friction, gravity and collision (Johns and
Taylor, 2008). The Microcosm Sandpit physical environment and the robots are modelled to
scale in the simulation, and sensor accuracy is modelled with a modest level of fidelity. The
modelled environment is shown in Figure 3. The synthetic robots are configured to replicate
the motions of their real counterparts in the real environment, performing the operational
scenario depicted in Figure 2 (a). A synthetic intruder is also modelled and its motion is
emulated based on the intruder’s position calculated by the ground-based laser sensor in the
physical environment. Intruder and robots’ motion data are supplied to the simulation
environment by the Master-Runtime Control.
Figure 3. Aerial view of the synthetic environment of the Microcosm Sandpit.
The operation of the stage one operation scenario is based on centralised control architecture,
as depicted in Figure 2(b). The Master Runtime Control is responsible for intruder detection,
sensor fusion, creating and maintaining an operational picture, and requesting positional
update from the robots. It also instructs the Simulation Orchestrator to emulate the robots and
intruder motions.
Upon intruder detection, the robots receive the intruder’s position from the Master-Runtime
Control. Robot Two pivots and tracks the intruder using the onboard camera, while Robot
One performs its own path planning to follow and intercept the intruder using a finite state
machine (Cook et al., 2009). After the initialisation state Robot One transits automatically
into the Standby state. Upon intruder detection it progresses to the Follow-Intruder state, in
which it performs path planning and follows the intruder. While in the Follow-Intruder state,
if an obstacle appears in the way (detected by the onboard laser sensor), Robot One transits to
the Obstacle-Avoidance state, and resumes the previous state when the obstacle is cleared.
When the robot is within a metre of the intruder, it enters Intruder Engagement state and
announces successful interception to the intruder. A voice message is also transmitted on
each state transition to enable observers to assess progress through the scenario. Should the
intruder leave the guarded area, the robot enters the Return-To-Base state.
31
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
MICROCOSMS LESSONS LEARNED
Lessons learned databases are a collection of analysed data from a variety of current and
historical events. Traditionally these events are associated with failures, and involving the
loss of valuable resources. Lessons learned databases provide a resource that can be used to
rectify the causes of failure, or choose pathways that are likely to improve future
performance. Many large civilian and military organizations around the world manage a
database that includes a description of the driving events (failures or success), the lesson(s)
learned from these events and recommendations for future actions. In this section we describe
some events that are included in the lessons learned database of the Microcosm program.
Although the Microcosm database is driven by relatively simple events, the database has
similar outcomes and recommendations to the traditional lessons learned databases found in
larger systems engineering/integration organisations. Furthermore, the unique configuration
of Microcosm offers an environment in which systems engineering practices are developed
and extended in a forgiving environment, and provides a large variety of driving events with
little risk of loss of resources.
The following table gives examples of lessons learned in categories that are maintained in our
lessons learned database. For each entry the nature of the issue and what we learned as a
consequence of this issue’s manifestation has been summarised in the third and fourth
columns respectively.
Table.1: Samples of the lessons learned from the Microcosm Stage One.
Id
MLL01
Issue Type
Equipment
Operation
Issue Description
EMI issue with the flex compass being
interfered with by the robot’s
electrically powered motors.
MLL02
Environment
MLL03
Integration
MLL04
Interfaces
MLL05
Computer
Hardware
Robot’s localisation system was
unable to cope with measurement
inconsistencies, introduced by the
environmental conditions i.e., uneven
floor surfaces.
COTS equipment manufacturer’s
interface documentation was
incomplete and ambiguous.
Team members were developing their
common software interfaces but
assumed incompatible units of
measurement and dissimilar
coordinate systems for various data
fields.
Processing power, while adequate for
a single application, was found to be
inadequate when the same CPU was
required to support multiple
applications.
MLL06
Configuration
Management
System data was stored in a common
folder on a server but system baselines
were not clearly defined. It was
difficult to identify working modules
32
What Was Learned?
EMI issues are difficult to predict during
the design stage and can also be
intermittent in their manifestation.
Hardware prototyping and extensive
system testing is required to ensure that
EMI issues are identified early.
Information redundancy, supported by
multiple different sensor types, is required
to compensate for sensor errors realised
within an imperfect environment.
Interface testing is necessary to prove that
the COTS equipment communicates as
expected before system test is conducted.
An interface specification is required to
effectively define the system component
interfaces. Each affected team member is
hence required to ‘sign up to’ this
interface specification.
Before loading an application set on a
computing platform a processor
performance model should be developed
to confirm that adequate computing
resources are available over all system
operational scenarios.
System baselines need to be defined and
the relevant ‘snap shot’ of the system kept
unmodified in a known directory structure
to ensure that development to the next
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Id
Issue Type
Issue Description
for each baseline and differentiate
completed modules from work-inprogress ones.
Due to a software issue, the robot
went ‘rouge’ during a test, which
could have resulted in damage to the
robot, before manual action was
forthcoming to secure the robot’s
motion.
See MLL07
MLL07
Safety
MLL08
Emergency
Procedures
MLL09
Project
Management
Our initial effort estimates gave a
value of 1.1 person years. However,
the actual expenditure was 1.5 person
years.
MLL10
Technology
adoption/inse
rtion
MLL11
Lesson
Learned
Capture
The self-localisation of the robot was
based on only odometry with no
correctional global positioning. It was
found that the odometry suffers from
accumulative errors that lead the robot
to a “lost state” within a short-period
of time.
Lessons learned were captured at the
end. It was found that many of the
same issues were independently
discovered by multiple team members,
which could have been avoided in the
subsequent cases, given early access
to populating the Microcosm Stage
One lessons learned database
What Was Learned?
system baseline progresses from a known
state.
A readily accessible and simple method of
halting the robot’s motion (i.e., kill
switch) should be provided as part of the
system functionality.
A procedure and deployment of this
procedure (i.e., staff training) was found
to be necessary to address potential safety
issues.
Our systems engineering process was not
robust enough to mitigate against the
rework required to recover from various
issues, see this table for examples. Our
systems engineering process will now be
evaluated and process improvement
considered as appropriate.
Model-based systems engineering should
be used to inform the feasibility of the
intended methodology and technology
prior to their insertion.
Lesson learned should be recorded
immediately after they occurred to avoid
duplicated failures. This requires the
lessons learned database to have online
access, and have email notification of new
entry to all team members.
IMPACTS OF LESSONS LEARNED ON THE MICROCOSM STAGE TWO
Lessons learned can be regarded as a critical source of information for risk mitigation and
optimal project planning. However, their effective use and maintenance still remain as a
challenge to the engineering community. One of the aims of the Microcosm program is to
investigate methods for the effective use of the lessons learned to inform the design and
implementation of future stages of the Microcosm project, and also their use in systems
engineering education.
The captured lessons learned from the Microcosm Stage One have informed the execution of
the Microcosm Stage Two work in two different aspects: engineering implementation and
systems engineering process. The former has occurred in the system design and
implementation phases, where stronger emphasis on understanding and designing to the
interface issues between different system components is being addressed as the result of the
lesson learned id-MLL03 and id-MLL04 in Table.1. In particular, the following areas are
considered: communication protocol, deterministic response, Quality of Service (QoS), type
of messages/data being passed between services, data update rates of each sensors and
33
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
services, all embedded in a hardware-software system deployment architecture framework
design.
Similarly, the system design process is being informed by the lesson learned id-MLL10, in
Table.1 where preliminary system components’ capability is being investigated by creating
statistical models of the components, to ascertain whether the intended technology will meet
our system’s requirements, irrespective of what was stated in the various product
specifications. For instance, an Ultra-wide Band (UWB) positioning system was considered
to be used for providing indoor analogue to GPS to update of the robots’ positions. A modelbased systems engineering approached was adopted to inform the system design with an
outcome that indicates that UWB positioning system alone will not be sufficient in providing
global positioning update for the robots due to large positional errors. This led to an insertion
of an additional requirement to procure an extra SICK LMS-291 laser sensor. Note that this
was identified before the project start instead of toward the end of the project, as might
otherwise have happened.
Furthermore, the tailored systems engineering processes for the Microcosm Stage Two has
been informed by the lessons learned recorded in Table.1. For instance, with reference to the
lesson learned, id-MLL09, our estimate of the total effort required was 1.09 person effort was
out by 36%, due extensively to the allocation of time for the test and evaluation phase. This
lesson has informed the time allocation for the systems integration test and evaluation phase
of the Microcosm Stage Two, increasing it from 5% to 20% of the over project schedule. This
is believed to be the general expectation in industry settings and hence rework has potentially
been mitigated as a consequence of the lesson-learned id-MLL10.
PROPOSED RESEARCH INTO THE USABILITY OF A LESSONS LEARNED
DATABASE
In order to make use of the captured lessons learned it is important to have the right software
infrastructure in place and the right methodology/ environment for using it. The wiki software
being used will allow lessons learned to be linked to relevant architectures and design
patterns (which can also be stored in the wiki), and the impacts of changes in these can be
captured and stored in the wiki’s history. Having the right processes will include things like
making sure people are using the wiki, the use of email to notify wiki updates with timecritical lessons learned, deciding on the right course of action as a result of the lesson learned,
and implementing these changes.
Learning can take place at a number of levels (Grisogono and Spaans, 2008). In the context
of Microcosm, level 1 learning would be tuning existing systems engineering processes as a
result of lessons learns. Level 2 learning includes improving the processes used to support
level 1learning. This includes modifications to the structure of the wiki and processes for
learning, along with expanding and modifying the set of engineering processes used in
Microcosm. Level 3 learning is learning about level 2 learning – capturing lessons learned
regarding the use of the wiki database and the processes adopted for acquiring the lessons
learned. The Microcosm wiki could capture level 3 learning by research into usability of the
lessons learned database. Level 4 learning is about aligning how the lessons learned are used
with measures of real world performance of the Microcosm. For example, if a different way
of communicating architectural changes is used, does this reflect in better software
performance? Level 5 learning is about how lessons learned are used in a co-operative
34
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
setting. To be most effective at learning, all five levels have to be implemented. Therefore,
the Microcosm lessons learned research program focuses on how well each of the five levels
of learning can be achieved through the use of the Microcosm wiki and other processes.
CONCLUSIONS
This paper has discussed the usefulness of capturing lessons learned from the Microcosm
Stage One and illustrated how these lessons learned have informed the design and
implementation, and the tailored systems engineering processes of the Microcosm Stage
Two. The captured lessons learned were from a small-scale project but reflect many of the
same lessons learned reported in large-scale projects. This has demonstrated the Microcosm
Sandpit’s merits in generating systems engineering products that could be used in systems
engineering education, training and research. The captured lessons learned are stored on the
project Wiki that will be equipped with interactive mechanisms for autonomously engaging
and proving insightfully information at various stages of the Microcosm program as part of its
model-based systems engineering research theme.
REFERENCES
Buede, D. M. 2000. The Engineering Design of Systems, Wiley Publishing Inc.
Cook, S., T. Mansell, Q. Do, P. Campbell, P. Relf, S. Shoval and S. Russell, 2009.
Infrastructure to Support Teaching and Research in the Systems Engineering of
Evolving Systems. 7th Annual Conference on Systems Engineering Research 2009
(CSER 2009), accepted for publication, Loughborough, UK.
Do, Q., T. Mansell, P. Campbell and S. Cook, 2009. A Simulation Architecture For Modelbased Systems Engineering and Education. SimTect 2009, accepted for publication,
Adelaide, Australia.
Grisogono, A.-M. and M. Spaans, 2008. Adaptive Use of Networks to Generate an Adaptive
Task Force. 13th ICCRTS: C2 for Complex Endeavors.
Johns, K. and T. Taylor 2008. Professional Microsoft Robotics Developer Studio Wiley
Publishing Inc.
Mansell, T., P. Relf, S. Cook, P. Campbell, S. Shoval, Q. Do and C. Ross, 2008. MicrocosmA Systems Engineering and Systems Integration Sandpit. Asia-Pacific Conference on
Systems Engineering - APCOSE, Japan.
Morgan, S. 2008. Programming Microsoft Robotics Studio, Microsoft Press, US.
Nielsen, H. F. and G. Chrysanthakopoulos. 2008. "Decentralized Software Services Protocol
– DSSP/1.0."
http://download.microsoft.com/download/5//6/B/56B49917-65E8494A-BB8C-3D49850DAAC1/DSSP.pdf.
Norman, D. and M. Kuras 2006. Engineering Complex Systems. Complex Engineered
Systems: Science Meets Technology. D. Braha, A. Minai and Y. Bar-Yam, Springer.
35
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
This page intentionally left blank
36
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
MAKING ARCHITECTURES WORK FOR ANALYSIS
Ruth Gani B.AppSc., Simon Ng BSc./BEng. PhD.
Joint Operations Division
Defence Science and Technology Organisation
INTRODUCTION
Capability integration is an important step towards delivering joint capability for Defence—
indeed, interoperability is central to enabling effective joint, combined and coalition
operations. In the words of the Department’s Defence Capability Development Manual, ‘Joint
interoperability is to be seen as an essential consideration for all ADF capability
development proposals’ (Australian Department of Defence 2006, p47).
A central component of ensuring interoperability is the integration of systems across
capabilities. According to Weill from the MIT Center for Information Systems Research
(Weill 2007), the enterprise architecture is the ‘organising logic for key business process and
IT capabilities reflecting the integration and standardisation requirements of the firm’s
operating model’. The Australian Department of Defence has adopted an enterprise
architectures approach through the Defence Architectural Framework (Australian Department
of Defence 2006, p47). The Chief Information Officer Group states that the application of the
Defence Architectural Framework ‘enables ICT architectures to contribute to effectively
acquiring and implementing business and military capabilities, ensuring interoperability, and
value for money and can be used to enhance the decision making process’ (Chief Information
Officer Group, 2009)
Architectures are intended to document a system in order to support reasoning about that
system. This encompasses the use of the architecture to manage and direct system changes, to
measure system effectiveness and performance and to describe and visualise the system
(Institute of Electrical and Electronics Engineers, 2000). As such, architectures must be
tractable from this perspective. Unfortunately, the utility of architectures can be limited by
poor appreciation of their potential to support this sort of reasoning or by a lack of
understanding of who might qualify as an ‘end-user’ of the architecture.
The Defence Science and Technology Organisation (DSTO) plays an important role in
supporting Defence capability development and acquisition projects. Part of this role is to
examine the risks and mitigation strategies associated with the integration of the project into
the wider Defence capability. As such, DSTO can be an ‘end-user’ of the architectures
developed as part of the capability development process (DSTO can, of course, also be
involved in the development of architectures for Defence). This paper reports on lessons on
the use of architectures drawn from DSTO’s support to a key Defence capability acquisition
project. It demonstrates the importance of documenting architectures in a manner that makes
them useful for reasoning by presenting the remedial efforts that were needed to make the
extant project architecture amenable to analysis.
Because of the classified nature of much of the material related to the Defence project in
question, the name of the project and details of the proposed system options under
consideration have been withheld.
37
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
OVERVIEW
The aim of the DSTO study presented herein was to answer two questions:
1. What were the important interoperability requirements and associated information
domain standards necessary for the new Defence capability to operate within the
Defence Information Environment (DIE)?
2. What was the impact of poor interoperability (due to poor standards compliance)
on the new capability’s capacity to conduct its missions and to meet defined
information exchange requirements?
These questions were answered by comparing standards associated with the information
exchange requirements identified by the project with standards defined for the Defence
Information Environment, producing a ‘degree of compliance’ rating. If the degree of
compliance was 1, then the capability being developed by the project would be fully
interoperable (within the limits of resolution of the study). If the degree of compliance was 0,
then the capability would not be interoperable at all.
THE DEFENCE INFORMATION ENVIRONMENT
Defence
Information
Domains
(DID)
Management
Operations
Policy and Doctrine
Organisation and Structures
People and Training
Information Management
Data
Defence
Information
Infrastructure
(DII)
Sensors
Processes and Procedures
User applications
Common Services
Information Interoperability
Information Management
Defence Information Environment
Weapons
User devices
System Hardware
Networks/Datalinks
Bearers
Fixed
Coalition
Allies
OGOs
Industry
NII
Deployed
Figure 1. A logical representation of the DIE.
The Defence Information Environment (DIE) as represented in Figure 1 (above) is divided
into layers. Specific layers were of particular relevance to the project, those being:
x the Data, User Applications and Common Services layers of the Defence Information
Infrastructure (DII);
38
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
x
x
the information management aspects of the Network/Datalinks; and
the Bearers layer.
Each layer of the DII has an associated set of approved standards which are documented
within the Approved Technology Standards List (Chief Information Officer Group 2006). The
capability on which this study was focussed exists in the space defined by sensors and
weapons to the right of the diagram. This capability interfaces with other entities (be they
ships, planes or headquarters) through the DIE.
SOURCING DATA AND INFORMATION
Data concerning three types of entities were required for DSTO’s purpose:
x data concerning the Information Exchange Requirements between the new capability
and the DIE;
x a list of relevant DIE standards (current and likely future); and
x a list of missions that might need to be undertaken in the context of Defence fielding
the new capability.
The project’s architecture data provided the central source of information about the types of
information exchanges needed between the new capability and the broader Defence
Information Environment. In other words, the architecture products, the project Operational
Concept Document (OCD) and other project documents (such as the preliminary Functional
Performance Specification (FPS) and the Communication Information Systems (CIS) report)
articulated the types of information that needed to be exchanged, the methods and media that
would be used to exchange the information and some of the associated standards.
Standards associated with the DII layers of interest were sourced from the Approved
Technology Standards List (ATSL) and other Defence documentation. Future standards
assumed the adoption of the US Distributed Common Ground System Integrated Backbone
(DIB) standards into the DIE.1
A list of the missions being undertaken by the new capability were contained within the OCD.
However, the architecture products were expressed in terms of scenarios, which were too
context specific for generating statements of generic mission effectiveness into the future. The
missing mission data was extracted from the OCD (for the new capability) and other doctrinal
sources for other capabilities (nodes) in the system with which information exchanges were
required.
ARCHITECTURE DATA: THE UNDERLYING PROBLEMS
As stated, the design of an architecture is mediated by the purpose for which it will be used.
The architecture provided with the project’s OCD was flawed across a number of levels.
x
The architecture was developed in a fragmented way.
The key ‘operational view’ data that form the DAF were developed for the project
under two different contracts at two different times. This led to inconsistencies that the
adoption of a framework approach aiding configuration management is meant to
avoid. Specifically, items of information specified in one area of the architecture were
1
References related to the project or restricted Defence information are not included.
39
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
inconsistent, in terms and definitions, with items specified in other parts of the
architecture. This made it impossible to directly trace from operational activities to
information exchanges between nodes. The answer to the question ‘what activity does
this information exchange relate to’ could only be guessed at. A second inconsistency
was the use of missions as the basis of one area of the architecture and scenarios as the
basis of the other. These fundamental disconnects made interpretation of the
relationship between operational entities, information and operational activities very
difficult.
x
The architecture consisted of views, but very little documented underlying data.
An architecture is a collection of data and data relationships. Unfortunately, the
architecture provided by the project was a set of ‘views’—diagrams—with no explicit
information about underlying data structures or relationships. No repository existed
that could be filtered, sorted or in any way manipulated. In essence, the architecture
products supplied as part of the OCD were aimed at securing transit of the document
through ‘first pass’, but they were poorly suited to our analytical purposes and (as
shall be seen) required considerable data ‘scrubbing’.
x
The elements of the architecture were ambiguous.
Development of the elements of the architecture was not done consistently. For
instance, capability nodes were defined at different levels of resolution: weapons
hardware, radar systems, individual ship types and a surface action group (SAG) were
all present as nodes with relationships expressed as information ‘needlines’ between
them. There was no indication as to which ships constituted a SAG and which ships
within the SAG might be responsible for each needline. Some decision early on as to
the fidelity required for analysis could have saved effort in the long run.
Another problem was in the expression of Information Exchange Requirements (IERs)
in the IER matrix. A sample of the IER matrix showing one of the hundreds of IERs
processed is shown in Table 1 (below).
Table 1: Selected columns for a row in appearing in the IER matrix.
Information
Element
Name
Content
Description
Triggering
Element
Activity
Producer
Consumer
Media
System
Media
Method
Temporal
Information
Weather
forecasts
Weather
Forecasts
(incl.
visibility)
Bureau of
Meteorology
(BOM)
Start of
Mission
BOM
Command
and Control
Headquarters
Internet
Line
1 way
The IER matrix was a primary source of information for the study, but it contained
significant ambiguities. The IERs were described as being ‘one way’, ‘two-way’,
‘network’, etc. and multiple information types were identified for each IER. The ‘oneway’ IERs were manageable; ‘two way’ or ‘network’ made it difficult to determine
which information was flowing in what direction.
The ‘media system’ and ‘media method’ fields were occasionally populated by
multiple data options. For instance, if the system field contained ‘Mainframe, PC,
Mac, Notebook’ and the method field contains ‘wireless, network, hand carriage, line
of sight, beyond line of sight’ then decisions must be made as to which of the cross-
40
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
product (system x method) options were valid and needed. Some combinations could
be automatically ruled out (mainframe x hand carriage) but it wasn’t possible to
determine whether other combinations made sense and whether or not they were
essential to meeting the IER. In some cases the systems or methods mentioned were
not discrete (eg. TADIL, Datalink, Link A), leading to boundary problems. If an IER
mentions Link A, do you also relate it to Datalink and TADIL? Problems can be
introduced by broadening the scope of node to node IER media methods and systems.
x
The ‘users’ or purpose of the architecture was not well understood.
It was clear that the architecture views were developed to facilitate a stage in the
approval of the project. This doesn’t preclude the appropriate development of the
architecture for other uses, but the caveat attached to the front of the architectural
views stated that no analytical purpose had been established as part of the design brief
for the architecture. In other words, the developers of the architecture were not given
an explicit statement of all the uses to which the architecture would be put, although
they may very well have made implicit assumptions about what the architecture might
be used for and by whom it might be used.
Some of the problems raised above could have been avoided at the design stage of the data
gathering process. Much of the effort in the study was in correcting or compensating for the
above data consistency and configuration problems.
FIXING AND RECONCILING THE UNDERLYING DATA
Given the challenges inherent in the architectural views supplied in the project’s OCD, two
options were available:
1. Load the views into a Commercial Off-The-Shelf (COTS) architectural product; or
2. Create a purpose-built relational database to house the study data and implied data
relationships derived from the OCD views supplied.
The first option (COTS) entailed purchasing software licenses and training staff to a
reasonable level of expertise. Further, it wasn’t possible to guarantee that a COTS tool would
easily accommodate such ill-configured data. Ironically, configuration management may have
limited our flexibility in manipulating and analysing what poor data was available. Due to
these risks and costs, this option was discounted.
The second option required the creation of a simple relational database with just enough detail
to support the data we had available using Defence application tools already in place. We
chose to create a lightweight prototype for the purposes of supporting this project alone: it
would be flexible (or slack) enough to accommodate the badly formed data. Importantly, it
would provide a queriable repository, one that wasn’t available from the project architecture
itself.
To construct the database, it was necessary to define the logical relations between the data of
interest within the OCD architecture views. The logical relationship between data types are
described in the Entity Relationship Diagram (ERD) in Figure 2 (below).
41
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Scenario
Media
IER
Need
Cardinality
one
two
one or more
Node
Figure 2. Logical IER matrix Entity Relationship Diagram.
Unfortunately, this relational model was not broad enough in scope to address the analytical
questions the study wanted to answer, and so it was extended to accommodate the standards
list and missions list, as seen in Figure 3 (below). Standard data was related to the media
methods and systems that needed to comply with the standards. Missions were related to IERs
that supported the mission activity and nodes that were actually involved in carrying out
mission activities.
Scenario
Standard
Media
IER
Need
Cardinality
one
two
zero or more
one or more
Node
Figure 3. Extended logical Entity Relationship Diagram.
42
Mission
DataSource
Organisation
Standard
MediaMethod
MediaType
MediaSystem
NodeMediaMethodMapping
NodeMediaSystemMapping
IERMediaMapping
Node
IER
43
Figure 4. Final Entity Relationship Diagram for the study database
zero or one
one
two
zero or more
one or more
Cardinality
StandardMediaMethod
Mapping
StandardMediaType
Mapping
StandardMediaSystem
Mapping
MissionNodeMapping
Need
ScenarioIERMapping
Band
Activity
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Mission
IERMissionMapping
Scenario
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
This logical structure was instantiated as a simple MS Access database. To reduce
duplication, tables to facilitate many-to-many relationships were introduced. This ensured that
the lookup or ‘mapping’ tables containing the table ‘joins’ were insulated from entity data
changes. Such relationship tables appear in the Figure 4 (above) as tables whose names end in
‘mapping’ (ie. IERMediaMapping).
Entity data was entered using various methods:
x by file import into the appropriate table (DIB data into the Standards table);
x using cut-and-paste on a record-by-record basis (ATSL data into the Standards table);
x executing insert queries (duplicating each ‘two-way’ IER to create two ‘one-way’
IERs with reversed source and sink nodes); and
x by manual data entry (Scenario, Mission, IER, Need, Node, Media).
After the data was entered, we tested the system by recreating the IER matrix using database
queries and matching the output against that provided in the OCD. Other queries showing
Node - Mission relationships and Node - IER Method - IER System relationships were also
generated and scrutinised for error.
This building of an enriched relational database was the first step in tackling the shortcomings
inherent in the original data. Not only did it correct these shortcomings, but it also provided a
repository through which questions linking different parts of the architecture could be asked
and meaningful answers arrived at. For example, based on this newly constructed database, it
was possible to ask questions like ‘what will the mission impact be if the project adopts a
standard for this tactical data link that mismatches with the standard mandated in the ATSL?’.
This presented a significant step forward in making the data analysable, and it highlights the
importance of understanding the purpose for which the architecture is built.
DEVELOPING AN ANALYSIS APPROACH
The analysis approach involved generating a score for each IER’s compliance with the
identified standards and then aggregating the scores in order to give meaning at a systemic
level. It was of little or no value to simply provide the project with a view of which media
systems had poor interoperability, but it was useful to highlight risks to mission outcomes that
arose from this lack of compliance. Therefore, the compliance score for an IER is the
aggregation of all media system and media method scores associated with the IER. A media
score is related to how many standards associated with the media are duplicated between the
new capability standards list and the DIE standards list. When considering the future DIE, we
incorporated the ‘other’ (DIB) standards into the DIE standards list. See Figure 5 (below) for
a pictorial view of the aggregation. Note that the fidelity and confidence in the resulting
scores diminishes at each level as the score is diluted by continual aggregations and outliers
are camouflaged.
Three cases were explored: worst case, medium case and best case. In the medium case
analysis, it was assumed that the risk associated with information exchange to and from the
proposed system was proportional to the fraction of standards common to the system and the
DIE (incorporating the DIB in the case of the future standards analysis).
44
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Low
Sink Mission
IER
Media System
Media Method
Standards
Confidence
Needline
High
DIE standards
Proposed system
required standards
Other standards
Figure 5. The data structure supporting the analyses undertaken.
To illustrate the method used here, consider the analysis of system compliance with the DIE:
1. Each standard was assigned a value of:
‘1’ if it was common to both the proposed system and the DIE; or
‘0’ otherwise;
2. For each media method, two scores were determined:
a. the ‘Positives’, which was the number of standards relevant to that media
method that were marked as ‘1’;
b. the ‘Total’, which was the total number of standards relevant to that media
method.
If the ‘Positives’ equalled the ‘Total’ then all standards associated with a media
method were, by definition, common to both the proposed system and the DIE. A
similar procedure was used to score the media systems.
3. The degree of compliance for each IER was determined as follows:
For an example IER with one associated media system:media method pair A:A’, the
compliance score P is determined by:
P
c( A, A' )
­
° 0, if A
0
°
°
0
® 0, if A'
°
° Positives(A) Positives(Ac)
otherwise
°
Total(A) Total(Ac)
¯
45
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
In the medium case analysis for IERs with more than one media system:media method pairing
the average of the compliance scores for the IER was calculated:
N
P for an IER with N media pairs
¦ c (O , O ' )
O
A
N
An identical approach was used to determine the degree of compliance for each needline and
mission.
In the best and worst case analysis, it was assumed that the risk associated with information
exchange between the proposed system and the external environment was determined by the
best or worst case risk associated with a given media system:media method pair, but
otherwise the approach was for all intents the same as that described above. An identical
approach was taken to determine the degree of compliance for each needline and mission. The
best/worst case analysis provides an idea of the risk spread for a given IER or mission.
REPRESENTING RESULTS
A challenge for any analysis is to represent results in a way that is meaningful to the client. In
this study, simply stating the compliance levels across information exchanges would have
conveyed the underlying analysis but not expressed it in terms that the clients (military
operators) would be likely to appreciate. Instead, considerable work was done to build the
relational database to allow the impact of poor compliance on missions to be determined. A
simple scheme was used to express the risk to mission failure.
Results were presented in a client report to the IPT in graphical and tabular form. The risk
profile graphs for IERs and Missions were presented and the implications for Defence
discussed. A sample graph is shown in Figure 6 (below):
In an attempt to focus any remedial effort and identify ‘low-hanging fruit’, a coarse sensitivity
analysis was done. The results were included in the client report in graphical form akin to
Figure 7 (below). It is clear from such an output that further work regarding options for
improving the compliance of ‘System X’ should have a positive effect on mission risk.
To allow the Defence project team to conduct further investigation, the client report was
accompanied by the study tools (database and spreadsheet) in electronic form—that is, the
database was not only used to support the DSTO study, but also as a tool for ongoing analysis
within the project itself. The project team have the option of using the tools to check their
high-level compliance as standards or documents develop throughout the future life of the
project. This transfer of knowledge in explicit form adds value to the analysis already
undertaken.
46
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Sink Mission Risk Profiles
0.6000
Proportion
0.5000
0.4000
0.3000
0.2000
0.1000
0.0000
Best case
Medium case
Worst case
Very High (0.0<P<=0.2)
0.0220
0.1500
0.1600
High (0.2<P<=0.4)
0.0280
0.2600
0.3700
Moderate (0.4<P<=0.6)
0.4200
0.3300
0.4700
Low (0.6<P<=0.8)
0.5300
0.2600
0.0000
Very Low (0.8<P<=1.0)
0.0000
0.0000
0.0000
Risk Cases
Figure 6 Proportion of Missions in each risk category as a result of non-compliance of standards
between the proposed system and the DIE (numbers are illustrative not actual).
Normalised contribution to IER compliance
M edia Systems: Sensitivity
1
0.9
0.8
0.7
0.6
0.5
0.4
0.3
0.2
0.1
Au
di
N
o
et
w
or
k
J
D
at
a
D
at
al
in
N
k
et
w
or
k
Sy
I
st
em
Sy
Z
st
em
W
In
te
rn
et
Sy
st
em
Sy
X
st
em
Y
Li
nk
A
Li
nk
C
Li
nk
N
on
B
-v
M
ol
an
at
u
al
il e
M
ed
ia
Se
Li
lf
nk
pr
D
ot
ec
tio
n
TA
D
IL
Vo
ic
e
0
Media system
Figure 7 The relative contribution made by each media system (top) and media method (bottom) to the
overall compliance performance and associated risk of the proposed system’s information exchange
with the broader DIE (results are illustrative only).
47
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Apart from advice concerning the proposed system’s interfaces, the DSTO has made many
recommendations about the architectural products supplied as part of the OCD. The Defence
project team are now investing in their capability architecture as an important engineering and
analysis tool. The faults that were identified in form and content have been taken on board
and a coherent, self-consistent architecture is currently being produced.
CONCLUSIONS
Architectures form the basis for reasoning about systems. In Defence, they are a mandated
part of the capability development process. However, projects often lack an appreciation of
the likely uses to which an architecture may be put. This paper has highlighted the importance
of considering the users in any development of an architecture. It has flagged specific
shortcomings in the data presented to DSTO by the project and detailed the effort that went
into remedial work. This level of effort is costly and time consuming, and would be obviated
if a more encompassing approach to the development of the architecture took place up front.
Finally, it has flagged several important lessons, which may seem obvious conceptually but
which are often overlooked in capability development:
x
x
x
x
An architecture is only as valuable as it is consistent, coherent and documented.
Views, mismatches in resolution or elementary content and lack of specificity
undermine the utility of the architecture in supporting reasoning;
Any compliance process must take into account the quality and validity of the
architectural data and products, not just the form of the Architectural views. Defence
should assess whether their compliance process meets such a goal;
Analysis of architectural data requires the data to be contained in analysable form, but
it isn’t enough to perform the analysis: the results must be meaningful to the end
audience. To make it meaningful requires an understanding of the end audience and
the questions they are ultimately going to want answered. This information, in turn,
dictates the form of the architecture. Often, multiple audiences exist and multiple
questions need to be answered, which amplifies the need to move beyond views
towards a structured repository; and finally,
Transferring knowledge isn’t simply about providing advice and recommendations; it
is also about transferring tools and the capacity for analysis to the end user.
REFERENCES
Australian Department of Defence, (2006) Defence Capability Development Manual, Defence
Publishing Service, Canberra.
Chief Information Officer Group, (2006) Defence Information Environment (DIE) Approved
Technology Standards List (ATSL) (version 2.5), Canberra.
Chief Information Officer Group, (2009) Directorate of Architecture Practice Management
(DAPM) - Defence Architecture Framework. [Online] (Updated 6 Apr 2009)
Institute of Electrical and Electronics Engineers, (2000) IEEE Std-1471-2000 Recommended
Practice for Architectural Description of Software-Intensive Systems, IEEE.
Weill, P. (2007) Innovating with information systems: what do the most agile firms in the
world do?, Proceedings of the 6th e-Business Conference-PwC & IESE. Barcelona, Spain
27 March 2007.
48
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
SYSTEMS ENGINEERING IN-THE-SMALL: A PRECURSOR
TO SYSTEMS ENGINEERING IN-THE-LARGE
Phillip A. Relf1; Quoc Do3; Shraga Shoval3; Todd Mansell2;
Stephen Cook3, Peter Campbell3; Matthew J. Berryman3
1
2
3
Raytheon Australia, email: [email protected]
Defence Science and Technology Organisation, email:
[email protected]
University of South Australia email: Matthew.Berryman, Peter.Campbell, Stephen.Cook,
Quoc.Do, Shraga.Shoval {@UniSA.edu.au}
Abstract – The teaching of the systems engineering process is made problematic due to the
enormity of experience required of a practising systems engineer. A ‘gentle’ project-based
introduction to systems engineering practice is currently being investigated under the
Microcosm programme. The Microcosm programme integrates a robotics-based system-ofsystems, as the first stages in building a systems engineering teaching environment. Lessons
learnt have been collected from the Microcosm Stage One project and the systems
engineering processes, used during the project, have been captured. This paper analyses the
processes and lessons learnt, compares them against typical large-scale Defence systems
engineering projects, and discusses the lesson learnt captured by the systems engineers who
had been working in-the-small. While executing the case study it was found that the lessons
learnt which are known to industry, would have been militated against their occurrence by
the use of robust industrial systems engineering processes but that the Microcosm project
schedule, with these industrial processes, would have been exceeded. As the Microcosm
Stage One project was successfully completed, effort must now be expended to ensure that the
participants understand the limitations and strengths of systems engineering in-the-small
procedures and also understand the issues associated with the scaling up of the procedures.
INTRODUCTION
This paper reports a case study of a systems engineering project that was conducted in-thesmall namely the Microcosm Stage One project; and contrasts the lessons learnt against
industrial systems engineering in-the-large practices. Where possible the relevant industrial
practices are cited from published papers. Finally, recommendations to balance the education
of systems engineers, who have only worked in-the-small, are given to offer appreciation for
working in-the-large.
49
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
BACKGROUND
Contrarytopopularbelief,systemsengineeringhasbeenwithusforsomeconsiderabletimebutwe
arestillstrugglingtodefinewhatitisandtounderstandhowtoteachit.Wearedoggedinourneed
tobuildincreasinglycomplexsystemsbutarefrequentlybeinghinderedbyourowncognitive
limitations.Microcosmisasystemsengineering‘sandpit’thatisdesignedtoallowournovice
systemsengineerstolearntheexplicitandtacitknowledgerequiredofasystemsengineer,and
guidethemonthepathtotransitionfromsystemsengineeringinthesmalltosystemsengineering
inthelarge.
Systems Engineering Scope and History
McQuay (2005) surveyed the literature and reports that a general consensus of the scope of
systems engineering has been achieved but Concalves (2008) notes that this has not always
been the case. Traditionally, systems engineering has used the “V” model (i.e., top-down
definition, and bottom-up integration and test) (Walden 2007) and has been characterised by
systems engineering standards such as ANSI/ITAA EIA-632, IEEE Std 1220, ISO/IEC 15288
and MIL-STD-499, to name a few. Systems engineering in its simplest manifestation is
concerned with the design of the whole and not with the design of the parts (IEEE 2000).
Lightfoot (1996) defines systems engineering as the controlled application of procedures,
standards and tools to a problem such that the developed solution manifests to satisfy a
specific need. INCOSE (2009) expands on this definition:
Systems Engineering integrates all the disciplines and specialty groups into a team
effort forming a structured development process that proceeds from concept to
production to operation. Systems engineering considers both the business and the
technical needs of all customers with the goal of providing a quality product that
meets the user needs.
Systems engineering was born out of World War II (Brown and Scherer 2000). Since the
1940’s the Defence sector has used systems engineering practices to develop complex
systems (McQuay 2005) which have been used to coordinate information, material and people
in the support of operational missions (Brown and Scherer 2000). However, systems
engineering practice continues to suffer unrest driven by economic and political pressures
(Hellestrad 1999). As an example, in 1994 The Secretary of Defence directed that
commercial off-the-shelf (COTS) equipment should be used to encourage open systems
architectural development and as insurance against obsolescence issues (IEEE 2000), hence
changing the scope of systems engineering practice in the process. Specifically, the
importance of systems requirements in the systems engineering lifecycle of new projects has
been reduced substantially as COTS equipment, by definition, already exists and has been
built to another customer’s system requirements specification.
Classical systems engineering is essentially a sequential, iterative development process that
results in the generation of a system (Rebovich 2008). The systems engineer works on the
assumption that the classical systems engineering process is driven by requirements which
ultimately result in a system (Rebovich 2008, Meilich 2005). However, classical systems
50
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
engineering is outmoded (Rebovich 2008) particularly due to the complexities imposed by the
use of COTS equipment as system components (Dahmann and Baldwin 2008, Walden 2007,
Rickman 2001). It has been recognised that the essence of systems engineering has become
how to integrate the system components into a whole (Chase 1966). More recently,
academics and practitioners alike now refer to systems integration as the process being
undertaken in the development of systems (Ai and Zhang 2008, Mindock and Watney 2008,
Meilich 2005). However, industry strongly rejects the practice of using “systems integration”
as a synonym for “systems engineering” as it creates confusion in that the term would refer
both to an engineering discipline and to a step in the systems engineering lifecycle.
Systems Engineering Process
Boarder (1995) analysed the systems engineering process and identified 400+ unique
activities. While using these activities to guide the development of a relatively simple system,
a total in excess of 1,000 distinct activities were subsequently identified (Boarder 1995).
Independently, Raytheon have developed their Integrated Product Development System
(IPDS) which, at the lowest level, contains over 1,000 activities (Rickman 2001). The
Raytheon IPDS integrates three systems engineering lifecycle models (i.e., evolutionary,
spiral and waterfall) into a tailorable systems engineering process (Rickman 2001). The
employment of such complex procedures may appear excessive to the novice but none the
less, the effective application of the systems engineering process can reduce the cost of
developing a system by the prevention of errors and hence results in the reduction of rework
(Lewkowicz 1988).
Education Needs
Lann (1997) stated that systems engineering was the “least rigorous” of the accepted
engineering disciplines. Given this assertion, it is apparent that some concerted education
effort was required but how to proceed? Systems engineering encompasses both technical
and non-technical (i.e., cultural, economic, operational, organisational, political and social)
contexts (Rebovich 2008, Stevens 2008, Lee 2007). In addition, a systems engineer must be
taught problem solving techniques but an undue influence on this aspect can in actuality
retard the learning of other systems engineering skills (Concalves 2008). Systems engineers
must also be taught how to manage complexity: including management complexity,
methodology complexity, research complexity and systems complexity (Thissen 1997).
However, due to the scope of systems engineering (see the INCOSE definition as an
example), one person cannot be expected to hold all the prerequisite skills and hence systems
engineering must be practised by a team of individuals who collectively hold the prerequisite
skills (Concalves 2008). Existing systems engineers have agreed that systems engineering
leaning can only effectively occur though experience and that guided experimentation is the
best approach (Newman 2001). As formal education has been based extensively on the
delivery of explicit knowledge (i.e., knowledge that can be readily communicated), a
paradigm shift is required to provide tacit knowledge (i.e., knowledge that cannot easily be
communicated – like learning how to ride a bicycle) (Concalves 2008).
51
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
We need an ability to provide systems engineering capability if we are to sustain growth
while managing system complexity (Concalves 2008). However, this necessary systems
engineering knowledge, which is created in the minds of individuals, does not disseminate
throughout an organisation naturally (Pope et al. 2006). This knowledge must be actively
transmitted to those neophytes who will become the next generation of systems engineers.
Management have attempted to disseminate systems engineering knowledge by capturing this
knowledge within procedures and then mandating the use of these procedures within their
organisation. However, experience has shown that this practice fails and that systems
engineering knowledge is created only through the practice of relevant formal education
combined with applicable systems engineering experience (Chase 1966).
Currently there is a global shortage of systems engineers (Concalves 2008). There are
relatively few systems engineering degrees being awarded, which is further exacerbating the
problem. Brown (2000) has estimated that there are less than 500 BS, approximately 250
Master and approximately 50 PhD systems engineering degrees awarded per year in the US.
For the same year, the National Academics Press (2008) published figures of 413 BS, 626
Master and 75 PhD systems engineering degrees (which are in the same order of magnitude
ranges as the previous figures). These figures have only marginally increased to 723 BS,
1,150 Master and 104 PhD systems engineering degrees awarded in 2006 (The National
Academics Press 2008), compared to approximately 74,000 general engineering degrees
awarded in 2004 (IEE 2004).
Strategies to instil systems engineering competencies into general engineering graduates have
included: attending formal courses; developed either internally or externally to the company;
and providing on-the-job experience, which can be slow to achieve results made questionable
when not accompanied by appropriate theory (Concalves 2008). Asbjornsen and Hamann
(2000) suggest that a minimum of 300 hours is required to give an engineer only the most
basic systems engineering knowledge. However, industry can be reluctant to make this
investment and would prefer to employ suitably knowledgeable systems engineers. Hence,
the impetus to relegate systems engineering training to the universities has come from
industry (Asbjornsen and Hamann 2000).
When approached by British Aerospace to develop a systems engineering course,
Loughborough University had some concerns regarding the content of the degree (Newman
2001). The university interviewed potential supporters for the degree to identify the
expectation to be placed on the degree graduate’s abilities, knowledge and skills. It became
apparent that the students would require eight to ten years of formal course work just to learn
the engineering basics prior to teaching the knowledge particular to systems engineering
(Newman 2001). Loughborough University subsequently developed a less ambitious four
year systems engineering BEng degree and a five year Master degree. The university found
that in addition to the usual student attributes, the systems engineering Master degree
students: provided mutual support to their fellow students; had a strong sense of identity;
demonstrated a strong ability to cope with change; were able to provide innovative solutions;
and were comfortable presenting their work in open forums (Newman 2001).
52
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
The USAFA have also developed a four year systems engineering Bachelor degree. The
USAFA degree in first year introduces students to systems engineering by having the students
develop a boost glider where they must use aeronautical engineering to support their system
design, astronautics engineering to launch the glider, electrical engineering to effect control
during glider flight, mechanical engineering to develop a robust design, and civil engineering
to build a launch pad (George 2007). The John Moores University, Liverpool has also
employed experimentation as part of their systems engineering education programme. The
university has used a systems engineering project employing a robot design for many reasons.
Some of these reasons include: the ability to use a simple design which is readily
understandable by first year students; the project has a particular relevance to the electrical
and manufacturing component of systems engineering; and the project is readily extendable
making it ideal as a student project (Boyle and Kaldos 1997).
The teaching of systems engineering, similar to the execution of complex systems engineering
projects, must be addressed incrementally. The University of Queensland found that the
IEEE Std 1220 standard proved to be too complicated in its untailored form for the students to
understand (Mann and Radcliffe 2003). Novice engineers have difficulty assimilating
systems engineering concepts as they are unable to see their relevance to the task (Mann and
Radcliffe 2003) and have an incomplete appreciation for what can go wrong in a project
(Concalves 2008). Similarly, the sequence in which systems engineering concepts are
presented is important to trainee systems engineers. As an example, systems engineers
working on small systems may develop a process based on their experiences with these
systems and become unable to modify their approach to address more complex systems
engineering challenges even in the face of evidence that their processes are inadequate
(Concalves 2008). The primary author has noted that another oversight in the education of
systems engineers is that they are not generally taught to recognise systems engineering
problems that are too complex for the waterfall or even the spiral models for system
development and an evolutionary model must, in these instances, be employed.
Systems Engineering In-The-Large
Systems engineering academia and practitioners alike now recognise that the engineering of
small-scale bounded predictable systems (i.e., systems engineering in-the-small) is inherently
different from the engineering of large-scale complex systems (i.e., systems engineering inthe-large) (Stevens 2008). Watt and Willey (2003) list the specific characteristics of largescale systems engineering projects that make them different from small-scale systems
engineering projects i.e.:
x
x
x
x
Management of subcontractors.
Management of factors that are considered to be high risk.
Competing view points between stakeholder held system priorities.
Integration of multiple system components and multiple technologies, some of which
may not exist at project start.
53
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
x
x
Development cycles measured in years and operational life-span measured in decades,
which has an impact on obsolescence issues and which must be considered during the
design phase of the project.
Typically funded by large organisations, with large budgets and often with high public
visibility.
When integrating COTS equipment to build a system-of-systems, the initial system
requirements are often changed to allow for unambiguous mapping to the individual COTS
equipment (Walden 2007, Rickman 2001). Similarly and quite often COTS equipment does
not seamlessly integrate with other COTS equipment, and ‘glue’ and/or ‘wrapper’ software is
required to effect the actual systems integration (Walden 2007). This software is typically
supported, within large systems engineering projects, by a single software entity often called a
Data Server or more recently as an Integration Backbone (Raytheon 2009).
CASE STUDY METHOD
A literature review was conducted to discover the current and historical scope of the systems
engineering domain. This literature review also covered the known failings apparent in
systems engineer training, particularly with reference to the transition from systems
engineering in-the-small to systems engineering in-the-large. The result of the literature
review has already been presented within the Background section of this paper.
Industrial systems engineering processes and the actual industrial practices, that the primary
author has been privy to, were compared to the practice demonstrated on a small systems
engineering project. The primary author has been closely involved with the Microcosm Stage
One engineering project and also conducted interviews with the participants to understand
their practices during the project. Judgement was made as to whether the industrial systems
engineering processes could have alleviated the issues encountered by the Microcosm Stage
One project systems engineers. For a description of the Microcosm Stage One project, see
Mansell et al. (2008).
CASE STUDY RESULTS
The Microcosm programme (Mansell et al. 2008) has commenced the development of a
systems engineering ‘sandpit’, using robot vehicles and airships, to teach necessary theory
and skills to systems engineering students. The case study used the Microcosm programme as
an example of systems engineering in-the-small and contrasted this program against various
industry projects such as the Air Warfare Destroyer (AWD), Jindalee Operational Radar
Network (JORN) and the Collins Replacement Combat System (RCS) projects which
represented systems engineering in-the-large. The comparison was made by the primary
author who has in excess of thirty years engineering experience.
Results – Systems Engineering Process
In the absence of a formal systems engineering procedure, an industrial process was heavily
tailored and captured as a series of activities described within a Project Management Plan
(PMP) on behalf of the Microcosm systems engineers by an industry experienced systems
54
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
engineer. The Work Breakdown Structure (WBS) contained within this industrial PMP
proved to be too ambitious for the project schedule. This industrial PMP was abandoned and
a lighter-weight PMP was developed by the staff who would be actually executing the
Microcosm Stage One project. During the planning stage the Microcosm systems engineers
were introduced to several tools (e.g., project scheduling software, the WBS concept) that not
all members of the team were familiar with. This familiarisation process took time from the
schedule.
The industrial PMP referenced 95 activities in a WBS, which was reduced to 31 activities in
the lighter-weight PMP. A corresponding reduction in effort saw the estimate of effort reduce
from 3.01 person years to 1.09 person years. The Microcosm Stage One project was
completed with an expenditure of 1.31 person years but as was noted above, some time was
lost in tool familiarisation, which was not accounted for within the project schedule and some
rework was also required to progress the project.
The systems engineering process actually used by the Microcosm Stage One project was to
conduct a needs analysis; develop a number of indicative scenarios; develop the system
architecture; conduct requirements analysis followed by; system design; system
implementation (i.e., build); system integration; and system test and evaluation. The needs
analysis was informally communicated to the participants by a PowerPoint presentation and
formally tracked using an Excel template developed to support the needs analysis activity
(Shoval et al. 2008).
The scenario definition (which were labelled as ‘use cases’ by the Microcosm systems
engineers) broadly consisted of: (1) provision of a systems engineering environment; (2)
provision of post graduate courses; (3) investigation of human-machine interfaces; (4)
autonomous vehicles research; (5) investigation of model-based systems engineering
approach; and (6) a demonstration of the robot vehicle’s operation.
The Microcosm Stage One architecture describes three systems, i.e.; the Modelling and
Simulation Control system; Microcosm Information Management system; and the Microcosm
Physical system. The system architecture was described using the Department of Defense
Architecture Framework (DoDAF): High-Level Operational Concept Graphic (OV1),
Operational Node Connectivity Description (OV2), Systems/Services Communications
Description (SV2) and functional flow diagrams.
The systems requirements were not formally captured but were presented on PowerPoint
slides during the Microcosm Stage One preliminary design review (PDR). The system design
was developed (extensively individually) by the relevant systems engineers and was jointly
presented during the PDR. Similarly, the system implementation, and system test and
evaluation were extensively developed by the responsible systems engineers.
The Microcosm Stage One system-of-systems was ‘sold off’ against a demonstration of the
sixth scenario (i.e., robot vehicles operation scenario), in the absence of any formally recorded
systems requirements. The first five scenarios defined by the scenario elucidation phase were
55
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
considered outside of the scope of the Microcosm Stage One project and hence were not
applicable to the ‘sell off’ of the Microcosm Stage One project.
Results – Lessons Learnt
The Microcosm Stage One project suffered from some rework, which resulted in a number of
lessons learnt by the Microcosm systems engineers (Do et al. 2009). The lessons learnt that
were documented by the Microcosm systems engineers are broadly grouped as: (1) program
management; (2) specialty engineering; and (3) COTS equipment related. In addition, lessons
learnt were also extracted during interviews with the Microcosm systems engineers and it
became apparent that they were dissatisfied with the level of their system documentation
effort and also with their system engineering risk assessment. As Colwell (2002) notes, large
systems require some considerable time to complete but that at completion the methods and
tools, successfully used on the project, may now be obsolete, necessitating that we continually
learn from our systems engineering endeavours.
The project management issues included but were not limited to the under estimation of work
effort, particularly the testing effort, consequently the project suffered from lack of staff
resources and project documentation suffered. The general work effort estimation and
specifically the testing effort estimation was acknowledged as being due to the inexperience
of the Microcosm system engineers who developed the schedule. Industry would typically
employ seasoned systems engineers who would also have access to historical data that could
be employed to support the effort estimates. Industry has learnt and continues to learn the
importance of allocating sufficient systems testing effort. For instance the Hubble telescope’s
early problems were partly due to inadequate systems testing (Colwell 2002) and
Constantinides (2003) states that the Mars Climate Orbiter and Mars Polar Lander were both
lost due to inadequate system testing.
The specialty engineering issues include but were not limited to configuration management,
system modelling and safety. The Microcosm Stage One project suffered during system
testing as it was difficult for the Microcosm systems engineers to identify tested software
modules from those software modules that were being actively modified. Industry recognises
this problem as a configuration management issue and implements configuration management
processes specifically to deal with this issue. The Microcosm systems engineers discovered
during system testing that their robot vehicle’s localisation software was unable to cope with
measurement inconsistencies introduced by the environmental conditions (i.e., uneven floor
surfaces). Industry would develop a system model which would, depending on the fidelity of
the model, could be expected to predict such issues as positional measurement
inconsistencies. Again during system testing, the robot vehicle went ‘rogue’, which could
have resulted in damage to the robot before manual action was forthcoming to secure the
robot vehicle’s motion. Industry would have employed a safety engineer whose task it would
have been to consider safety as a project risk. However, all of these industrial solutions are
applicable to systems engineering in-the-large and are of a lesser importance to systems
engineering in-the-small as demonstrated by the successful completion of the Microcosm
Stage One project.
56
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Industry have used systems engineering policy documents such as ISO/IEC 15288 (2002)
and MIL-STD-499C-Draft (2005) to develop their systems engineering process and as such
have empowered specialty engineers such as dedicated configuration management engineers
to manage project artefacts; modellers to model the proposed system architecture within the
real environment to validate the system design; and safety engineers to ensure that the system
design is safe to operate and does not cause unintentional damage. In the absence of a model
for the system processing performance requirements, the processing capability of the system
architecture was only found to be inadequate during system testing. Similarly, in the absence
of a functional executable model (i.e., simulator) the Microcosm systems engineers realised a
schedule slip when the COTS equipment failed and could not be repaired in a timely fashion.
The Microcosm systems engineers, who were under considerable schedule pressure at the
time, were not able to adequately document their system architecture and there is some
evidence that a hierarchical system architecture that affords ‘full instrumentation’ (i.e.,
adequate test points) was not achieved. Full instrumentation was an initial requirement for
the system architecture, see Mansell et al. (2008). Industry continues to learn these lessons
too. Beutelschies (2002) states that the loss of the Mars Climate Orbiter was due in part to the
lack of documented project-level decisions and lack of documented system architecture.
The COTS equipment demonstrated issues relating to a miss-match between asynchronous
and synchronous messaging; a disconnect between expected and actual measurement units;
and processing performance. In addition, the Microcosm systems engineers showed
frustration at their inability to access and hence modify the COTS equipment’s software.
Learning that COTS equipment must be handled as though it was a ‘black box’ was a useful
lesson as textbooks typically allocate very few pages to discussing COTS equipment.
However, industry too continues to learn from the use of COTS equipment. Colwell (2002)
recounts the loss of the Mars Climate Orbiter was actually due to a disconnect between units
of measurement and Lann (1997) argues that the loss of the Ariane 5 flight 501 was due to the
inappropriate reuse of the Ariane 4 software for use on a different rocket, supporting an
extensively different mission.
ANALYSIS
The industrial PMP was rejected on the grounds of its inability to support the imposed
schedule constraints of the project in favour of a lighter-weight PMP. Consequently the
lighter-weight PMP did not address certain activities, the presence of which would have been
able to militate against the potential for rework. This potential was realised and some rework
did occur. However, the lighter-weight PMP was obviously sufficient to complete the
Microcosm Stage One project and hence the possibility exists that the Microcosm systems
engineers, who used the lighter-weight PMP, may not necessarily appreciate the value of the
industrial PMP when scaling up for more complex projects.
CONCLUSIONS
We need to teach our fledgling systems engineers the systems engineering process, expose
them to systems engineering procedures and methods, and give them access to relevant tools.
57
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
This exposure should be sufficient for them to recognise a systems engineering problem and
decompose it into necessary activities, and for the systems engineering student to be confident
enough to tailor the systems engineering process to meet the particular system development.
However, specifically from the experiences gained during the Microcosm Stage One project,
systems engineers need to be taught that there are inherent differences between systems
engineering in-the-small and systems engineering in-the-large and as a minimum these
differences are:
x
x
x
x
x
x
Systems engineering processes that are used for small system developments may not
necessarily work for large system developments.
Students need to practice effort estimation with exposure over many projects.
Students need to be given exposure to project management tools.
Students should be taught how to manage subcontractors.
Students need to be taught how to work in a team, document their work for the team
and to use strong Configuration Management processes that ensure that the team has
access to project artefacts in a known state.
Students need to be taught that they can’t expect to do every systems engineering task
proficiently, and that they should expect to specialise in some area of systems
engineering and be supportive of the team that culminates to provide the collective
systems engineering proficiencies.
Systems engineering students also need to be counselled that they need a full decade of
education and employment working as a systems engineer, before they can validly claim
the title of “Systems Engineer”.
REFERENCES
Ai, X.; and Zhang, Z. (2008) Study on Results-Oriented Systems Engineering (ROSE),
International Seminar on Future Information Technology and Management Engineering
ANSI/ITAA EIA-632 (2003) Processes for Engineering a System, Information Technology
Association of America (GEIA Group)
Asbjornsen, O. A.; and Hamann, R. J. (2000) Toward a Unified Systems Engineering
Education, IEEE Transactions on Systems, Man and Cybernetics, part C: Applications and
Reviews
Boarder, J. (1995) Systems Engineering as a Process, IEEE Systems Engineering for Profit
Boyle, A.; and Kaldos, A. (1997) Using Robots as a Means of Integrating Manufacturing
Systems Engineering Education, IEE Colloquium on Robotics and Education
Brown, D. E.; and Scherer, W. T. (2000) A Comparison of Systems Engineering Programs in
the United States, IEEE Transactions on Systems, Man and Cybernetics, part C: Applications
and Reviews
58
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Chase, W. P. (1966) System Design: Basic Realities and Common Myths, IEEE Transactions
on Aerospace and Electronic Systems, vol: 2, no: 4
Concalves, D. (2008) Developing Systems Engineers, Portland International Conference on
Management of Engineering & Technology
Dahmann, J.; and Baldwin, K. (2008) Understanding the Current State of US Defense
Systems of Systems and the Implications for Systems Engineering, IEEE International Systems
Conference
Do, Q.; Campbell, P.; Shoval, S.; Berryman, M. J.; Cook, S.; Mansell, T.; Relf, P. (2009) Use
of the Microcosm Environment for Generating a Systems Engineering and Systems
Integration Lessons Learnt Database, Improving Systems and Software Engineering
Conference
George, L. (2007) Engineering 100: An Introduction to Engineering Systems at the US Air
Force Academy, IEEE International Conference on Systems of Systems Engineering
Hellestrand, G. R. (1999) The Revolution in Systems Engineering, IEEE Spectrum, vol: 36,
issue: 9
IEE (2004) http://www.engtrends.com/IEE/1004D.php (accessed: 15May09)
IEEE (2000) Overview: What is Systems Engineering?, IEEE Aerospace & Electronic
Systems Magazine, Jubilee issue
IEEE Std 1220 (2005) IEEE Standard for Application and Management of the Systems
Engineering Process, IEEE
INCOSE (2009) Systems Engineering Scope Definition
http://www.incose.org/practice/shatissystemseng.aspx (accessed: 15May09)
ISO/IEC 15288 (2002) Systems Engineering – System Life Cycle Processes, International
Standard Organisation
Lee, D. M. (2007) Structured Decision Making with Interpretive Structural Modeling (ISM):
Implementing the Core of Interactive Management, Sorach Inc. Canada, ISBN: 0-9684914-13
Lewkowicz, P. E. (1988) Effective Systems Engineering for Very Large Systems: An Overview
of Systems Engineering Considerations, Digest of the Aerospace Applications Conference
Lightfoot, R. S. (1996) Systems Engineering: The Application of Processes and Tool in the
Development of Complex Information Technology Solutions, Proceedings of the International
Conference on Engineering and Technology Management
McQuay, W. K. (2005) Distributed Collaborative Environments for Systems Engineering,
IEEE Aerospace and Electronic Systems Magazine
59
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Mann, L. M. W.; and Radcliffe, D. F. (2003) Using a Tailored Systems Engineering Process
Within Capstone Design Projects to Develop Program Outcomes in Students, 33rd Annual
Frontiers in Education
Mansell, T.; Cook, S.; Relf, P.; Campbell, P.; Do, Q.; Shoval, S.; and Ross, C. (2008)
Microcosm – A Systems Engineering and Systems Integration Sandpit, Asia-Pacific
Conference on Systems Engineering
Meilich, A. (2005) Systems of Systems (SoS) Engineering & Architecture Challenges in a Net
Centric Environment, IEEE/SMC International Conference on System of Systems
Engineering
MIL-STD-499C-Draft (2005) Systems Engineering, Department of Defense
Mindock, J.; and Watney, G. (2008) Integrating System and Software Engineering Through
Modeling, IEEE Aerospace Conference
National Academics Press (2008)
http://books.nap.edu/openbook.php?record_id=12065&page=54#p200140399960054001
(accessed: 15May09)
Newman, I. (2001) Observations on Relationships between Initial Professional Education for
Software Engineering and Systems Engineering – A Case Study, Proceedings of the 14th
Conference on Software Engineering Education and Training
Pope, R. L.; Jones, K. W.; Jenkins, L. C.; Ramsev, J.; and Burnham, S. (2006) History of
Science and Technology Systems Engineering: The Histner, IEEE/AIAA 25th Digital Avionics
Systems Conference
Raytheon (2009) http://www.raytheon.com/capabilities/products/dcgs/ (accessed: 18May09)
Rebovich, G. (2008) The Evolution of Systems Engineering, 2nd Annual IEEE Systems
Conference
Rickman, D. M. (2001) Model Based Process Deployment, 20th Conference on Digital
Avionics Systems
Shoval, S.; Hari, A.; Russel, S.; Mansell, T.; and Relf, P. (2008) Design of a Systems
Engineering Laboratory Using a Scenario Matrix, Six Annual Conference on Systems
Engineering Research
Stevens, R. (2008) Profiling Complex Systems, 2nd Annual IEEE Systems Conference
Thissen, W. A. H. (1997) Complexity in Systems Engineering: Issues for Curriculum Design,
IEEE International Conference on Systems, Man and Cybernetics
Walden, D. D. (2007) The Changing Role of the Systems Engineer in a System of Systems
(SoS) Environment, 1st Annual IEEE Systems Conference
60
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Watt, D.; and Willey, K. (2003) The Project Management – Systems Engineering Dichotomy,
Engineering Management Conference, Managing Technological Driven Organizations: The
Human Side of Innovation and Change
61
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
This page intentionally left blank
62
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
SOFTWARE ENGINEERING
63
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
This page intentionally left blank
64
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
REQUIREMENTS MODELLING OF BUSINESS WEB
APPLICATIONS: CHALLENGES AND SOLUTIONS
Abbass Ghanbary,
Consensus Advantage,
E-mail: abbass.ghan[email protected]
Julian Day,
Consensus Advanatge
Email: [email protected]
ABSTRACT
The success of web application development projects greatly depend upon the accurate capturing of the
business requirements. This paper discusses the limitations of the current modelling techniques while capturing
the business requirements in order to engineer a new software system. These limitations are identified by
modelling the flow of information in the process of converting user requirements to a physical system. This
paper also defines the factors that influence the change in business requirements. Those captured business
requirements are then transferred into pictorial and visual illustrations in order to simplify the complex project.
In this paper, the authors define the limitations of the current modelling techniques while communicating those
business requirements with various stakeholders. The authors in this paper also review possible solutions for
those limitations which will form the basis for a more systematic investigation in the future.
KEYWORDS: Modelling, Tools, Business requirements, Policies, Analyst, Testing, Process, Quality
1. INTRODUCTION
There have been significant advances in the modelling theory and modelling tools in
practice within past few decades to provide clearer presentation of the required web system.
The success of web application development projects greatly depends upon the accurate
capturing of the requirements. The analysis of the business requirements and appropriate
modelling (of those requirements) leads to the correct design of the new system. The
analysis and design of the new system can be classified as one of the most complex human
activities since the analyst and designer need to intellectually identify the requirements,
cope with the complexity and develop a new system that can satisfy those elaborated
requirements.
Modelling helps us to understand the reality of the existing system applications and
processes and create newer reality in order to develop new systems [8]. Business Analyst
(BA) starts the process of gathering and modelling the requirements of the system. The
understanding and documentation of the BA is extended iteratively and incrementally into a
solution level design [9]. The modelling plays an important part in the System Development
Life Cycle (SDLC). Every model is an abstraction of reality [7]. The modelling tools
present the business requirements as a pictorial illustration that can be visually reviewed.
The generated model should enable the people (user, business (client) as well as the
development team (Analyst, Designer and Programmer)) to identify the problem, propose
solution, recognize the behavior of the system and plan how to implement the proposed
solution.
65
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
The introduction of an information system to an organisation results in changes to
their business processes, which in turn causes changes to the implemented information
system [3]. At the same time there are numerous concerns due to the limitation of the
current modelling techniques since various stakeholders can translate and understand these
pictorial and visual illustrations in various ways. In current modelling techniques, a minor
change in business requirements can also have a massive impact on the project specifically
if the analysis and design of the system are in the parallel mode and happen simultaneously.
These issues have massive impact on the quality of the developed system. This
paper discusses the factors that impact on business requirements and identify the limitations
of the current modelling techniques and provides the solution for those limitations.
2. COMMUNICATING BUSINESS REQUIREMENTS
Project planning facilitates and supports the development of web applications based on
corresponding business requirements and changes to those business requirements. In
order to assure the quality in SDLC, the people (internal and external) with various sociocultural backgrounds must have a similar understanding of the business requirements and
modelling techniques. This is so because almost always the requirements emerge as the
most important factor from the user’s viewpoint in terms of their perception of quality.
Requirements also play a crucial role in scoping, planning and executing the project. The
communication of business requirements has two main aspects. The first aspect is the
information loss during the communication and the additional changing factors (internal and
external) to original business requirements. Figure 1 present the flow of business
requirements and demonstrate the line of communication for the business requirements. The
business requirement can get lost or corrupted during this transformation.
Aspect 1- Information loss:
The Flow of Business Requirements in SDLC
System Users
Business Analyst,
Designer, Developer
and Test Team
Business
(Client)
Time and Budget
Developed System
Figure 1. The Flow of Business Requirements in SDLC
66
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
2.1. System Users
The user in computing context is classified as people who use a computer system in order to
perform their daily activities to complete a business process. The user of the technology
adds value to the business (client) by improving efficiency, reducing costs, increasing
revenue, and creating stronger relationships with organisation and their clients. The user has
a major impact on the business requirements in SDLC as they are end users of the system
under the development. The user can also be classified as the trigger for SDLC because
these people identify the shortcomings of the current business process. The user has impact
on SDLC before and after the product is developed.
2.2. Business (Client)
Business (client) as a structured and organized entity identifies the need for the new system
to increase quality and profit. In SDLC, business evaluates the need for the new system by
assessing the cost and time involved while determining the benefits such as improving the
profit and/or service. The business is in direct contact with the user in order to determine the
requirements and dictating them to business analyst. The business must have clear
understanding of the requirements and transfer them correctly in order to achieve the
maximum quality in SDLC.
2.3. Time and Budget
Time and budget plays a major role in SDLC specifically in the business requirements. The
time and budget change the scope of the project which impacts on the scope of the business
requirements by moving the less important requirements to the future phases of the project.
2.4. Business Analyst, Designer, Developer and Tester Team
Business analyst, designer, developer and tester team alongside of the business (client) must
ensure that they have the same level of understanding in all stages of the SDLC. This
quality assurance currently is achievable by running numerous workshops based on the
modelling document to make sure all the business requirements are captured and the
involved people are in the same level of understanding.
These numerous workshops are required because various people involved in the
project are coming from different background and the modelled requirements (UML, EPC,
OPEN…..) do not make sense to everyone. The consultants or business analyst must
translate the documents to the business as well as the developers to make sure everybody
has the same understanding of the created document.
2.5 Developed System
The developed system will go under intense testing for the quality assurance by the
qualified system tester, business and the users before entering the next cycle if required.
67
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
However, there are so many other issues that influence the quality of the project that
complicates the situation in SDLC such as rapid change of the business requirements.
Aspect 2- Additional factors changing the business requirements
Figure 2 presents additional factors that impact on business requirements mentioned earlier
and may lead to changes in these requirements. The organizational and Government
policies, roles and regulations might be known to the business (Client) as well as the
development team. The development team as well as the business analyst must be aware of
limitations of the technology and must have a good knowledge of the enterprise architecture
(architecture of the system). The business analyst is also responsible to inform the business
(client) if the requirements alter due to these issues. The architecture of the system also has
a big impact on performance of the system. In many cases, the business requirements can be
delivered but the existing architecture of the enterprise is unable to cope with the load and
as a result the system might crash.
The Dynamic Nature of the Business Requirements in SDLC
Organisation's
Government's
Policies, Roles and Policies, Roles and
Regulations
Regulations
Enterprise
Architecture
System Users
Business Analyst,
Designer, Developer
and Test Team
Business
(Client)
Limitation of
Technology
Time and Budget
Developed System
Figure 2. Other Factors Impacting the Business Requirements in System
Development Life Cycle
2.6. Government’s Policies, Roles and Regulations
The legal issues also play an important role in business requirements and it is the
responsibility of the business as well as the business analyst to identify those Government
policies. As an example, if company A wants to develop a system to sell a product to the
68
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
employee of the company B while the funds are transferred directly through the salary
office of the company B, the company A must ensure that the taxation office approves such
a transfer of funds.
2.7. Organisation’s Policies, Roles and Regulations
The internal roles and policies of the organisations are important factors in changing the
business requirements. Referring back to the previous example, what happens to the system
under development, if the company A has the policy of not having the right to keep the
details of the company B in their database? The business, business analyst and designer
must identify these issues to either find a solution or change the business requirements.
2.8. System Architecture of the Organisation
Every individual organisation has their own system architecture designed based on the level
of their non-functionality requirements such as performance, security, implementation,
maintenance and reusability. In relation to our previous example, if the company A must
reveal some data of the company B employee to the finance department while these data is
not stored in the Company A’s database due to the organisational policy. The business
requirements have to be changed hence the organisation’s role has not allowed the database
of the employee’s in company B to be registered inside the architecture of the Company A
system. The developed system must access the database (Holding the details of Company
B’s employee) outside of the firewall and forward it to the finance company. If the
Company B is not allowing the data to be stored outside of the firewall then the business
requirements has to be changed.
2.9. Limitation of Technology
The limitation of technology also has a major impact on the business requirements. The
business might have requirements while the technological capability does not exist. The
research and development contributing and identifying these limitations and provide the
solution based on these business requirements.
The request of a system users or the pressure on the organisation initiates a request for a
new system or the changes to an existing system. The user might identify the limitation of
the existing system (which could be classified as a need for any system) and at the same
time organisation might identify the need to change or create a new system based on the
existing weakness (internal to the organisation) and threats (external to the organisation).
The modelling must ensure that user requests are considered, the specific problem is
identified, the purpose and the objectives of the new system is clearly demonstrated and the
constraints in providing the solution to the business requirements have been registered. The
following section discusses the limitation of the current modelling techniques.
3. LIMITATION OF THE CURRENT MODELLING TECHNIQUES
Business requirements are modelled using the formalisms (such as UML activity,
class, use case implementation, communication and state diagrams) these definitions
69
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
can rarely be understood by key business stakeholders or even business analysts [1].
The current software development techniques such as Rational Unified Process
(RUP), Object-oriented Process, Environment and Notation (OPEN), Process
Mentor and SAGE-II play a crucial role in the success of web development projects.
However the following limitations were identified based on the existing literature
and authors experience working on the various projects [11] [12] [13] [14]. A new
modelling tool is needed for representation of requirements that is understood by
end users as well as system analyst and developers considering that UML does not
meet the capability and interest of end users while project lacks from incomplete
requirements validation [4]. This tool must be reliable, flexible, modifiable, reusable
and must be capable of transferring and communicating the complexity that is
understandable by every one. The observation and investigation of the current
modelling techniques in practice revealed that the current modeling techniques are
unable to fully capture the business requirements as well as communicating it to the
developers and the client. These limitations of the current modelling tools consist of
the followings:
1.
The current modelling tools are unable to present the overall view of the
required system.
The current modelling techniques do not provide a diagram to picture the overall
requirement of the system. The current existing diagrams demonstrate the piece or
one business process at a time considering that a system is supporting multiple
business processes. A minor change in business requirements might have a big
impact on architecture of the information changing all the created design. In the
current modelling tools, the analyst and designer can not easily trace and evaluate
the impact of any change on the remaining structure of the system.
2.
The purpose for some of modelling tools are not explained as an example
how an activity diagram helps the developer to create a system.
The current modelling diagrams are providing a pictorial illustration of an
individual task or a business process. The literature does not define how this
pictorial illustration will lead to coding a program. The diagrams facilitate to
breakdown the problem to smaller pieces and visually present them in order to just
communicate the business requirements. The literature does not identify how these
diagram leads and facilitates the developers to actually code a system.
3.
There is no testing on current modelling to understand whether the analyst
has captured the right functionalities. The testing only takes place after the
system is developed.
In the current SDLC, the analyst and designer capture the business requirements by
reading the available documentation and through intense discussion by business and
70
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
the system users. The result of the discussion and reading the documentation are
modelled in various ways that is not understandable by the business (client). The
business (client) must sign a document that is not easily understandable since they
are unfamiliar with the concept. The client realises the impact of the signed
document when the actual system is developed. There should be a mechanism in
place that business can run a test (on prototype) to make sure that the analyst and
designers have captured the correct requirements.
4.
Lack of proper standardisation leading to numerous workshops in order to
understand the functionalities.
In the current environment, there is not a unique way of capturing the business
requirements since the understanding of the people are different. These limitations
of the standards lead to the workshops and meetings to bring all the various
stakeholders in to the same level of understanding. The details of the created
documents in many ways can be translated only by the business analyst or the
person responsible for creating the documentation.
5.
Lack of understanding in which tool belong to which space. For example,
the activity diagram is part of problem or solution space.
There is a big ambiguity in understanding what tools belong to what phase of the
development life cycle. In other words, while capturing the business requirements
should the analyst just concentrate on analysis or at the same time they should
identify the solution.
6.
Lack of support in defining the non-functionality requirements.
There is a big misunderstanding in order to identify when capturing the functionality
requirements finishes and the non-functionality requirements starts. Currently, there
is no place to define the non-functionality requirements in the use cases. The nonfunctionality requirements should be added as an additional row in the use case
description.
7.
Lack of understanding on how these modelling techniques lead to coding.
The current modelling techniques facilitate to breakdown the problem into smaller
pieces while it is not very clear how it will lead to coding. The only available
diagram that actually leads to coding is the class diagram. The class diagram
depending on the maturity level can be divided in to Analysis class diagram and
Design class diagram. Identifying the classes and the relationship of those classes
can be classified as the Analysis class diagram. The completion of the attributes and
methods transfer the Analysis class diagram to the Design class diagram. The design
class diagram should clearly demonstrate the expected behaviour of the system and
remaining UML diagrams must show the behaviour of the system in various stages
71
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
of the web system development while the system is actually coded and it is
developed.
8.
The current modelling techniques do not prioritise the processes.
The prioritisation of the business processes specifically while re-engineering is
happening can be classified as the most crucial factor for the “success” and
“Failure” of the project. Majority of the re-engineering studies and projects mainly
deal with those core business processes that actually generate profit. The current
modelling techniques do not support these prioritisations. There should be a
mechanism in place to support ranking of the business processes and classify their
significance impact on development of the web system.
9.
Complexity of the process complicates the situation by producing a
confusing model.
The current modelling diagrams become more complicated as the project becomes
more complex. This creates more confusion for the involved parties (Business, user,
analysts, designers and developers). The complexity increases when the tools such
as Visio or Rational Rose can not support the length and complexity of the
document and have to move to the next page.
10.
There are no clear definitions as to which tool is better for which specific
project
There should be a unique way to understand which of the current modelling
techniques are better to address the specific project based on the complexity and
related tasks and activities.
Modelling should enable decision makers to filter out the irrelevant
complexities of the real world, so the effort can be directed toward the most
important parts of the system under study [2]. The above explanation identifies that
while various modelling tools have been used in the industry the maximum benefits
have never been achieved due to the explained limitations. The following section
provides some solutions for these current shortcomings of the modelling techniques
as far as the capturing of the business requirements are concerned.
4. ENHANCEMENT IN CAPTURING BUSINESS REQUIREMENTS
There have been numerous studies by [5] [6] [10] proposing various construction
processes to overcome problems while capturing the business requirements. The
correct capturing of the business requirements facilitate to make the correct
decision.
In order to minimize the errors while capturing the business requirements
and provide all stakeholders (with various backgrounds) with the similar
72
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
understanding of the captured requirements, the we have reviewed the following
possibilities.
1.
Create a prototype.
The pictorial modelling could be reduced if a prototype is created based on the
textual capture of the business requirements. The prototype could be enhanced as
more information is achieved. The business can see the sample of the product while
the developers can easily improve on the existing prototype to create the new
system. This solution is currently being used in agile software development
environment. In case of the complex system, the various prototypes can be created
for the sub-systems. The creation of the screen design allows the business to
understand all the needed attributes, commands and screen format are correct while
they can also evaluate the possible performance of the system.
2.
Identify when, and how information get lost or corrupted.
There should be a mechanism in place to identify how the information are getting
lost, misplaced or corrupted when they are transferred from user, business to the
development. The loss of information or developing a system based on the
corrupted information result in a system that is unable to perform the desired task
which eventually caused the failure of the project.
3.
Look at implemented mistakes (communication modes: text, hypertext,
images, animation, video and audio).
Recording the minutes, communications and meeting allows us to make sure the
right requirements have been captured. These requirements can then be translated in
the form of text, hypertext, images, animation, videos and audios to make sure the
correct requirements have been captured before moving to the design phase of the
new system.
4.
Trust within involved parties.
Trust also plays an important part amongst human interaction. Our life is based
upon our trust otherwise is almost impossible to survive in the society. Similar
pattern and procedure applies when the requirements are transferred. It is very
important for all parties to trust each other otherwise is almost impossible to
develop a new system capable of performing its desired task.
5.
Mixture of existing models.
The mixture of the existing modelling tools such as UML, OPEN, Process Mentor
and Business Process Management Notation (BPMN) might be able to cover the
limitation of the current individual modelling tools. Additional research and
73
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
investigation is required to understand whether this combination could address the
shortcomings of the current modelling techniques.
6.
Partitioning to sub problems.
Breaking down the problems and partitioning them into various sections allows the
modeller to have a better control over them. This technique might ensure that the
information is not lost, misplaced or corrupted. This fact can be achieved by
dividing the functional requirements in to various parts and create a dependency
document for further traceability.
7.
Identification of the similar patterns required in every system (User access
level, …).
The business analyst should identify the similar pattern required in every system and
manage to use them rather than creating those requirements from scratch. For
example, if a system needs a private webpage, the analyst should be able to use
Access Control functionality and modelling. The modelling should be capable for
providing the stakeholders with traceability in order to distinguish the functional
dependency.
5. CONCLUSIONS
The importance of the modelling was described in this paper followed by the important
aspects of the System Development Life Cycle (SDLC) as far as the capturing of the
business requirements are concerned. The limitation of the current modelling techniques
while presenting those captured requirements was identified. As a result of those identified
shortcomings of the modelling tools, some possibilities were reviewed. However, further
research is in progress to construct and re-construct the new modelling tools in real projects
within the various industries. The future research area is classified as followings:
1: Evaluate of various modelling techniques in real projects (UML, OPEN, Process
Mentor....) in order to demonstrate how they link to the proposed limitations.
2: Individually test each limitation against each modelling techniques.
3: Based on each identified limitations (on each modelling techniques) propose and test the
possible solutions in order to identify the need and develop new modelling technique.
4: Identifying the cost and feasibility of the solution.
5: Problem-specific decisions related to solutions.
6: Required enhancement and modifications acceptance.
7: How modelling could take place in terms of the information flow.
74
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
REFERENCES
[1] Dubray, J.J. (2007). “ Composite Software Construction). USA. C4Media Incorporation. ISBN:
978-1-4357-0266-0
[2] Giaglis, G. M., A “Taxonomy of Business Process Modelling and Information Systems
Modelling Techniques”. The international Journal of Flexible Manufacturing Systems, 13 (2001):
209-228. © Kulwar Academic publishers, Boston.
[3] Ginige, A. “Aspect Based Conceptual Modelling of Web Applications”. Proceedings of the 2nd
International United Information Systems Conference UNISCON 2008, Klagenfurt, Austria, April
2008. pp.123-134
[4] Kop, C. & Mayer, H. C., “Mapping Functional Requirements: from Natural Language to
Conceptual Schemata”. Proceedings of 6th IASTED International Conference Software Engineering
and Applications. Cambridge, USA. Nov 4-6, (2002),.PP. 82-88.
[5] Leite, J.C.S. & Hadad, G.D.S. & Doorn, J.H. & Kaplan, G.N., “A Scenario Construction
Process”, Journal of Requirements Egineering, Vol. 5 No. 1, 2000, Springer Verlag, , pp. 38–61.
[6] Rolland, C. & Achour, C. B., Guiding the Construction of Textual Use Case Specifications, Data
& Knowledge Engineering Journal, Vol. 25 No 1-2, 1998, North Holland Elsevier Science Publ., pp.
125–160.
[7] Teague, L. C. & Pidgeon, C. W. (1991). “ Structured Analysis Methods for Computer
Information Systems”. Macmillian Publishing Compnay. ISBN: 0-02-946559-1
[8] Unhelkar, B. (2005). “Practical Object Oriented Analysis”. Thomson Social Science Press. ISBN:
0-17-012298-0.pp: 15
[9] Unhelkar, B. (2005). “Practical Object Oriented Design”. Thomson Social Science Press. ISBN:
0-17-012299-9.pp: 3
[10] Zhu, H. & Jin, L., “Scenario Analysis in an Automated Tool for Requirements Engineering”,
Journal of Requirements Engineering, Vol. 5 No. 1, 2000, Springer Verlag, pp. 2 – 22.
[11] http://www-306.ibm.com/software/rational/offerings/ppm/. Downloaded: 2/07/2008
[12] http://www.processmentor.com/Architecture/Default.aspx. . Downloaded: 2/07/2008
[13] http://www.dialog.com.au/content/view/28/45/. Downloaded: 2/07/2008
[14] http://www.open.org.au/. Downloaded: 2/07/2008
75
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
This page intentionally left blank
76
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
DESIGN UNCERTAINTY THEORY - Evaluating Software System
Architecture Completeness by Evaluating the Speed of Decision
Making
Trevor Harrison1, Prof. Peter Campbell1, Prof. Stephen Cook1, Dr. Thong Nguyen2
1
Defence and Systems Institute, 2Defence Science and Technology Organisation
Contact: [email protected]
ABSTRACT
There are two common approaches to software architecture evaluation [Spinellis09, p.19].
The first class of evaluation methods determines properties of the architecture, often by
modelling or simulation of one or more aspects of the system. The second, and broadest,
class of evaluation methods is based on questioning the architects to assess the architecture.
This research paper details a third, more fine-grained approach to evaluation by assuming an
architecture emanates from a large set of design and design-related decisions. Evaluating an
architecture by evaluating decision making and decision rationale is not new (see Section 3).
The novel approach here is to base an evaluation largely on the time dimensions of decision
making. These time dimensions are (1) time allowed for architecting, and (2) speed of
architecting. It is proposed that progress of architecture can be measured at any point in time.
For example: “Is this project on track during the concept development stage of a system life
cycle?” The answer can come from knowing how many decisions should be expected to be
finalised at a particular moment in time, taking into account a plethora of human factors
affecting the prevailing decision-making environment. Though aimed at ongoing evaluations
of large military software architectures, the literature review for this research will examine
architectural decisions from the disciplines of systems engineering, information technology,
product management and enterprise architecture.
1 INTRODUCTION
The acceptance of software architecture as resulting from a set of design decisions is now
relatively well established. Worldwide, the efforts of six separate communities or researchers
have resulted in proposed updates to an IEEE standard and complementary tools to capture
software architecture decision rationale. A literature review has revealed two blind spots
though. Almost zero references to, and no appreciation of impact from those individual or
team factors and their effects on decision making identified by the psychology and sociology
sciences. (An assumption is made here that humans are making all architectural decisions.)
Another blind spot is the absence of alternative decision-making philosophies such as
heuristic-based architecting found in systems engineering, which recognizes architecting as
an eclectic mix of rationale and naturalistic decision-making methods. This research aims to
77
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
quantify the uncertainty surrounding performance of the decision-making process(es) by
modelling the range/distribution of possible legitimate times taken to finalise different types
of architectural decisions. This will qualify the uncertainty surrounding processes with
inherent variation, and have the capability to quantify a reduction in uncertainty.
Decisions, decision relationships, decision-making strategies, and factors affecting speed of
decision making will be modelled using agent based modelling and simulation. This choice
of modelling allows exploration of the decision interactions and their time dimension
sensitivities. The complex system under study is thus one of architecting. (The authors want
to avoid a “systems thinking disability” [Senge06, p.51] by pulling apart a small piece of a
complex decision-making system only to discover this has destroyed the very system under
study.)
The remainder of the paper is structured as follows: section 2 covers the two time
dimensions of decision making (timing and time period), sections 3 and 4 cover architectural
decisions in general, sections 5 and 6 cover speed of decision making, section 7 covers
modelling of everything in sections 2 through 6. Finally, a challenge to conventional
research methods is revealed in section 8.
2 SIGNIFICANCE OF TIME AND TIMING
Timing refers to the time window when it is most optimal to make a decision. Time period
refers to the optimal period of time to spend on decision making. Both time dimensions have
lower and upper bounds. Decision making outside of these bounds will incur different types
of penalties.
2.1 The Importance of Optimal Timing of Decisions – Avoiding Re-work
Even with a limited set of critical or high priority decisions, the order of decisions can change
the architecture [Rechtin00, p.130] i.e. inappropriate order could mean over-constrained
decisions later on. At first glance, this may speed up decision making by reducing choices
later on. However, schedule overruns in other engineering activities will occur to
compensate for architecture deficiencies. The early detection of decision-making happening
too fast is closely related to the estimation of time to spend on architecting activities.
2.2 The Importance of Optimal Timing of Decisions – Cost of Gathering Information
Quality of decision making is often dependent on the quality of information available to make
decisions. Utility graphs in [Williams09, Fig 2.4] show a cut-off point when the cost of
collecting information exceeds the benefit of quality decision outcomes. Such graphs
quantify a cut-off time for a decision(s) on the most effective solution to a problem, and/or
the choice of concept.
2.3 Optimal Time to Expend On Software Architecture
Regression analysis to calibrate the Architecture and Risk Resolution (RESL) scale factor
from the COCOMO II estimation model [Boehm03, p.221] confirmed the hypothesis that
78
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
proceeding into software development with inadequate architecture and risk resolution will
cause project effort to increase, and that the rework effort increase percentage will be larger
for large projects. Corresponding “sweet spots” have been identified for minimum delay
architecture investment, shown in Figure 1. Less time expended than, or greater time
expended than these “sweet spots” will result in re-work (thus schedule delay) to cater for
deficiencies in a software architecture. NOTE: the larger the size of the software system, the
larger time and effort should be expended in architectural design.
Figure1:MinimumEfforttoAchieveLeastReworkDuetoArchitecturalDeficiencies[Boehm03]
While useful for forecasting, the RESL factor is ineffective as a work-in-progress tracking
measure during the early days of concept definition in major defence projects; architectural
decisions are made at time when very little, if any, code is written. (In the next section, the
authors propose to replace forecasting of thousands lines of code with forecasting the
finalisation of hundreds of design and design-related decisions.)
2.4 Decision Time Lines from Product Management
“Time line” refers to a time period for which a decision outcome/choice is valid. Typically
for product management, this is the same as the “shelf life” for an individual technology
component. For example, for the choice of a personal computer for office use, the decision
time line is approximately three years before the decision needs to be re-visited. Under
Government contracts, protracted or belated decision-making will often shorten a decision’s
time line (because a requirements specification stays fixed).
3
ARCHITECTURE GENRES AND THEIR RECOGNITION OF
DECISIONS
79
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
This section reviews three different types of architecture; enterprise architecture, systems
architecture and software architecture. The key message here is that there are many nontechnical, design-related decisions, which set the context for architectural design.
3.1 Design Decisions in Enterprise Architecture
Drafting of “IEEE (draft) Std P1694 – Enterprise Strategic Decision Management (ESDM)”
is underway to define a standard framework for the enterprise-level management of strategic
decisions. Many strategic decisions set the context for modelling efforts such as architectural
design. The top half of Figure 2 shows a Decision Network template covering
business/strategy decisions, while the bottom half of Figure 2 covers Platform Architecture
Management (PAM) decisions. A Decision Network provides a "50,000 foot" view of the
decision-making process. It serves to focus resources on the most critical decisions and
provides a higher level method of communication concerning a decision-making situation. A
Decision Network provides a set of decisions which serves as a high level decision roadmap
for the entire project. The roadmap provides an analysis plan that helps avoid the common
pitfalls of "diving into detail" and "analysis paralysis". [Fitch99, p.41].
Figure2:DecisionNetworkTemplatefromIEEEStd(draft)P1694whereeachbox/bulletisamajordecision
3.2 Design Decisions in Software Engineering
Kevin Sullivan was the first to claim that many software design decisions amount to
decisions about capital investment under uncertainty and irreversibility [Sullivan96, p.15].
(Uncertainty about future requirements and system-wide qualities in say 10 to 20 years time.)
Design decisions are like “call options”. To bind and implement a design decision is to
exercise an option – to invest in a software asset such as architectural design [Sullivan96,
p.16]. Thus a software architecture can also be viewed as portfolio of options. (There was
80
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
earlier pre-1996 research into decisions for software design, but, there was no recognition of
the time dimension i.e. appropriate timing of decisions.)
3.3 Design Decisions in Systems Engineering
An INCOSE 1996 conference paper [Novorita96] is one example of elevating decisions to be
an equally important artefact as requirements and design models. Novorita’s paper details an
information model underlying a systems development process. The intent of such an
information model is to improve the speed of communication between marketing and
engineering teams. Without such an information model, design information is inevitably
found scattered and duplicated across numerous documents, spreadsheets, PowerPoint slides
and support systems databases such as product help desks. The consequences of this are, for
example, pieces of design information that have no individual owner and no relationship
meta-data existing between the pieces of design information. Figure 3 shows decisions as a
major part of an information model, to bring all design information into one place.
Decisions
Risk
Mgt
Models
Req’s
Tasks
Plans
Documents
Figure3EssentialDatatoSupportRequirements– includesDecisions[Novorita96,Fig.3]
4 INTERCONNECTEDNESS AND INTERACTIONS AMONGST DECISIONS
“A phenomenon, sometimes acknowledged but rarely explicitly investigated is that decisions
interact with one another. “ [Langley95, p.270]
Previous section(s) took a static view of decisions. This section looks at the dynamics of
decision-to-decision relationships. Different types of relationships have different effects on
time, such as appearing to “speed up time” or “freeze time”. This is the first sign of
complexity.
The disciplines of Product Management and Enterprise Architecture have traditionally
revealed strong connections between non-design decisions and architectural decisions.
Architectural decisions for any product are closely linked with decisions about marketing
strategy, manufacturing capabilities and product development management [Ulrich99, p.142].
81
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
A more fine grained view of relationships amongst software architecture decisions
themselves is contained in an ontology by [Kruchten04], shown in Table 1. The names of
these relationships imply time dimension-related effects; time can either be speeded up, or,
time can be frozen.
Table1: Relationships Between Architectural Design Decisions [Kruchten04, pp. 4-6]
Type
Example/Explanation
constrains
“must use J2EE” constrains “use JBoss”
forbids
a decision prevents another decision being made
enables
“use Java” enables “use J2EE”
subsumes
“all subsystems are coded in Java” subsumes “subsystem X is coded in Java”
conflicts with
“must use J2EE” conflicts with “must use .Net”
overrides
“the communication subsystem will be coded in C++” overrides “the whole systems is developed
in Java”
comprises (is made of)
this is stronger than ‘constrains’
an alternative to
A and B are similar design decisions, addressing the same issue, but proposing different choices
is bound to
decision A constrains decision B and B constrains A
is related to
mostly for documentation and illustration reasons
dependencies
decision A depends on B if B constrains A
relationship to external artefact
“traces from” and “does not comply with”
Further research by [Lee08] has attempted to visualise the relationships in Table1.
4.1 Classification of Decision Relationships
There is apparently been no further research since the claim by Ann Langley et al that no
comprehensive theory of decision interconnectedness exists [Langley95, p.270]. Though not
attempting to develop such a theory, the journal article [Langley95] has attempted to work
relationships into a typology shown in Table2.
82
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Table2:TypesofLinkageBetweenDecisions[Langley95,pp.271273]
Sequential Linkages
Lateral Linkages
Concerning the same basic issue at
different points in time.
Dealing with a major issue involves sub
decisions.
Links between different issues being
considered concurrently.
Concurrent decisions are linked as
they share resources.
Nesting Linkage
Snowballing Linkage
Recurrence Linkage
Pooled Linkage
Contextual Linkage
Enabling linkage
Evoking linkage
Precursive Linkages
Cutting across different issues and
different times, as decisions taken on
one issue affect subsequent decisions
on other issues within the same
organization.
Pre-empting linkage
Cascading linkage
Merging linkage
Learning linkage
5 SPEED OF ARCHITECTING (SPEED OF DECISION MAKING)
“Truly successful decision making relies on a balance between deliberate and instinctive
thinking.” [Gladwell05, p.141]
This section presents another time dimension of decision making; speed. Similar to lower and
upper bounds for both time period and timing of decisions, speed of decision making also has
lower and upper limits. These limits vary from individual to individual human decision
maker.
5.1 Speed of Architecting viewed as Short Cuts
The word ‘heuristic’ means to discover. It is used in psychology to describe a method (often
a short cut) that people use to try to solve problems under extremes of complexity, time
pressure and lack of available information [Furnham08, p.116]. Heuristics applicable to
systems architecting are well documented [Maier09].
The field of cognitive systems
engineering [Rasmussen94] demonstrates that a mix of decision-making styles is valid. The
“Decision Ladder” in Figure 4 represents the set of generic subtasks involved in decision
making. States of knowledge are arranged in a normative, rational sequence. There are three
legitimate points in the decision-making process to expedite certain steps based on heuristics.
Heuristic shortcut connections are typical of a natural, not formalised, decision-making style.
Taking heuristic short cuts are heavily dependent on the individual architect’s knowledge,
experience and perspective [Curtis06].
83
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Figure4DecisionLadderwithHeuristicbasedShortcuts[Rasmussen94,p.65]
The more popular short-cuts utilised within software engineering are patterns and pattern
language. A pattern is a specific form of prescriptive heuristic. When a number of patterns
in the same domain are collected together, they can form a pattern language. The idea of a
pattern language is that it can be used as a tool for synthesizing fragments of a complete
solution [Maier09, p.41].
5.2 Speed of Architecting viewed as State Transitions
The state transition chart in Figure 5 clearly has potential for decision-making loops (and
therefore increasing uncertainty about achieving an optimal amount of time to invest in
architectural design) before a particular decision is accepted. A visualising framework called
‘Profuse’ has been used to visualise these particular state transitions over a time period
(known as “decision chronology”). The example in the right hand side of Figure 5 shows
three decision creation or activity sessions over a two-week interval. The state of the
decisions is denoted by the shape: Diamonds are ‘Idea’, circles are ‘Tentative’; and squares
are ‘Decided’.
84
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Figure5–DecisionChronologyofStateTransitions
Combining Decisions and
Factors Affecting Decision-Making
Other loops (iterations) are seen in development process models e.g. “requirements loop” and
“design loop” in systems engineering [Young01, p.133] e.g. “triple peaks” in software
engineering [Rozanski05, p.75].
5.3 Speed of Software Architecting viewed as Hierarchy of Impacts
Florentz & Huhn discuss “three levels of architectural decisions” for embedded automotive
software. These levels are based on the point in time at which decisions are made
[Florentz07, p.45]. The three layers are (1) top-level decisions, (2) high-level decisions, and
(3) low-level decisions. Top level decisions vary the least1. High level decisions are made
early on. Low level decisions, being the closest to system realization, vary the most i.e.
provide the basis of architecture variants. Both predictability and known impact increase
when moving from top-level decisions to low-level decisions.
5.4 Speed of Architecting viewed as Holistic Thinking
Research by Microsoft Federal Systems Consulting [Curtis06] found a wide variation in the
time to complete an architecture of IT Systems (data centres, servers, LANs and WANs).
Even in cases where similar IT systems were being designed by architects with the same
levels of knowledge and the same years of experience, time to achieve customer sign off for
an architecture varied from three months to 18 months. Investigations revealed the speed of
architecting was determined by an architect’s amount of “perspective”. ‘Perspective’ is the
ability to consider impacts of any design decision upon other parts or processes of a business.
The outcome of the Microsoft research has been the Perspective Based Architecture method.
The PBA method is a question-based approach to architecting consisting of 46 questions.
Similar to a Decision Network (e.g. Figure2), the focus of the PBA method is to help guide
1
Ahierarchybasedonprocessingratesoccurwithinanyecosystem[O’Neill86].Forexample,growthofa
forestoccursoverdecades,leafgrowthovermonths,whilephotosynthesisoccursdaily.
85
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
designers and product planners in how to consider non-design decisions which are critical to
the success of implementing any architecture.
5.5 The Speediest Decision Making – Unconscious Thinking
“Thin slicing” is one explanation for split second decision-making; those moments when we
know something without knowing why [Gladwell05].
For any architectural decision-making, there will be a certain amount of intangible design
decisions. Some architectural design is made without an associated issue or decision;
examples include "It worked for me last time", "first thing I tried at random", “taboo-based
decisions”, or just insights for which no connection can be identified.
6 ENVIRONMENTAL FACTORS AFFECTING SPEED OF DECISION
MAKING
Identified earlier in section 4, individual architectural decision attributes (e.g. ‘priority’) and
decision-to-decision relationships (e.g. ‘forbids’) are some of the factors that either constrain
or accelerate the speed of decision making. Many more speed-affecting factors can be found
amongst the sociology and psychology literature.
6.1 Factors of the Project Environment
All software and system architectural design effort is carried out in a project environment,
mostly within an organisation. In organisations, bias is manifest as a culturally engrained
behaviour that constrains decisions and actions to a fixed and limited set of perceptions and
responses [Whittingham09, p.2]. Figure6 highlights the influence of culture and leadership
on decision-making processes of a team.
Figure6AProjectEnvironment’sImpactonDecisionProcesses[Shore08,p.6]
Decisions concerning selection of an engineering solution may be significantly influenced by
biases – this factor has very little to do with the mechanics of an engineering solution.
6.2 Human Behaviour Factors
Prospect theory from psychology [Furnham08, p.127] explains both why we act when we
shouldn’t (things that should not have been done, but never the less were done), and why we
86
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
don’t act when we should (things that should have been done, but were not). The former
category can be considered inefficient decision-making, the later unreliable decision-making.
Both affect speed of decision making with a decelerating effect on speed. Inefficient decision
making (e.g. not using configuration control on diagrams) has an immediate but ‘gentle’
deceleration. Unreliable decision making (e.g. not using explicitly documented systempartitioning criteria) has a delayed but almost abrupt, “show stopper” deceleration.
A unique case study2 that has observed large software projects in-situ is [Curtis88]. Layer
upon layer of people interactions affect design decision-making and subsequent productivity
in a project. An accumulation of these effects can be represented in the “layered behavioural
model” in Figure7. The size and structure of a project determines how much influence each
layer has. A large project (such as those defence projects to be studied by this research) is
affected by all factors!
Figure7 LayeredBehaviorModel[Curtis88]
Most research into software architecture decisions has restricted itself to studying decision
making (1) at the ‘Individual’ level of the layered behavioural model in Figure7, and (2) postproject data gathering e.g. re-enactment of projects, e.g. recollections from project
participation. This is simply due to the practicalities of studying a large project in-situ. The
next two sections justify a synthetic, in-situ project simulation to get closer to a real decisionmaking environment, taking into account as many factors affecting speed of decision making
as possible.
2
[Glass03]writesfifteenyearslaterthatnosimilarcasestudyofprojectsinsituhasbeencarriedoutsince.
87
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
7
MODELLING
THE
UNCERTAINTY
ARCHITECTURAL DECISIONS
TO
FINALISE
“The safest conclusion to be drawn from descriptive studies is that there is no single
decision-making (or problem-solving) process. Mental activities vary enormously across
individuals, situations and tasks.” [Hodgkinson08, p.467]
For this research, the unquantifiable subject of observation is the architectural design
decision-making process(es) and the associated throughput. What has to be quantified
though, is the uncertainty of the time it takes to get through the decision-making process; that
is, a range/distribution of times to make all those decisions which together constitute a
architecture of a desired state of maturity.
The inherent variation in speed of decision-making illustrated in the previous sections points
towards a probability distribution function of all possible actual times when attempting to
match an optimal time to expend on architecture design. Figure8 is an envisaged output from
this research. It represents all possible decision-making completion times from 1st January to
31st December. The most likely date is 1st April. The date with a 50/50 chance of being true
is the 1st May. There is a 0% probability of completing all decision making prior to 1st
January. It is the distribution that is the extent of (design) uncertainty.
Figure8 – TheDistributionistheUncertainty
7.1 Agent Based Modelling and Simulation
To an observing outsider, the whole business of architecting is shrouded in uncertainty and
complexity. To make any kind of generalisation or theory (to make a first step in
understanding the complex system that is ‘architecting’) requires an ensemble of project
instances [Macal08, p.14]. These instances must preserve many human factors and decisionto-decision relationships. Small adjustments of theses should be enough to provide the
randomness/stochastic nature of human decision making.
A computational model run thousands of times, representing thousands of in-situ projects,
shall be used to produce a distribution envisaged in Figure8. To re-iterate, it is the distribution
of possible time periods to finalise all architectural decision-making that is the uncertainty.
88
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
At the time of writing, an agent-based model [Miller07, Ch.6] appears best suited to
modelling decision makers (agents), the decisions (also agents), decision interconnectedness
& interactions, and the human behaviour factors & human environment factors impacting
speed of decision making.
8 RESEARCH METHODS
A research method suited to understanding is required. One must understand the complex
system of architecting before deciding what action to take regarding a time sensitive,
decision-based evaluation of an architecture.
8.1 Research Methods Suited to Research of Decision Making in Project Environments
The primary limitation of the software architectural design research case studies in the
literature review is the sample size of each study. Most of these studies compared or
examined less than ten participants performing software design; thus the external validity of
these studies is weak [Zannier05, p.4]. Furthermore, with the sample size being small, it is
highly likely those samples are not representative of the larger population of architects and
designers. As a consequence any results cannot be said to be statistically relevant.
For the study of complex systems such as ecosystems, valid research can only be obtained
from observations conducted “out in the wild” and not in a test tube, lab or zoo. The
equivalent of “out in the wild” for architectural design decision-making is inside a project
that is ‘in situ’. Unfortunately, the timeframe for the main author participating in a live
project together with researched participants is not within the time frame of a PhD.
The research method will thus have to consist of an artificial, computational model of a
project in situ, with the ability to quickly & cheaply modify synthetic human factors and
human environmental factors to see their effects on the speed of and consequent time period
for decision making. This is to be buttressed with discussions with architects, and, attempts
at decision data gathering from any software or system architecture development undertaken
at local Universities.
9 SUMMARY
This research paper has adopted the stance that architectural design is decision making, and
uncertainty pervades all design. (Architecting in major projects is about predicting the future;
if I design the system thus, how will it behave? [Hazelrigg98, p.657]) There is additional
uncertainty surrounding the varying speed of architecting/decision making; this variation is
inherent to numerous human factors affecting decision-making methods. Complexity arises
from changes in the interrelatedness and interconnections of decisions themselves as time
progresses. Modelling all this uncertainty is to be carried out using agent based modelling
and simulation – a technique already used to understand complex systems where many
components interact. The understanding will be a distribution of the legitimate time periods
for architecting and timing of decisions. The first envisaged application is knowing whether
a project is on track during the conceptual design stage of the system or product lifecycle
89
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
undertaken within large projects. The benefits arising from viewing architectures as a set of
decisions is evaluation by all stakeholders, technical and non-technical.
10 REFERENCES
Boehm, Barry, and Turner, Richard (2003), Balancing Agility and Discipline: A Guide for the
Perplexed, Addison-Wesley Professional.
Curtis, Bill, Herb Krasner and Neil Iscoe (1988), A Field Study of the Software Design Process for
Large Systems, Communications of the ACM, November 1988, Volume 31, Number 11.
Curtis, Lewis , and Cerbone, George (2006), “The Perspective-Based Architecture Method”, The
Architecture Journal, Journal No. 9, October 2006, Microsoft Developer Network (MSDN)
http://msdn.microsoft.com/en-us/architecture/bb219085.aspx , accessed November 2008.
Fitch, John (1999), Structured Decision-Making & Risk Management, Student Course Notes, Systems
Process Inc.
Florentz, B., and Huhn, M. (2007), Architecture Potential Analysis: A Closer Look inside Architecture
Evaluation, Journal of Software, Vol. 2, No. 4, October 2007.
Furnham, Adrian (2008), 50 Psychology Ideas You Really Need to Know, Quercus Publishing Plc.
Gladwell, Malcolm (2005), Blink: The Power of Thinking without Thinking, Penguin Books.
Glass, Robert (2003), Facts and Fallacies of Software Engineering, Addison-Wesley.
Hazelrigg, G.A. (1998), A Framework for Decision-Based Engineering Design, Journal of
Mechanical Design, December 1998, Vol. 120.
Hodgkinson, Gerald P., and Starbuck, William H. (2008), The Oxford Handbook of Organizational
Decision Making, Oxford University Press, USA.
Kruchten, Philippe (2004), An Ontology of Architectural Design Decisions in Software Intensive
Systems, Proc. of the 2nd Workshop on Software Variability Management, Groningen, NL,
Dec. 3-4, 2004.
Langley, Ann et al (1995), Opening up Decision Making: The View from the Black Stool,
Organization Science, Vol. 6, No. 3, May-June 1995.
Lee, Larix and Kruchten, Philippe (2008), A Tool to Visualize Architectural Design Decisions, QoSA
2008, Lecture Notes in Computer Science, pp. 43–54, Springer-Verlag.
Maier, Mark W., and Rechtin, Eberhardt (2009), The Art of Systems Architecting, Third Edition, CRC
Press.
Miller, John H., and Page, Scott E. (2007), Complex Adaptive Systems: An Introduction to
Computational Models of Social Life, Princeton University Press.
Novorita, Robert J. and DeGregoria, Gary L. (1996), Less is More: Capturing The Essential Data
Needed for Rapid Systems Development, INCOSE 96 Systems Conference, July 1996, Boston.
90
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
O’Neill, R.V. et al (1986), A Hierarchical Concept of Ecosystems, Princeton University Press.
Rasmussen, Jens, Annelise Mark Pejtersen, and L.P. Goodstein (1994), Cognitive Systems
Engineering, Wiley-Interscience.
Senge, Peter (2006), The Fifth Discipline, 2nd Revised edition, Random House Books.
Spinellis, Diomidis, and Gousios, Georgios (2009), Beautiful Architecture, 1st Edition, O'Reilly
Media, Inc..
Rechtin, Eberhardt (2000), System Architecting of Organizations – Why Eagles Can’t Swim, CRC
Systems Engineering Series.
Rozanski, Nick and Eóin Woods (2005), Software Systems Architecture: Working With Stakeholders
Using Viewpoints and Perspectives, Addison-Wesley Professional.
Shore, Barry (2008), Systematic Biases and Culture in Project Failures, Project Management Journal,
December 2008, Vol.39, No. 4, pp.5-16.
Sullivan, Kevin J. (1996), Software Design: The Options Approach, Joint proceedings of the second
international software architecture workshop (ISAW-2) and international workshop on multiple
perspectives in software development (Viewpoints '96), pp.15 – 18.
Ulrich, Karl T. (1999), Product Design and Development, McGraw-Hill Inc.,US; 2nd Revised edition
edition.
Whittingham, Ian (2009), Hubris and Happenstance: Why Projects Fail, 30th march 2009,
gantthead.com,.
Young, Ralph R. (2001), Effective Requirements Practice, Addison-Wesley.
Zannier, Carmen, and Maurer, Frank (2005 ), A Qualitative Empirical Evaluation of Design
Decisions, Human and Social Factors of Software Engineering (HSSE) May 16, 2005, St.
Louis, Missouri, USA
BIOGRAPHY
Trevor Harrison's research interests are in software systems architecture and knowledge
management. His background is in software development (real-time information systems),
technology change management and software engineering process improvement. Before
studying full-time for a PhD, he spent 6 years with Logica and 11 years with the Motorola
Australia Software Centre. He has a BSc(Hons) in Information Systems from Staffordshire
University and an MBA (TechMgt) from La Trobe University.
Prof. Peter Campbell is the Professor of Systems Modelling and Simulation and Research
Leader in the Defence and Systems Institute (DASI) at the University of South Australia from
2004 and founding member of the Centre of Excellence for Defence and Industry Systems
Capability (CEDISC), both of which have a focus on up-skilling government and defence
industry in complex systems engineering and systems integration. He currently leads the
design for the simulation component of the DSTO MOD funded Microcosm program and is
91
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
program director for two other DSTO funded complex system simulation projects. Through
mid 2007, he consulted to CSIRO Complex Systems Science Centre to introduce complex
system simulation tools to support economic planning of agricultural landscapes.
92
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
PROCESS IMPROVEMENT
93
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
This page intentionally left blank
94
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
APPLYING BEHAVIOR ENGINEERING TO PROCESS
MODELING
David Tuffley, Software Quality Institute, Griffith University
Terry Rout, Software Quality Institute, Griffith University
Nathan, Brisbane, Qld. 4111, AUSTRALIA
[email protected] | [email protected]
Abstract: The natural language used by people in everyday life to express themselves is often
prone to ambiguity. Examples abound of misunderstandings occurring due to a statement
having two or more possible interpretations. In the software engineering domain, clarity of
expression when specifying the requirements of software systems is one situation where
absence of ambiguity is important. Dromey’s (2006) Behavior Engineering is a formal
method that reduces or eliminates ambiguity in software requirements. This paper seeks an
answer to the question: can Dromey’s (2006) Behavior Engineering reduce or eliminate
ambiguity when applied to the development of a Process Reference Model?
INTRODUCTION
Behavior Engineering has proven successful at reducing or eliminating the ambiguity
associated with software requirements (Dromey, 2006). But statements of software
requirements are not the only kind of artefact developed in the software engineering domain
that need to be clear and unambiguous. Process Reference Models (PRM) is another category
of software development artefact that might also benefit from being clear and unambiguous.
A Process Reference Model is a set of descriptions of process entities defined in a form suited
to the assessment and measurement of process capability. PRMs have a formal mode of
expression as prescribed by ISO/IEC 15504-2:2003. PRMs are the foundation for an agreed
terminology for process assessment (Rout, 2003).
The benefits of a method for achieving greater clarity are twofold: (a) PRM developers would
gain from improving the efficiency of process model development, and (b) users of process
models would benefit by achieving a clearer understanding of the underlying intention of a
process which then serves as a consensus starting point for determining how a process might
be applied in their own case. This paper therefore examines the ability of Behavior
Engineering to disambiguate a particular PRM currently being developed.
This paper illustrates how Dromey's Behavior Engineering method (2006) can be used to
disambiguate process models, making the resulting model clearer and easier to understand. It
is suggested that this method has broader applicability in the Software and Systems
Engineering domains. The paper examines in detail how Behavior Engineering has been
applied in practice to a specific Process Reference Model developed by the authors. Before
and after views are given of several process outcomes that had already passed through three
previous reviews to remove ambiguity. The Behavior Engineering analysis results in evident
improvements to clarity.
95
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
In a more general sense, it is suggested that this method may be helpful to the modelling of
processes at both project and organisational levels, including project-level processes, highlevel policy documents, and project agreements.
WHAT IS BEHAVIOR ENGINEERING?
Overview
Essentially, Behavior Engineering is a method for assembling individual pieces to form an
integrated component architecture. Each requirement is translated into its corresponding
‘behavior tree’ which describes unambiguously the precise behaviors of this particular
requirement (Glass, 2004). The ‘tree’ is built up from (a) components, (b) the states the
components become, (c) the events and decisions/constraints associated with the components,
and (d) the causal, logical and temporal dependencies associated with the component (Glass,
2004).
When each component is modelled in this way, and then integrated into a larger whole, a clear
pattern of intersections becomes evident. The individual components fit together like a jigsaw puzzle to form a coherent component architecture in which the integrated behavior of the
components is evident. One component establishes a precondition for another component to
perform its function and so on. This allows a software system to be constructed out of its
requirements, rather than merely satisfying its requirements (Glass, 2004).
Duplications and redundancies are identified and removed, for example, when the same
requirement is expressed twice using different language in different places. Another benefit is
that requirements traceability is managed with greater efficiency by creating traceable
linkages between requirements as they move towards implementation.
Historical context
The practices now described as behavior engineering evolved from earlier work in which an
approach for clarifying and integrating requirements for complex systems was developed
(Dromey, 2001). This remains a significant application of the approach (Dromey, 2006);
however, as the technique evolved, it became apparent that it could be applied to more general
descriptions of systems behavior (Milosevic and Dromey, 2002). To date, some preliminary
exploration of applying the technique to the analysis and validation of process models has
been undertaken.
The OOSPICE Project (Stallinger et al, 2002) had the overall aim of improving time-tomarket, productivity, quality and re-use in software development by focussing on the
processes and technology of component-based software development (CBD). OOSPICE
combined four major concepts of software engineering: CBD, object-oriented development,
process assessment and software process improvement. Its objectives were the definition of a
(a) unified CBD process metamodel, (b) a CBD assessment methodology, (c) resulting in
component-provider capability profiles, and (d) a new CBD methodology and extensions to
the ISO/IEC 15504 Information Technology: Process Assessment. Joint Technical Committee
IT-015, Software and Systems Engineering (2005).
96
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
A key part of the OOSPICE was the definition of a model of coherent processes addressing
the issues of component-based development; the process model was strongly aligned to
ISO/IEC 12207 Standard for Information Technology-Software Life Cycle Processes (1998),
but incorporated significant additional processes that specifically addressed CBD issues. The
process model was developed following the approach of ISO/IEC 12207, with a series of
structured activities and defined tasks. Additional detail on input and output work products
was also specified for each activity.
The process model was examined using the behavior tree method in order to assess its
consistency and completeness. The behavior tree analysis was highly successful; a total of 73
task level problems, 8 process level problems and numerous task integration problems were
identified. In addition, examples were found where fragments of tasks were identified which
subsequently have no integration point with the larger process tree – a weakness caused by
unspecified or inconsistent task inputs or outputs.
An indicative example of the behavior tree method applied to a single process is shown below
(explanation of notation given later):
5.2.3.1
Proposal for New/Changed
Software
[Available]
5.2.3.1
Statement of Requirements
[Written]
5.2.3.1
Statement of Requirements
? [Agrees to] Sponsor ?
5.2.3.1
Statement of Requirements
[Available]
5.2.3.2
Statement of Requirements
?Available?
5.2.3.2
User Requirements
[Expressed]
5.2.3.2
User Requirements
?Comprehensive?
5.2.3.2
User Requirements
?NOT: Comprehensive?
5.2.3.2
User Requirements
[Available]
5.2.3.2
User Requirements ^
[Expressed]
5.2.3.5
User Requirements
?Available?
5.2.3.3
User Requirements
?Available?
5.2.3.5
Change Request
[Submitted]
5.2.3.3
Statement of Requirements
?Available?
5.2.3.5
Configuration Management
[Request Processed]
5.2.3.3
Traceability Report
[Available]
5.2.3.1
Statement of Requirements
? NOT: [Agrees to] Sponsor ?
5.2.3.4
No inputs specified
5.2.3.4
Applicable Standards
[Determined]
Figure 1 – Behavior Tree Analysis – OOSPICE Process Model
Figure 1 shows the integrated tree resulting from analysis of a single process. It clearly shows
missing (dark shaded 5.2.3.1, 5,2,3,4) and "implied" but unstated elements (light shaded,
5.2.3.1, 5.2.3.3, 5.2.3.5), and also a failure in integration, resulting in lack of overall
consistency (Ransom-Smith, McClung and Rout, 2002). The medium-shaded boxes were
unchanged.
97
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Encouraged by success on OOSPICE, the technique was subsequently applied to the review
of the Capability Maturity Model Integration (V 1.2) (Chrissis, Konrad and Shrum, 2003).
This work was undertaken in the context of a review of drafts of the SEI’s Capability
Maturity Model Integration (CMMI) V1.2, and the results formed the basis of requests for
change submitted to the SEI; given resource constraints, it was not possible to apply the
technique to support the complete review, but where problems were seen to exist, an analysis
was conducted.
Figure 2 is indicative of how the technique helped to clarify an ambiguity in the specification
of the Requirements Development Process Area in CMMI:
PA157.IG101.SP101.N101
PA157.IG101.
SP101.N101
PLC: Project Life Cycle
PA157.IG101.
SP101.N101
STAKEHOLDER
{Customer}
PA157.IG101.
SP101.N101
PA157.IG101.
SP101.N101
?
ALL PLC activities are
addressed by the
requirements. how do I
show that in the model
PA157.IG101.S
P101.N101
) Requirement+ (
) Requirement# (
Requirement#
addresses :> PLC Activity+
PA157.IG101.
SP101.N101
PLC Activity#
PA157.IG101.
SP101.N101
PLC Activity#
has impact on :> product
PA157.IG101.
SP101.N101
Requirement#
has impact on :> product
OR
Text could mean either of
these two
Figure 2 – Behavior Tree Analysis – Requirements Development Process Area
Given the potential identified in these two applications of the approach, it seemed logical to
apply the Behavior Tree approach to the larger task of verifying a complete model. The
subject of the current study is a specification for a set of organizational behaviors, specified in
terms of purpose and outcomes of implementation, which would support and reinforce
effective leadership in organizations, and particularly in integrated and virtual project teams.
Applying Behavior Engineering to a complete model
From the discussion above, it might reasonably be hypothesised that given the parallels
between process model and software system requirements (sets of required behaviors and
attributes expressed in natural language) that Behavior Engineering may prove useful in
verifying a process reference model.
LEADERSHIP PROCESS REFERENCE MODEL PROJECT OVERVIEW
The leadership of integrated virtual teams is a topic in the software engineering domain that
has received little attention until a project to develop such a process reference model was
undertaken by the Software Quality Institute.
The topic is an important one, considering the increasing trend in a globalised environment
for complex projects to be undertaken by virtual teams. The challenges of bringing any
98
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
complex project to a successful conclusion are multiplied by the coordination issues inherent
in virtual environments.
The Leadership Process Reference Model (PRM) is being developed using a Design Research
(DR) approach (Hevner, 2004). DR is well-adapted to the software engineering domain, and
IT development generally, being used to good effect by MIT’s Media Lab, Carnegie-Mellon’s
Software Engineering Institute, Xerox’s PARC and Brunel’s Organization and System Design
Centre (Vaishnavi and Kuechler,2004/5).
In this project, DR is applied in the following way, consistent with Hevner’s guidelines:
x
x
x
x
x
x
A designed artefact is produced from a perceived need, based on a comprehensive
literature review.
A series of review cycles follow in which the artefact is evaluated for efficacy by a
range of stakeholders and knowledgeable persons and progressively improved. In
this project, five reviews are performed.
The first and second reviews involve interviews (four interviews per round) with
suitably qualified practitioner project managers. These validate the content of the
PRM.
The third review applies ISO/IEC TR 24774 Software and systems engineering -Life cycle management -- Guidelines for process description (2007) to achieve
consistency in form and terminology of PRMs in the Software Engineering
domain.
The fourth review applies Dromey’s Behavior Engineering to the draft PRM.
The fifth review is by an Expert Panel comprised of recognized experts in the field
of PRM-building.
APPLYING BEHAVIOR ENGINEERING TO VERIFY PRM
In this project, Behavior Tree (a subset of Behavior Engineering) verification is applied as the
fourth (of five) reviews. Behavior Tree analysis could have been applied at any stage. The
circumstances of this particular project determined that the Behavior Tree analysis
verification was performed towards the end, not the first or last review stage.
Being the second last review, it might be construed that the number and extent of changes that
resulted from applying BE is an indication of its efficacy as a model verification tool. The
previous three reviews notwithstanding, Behavior Tree analysis resulted in a significant
number of changes. Indeed, most of the process outcomes needed to be reworded for clarity.
Unnecessary qualifiers were removed, conjoined outcomes were split into two, each
concerned with a single clear point.
Behavior Engineering is comprised of a series of related activities, performed in a broad
sequence, beginning with the Behavior Tree and followed by the Composition. With the space
available, this paper concerns itself with the Behavior Tree component of the broader
Behavior Engineering process.
99
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
BEHAVIOR TREES – FIVE W’S (AND ONE H)
The Behavior Tree approach is based on the systematic application, with associated formal
notation, of the principle of comprehensive factual description of an event known as the Five
W’s (and one H) whose origins extend back to classical antiquity. In the 1st Century BC,
Hermagoras of Temnos quoted the 'elements of circumstance' as the loci of an issue (Wooten,
1945):
Quis, quid, quando, ubi, cur, quem ad modum, quibus adminiculis
(Who, what, when, where, why, in what way, by what means)
In the modern world, this dictum has evolved into who, what, when, where, why and how.
This principle is widely recognised and practiced in diverse domains such as journalism and
police work, indeed almost anywhere that comprehensive and unambiguous description of
events or attributes is needed.
Translated to the Software Engineering domain, who, what, when, where, why and how
becomes Behavior Tree Notation. This is a branched structure showing component-states. The
table below shows the application of the Behavior Tree aspect of BE in which each distinct
component is described in terms of who, what, when, where, why and how, or the subset of
these six descriptors that is applicable to this particular component.
Behavior Trees are therefore defined as a formal, tree-like graphical device that represents
behavior of individuals or networks of entities which realize or change states, make decisions,
respond-to/cause events, and interact by exchanging information and/or passing control
(Dromey, 2002). Naming conventions, elements and syntax are illustrated below:
Table 1: Variable naming conventions (Dromey, 2007b)
Table 2: Elements of a Behavior Tree node (Dromey, 2007b)
100
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Figure 3: Behavior Tree Node concrete syntax example (Dromey, 2007b)
FUNCTIONAL REQUIREMENT TO BEHAVIOR TREE – INFORMAL TO FORMAL
Functional requirement. When a car arrives, if the gate is open, the car proceeds, otherwise
if the gate is closed, when the driver presses the button, it causes the gate to open.
Behavior Tree. Translating the above statement into Behavior tree is illustrated below:
Figure 4: Functional requirement to Behavior Tree notation (Dromey, 2007a)
101
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
REMOVING AMBIGUITY
Statement: The man saw the woman on the hill with a telescope. This statement can be
interpreted at least three different ways, a situation not uncommon with natural language. The
developer must determine which interpretation is valid.
Figure 5: Resolving ambiguity using Behavior Tree notation (Dromey, 2007a)
In this example, the application of BT notation clarifies the statement by establishing the
precondition (that the woman is located on the hill) from which the primary behavior can then
be distinguished (that the man saw the woman by using the telescope).
APPLYING BEHAVIOR TREE NOTATION TO A PROCESS MODEL
The left-hand column of the table below shows the outcomes of the V0.3 PRM before
applying the Behavior Tree notation. The Behavior Tree component column is what results
from applying the who, what, when, where, how and who (or subset) using formal notation,
from which a clear, simple restatement of the outcome can be derived, as shown in the third
column. Note that the material removed from the outcome is not discarded, but relocated to
the Informative Material section (not shown) where it serves a useful purpose for persons
seeking a fuller understanding of the outcome. Refer to the Rationale for Change for
discussion on specific improvements made by applying Behavior Tree notation.
In general terms, the improvements derived from the application of BT is greater clarity and
economy of words (eg. in first example below 17 words in V0.3 becomes 8 in V0.4 by
rephrasing ‘what is to be accomplished’ to simply ‘goal(s)’ and removing the qualifier
‘ideally seen as an accomplished fact’ to the informative section. BT highlighted where and
how these economies of expression could be made by applying the process illustrated in
Figure 5 to remove ambiguity; in other words the more informal language of V0.3 was
rendered into formal language in V0.4 PRM.
102
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
An advantage of BT notation here is that it provides a rigorous, consistently applied editorial
logic for people without qualifications and/or much experience as editors. An experienced
editor may achieve the same results without BT notation, anyone else would arguably benefit
from its application.
Behavior
Tree Component
V0.3 PRM
V0.4 PRM
Rationale for
change
FIRST EXAMPLE
Leader creates a
shared vision of what
is to be
accomplished, ideally
seen as an
accomplished fact.
Leader clearly
communicates the
shared vision with
team, ideally seen as
an accomplished fact.
Leader facilitates
strong commitment
in team to achieving
the shared vision,
encouraging
resilience in the face
of goal frustrating
events.
New outcome in
V0.4
Leader develops a
concrete and
achievable set of
goals that support
achievement of the
shared vision.
Leader creates a shared
vision of the goal(s).
1.1.1
LEADER
(creates)
what
SHARED VISION/
(of)
GOAL(S)
1.1.2
LEADER
(communicates)
what
SHARED VISION/
(of)
GOAL(S)
1.1.3
LEADER
(gets)
what
COMMITMENT /
(to)
SHARED VISION/
(of)
GOAL(S)
1.1.4
LEADER
(encourages)
what
RESILIENCE /
(in)
TEAM
when
GOALFRUSTRATING
EVENTS
1.1.5
LEADER
(develops)
what
OBJECTIVE(S) /
(to)
ACHIEVE
what
GOAL(S)
Goal(s) not ‘what is
to be accomplished’
Remove
qualification (ideally
seen as an
accomplished fact) to
Informative Material
Leader communicates
the shared vision of the
goal(s) with the team.
Goal(s) included
Leader gets
commitment from team
to achieving the goal(s).
Create a new
outcome about
resilience (it should
be a stand-alone
outcome rather than
a qualification of the
commitment to goals
outcome.
Leader encourages
resilience in team when
goal-frustrating events
occur.
New outcome
focussing on the
important issue of
resilience in the face
of goal-frustrating
events
Leader develops
practical objective(s) to
achieve the goal(s).
Practical objectives
support the
achievement of the
goal(s)
Remove
qualification
altogether redundant
Change ‘shared
vision’ to ‘goals’
since the objectives
derive directly from
the goals.
SECOND EXAMPLE
Leader consistently
displays integrity,
characterised by
1.2.1
Leader behaves with
integrity
LEADER
(behaves)
103
Remove qualifiers to
the informative
section
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
trustworthiness, and
adherence to
principle
Leader consistently
displays competence,
characterised by
technical,
interpersonal,
conceptual and
reasoning skills
what
INTEGRITY
1.2.2
LEADER
(behaves)
what
COMPETENCE
Leader behaves
competently
Remove qualifiers to
the informative
section
Leader provides teammembers with ondemand synchronous
high-resolution
communications media
Rename ‘richlytextured’ to ‘hi-res’
(a more common
term)
THIRD EXAMPLE
Leader provides
richly-textured
communications
media for team
members to use ondemand.
3.4.1
LEADER
(provides)
who
TEAMMEMBERS
when
ON-DEMAND
what
HIGH-RES ICT /
/ (that
is)
SYNCHRONOUS
Add ‘synchronous’
as appropriate
Reorder the sentence
to be subject-verbobject.
FOURTH EXAMPLE
Leader allocates
project requirements
before team members
are recruited to verify
the integrated team
structure is
appropriate to goals.
2.3.1
LEADER
(verifies)
what
TEAMSTRUCRURE/
/ when
RECRUITING
TEAMMEMBERS
(before)
how
Leader verifies team
structure before
recruiting teammembers by allocating
project requirements
Restructure sentence
to place emphasis on
correct aspects (this
outcome is primarily
about verifying the
team structure’)
Leader develops highcapability selfmanaging performance
functions where
complex tasks are
performed
asynchronously
Reword to simplify.
ALLOCATING
REQUIREMENTS
FIFTH EXAMPLE
Leader develops
higher capability selfmanagement
functions early in the
project lifecycle
where complex tasks
are performed
asynchronously in
virtual environments
(i.e. where temporal
displacement is
high).
3.5.2
LEADER
(develops)
what
PERFORMANCEFUNCTIONS
/ (that
are)
SELFMANAGING /
/ (and)
HIGHCAPABILITY
when
COMPLEX
TASKS /
/(are
perf)
ASYNCHRONOUSLY
Take ‘early in
project’ and put in
Informative section.
Table 3: Applying behavior tree notation to a process model
The Behavior Tree notation analysis was performed by the first named author after receiving
around 60 minutes of training from Professor Dromey. The data shown in Table 3 is a
104
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
representative subset of the review done on the V0.3 PRM. As an indication of the defect
density, this version of the model contained 24 processes with 63 outcomes collectively.
Almost all outcomes were changed in some way as a result of the analysis. The kind of
defects found and fixed is represented in the table above.
Defects are identified when the notation is applied, beginning with the main entity (leader in
most cases), a verb that describes what the entity does (eg. develops, or verifies, or provides
etc), and followed by the specific what, or who or when etc as makes sense for each outcome
in order to build up a complete unit of sense. This process goes beyond simple editing
however. When applied rigorously to the process model, a high-degree of consistency and
clarity of expression is achieved. Even with competent editors, other process models (eg.
OOSPICE and CMMI as discussed earlier) do not achieve this level of consistency and
clarity.
The analysis of the 24 processes and 63 outcomes took around six hours to perform, including
the documenting of the analysis using the kind of table seen above (with PRM before and
after, notation and rationale for change).
CONCLUSION
The approach to specifying processes in terms of their purpose and outcomes was developed
in the course of evolution of ISO/IEC 15504 (Rout, 2003) and is arguably a key innovation in
the approach to process definition and assessment embodied in the Standard. By viewing a
process (or collection of processes) in this way, it becomes clear that the outcomes represent
the results of desired organizational behavior that, if institutionalised, will result in
consistently achieving the prescribed purpose. The approach redirects the analysis of process
performance from a focus on conformance to prescribed activities and tasks, to a focus on
demonstration of preferred organizational behavior through achievement of outcomes.
Given this, it is logical to see that the application of the Behavior Tree approach to the
analysis of such process models will be effective. The earlier studies reported here were of a
much smaller scale than the current study, which embraces the full scope of a comprehensive
model of organizational behavior. The aim in applying the approach was to provide a more
formalised verification of the integrity, consistency and completeness of the model than
conventional approaches – based generally on expert review – could achieve.
It may therefore be seen from Table 3 above that applying Behavior Tree notation to the draft
outcomes of a process reference model produced significant improvement to the clarity of the
outcomes by simplifying the language, reducing ambiguity and splitting outcomes into two
where two ideas were embodied in the original.
It is suggested, based on the evidence outlined above, the Behavior Engineering is a useful
tool for model-builders in the domain of model-based process improvement. It reinforces the
claims that the technique is a superior tool for the verification of complex descriptions of
system behavior.
105
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
REFERENCES
Chrissis, M.B., Konrad, M., & Shrum, S., (2003). CMMI Guidelines for Process Integration
and Product Improvement. Addison-Wesley, Boston.
Dromey, R.G. (2001) Genetic Software Engineering - Simplifying Design Using
Requirements Integration, IEEE Working Conference on Complex and Dynamic Systems
Architecture, Brisbane, Dec 2001.
Dromey, R.G. (2002). From Requirements To Design – Without Miracles, Whitepaper
published by the Software Quality Institute. Available:
http://www.sqi.gu.edu.au/docs/sqi/gse/Dromey-ICSE-2003.pdf (accessed 13 April 2009)
Dromey, R.G. (2006). Climbing Over the 'No Silver Bullet' Brick Wall, IEEE Software, Vol.
23, No. 2, pp.118-120.
Dromey, R.G. (2007a). Principles for Engineering Large-Scale Software-Intensive Systems
Available: http://www.behaviorengineering.org/docs/Eng-LargeScale-Systems.pdf (accessed
14 April 2009) pg 39.
Dromey, R.G. (2007b). Behavior Tree Notation Available:
http://www.behaviorengineering.org/docs/Behavior-Tree-Notation-1.0.pdf (accessed 10 June
2009) pg 2-3.
Glass, R.L. (2004). Is this a revolutionary idea or not?, Communications of the ACM, Vol
47, No 11, pp. 23-25.
Hevner, A., March, S., Park, J. and Ram, S. (2004). Design Science in Information Systems
Research. MIS Quarterly 28(1): pp 75-105.
ISO/EIA 12207 (1998) Standard for Information Technology-Software Life Cycle Processes.
This Standard was published in August 1998.
ISO/IEC 15504 (2003) Information Technology: Process Assessment. Joint Technical
Committee IT-015, Software and Systems Engineering. Part 2 Performing an Assessment.
This Standard was published on 2 June 2005.
ISO/IEC TR 24774 (2007). Software and systems engineering -- Life cycle management -Guidelines for process description. This Standard was published in 2007.
Milosevic, Z., Dromey, R.G. (2002) On Expressing and Monitoring Behavior in Contracts,
EDOC-2002, Proceedings, 6th International Enterprise Distributed Object Computing
Conference, Lausanne, Switzerland, Sept, pp. 3-14.
M. Ransom-Smith, K. McClung and T. Rout, (2002) Analysis of D5.1 – initial CBD process
model using the Behavior Tree method. Software Quality Institute report for the OOSPICE
Project, December 4.
Rout, T.P. (2003) ISO/IEC 15504 - Evolution to an International Standard, Softw. Process
Improve. Pract; 8: 27–40.
106
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Stallinger, F., Dorling, A., Rout, T., Henderson-Sellers, B., Lefever, B., (2002) Software
Process Improvement for Component-Based Software Engineering: An Introduction to the
OOSPICE Project, EUROMICRO 2002, Dortmund, Germany, April.
Vaishnavi, V. and Kuechler, W. (2004/5). Design Research in Information Systems January
20, 2004, last updated January 18, 2006. URL:
http://www.isworld.org/Researchdesign/drisISworld.htm Authors e-mail: [email protected]
[email protected]
Wooten, C.W. (2001) The orator in action and theory in Greece and Rome. Brill (Leiden,
Boston).
107
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
This page intentionally left blank
108
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
SAFETY MANAGEMENT
AND
ENGINEERING
109
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
This page intentionally left blank
110
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
BRINGING RISK-BASED APPROACHES
TO SOFTWARE DEVELOPMENT PROJECTS
Felix Redmill
Redmill Consultancy
London UK
INTRODUCTION
The history of software development is strewn with failed projects and wasted resources.
Reasons for this include, among others:
•
•
•
•
•
•
Failure to take an engineering approach, despite using the epithet ‘software engineering’;
Focus on process rather than product;
Failure to learn lessons and use them as the basis of permanent improvement;
Neglect to recognise the need for high-quality project management;
Reliance on tools to the exclusion of understanding first principles; and
Focus on what is required without consideration of what could go wrong.
If change is to be achieved, and software development is to become an engineering discipline,
an engineering approach must be embraced. This paper does not attempted to spell out the
many aspects of engineering discipline. Rather, it addresses the risk-based way of thinking
and acting that typifies the modern engineering approach, particularly in safety engineering,
and it proposes a number of ways in which a risk-based approach may be incorporated into
the structure of software development.
Taking a risk-based approach means attempting to predict what undesirable outcomes could
occur in the future (within a defined context) and taking decisions – and actions – to provide
an appropriate level of confidence that they will not occur. In other words, it uses knowledge
of risk to inform decisions and actions. But, if knowledge of risk is to be used, that
knowledge must be gained, which means acquiring appropriate information.
In safety engineering, such an approach is essential because the occurrence of accidents
deemed to be preventable is not considered acceptable. (As retrospective investigation almost
always shows how accidents could have been prevented, this often gives rise to contention,
but that’s another matter.) In the security field, although a great deal of practice is carried out
ad hoc, standards are now based on a risk-based approach: identifying the threats to a system,
determining the system’s vulnerabilities, and planning to nullify the threats and reduce the
vulnerabilities in advance.
However, in much of software development, the typical approach is to arrive at a product
only by following a specification of what is required. Problems are found and fixed rather
than anticipated, and consideration is seldom given to such matters as the required level of
confidence in the ‘goodness’ of any particular system attributes.
A risk-based approach carries the philosophy of predicting and preventing, and this is an asset
both in the development of products and the management of projects. This paper therefore
111
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
proposes some first steps in creating a foundation for the development of such an approach in
software development and project management. The next section briefly introduces the
subject of risk, and this is followed by introductions to two techniques, used in risk analysis,
which are applicable in all fields and are therefore useful as general-purpose tools.
Subsequent sections offer thoughts on the introduction of a risk-based approach into the
various stages of software development projects.
It is hoped that the explanations offered in this paper are easily understandable, but they do
not comprise a textbook. Risk is a broad and tricky subject, and this paper does not purport to
offer a full education in it.
NOTES ON RISK
Risk exists in every situation in which we find ourselves and arises from every decision and
action that we take. Because of this, we are all practiced risk managers. But our familiarity
with risk is intuitive rather than conscious, and:
•
•
•
Our successes in intuitive risk management are mostly in simple situations;
Our failures are usually not sufficiently serious to warrant conscious assessment, and we
perceive them to be the result of bad luck rather than deficient risk management; and
Our intuitive risk-management processes are, mostly, not effective in more complex
situations, such as development projects and modern technological systems.
Psychologists have shown that our perception of risk is influenced by a number of factors, all
of which are strongly subjective. They include:
•
•
•
•
•
Whether the risk is taken voluntarily or not;
Whether we believe ourselves to be in control or not;
The level of uncertainty;
The value of the prize for taking the risk; and
Our level of fear.
Engineering risk analysis employs two factors: the probability of a defined undesirable event
occurring within a defined time period, and the potential consequences if it did occur. As both
lie in the future, neither can be determined with certainty, and the derivation of both must
include subjectivity. However, given appropriate information, both are estimable.
The key is information. In its absence, estimates of probability and consequence can be no
more than guesses (as they often are in project ‘risk workshops’). The importance of adequate
information cannot be over-emphasised. If there is to be confidence in risk estimates, there
must be confidence in the estimates of probability and consequence. And these, in turn,
depend on information in which there is confidence, i.e. information from trusted sources,
and sufficient of it to warrant the level of confidence that is required or claimed.
A great part of risk analysis is, therefore, the acquisition of an adequate amount of
information to provide the basis for risk estimates that are appropriate to the circumstances.
But what is appropriate to the circumstances? This question is answered by considering such
factors as the costs of getting it wrong, the level of confidence needed in the estimates, and
the costs in time and resources to achieve a given level of confidence. The greater the
importance of the enterprise, the more important it is to derive high confidence in risk
estimates, so the more important it is to acquire an appropriate amount of information of
112
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
proven pedigree. Yet, thoroughness in acquiring appropriate information is often thwarted by:
•
•
An intuitive belief that we understand risk better than we do; and
Over-confidence in our ability to estimate by quickly ‘sizing-up’ (i.e. guessing).
Project ‘risk workshops’, sometimes held to ‘identify’ project risks, do not do the trick –
unless we are content with extremely low confidence. But once such a workshop has been
held, many project participants, including management, are unaware of its inadequacy and
believe its results.
There is never a good excuse for failing to collect adequate information, for analysis of an
adequacy of the right information almost always disproves pre-held beliefs. It is always wise
to be suspicious of our preconceptions. A saying that is attributed, unreliably, to many
different authorities makes the point: ‘It ain’t so much the things we don’t know that get us in
trouble. It’s the things we know that ain’t so.’
Just as important as obtaining accurate risk values is the process of thinking that makes use of
them. Risk-based thinking does not focus attention only on what we want to achieve; it also
tries to determine what risks lie ahead, what options we have for managing them, how to
decide between the options, and then what actions to take.
In well understood situations, risks may be addressed intuitively, by reference to experience
or documentation. Or, rules for the management of previously experienced risks may be
created. Indeed, risk-management mechanisms are built into the processes considered integral
to traditional project management. But such devices flounder in novel or complex
circumstances, or when project managers, often because of inexperience or pressure from
management, cut corners by eliminating, changing, or failing to enforce processes or rules
whose origin and purpose they don’t understand.
When risky situations are well understood, it may be possible to make risk-management
decisions quickly and with confidence, without needing to obtain and analyse further
information. But when a situation is not well understood, it is essential to be more formal.
Then, the search for information needs to focus on sources that are relevant to the purpose of
the study and on what contributes to improved understanding of the risks. The level of
confidence that may be claimed in results depends on the pedigree of the sources.
TWO GENERAL-PURPOSE TECHNIQUES
In safety engineering, various techniques for directing the search for relevant information
have been designed and developed. In this section, two are described. Their application is not
restricted to the field of safety; they are useful in most situations, including software
development and project management.
Guidewords
Often we talk glibly about ‘failure’, as though it can occur in only one way. But there may be
many ways of failure (many failure ‘modes’) and, crucially, each failure mode carries
different potential consequences. One technique, Hazard and Operability Studies (HAZOP –
see Redmill et al (1999)), is based on the use of ‘guidewords’, each of which focuses
attention on a possible failure mode. By using a guideword to raise questions on its associated
mode of failure, information is gathered on both the mode of failure’s likelihood of
occurrence and its potential consequences.
113
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
A generic set of guidewords, with universal application, is presented in Table 1. In some
cases they may need interpretation, depending on the circumstances. For example, ‘No’ may
need to be interpreted as ‘None’ or ‘Never’; ‘As well as’ many need to be interpreted as
‘More’ when applied to an amount (say, of data), ‘Too long’ in the context of a time interval,
or ‘Too high’ when applied to a rate of data transmission. It is this flexibility that makes the
guidewords universal; without it, they would appear specific to certain situations.
Table 1: Guidewords and their Definitions
Guideword
No
As well as
Part of
Other than
Early
Late
Before
After
Definition
No part of the design intent is achieved
All the design intent is achieved, but with something more
Some of the design intent (but not all) is correctly achieved
None of the design intent is achieved, but something else is
The design intent is achieved early, by clock time
The design intent is achieved late, by clock time
The design intent is achieved before something that should have preceded it
The design intent is achieved after something that it should have preceded
As a simple example of the application of guidewords, consider the production (by a
software-based system) of an invoice. It is immediately clear that reference to ‘failure’ is
vague, for there are many ways in which it may be faulty, and Table 2 shows the use of
guidewords in identifying them.
Table 2: Use of Guidewords in Identifying and Examining Invoice Production Failure Modes
Guideword
No
Mode of Failure
No invoice is produced
As well as
Invoice contains additional items for which
the customer is not responsible
Invoice contains only some of customer’s
items
A document other than the invoice
(perhaps another customer’s invoice) is
produced
Invoice is produced before all work is done
Part of
Other than
Early
Late
Before
After
Invoice is produced after it should have
been
Not relevant
Not relevant
Potential Consequences (not exhaustive)
Customer suffers no loss but may lose
confidence in company.
Company fails to collect payment.
Customer loses confidence and may cease to
do business with the company.
Customer may lose confidence in company.
Company does not collect full payment.
Customer loses confidence and may cease to
do business with the company.
Company does not collect payment.
A further invoice has to be produced.
Customer may be confused.
Payment is collected late. If systematic,
company suffers cash-flow problem
Once the credible modes of failure and their potential consequences have been identified,
further investigation may be carried out to determine the value of each failure mode to a
defined stakeholder (in this case, the customer or the company). For example, we may be
interested to determine what events might result in the loss of a customer (or customers in
general), or what could lead to the company not being paid, or to a customer experiencing
unacceptably low quality of service. Then, the actions taken would be to ensure that the risk
of occurrence of such events is low – for example by improving reliability through design,
strengthening the management and quality of development, being more rigorous in testing, or
improving the monitoring of operation.
114
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Used judiciously, these guidewords can facilitate identification of failure modes in just about
any situation; they comprise a general-purpose tool. And, as seen from the above example,
the steps taken to reduce the likelihood of failure, or to achieve quality, are not necessarily
changed by taking a risk-based approach; rather, those steps are directed more effectively.
Fault Trees
Another universally applicable technique is fault tree analysis. In this method, a single ‘top
event’ is selected and top-down analysis is carried out to identify its potential causes. First,
the immediate causes are identified, as in the example shown in Figure 1. In this example, the
top event would result from any one of the potential causes, so they are linked to it by the
logical OR function.
Car fails
to start
OR
No petrol
delivered
No oxygen
delivered
Battery
problem
Electrical
fault
Other
causes
Figure 1: An example fault tree (to first-level causes)
In some cases, the occurrence of the top event would require the concurrence of two events,
so they would be linked to it by a logical AND function, as in Figure 2. Clearly, reliability is
improved if failure requires two (or more) simultaneous events rather than a single event, so
the fault tree may be used to inspire a solution as well as an analysis tool. Indeed, this is the
principle of redundancy, which is mostly used in hardware replication, but also, in some
cases, in software.
Loss of
power
AND
Mains
fails
Generator
fails
Figure 2: A fault tree with causes linked by AND
Once the immediate causes have been determined (see Figure 1), their (the second-level)
potential causes are determined. For example, the failure to deliver petrol to the engine may
be because there is none in the tank or its transmission from the tank is impeded, which in
turn may result from a blockage, a leak, or a faulty pump. The battery problem may be that
the battery is discharged (flat) or that the electrical connection is faulty. Then the third-level
causes are determined, and so on, until a full analysis is completed. In systems in which
115
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
probabilities of causes are known from historic data (for example, electromechanical systems
the reliabilities of whose components are recorded), calculations may be made to arrive at a
probability of occurrence of the top event. However, such results are not always accurate and
can be misleading.
Used qualitatively, the fault tree is a valuable tool in many situations. For example, it may be
used to model the ways in which a project might have an unsuccessful outcome – and, thus,
provide guidance on ways in which this could be avoided. It is traditionally said that there are
three principal ‘dimensions’ of a project – time, budget, and to specification – so that project
failure is defined in terms of any one of the three. So, if each of these is taken as a top event,
the resulting fault trees would reveal the ways in which a project could fail. Deriving such
fault trees for an entire project would result in too large a number of contributing causes, and
be too vague for specific instances – though the causes that they throw up could be built into
project management checklists. However, such fault trees could be useful if derived for the
ends of project stages, or at defined milestones. Figure 3 shows an example of first-level
causes for time overrun at the first project milestone. These, and the results of next-level
causes may be used as indicators of essential project-management responsibilities.
Like guidewords, a fault tree is a tool of universal application, which may be employed to
advantage in most risk analyses. This brief introduction neither explains every detail of fault
tree creation not presents its difficulties. A fuller account is given by Vessely et al (1981).
Time overrun at
first milestone
OR
Project
started late
Project
authority
delayed
Planning too
optimistic
Necessary
documents
unavailable
Delay in
creating
project
team
Unexpected
delays
Team lacks
necessary
skills
Other
causes
Figure 3: A Fault Tree of First-level Causes of Time Overrun at the First Project Milestone
RISK ANALYSIS AT THE OBJECTIVES STAGE OF A PROJECT
A thorough risk analysis consists of a number of activities:
•
•
•
•
•
•
Identifying the hazards that give rise to risk;
Collecting information to enable an estimate to be made of the likelihood of each hazard
maturing into an undesirable event;
Collecting information to enable an estimate to be made of the potential consequences if
the undesirable event did occur;
Analysing the information to derive estimates of likelihood and consequence;
Combining the estimates to arrive at values of the risks arising out of the hazards; and
Assessing the tolerability of each risk.
116
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
In safety engineering, and in other fields when the stakes are high, each of these activities
must be carried out so as to provide high confidence in the results (indeed, the two techniques
described above are used in the first four of these activities). However, it is not always
necessary to be so thorough. Nor is it always possible to be, for there are times when
sufficient information is not obtainable (e.g. at the early stages of a new disease, and in the
early days of climate-change debate). The following two generalisations may be made:
•
•
The thoroughness of a risk analysis and confidence in its results are constrained by the
availability of appropriate information; and
The necessity for thoroughness is usually dependent on the criticality of the situation.
An instance when detailed information is unavailable is at the Objectives stage of a project,
when product details have not been designed and only strategic proposals have been made.
Yet, at this point, carrying out a risk analysis is invaluable, for it can identify risks that could
lead to project failure and huge consequential losses. Indeed, the report into the London
Ambulance Service (1993) showed that failure to consider the risks, particularly early in the
project, was instrumental both in awarding the contract to replace the service’s allocation
system to an unsuitable company and in the total failure of the project.
The value of analysis at the Objectives stage may be exemplified by a proposal for a
hospital’s patient-records system, the objectives of which might be stated by management as
being to:
•
•
•
•
•
•
Store the clinical and administrative records of all patients;
Provide physicians with rapid access to patients’ medical histories;
Provide the means of updating patients’ records with diagnoses, prescriptions, and illness
histories;
Provide nurses with rapid access to treatment and dosing specifications;
Provide management with means of documenting, accessing and analysing all patient
transactions, both medical and administrative;
Produce invoices for services provided to patients.
These objectives are defined from the perspectives of some of the system’s stakeholders,
specifically the hospital’s management and medical staff. Typically, and importantly, they
state what they require of the system – which amounts to the creation and updating of
records, storage, provision of access, and the output of analysed information – all database
and information-system facilities. The objectives do not reveal the difficulties involved in
attempting to meet the stated goals or the risks attached to the failure of any of them. Yet, as
revealed by the London Ambulance Service Inquiry, understanding such risks at this early
stage is crucial. Deeper scrutiny reveals that a slow system would not be used by doctors (a
fact not considered until too late by those responsible for the UK’s health systems), that the
loss of records would result in the hospital not being paid for services, that nurses and
administrators should not have access to full patient records, that if dosing information were
corrupted patients’ lives would be threatened, and that unauthorized access could result in
breaches of safety. Moreover, the safety risks are to the patients who, though at the heart of
the system, are not mentioned in the objectives except by allusion. From these observations,
it becomes apparent that the system should not only meet its functional requirements but also
be highly available, secure and safe.
Such revelations are likely to be daunting to management who supposed their system to be a
simple one. They should lead management to recognize the need for appropriate expertise in
its specification, design, development and implementation – and, if the development project
117
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
is to be contracted out, in contracting and management of the project.
A risk analysis at the objectives stage facilitates:
•
•
•
•
The clarification of objectives;
The early detection of the implications of – and, importantly, the risks thrown up by – the
stated objectives;
The detection of conflicts between objectives; and
The definition of objectives that should have been defined but weren’t.
In addition to facilitating better definition of objectives, a risk analysis at this stage throws up
the need to take decisions about the future of the clarified objectives. For example, when
management comes to understand that project risks include safety, will they want to proceed
with the project as defined? In some cases they wouldn’t. Options for action provided by
analysis of the objectives include:
•
•
Cancelling some objectives. This may be done, for example, because it is realized that
their implementation would take too long, would require the use of technologies that are
untried or for which we possess no expertise, or would carry risks (e.g. safety risks) with
which we do not wish to be involved.
Cancelling the project. This may be done if the risks exemplified in the previous point
were carried by the core objectives.
And, if it is decided to proceed, that is to say, to accept the risks, the analysis provides the
basis for defining:
•
•
Requirements, to be included in the specification, for the appropriate management of the
identified risks; and
Special testing requirements for the risk management aspects of the design and, later, the
product.
This combines risk-based and test-based approaches, and thus offers a new and deeper way of
raising confidence in the ultimate success of both the project and the product.
A risk analysis also provides information for the credentials required of (and, thus, for the
selection of) a contractor, if development is to be contracted out – a point emphasised in the
London Ambulance System Inquiry (1993).
RISK ANALYSIS AT THE SPECIFICATION STAGE
At the Objectives stage, there is little detailed information about an intended project, so both
the objectives and the identified risks are mostly at a strategic level. But, as a project
progresses, more detail is introduced at every stage, and this has two major effects:
•
•
It allows more thorough identification and analysis of risks; and
It is likely to introduce further risks.
Thus, risk analysis should be carried out when the principal product of each stage has been
completed. For example, when the specification has been developed, a risk analysis should
serve at least four purposes. First, it should identify and analyse new risks introduced by the
functional requirements. Often these appear straightforward, but if, for example, they invoke
a domain, such as safety or security, with which the developers are unfamiliar, or if they call
118
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
for a level of system or functional integrity not previously achieved, the risks involved should
be recognized and the implicated requirements given special design considerations.
Second, it should identify and analyse new risks introduced by the non-functional
requirements. Often these are assumed to accor with what is ‘normal for such systems’ or at
least technologically possible. But they should be carefully assessed. The required response
times, load capabilities, and reliability may not easily be achievable, or not achievable at all
to the staff employed to develop the system. Analysts should also identify the absence of
necessary non-functional requirements – a frequent deficiency in specifications.
Third, it should identify and analyse the risks introduced by any constraints placed on the
product or the project. Examples are: unfamiliar technologies, software and hardware
platforms, and systems with which the system must be integrated, time allowed for testing.
Fourth, the analysis should be used to determine if requirements have been specified for the
mitigation of the risks identified at the Objectives stage.
It is sensible also to identify requirements that do not contribute to any of the objectives.
Although they may add value for some stakeholders, they do not add strategic value (at least,
not according to the project’s defined strategic intent) and are likely to cause time over-run.
Given the results of the analysis, options for risk-based action include:
•
•
•
Cancel risky requirements – which requires re-consideration of the objectives;
Contract the project, or parts of it, to others with appropriate competences and experience;
and
Accept the risks and plan their mitigation, e.g. by planning and implementing changes to
the constitution and competence of the development team, by designing risk-reduction
measures into the design, and by defining controls in operational procedures.
Thus, the project now proceeds with the purpose not only of meeting the specified
requirements, but also of mitigating identified risks and, thus, avoiding problems that could
otherwise have occurred. Not to carry out a risk analysis and take appropriate actions results
in the unrecognised risks maturing into project and product problems and, thus, leading to
time over-run, budget over-spend, unsatisfactory products, or total project failure – examples
of all of which abound.
RISK ANALYSIS AT THE DESIGN STAGE
When a design has been completed – whether architectural or detailed – it should be
examined from two risk-based perspectives. First, a technical check should be made to ensure
that it provides features that reduce the previously identified risks to tolerable levels. This
check should trace a path through all previous risk analyses back to the Objectives stage.
Each time an identified risk was accepted, requirements for mitigating it should have been
introduced, and those to be met in the design should now be verified. The check should also
establish whether any risk-mitigation requirements are to be effected by operational
procedures, and if so, it should confirm that their design is not neglected.
Second, a study should be undertaken to determine what risks the design introduces into the
operational system or into the project. Typically, the rationale of a design is that it should
meet the functional and non-functional requirements. But what if a failure should occur
during operation (e.g. of a function or a component)? In some cases, the resulting loss may be
119
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
deemed unimportant; in others, it may be catastrophic. So, by carrying out a meticulous study
of a design – say, using HAZOP and its guidewords, or fault trees, as discussed earlier – not
only are the risks identified, so are the most critical aspects of the system. Actions that follow
may then include:
•
•
•
•
Making design modifications for risk reduction, e.g. introducing redundancy or protection
functions, or even just error messages;
Informing the software development teams of the most critical functions so that they can
apply their most rigorous processes (including appropriate staff) to them;
Defining test requirements for the risk-reduction functions and, more generally, providing
information to inform risk-based testing; and
Defining operational procedures to ensure that the risk-reduction and risk-management
measures are effective and, if necessary, to introduce further risk management.
RISK-BASED TESTING
For well known reasons, exhaustive software testing is not possible in finite time and, if it
were, it would not be cost-effective. Planned testing must therefore be selective. But on what
basis should selection be made? It makes sense to carry out the most demanding testing on
the most important aspects of the software, that is, where the risks attached to failure are
greatest. But how might this be done systematically?
Normally, derivation of a risk value requires estimates of both consequence and likelihood.
However, though the consequence of failure of a defined service provided by the system may
be estimated, there is no information on which to base an estimate of the service’s probability
of failure prior to testing the relevant software. Yet there are ways in which a risk-based
approach can achieve, or at least improve, both effectiveness and efficiency in testing.
First, a ‘single-factor’ analysis may be conducted, based on consequence alone, on the basis
that if the consequence of failure of a service is high then the probability of failure is desired
to be low. On the assumption that testing – followed by effective fixing – reduces the
probability of failure, estimates of the consequences of failure of all the services provided by
a system may be used to determine the rigour of testing of the items of software that create
those services. Of course, it cannot be proved that the probability of failure has been reduced
to any given level, but a relationship between severity of consequence and rigour of testing
can be defined for a project. This technique carries the major advantages that:
•
•
Sufficient information is usually available for consequence to be determined accurately,
provided that analysts meticulously seek it out; and
Both the consequence analysis and the resulting test planning can be done in advance of
development of the software itself, so it is a strategic technique.
Many testers believe that they already carry out this type of risk-based test planning, but they
are usually undone because they fail to take the trouble to collect the information necessary
for making sensible consequence estimates. Confidence in an estimate can only be justified if
it is supported by an adequacy of relevant information. And, as pointed out earlier, deep
investigation of data almost always disproves preconceptions.
Second, since estimates of the quality of software may be made, by observation and historic
information, prior to testing, a single-factor analysis may be based on quality as a surrogate
for probability. Confidence in quality estimates cannot be as high as those in consequence,
and such estimates cannot be made until the software has been produced and inspected.
120
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
However, quality estimates may be used as a tactical technique late in a project – for
example, to provide a basis for planning the reduction of testing because of the lack of time.
Third, even if test planning has been based on a consequence-based analysis, a quality-based
analysis can later be used to offer confidence in decisions on reducing or re-prioritising
testing as time runs out. In this case, one might refer to ‘two-factor’ analysis.
The scope of this paper allows only this brief introduction to the possibilities of risk-based
testing, but the author has provided fuller details elsewhere (Redmill 2005).
SUMMARY
Traditionally, the culture in software development projects is to focus wholly on the
production of what has been specified. The result is that risks that might have been foreseen –
and mitigated – unexpectedly give rise to problems that throw projects off course and lead to
defective – and, in some cases, unusable – products. Modern engineering thinking, on the
other hand – particularly in domains such as safety and security – is to take a predict-andprevent approach by taking account of risks early. This entails carrying out risk analyses and
basing risk-management activities on them, so as to reduce the likelihood of undesirable
events later. This paper proposes the introduction of a risk-based approach into software
development and project management.
The paper outlines what such an approach implies and goes on to explain ways in which it
can be implemented. It describes key aspects of two risk-analysis techniques employed in
safety engineering, shows that they can in fact be used in all situations, and briefly
demonstrates their application in software development projects. It then shows how risk
analysis can be used at the various stages of projects, in particular at the Objectives,
Specification, and Design stages. Carrying out risk analyses at these points provides options
for developers, from strategic management at the Objectives stage to design decisions later
on. It offers the opportunity to make changes in response to the acquired knowledge of risks:
to cancel a project, or parts of it, to change requirements and adjust the specification, and to
build risk-reduction features into the design. Further, by the early identification of critical
system features, it also presents the opportunity for early planning of their testing.
Further, the paper offers an overview of ways of carrying out risk-based testing, by using
knowledge of risks to inform test planning and execution.
This paper is not a final manifesto, or a textbook. It only introduces the subject of risk-based
thinking. However, it is felt that the principles proposed could bring improvements to
software development and project management and take these disciplines a step closer to
embracing an engineering approach and culture.
REFERENCES
London Ambulance Service (1993). Report of the Inquiry into the London Ambulance
Service. South West Thames Regional Health Authority, UK
Redmill F, Chudleigh M and Catmur J (1999). System Safety: HAZOP and Software HAZOP.
John Wiley & Sons, Chichester, UK
Redmill F (2005). Theory and Practice of Risk-based Testing. Software Testing, Verification
and Reliability, Vol. 15, No. 1
Vessely W E, Goldberg F F, Roberts N H and Haasl D F (1981). Fault Tree Handbook. U.S.
Nuclear Regulatory Commission, Washington DC, USA
121
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
This page intentionally left blank
122
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
MODEL-BASED SAFETY CASES
USING THE HiVe WRITER
Tony Cant, Jim McCarthy, Brendan Mahony and Kylie Williams
Command, Control, Communications and Intelligence Division
Defence Science and Technology Organisation
PO Box 1500, Edinburgh, South Australia 5111
email: [email protected]
Abstract
A safety case results from a rigorous safety engineering process. It involves reasoned
arguments, based on evidence, for the safety of a given system. The DEF(AUST)5679
standard provides detailed requirements and guidance for the development of a safety case.
DEF(AUST)5679 safety cases involve a number of highly inter-related documents; tool
support is needed to manage the process and to maintain consistency in the face of change.
The HiVe Writer is a tool that supports structured technical documentation via a centrallymanaged datastore so that any documents created within the tool are constrained to be
consistent with this datastore and therefore with each other. This paper discusses how the
HiVe Writer can be used to support safety case development. We consider the safety case
for a fictitious Phased Array Radar Target Illuminator (PARTI) system and show how the
HiVe Writer can support hazard analysis for the PARTI system.
1
INTRODUCTION
Safety critical systems are those with the potential to cause death or injury as a result of accidents arising from unintended system behaviour. For such systems an effective safety engineering process (along with choice of the appropriate safety standards) must be established at
an early stage of the acquisition lifecycle, and reflected in contract documents. This process
culminates in a safety case: i.e. reasoned arguments, based on evidence, for the safety of the
system. Safety cases are important because they not only help to provide the assurance of safety
that is required by technical regulators, but can also – by providing increased understanding of
safety issues early in the project lifecycle – help avert substantial costs at later stages in the
project lifecycle.
There are well-known methods and tools to support the development of safety cases. For example, the ASCAD (Adelard 2009) tool makes use of the “claims, arguments, evidence” (CAE)
approach (Emmet & Cleland 2002), as do the hypertext systems AAA (Schuler & Smith 1992)
and Aquanet (Marshall, Halasz, Rogers & Janssen 1991). Another approach is called GoalStructured Notation (Wilson, McDermid, Pygott & Tombs 1996). GSN represents elements
(i.e. requirements, evidence, argument and context) and dependencies of the safety case by
means of a graphical notation. Of the tools available today the most widely used is the Adelard
Safety Case Environment (ACSE), which supports GSN as well as CAE (Adelard 2009).
A safety case will usually involve a complex suite of documents built on various assurance
artifacts and other forms of evidence. The methods and tools mentioned above are valuable, but
they do not fully address the fact that the safety case must be guaranteed to be consistent and
robust in the face of changes (Kelly & McDermid 1999): such changes may be trivial ones that
123
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
need to be tracked throughout the documentation, or they may be major changes that impact the
whole safety argument.
One approach to the consistency problem is to develop a glossary of technical terms and
to ensure that such terms are used systematically throughout the safety case documentation.
We speak of structured text to refer to documents with such embedded technical terms. The
aggregration of technical terms used in the documentation forms a light-weight model for the
safety case. Clearly there is considerable scope to provide tool support for developing such
model-based safety cases. The HiVe (Hierarchical Verification Environment), currently under
development at DSTO, is a general purpose tool for producing structured system documentation. It allows a user to develop the necessary technical glossary and ensures that references to
technical terms are managed consistently throughout. It has a number of potential applications;
in this paper we claim that the application of the HiVe to the development of safety cases offers
many advantages.
Another advantage to the HiVe’s implementation of structured text is the ability to enforce
workflows through the introduction of form-like constructions. By structuring the safety case
documentation in an appropriate way, it is possible to ensure structural compliance with the
requirements of the standard. The HiVe may also be programmed to perform simple correctness
checks on important details of the safety case or even to calculate the correct results of mandated
analyses. In this paper, we describe a specialization of HiVe that supports the development of
DEF(AUST)5679 compliant safety cases.
In Section 2.1 we give an overview of DEF(AUST)5679, focusing on the requirements for
hazard analysis. Section 2.2 summarises the HiVe Writer. In Section 3 we introduce the concept
of model-based safety case, and discuss issues for tool support. Section 4 presents an overview
of the hazard analysis for a realistic Defence case study. In Section 5 we show how this case
study is captured within the HiVe Writer. Section 6 presents some conclusions and suggestions
for further work.
2
BACKGROUND
2.1
DEF(AUST)5679
The recently published DEF(AUST)5679 Issue 2 (DSTO 2009b) provides detailed requirements
and guidance for the development of safety cases. A safety case involves the following steps:
•
An analysis of the danger that is potentially presented by the system. This involves an
assessment of the system hazards, along with the ways that accidents could occur, as well
as their severity. This is called hazard analysis.
•
A system design that provides safety features (internal mitigations), i.e. a safety architecture.
•
Arguments that system components have been built in such a way that provides assurance
of safety, called design assurance.
•
An overall narrative (or high-level argument) that is convincing to a third-party and pulls
all the above together.
The safety case must be acceptable to an auditor (whose role is to monitor the system engineering process and ensure that the procedural aspects of standards are followed); to an evaluator,
whose role is to provide a thorough independent and objective review of the validity of the technical arguments that critical requirements are met by the system; and to a regulator, whose role
is to set the policy framework within which decisions about system safety must be made (and
who also may have the role of certifying that the system is sufficiently safe to be accepted).
124
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
For the purposes of this paper we shall describe in more detail the hazard analysis stage of
the safety case. The aim of hazard analysis is to describe the system, its operational context and
identify all possible accident scenarios (and their associated danger levels) that may be caused
by a combination of the states of the system, environmental conditions and external events.
An accident is an external event that could directly lead to death or injury. The severity
of an accident is a measure of the degree of its seriousness in terms of the extent of injury or
death resulting from the accident. System hazards are top-level states or events of the system
from which an accident, arising from a further chain of events external to the system, could
conceivably result. Accident scenarios describe a causally related collection of system hazards
and coeffectors that lead to a defined accident.
An external mitigation is an external factor that serves to suppress or reduce the occurrence
of coeffectors within a given accident scenario. The strength of external mitigation must be
assessed as one of low, medium or high. The danger level of an accident scenario is a function
of the resulting accident severity and the assigned strength of external mitigation. There are six
danger levels, labelled from D1 to D6 .
Some of the key requirements in DEF(AUST)5679 that are relevant for hazard analysis
are reproduced in Figure 1. They have a special format: they are in bold face, with a unique
paragraph number (shown here in square brackets), and usually reference one or more technical
terms (shown in blue).
2.2
The HiVe Writer
The HiVe Writer represents a novel approach to the creation and management of complex suites
of technical documentation. It blends both modelling and documentation through a synthesis
of concepts from model-based design, literate programming, and the semantic web. It supports
a range of documentation styles from natural language descriptions through to fully formal
mathematical models. The Writer’s free text mode allows the author maximum expressive
freedom. The Writer’s syntax-directed editing mode ensures compliance with documentation
and notational standards. The two modes may be mixed freely in a single document. More
details on the HiVe may be found in (Cant, Long, McCarthy, Mahony & Williams 2008); in this
section we give a brief overview.
In the Writer, the modelling activity proceeds by interspersing commands through a normative design document (NDD), which serves as a “script” that builds up the model-based design.
These commands serve to enter data into a centrally managed datastore. The datastore records
the fundamental technical terms and other building blocks of our model — called formal elements — as well as properties satisfied by these formal elements. Commands may also be
used to initiate interactions with external analysis tools and to record results in the datastore.
Elements from the datastore may be freely referred to in any document. All such references
are created (and are guaranteed to remain) consistent with the datastore, greatly simplifying the
management of change propagation and consistency across complex suites of documentation.
The Writer also provides a highly sophisticated rendering layer that allows the user to
present information from the datastore in numerous styles. This allows the user to target the
presentation style to the needs of the intended audience and to create different presentations
of the same information for different audiences. Designers are encouraged to write design,
explanatory and technical documentation in parallel, with complete consistency and targeted
presentation styles, thereby helping them to produce documents that convince others of the
correctness of the design.
The capabilities of The Writer can be extended via a powerful plug-in facility. In particular,
125
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
[8.6.2.] The Hazard Analysis Report must provide a list of all Accidents arising in Accident Scenarios, including an estimate of the Accident Severity of each Accident as
determined by Table 8.1.
Accident Severity
Catastrophic
Fatal
Severe
Minor
Definition
Multiple Loss of Life
Loss of Life
Severe Injury
Minor Injury
Accident Severities (Table 8.1 in DEF(AUST)5679).
[8.9.4] The Supplier shall assign each Accident Scenario a Danger Level in accordance
with the following conditions.
•
For each Accident Scenario a default Danger Level shall be assigned based on
the Accident Severity using Table 8.2.
•
If no External Mitigations are present in the Accident Scenario, the Danger
Level shall remain at the default value for that severity.
•
If, for a given Accident Scenario, a strength of External Mitigation can be assigned, then the Danger Level shall be reduced from its default value according
to Table 8.2
[8.9.6] Danger Level assignments of greater than D4 must be explicitly justified in the
Hazard Analysis Report, showing cause why stronger External Mitigation of Damage
Limitation factors could not be introduced into the Operational Context.
Default Level
Accident Severity
Catastrophic
Fatal
Severe
Minor
D6
D5
D4
D3
External Mitigation
Low
Medium
D6
D5
D5
D4
D4
D3
D3
D2
High
D4
D3
D2
D1
Danger Levels (Table 8.2 in DEF(AUST)5679).
[8.10.2] The Supplier shall assign to the System a System Danger Level that is the maximum over all the Danger Levels assigned for Accident Scenarios.
Figure 1: Requirements for hazard analysis
126
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
plug-ins can be developed to support specific business processes and documentation standards.
In Section 5, we describe a safety case tool that we have developed as a HiVe plug-in.
3
MODEL-BASED SAFETY CASES
We have already noted that there are a number of potential benefits to be gained from adopting
a light-weight modelling approach in safety case development. Here we discuss some of the
experiments we have carried out in applying HiVe concepts in the DEF(AUST)5679 context.
3.1
Observations on compliance
In developing a safety case against a defined standard — in our case DEF(AUST)5679 — the
matter of compliance assurance comes to the fore.
There are various levels of compliance.
As a trivial example, DEF(AUST)5679 requires the use of four accident severities; if the
safety case actually makes use of five severities, then it will not be compliant. This kind of
compliance is easy to check and should (ideally) be enforced at the time that the safety case is
developed, so that such mistakes are impossible. We call this shallow (or surface) compliance.
At the other end of the spectrum, for example, would be the case where the reasoning used
to justify the accident severities is unconvincing. This would need to be identified by a skilled
reviewer (or evaluator) and is an example of deep (non-)compliance with the standard. It can’t
be automatically enforced during safety case development. Nevertheless, the safety case should
be built and laid out in such a way as to facilitate the checking of all forms of compliance.
We have identified a number of ways that the HiVe can enforce shallow compliance and
support deep compliance.
3.2
HiVe DEF(AUST)5679 experiments
The development of the standard itself is a complex endeavour, complicated in the case of
DEF(AUST)5679 Issue 2 by the parallel development of guidance papers and a significant
worked case study (DSTO 2009a). Our experiments in support of this process are described
elsewhere (Cant et al. 2008). In short, we developed an extensive glossary of formal elements
(such as accident, hazard analysis, severity etc) to manage consistent use of terminology across
this large body of documentation and also a light-weight model of the various actors and processes treated in the standard. Although modest in scope, these modelling activities gave us
useful tools for managing consistency and completeness across this large document suite. For
example, the tools ensured that each requirement had a clearly defined responsible agent and automatically collected a table of the responsibilities of each agent in an appendix to the standard.
We are confident that this tool support led to a significantly higher quality end product.
Encouraged by the results of this experiment, we began to consider the development of a
HiVe plug-in for supporting the development of actual safety cases. Most obviously, safety
case authors would benefit from access to the DEF(AUST)5679 technical glossary as well as
an ability to define and manage a technical glossary specific to the system under consideration.
The basic HiVe Writer already provides such capabilities, ensuring that all of the technical terms
(as well as the requirements) of DEF(AUST)5679 can be directly referenced in the safety case
under construction, with the HiVe maintaining consistency throughout. More ambitiously, we
were interested in developing light-weight models for the necessary workflows and deliverables
of DEF(AUST)5679.
127
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Prohibited
Areas
Threats
Phased Array
Radar Beams
ESSM
Laser Targetting
Beams
Own Ship
Figure 2: PARTI System and Environment
Building on the basic datastore of DEF(AUST)5679 requirements we introduced specific
commands for making compliance claims against the standard. For example, a command that
describes and adds a new accident scenario to the list required under paragraph 8.6.4 of DEF(AUST)5679 (see Figure 1). Using structured text techniques, this command can ensure that
each accident scenario has all of its required attributes, such as associated accident and danger
level, properly defined. It can even automate any calculations required by DEF(AUST)5679,
such as determining the danger level as modified by external mitigation according to Table 8.2
of DEF(AUST)5679 (see Figure 1).
Properly implemented, such a collection of commands can ensure a very high degree of
shallow compliance with the standard. They also provide useful guidance to the evaluator in
determining deep compliance by directing attention to the critical compliance claims.
Once the compliance claims of the safety case are entered into the HiVe datastore, it becomes possible to make automated consistency and completeness checks. For example, by
identifying an accident that has been declared but does not appear in any accident scenarios.
A more sophisticated check is to ensure all accident scenarios with danger levels above D4 are
properly justified in accordance with paragraph 8.9.6 of DEF(AUST)5679 (see Figure 1).
The facilities described above have been integrated into a prototype HiVe plug-in for DEF(AUST)5679 safety case development. Currently, the plug-in focuses on the hazard analysis
phase, but there are plans to extend it to a complete support tool for DEF(AUST)5679, possibly
even including support for formal specification and verification.
4
THE PARTI SYSTEM
The Phased Array Radar Target Illumination (PARTI) system is a fictitious ship system that
scans, detects, discriminates, selects and illuminates airborne threats. The illumination of targets provides a target fix for the existing Evolved Sea Sparrow Missile (ESSM) system. The
PARTI system incorporates the phased array radar (PAR) and associated control functionality; a
sub-system for detecting, discriminating and selecting airborne threats; an operator; and a laser
designator and associated control functionality, for target illumination. The PARTI system and
its environment are shown in Figure 2.
The PARTI system was used as a case study for DEF(AUST)5679 (DSTO 2009b) and the
detailed results presented in DEF(AUST)10679 (DSTO 2009a) (along with other material giving guidance on how to apply the standard). Here we are just interested in the hazard analysis
for the PARTI system. The results of this analysis are summarized in Tables 1a– 1c. Recalling
128
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Id.
HAZ
HAZ
HAZ
HAZ
HAZ
A
B
C
D
E
System Hazard
The PAR irradiates a prohibited area.
The laser illuminates a non-target object.
The PARTI sends an erroneous communication.
The laser fails to maintain target illumination.
The PARTI operates without command authorisation
(a) System hazards
Id.
A1
A5
A7
A8
A9
A10
A11
A12
Accident
Severity
Missile or other ordnance causes damage to a non-target
Helicopter crash due to RF interference
Laser causes damage to a non-target
Personnel injuries caused by Electromagnetic Radiation
Collision and Grounding of Ship
Laser causes eye damage to personnel
Laser kills a person
Personnel deaths caused by Electromagnetic Radiation
Catastrophic
Catastrophic
Catastrophic
Severe
Catastrophic
Severe
Fatal
Catastrophic
Default
Danger
Level
D6
D6
D6
D4
D6
D4
D5
D6
(b) Accidents
Accident Scenario
AS A 2
AS B 1
AS B 2
Hazard
HAZ A
HAZ B
HAZ B
Accident
A5
A8
A10
Default DL
D6
D6
D4
Mit. Strength
High
Medium
High
Assigned DL.
D4
D5
D2
(c) Typical accident scenarios
Table 1: PARTI hazard analysis results
Section 2.1, Table 1a of system hazards and Table 1b of accidents are self-explanatory.
For reasons of space, Table 1c only includes three representative accident scenarios – those
used in Section 5. Similarly, we do not go into the details of the accident scenarios. For example,
scenario AS A 2 involves (DSTO 2009a, PARTI-HAR):
the PAR irradiat[ing] a prohibited area (hazard HAZ A) while a helicopter is close
to the ship, causing the aircraft to malfunction, leading to helicopter crash due to
RF interference (accident A5) with multiple fatalities (and so default danger level
D6 ).
The table records the calculated danger level accounting for mitigation by external coeffectors.
In the example of AS A 2 the need for proximity and aircraft malfunction are two independent
coeffectors; thus the danger level is lowered to D4 .
The interested reader can find full details of the PARTI case study in DEF(AUST)10679
(DSTO 2009a). One such detail is that among the scenarios not shown are those involving
HAS E and HAS F, in which the PARTI emits arbitrarily lethal radar or laser radiation respectively. Such hazards can clearly lead to catastrophic accidents with little or no potential for
external mitigation. Thus, as defined in Figure 1 (Clause 8.10.2), the system danger level is D6 .
Fortunately, it is fairly easy to design the PARTI (by limiting available power output) so as to
eliminate these hazards.
129
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Figure 3: The NDD for the PARTI system
5
THE PARTI HAZARD ANALYSIS IN THE HiVe
In this section we demonstrate the HiVe Writer applied to the PARTI hazard analysis, making
use of a prototype plug-in – here called the hazard analysis plug-in – to provide commands
specific to hazard analysis.
5.1
Generic interface
Figure 3 shows part of the HiVe Writer interface (Cant et al. 2008), as captured in a screenshot of a session using the hazard analysis plug-in. The top left hand window is the Project
Navigator: this provides an easy mechanism for moving between the different documents in
different open projects. Underneath the navigator is a formatting palette, which can be used to
present information according to a given user-defined style — this is very useful for presenting
the same information to different audiences. The main editor window shows part of the NDD
for this project. The NDD provides a literate script that builds up the “model” on which the
130
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Figure 4: The datastore after processing the first accident scenario
safety case is built. The yellow background on a command indicates that it has been processed
by the Writer. Direct interaction with the NDD is through a toolbar (top right of the screen) that
allows the user to control the processing of commands in the script.
5.2
Hazard analysis support interface
The content of the NDD in Figure 3 reflects the domain-specific nature of the hazard analysis
plug-in. In particular, after declaring PARTI to be the name of the project as well as the system,
we have the command “begin hazard analysis report for PARTI” which serves to set the context
for further command invocations in the plug-in.
The next command constructs a module that covers the operational context and system
description (if these are not present — as DEF(AUST)5679 requires — the hazard analysis
plug-in will complain after the NDD is processed, thus enforcing shallow compliance in this
instance). The use of modules ensures that the definitions all lie within their own namespace in
the project’s datastore. This is immediately used to good effect in the introduction of hazards
and accidents, each defined in their own module.
As yet unprocessed, in the next module introduced in Figure 3, are the definitions of the
three accidents (along with their severities) from Table 1b. The snapshot shows just the first of
these accident scenarios (AS A 2): it is introduced with some descriptive text, followed by two
coeffectors. After we have processed down to the end of this block, we find that the datastore
not only records this definition, but also computes automatically the default and final danger
levels (in accordance with Table 8.2 of DEF(AUST)5679). This is shown in Figure 4.
If we further process the next two accident scenarios and then try to end the hazard analysis,
the HiVe will not permit this, because (according to DEF(AUST)5679 (Clause 8.9.6)), explicit
justification is needed for any danger level assignments greater than D4 . Now we make use
of the HiVe’s syntax directed-editing. Using a palette of commands we can enter the skeleton
for the command giving explicit justification; we can then complete this using a second palette
to enter the name of the second scenario. The NDD can now be completely processed (see
Figure 5, which also shows the two palettes).
6
CONCLUSION AND PROPOSED FURTHER WORK
In this paper we have discussed the HiVe tool and how it can be used to address the problem
of constructing convincing and trustworthy safety cases. We demonstrated the use of the HiVe
on the hazard analysis phase of a safety case for a realistic case study. Work is now focused
on extending the tool to cover the safety architecture and design assurance phases of the same
example safety case. The architecture verification for the PARTI system has already been explored using a theorem prover (Mahony & Cant 2008); it will be instructive to capture this work
131
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Figure 5: The processed NDD with two palettes
within the HiVe tool as well.
Constructing and managing safety cases present a huge challenge. It will be many years
before there is general agreement on how a safety case should be structured; it will also take
some time for tools to be available that are easy to use and achieve the desired properties that a
safety case should have.
Acknowledgments.
The authors wish to thank the Defence Materiel Organisation for sponsorship and funding of
The HiVe Writer prototype.
References
Adelard (2009), ‘The Adelard Safety Case Development (ASCAD) manual’.
URL: http://www.adelard.com/web/hnav/resources/ascad/index.html
Cant, T., Long, B., McCarthy, J., Mahony, B. & Williams, K. (2008), The HiVe writer, in
‘Systems Software Verification’, Elsevier.
132
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
DSTO (2009a), DEF(AUST)10679/Issue 1, Guidance Material For DEF(AUST)5679/Issue 2,
Australian Government, Department of Defence.
DSTO (2009b), DEF(AUST)5679/Issue 2: Safety Engineering for Defence Systems, Australian
Government, Department of Defence.
Emmet, L. & Cleland, G. (2002), Graphical notations, narratives and persuasion: a pliant
systems approach to hypertext tool design, in ‘HYPERTEXT ’02: Proceedings of the
thirteenth ACM conference on Hypertext and hypermedia’, ACM, New York, NY, USA,
pp. 55–64.
Kelly, T. P. & McDermid, J. A. (1999), A Systematic Approach to Safety Case Maintenance, in
‘SAFECOMP’, pp. 13–26.
URL: citeseer.ist.psu.edu/kelly01systematic.html
Mahony, B. & Cant, T. (2008), A Lightweight Approach to Formal Safety Architecture Assurance: The PARTI Case Study, in ‘SCS 2008: Proceedings of the Thirteenth Australian Conference on Safety-Related Programmable Systems’, Conferences in Research
and Practice in IT., pp. 37–48.
Marshall, C., Halasz, F., Rogers, R. & Janssen, W. (1991), Aquanet: a hypertext tool to hold
your knowledge in place, in ‘HYPERTEXT ’91: Proceedings of the third annual ACM
conference on Hypertext’, ACM, New York, NY, USA, pp. 261–275.
Schuler, W. & Smith, J. B. (1992), Author’s Argumentation Assistant (AAA): a hypertext-based
authoring tool for argumentative texts, in ‘Hypertext: concepts, systems and applications’,
Cambridge University Press, New York, NY, USA, pp. 137–151.
Wilson, S. P., McDermid, J. A., Pygott, C. H. & Tombs, D. J. (1996), Assessing complex
computer based systems using the goal structuring notation, in ‘ICECCS ’96: Proceedings
of the 2nd IEEE International Conference on Engineering of Complex Computer Systems
(ICECCS ’96)’, IEEE Computer Society, Washington, DC, USA, p. 498.
BIOGRAPHY
Tony Cant currently leads the High Assurance Systems (HAS) Cell in DSTO’s Command, Control, Communications and Intelligence Division. His work focuses on the development of tools
and techniques for providing assurance that critical systems will meet their requirements. Tony
has also led the development of the newly published Defence Standard DEF(AUST)5679 Issue
2, entitled “Safety Engineering for Defence Systems”.
Tony obtained a BSc(Hons) in 1974 and PhD in 1979 from the University of Adelaide, as
well as a Grad Dip in Computer Science from the Australian National University (ANU) in
1991. He held research positions in mathematical physics at the University of St Andrews, Tel
Aviv University, the University of Queensland and the ANU. He also worked in the Commonwealth Department of Industry, Technology and Commerce in science policy before joining
DSTO in 1990.
133
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
This page intentionally left blank
134
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
THE APPLICATION OF HAZARD RISK ASSESSMENT IN
DEFENCE SAFETY STANDARDS
C.B.H. Edwards1 M. Westcott2 N. Fulton3
1
AMW Pty Ltd
PO Box 468, Queanbeyan, NSW 2620
Email: [email protected]
2
CSIRO Mathematical and Information Sciences
GPO Box 664, Canberra, ACT 2601
Email: [email protected]
3
CSIRO Mathematical and Information Sciences
GPO Box 664, Canberra, ACT 2601
Email: [email protected]
Abstract
Hazard Risk Assessment (HRA) is a special case of Probabilistic Risk Assessment (PRA) and provides the theoretical
basis for a number of safety standards. Measurement theory suggests that implicit in this basis are assumptions that
require careful consideration if erroneous conclusions about system safety are to be avoided. These assumptions are
discussed and an extension of the HRA process is proposed. The methodology of this extension is exemplified in recent
work by Jarrett and Lin. Further development of safety standards and the possibility of achieving a harmonisation of the
different approaches to assuring system safety are suggested.
Keywords: Probabilistic Risk Assessment, Hazard Risk Assessment, Safety Standards, Safety Evaluation, Hazard
Analysis
2
Introduction
The use of Probabilistic Risk Assessment (PRA) is widespread in industry and government. Examples include
environmental impact studies, food and drug management, border protection, bio-security and the insurance industry.
In many organisations the use of PRA has become institutionalised, being applied in a prescriptive manner with little
questioning about the assumptions implicit in the method. In the safety domain the risk of hazard realisation leading to
an accident is of concern. This is known as Hazard Risk Assessment (HRA) and is a particular application of PRA.
This paper examines the application of HRA in safety standards, which are used to guide the assessment of the safety
of defence systems.
In recent years there has been a growing body of literature expressing concern that the application of PRA can lead to
false conclusions about the nature of perceived hazards. For example, Hessami (1999) provides an analysis of the
limitations of PRA and (inter alia) notes:
The Risk Matrices, once regarded the state-of-the-art in pseudo quantified assessment are essentially outmoded and
inapt for today's complex systems and standards of best practice. They are a limited tool which cannot be universally
applied in replacement for systematic assessment and it is not possible to compensate for their structural defects and
enhance their credibility through customization of their numerical axes as advocated by the Standard (IEC). These also
encourage an incremental as opposed to the holistic view of risks through arbitrary allocation of tolerability bands. In
short risk matrices are best suited to the ranking of hazards with a view to prioritize the assessment effort. A systems
framework is required to provide a suitable and sufficient environment for qualitative and quantitative assessment of
risks within a holistic approach to safety.
A so called “precautionary principle” has evolved over a number of years and has been proposed as an alternative to the
use of PRA. O’Brien (2000) provides a guide to the application of this principle. When describing the precautionary
principle Wikipedia notes:
This is a moral and political principle which states that if an action or policy might cause severe or irreversible harm
to the public or to the environment, in the absence of a scientific consensus that harm would not ensue, the burden of
proof falls on those who would advocate taking the action, [Raffensperger C. & J. Tickner (1999)]. The principle
implies that there is a responsibility to intervene and protect the public from exposure to harm where scientific
investigation discovers a plausible risk in the course of having screened for other suspected causes. The protections
that mitigate suspected risks can be relaxed only if further scientific findings emerge that more robustly support an
alternative explanation. In some legal systems, as in the law of the European Union, the precautionary principle is also
a general and compulsory principle of law, [Recuerda. (2006)].
135
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Given the widespread use of HRA within the safety community it is important that the limitations of this approach to
system safety be well understood and that some form of a precautionary principle is woven into the further
development of safety standards.
3
Hazard Risk Assessment
3.1 HRA Process
HRA aims to identify the risk of hazards and to guide the application of resources to minimize assessed risk. This
concept has been applied to a wide range of situations, ranging from relatively simple OH&S problems, such as office
safety, to the acquisition of complex weapons systems. HRA attempts to quantify risk through the use of the Hazard
Risk Index (HRI) measure. After the derivation of the HRI for a particular hazard, an assessment of the application of
resources required to mitigate or remove the risk is made. Often this assessment is based on the As Low as Reasonably
Practicable (ALARP) principle. Notably, the ALARP method allows for a statement of Residual Risk, i.e. the risk
remaining after the completion of the safety process. Further discussion about ALARP can (inter alia) be found in Ale
(2005).
3.2 Derivation of the HRI
The derivation of an HRI for a particular hazard, i.e. a hazard derived from the HRA process, is typically based on a
tabulation of ‘Likelihood’ versus ‘Consequence’ as shown in Table 1. The acceptability of the HRI is then determined
by a grouping of derived HRI. An example is shown in Table 2.
Consequence
Likelihood
Catastrophic
Critical
Major
Minor
Frequent
1
3
7
13
Probable
2
5
9
16
Occasional
4
6
11
18
Remote
8
10
14
19
Improbable
12
15
17
20
Table 1. Hazard Risk Index
HRI
Risk Level
Risk Acceptability
1 to 5
Extreme
Intolerable
6 to 9
High
Tolerable with continuous review
10 to 17
Medium
Tolerable with periodic review
18 to 20
Low
Acceptable with periodic review
Table 2. Acceptability of Risk
3.3 HRI Measurement Difficulties
The Likelihood and Consequence scales on Table 1 are ordinal measures. Thus within a particular row or column of
Table 1 entries are ranked and comparison of those rankings is valid. For example, it is reasonable to assert that within
the Critical Consequence column an Occasional likelihood is a worse outcome than a Remote likelihood. Comparisons
of rankings from different rows or different columns are more problematic. To assert that Occasional but Catastrophic
136
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
(HRI=4) is equivalent to Frequent and Critical (HRI=3) is difficult to justify, particularly in the absence of a quantified
hazard consequence that is consistent with the hazard context. Thus a grouping of HRI, for example as shown in Table
2, is difficult to justify. Groupings may have some meaning if the context of the Likelihood and Consequence
assessments is known and done on a case-by-case basis, i.e. the system or issue under evaluation together with the
operational environment are well understood. Importantly, because a general a priori statement of HRI groupings has
no theoretical basis, groupings of HRI used to ascribe a level of risk acceptability must be done on a case by case basis
prior to the safety analysis, in a manner that takes into account the system context. Stevens (1946) provides a useful
discussion on the theory of measurement scales, while Ford (1993) discusses the application of measurement theory to
software engineering.
The HRI based approach to safety has intuitive appeal to program managers and continues to be widely used. This
practice follows from the fact that the ALARP concept appears to simplify the problem of resource allocation and that
the concept of residual risk leads to qualitative statements of remaining safety actions, such as additional procedures,
which once articulated provide a well defined end to a safety program. It is of interest to note that the ‘burden of proof’
or ‘required due diligence’ for estimating the residual risk in the absence of hazard mitigation appears to be the same
regardless of how high the inherent risk.
4
Assumptions and Limitations of HRA
4.1 The Importance of Context
One problem with a general application of the HRI, as shown in the example Tables 1 and 2 lies in the fact that it is not
always possible to apply appropriate context scaling to the Likelihood and Consequence groups. The likelihood of
various outcomes will be dependent on the context of the problem being studied, as will the severity of the realisation
of a particular hazard. For example, the distribution of acceptability of HRI for faults in a Full Authority Digital Engine
Control System (FADECS) is likely to be very different from an examination of the risks of an experimental drug
treatment for patients with advanced forms of cancer. In the former case it is likely that there would be little tolerance
of a fault in the FADECS, while in the latter patients might be willing to risk death if there was even a small chance of
a cure. Prasad and McDermid (1999) discuss the importance of the context of a system when attempting to identify
emergent properties such as dependability.
The importance of context in trying to assess the safety of complex systems is well illustrated by Hodge and Walpole
(1999) where they adapted Boulding’s (1956) hierarchy of systems complexity to the Defence planning. The General
Hierarchy of Systems was summarised and illustrated as seen in Figure 1 below.
Figure 1. General Hierarchy of Systems
The application of this concept to the appropriate use of safety standards follows from the fact that standards developed
in an OH&S context are typically aimed at application at the Social level, while standards aimed at providing assurance
that a complex system is safe are applied at the Control level. An attempt to apply an OH&S based standard to a
137
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
complex computer-based system is likely to produce erroneous estimation of the system’s safety. This topic is
discussed later.
There are a number of assumptions, limitations and requirements implicit in a valid HRA process. These include:
a.
The requirement for semantic consistency between the context description and the outcomes of a hazard
realisation i.e. the Consequence description;
b.
the need for an exact quantitative description of the Risk Likelihood used, i.e. the likelihood function and the
boundaries of the associated class groups;
c.
a consistent mathematical description of the Consequence of hazard outcomes; and
d.
the requirement for an ‘a priori’ mathematical model of the acceptability of risk that is consistent with the context
of the analysis.
Apart from the requirement for semantic consistency, Cox (2008a) has addressed these issues in a paper on the
fundamentals of risk matrices. He concludes that PRA often has limited benefit, noting:
The theoretical results in this article demonstrate that, in general, quantitative and semi quantitative risk matrices have
limited ability to correctly reproduce the risk ratings implied by quantitative models, especially if the two components
of risk (e.g., frequency and severity) are negatively correlated. Moreover, effective risk management decisions cannot
in general be based on mapping ordered categorical ratings of frequency and severity into recommended risk
management decisions or priorities, as optimal resource allocation may depend crucially on other quantitative
information, such as the costs of different countermeasures, the risk reductions that they achieve, budget constraints,
and possible interactions among risks or countermeasures (such as when fixing a leak protects against multiple
subsequent adverse events).
Cox (see also Cox (2008b)) makes many other important points, including that probabilities are not an appropriate
measure for assessing the actions of intelligent adversaries. He also suggests three axioms that a risk matrix should
satisfy and shows that many matrices used in practice do not meet them. A further observation is that using a large
number of risk levels (or colours) in a matrix can give a spurious impression of the matrix’s ability to correctly
reproduce model risk ratings. For a 5 x 5 matrix, his axioms imply the matrix should have exactly three levels of risk
(the axioms require at least three levels, but Cox also recommends keeping the number of levels to a minimum).
However, there are some cases where PRA might be usefully employed. As Cox (2008a) notes:
If data are sufficiently plentiful, then statistical and artificial intelligence tools such as classification trees (Chen et al.,
2006), rough sets (Dreiseitl et al., 1999), and vector quantization (Lloyd et al., 2007) can potentially be applied to help
design risk matrices that give efficient or optimal (according to various criteria) discrete approximations to the
quantitative distribution of risks.
Other variations of conventional HRA aimed at better relating the likelihood and consequence pairs have been
proposed. Swallom (2005) provides an example, while Jarrett and Lin (2008) suggest a practical process to consistently
quantify likelihood and consequence, leading to a quantified HRI. The latter approach is strongly data dependent and
appears to provide a thoughtful and defensible use of HRA.
4.2 Semantic Consistency
The description of the system context and the outcomes from the realisation of a hazard can be a fraught process
involving imprecise descriptions and relationships. Overcoming this problem for complex systems will often require
considerable effort with the process being aided by formal analysis of the semantics involved in the description of the
system design and resulting hazards. One method for achieving internal consistency of the description of system
context is the application of set theoretic modelling. Wildman (2002) provides an example of this process.
5
Application of HRA in Safety Standards
5.1 Risk Based Standards
Over the last two decades there has been a divergence in the theoretical basis of system safety standards. In essence
there are two lines of thought. The conventional approach involves a process that attempts to apply HRA to identify
and classify system hazards according to some sort of acceptability criteria. The alternative approach is a qualitative
one, driven by system safety requirements, in which each accident scenario is assigned a danger level, and each
component safety requirement is assigned an assurance level that dictates the level of rigour required to develop and
analyse system components. The alternative approach is discussed later.
Safety standards such as the UK DEF STD 00-56 and the ubiquitous US MIL-STD-882 (2000) are examples of the
conventional approach. These are based on the ALARP approach to safety. This approach accepts the possibility of
Residual Risk and attempts to quantify assurance through the use of the HRI metric. Note: The US MIL-STD-882D
does not specifically call out ALARP but is instead based on a reasonability test similar to the ALARP approach.
Locally, the RAN Standard ABR 6303 (2006) is another example of the application of ALARP. This standard has been
widely promulgated and has been used to assess the safety of a number of complex systems.
138
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
While it may be possible to apply HRA-based safety standards to situations where the system is well understood, there
are systems where it is possible to argue that, a priori, the application of HRA to provide an estimation of system
assurance is inappropriate. For example, it may be appropriate to apply an HRA-based safety standard to a simple
mechanical system where there are sufficient data to draw some inferences about the statistical properties of
(Probability, Consequence) pairs and where the system context is well understood. However, the application of HRA to
a computer intensive system requires further consideration and alternative strategies need consideration. In the case
where the use of an HRA-based standard has been mandated it will be important to ensure that critical software
components of the system are identified and treated appropriately.
6
Proposed Extension to HRA
6.1 Interpretation of Risk
We assume it is possible to quantify the (Likelihood, Consequence) pairs so that the definition
Risk = Likelihood x Consequence
makes sense (Royal Society Study Group, 1992, Sections 1.3.2, 1.3.4).
The meaning of the value of Consequence needs careful thought. In general this will be a random variable; that is,
different realizations of a hazard will produce different consequences. In an HRA, which is prospective though perhaps
informed by data, the values for Consequence could be decided by an individual or as part of a collective evaluation
process. In the former case, the value could incorporate the risk perceptions of the individual. In the latter case, the
value is likely to be closer to an average or expected Consequence. If so, there is a useful interpretation of risk as an
expected cost rate; see h. below and Section 6.3.4.
This conclusion also emphasises the importance of an inclusive and multidisciplinary process when evaluating
Consequence.
6.2 Concept Application
As noted previously, Jarrett (2008) appears to offer a practical method of developing an estimate of system safety
assurance.
The approach attempts to overcome some of the known deficiencies in the construction and use of risk matrices. It is
based on work by Anderson (2006) and Jarrett and Lin (2008); the latter work is summarized in Jarrett (2008). Their
mathematical basis for quantifying the margins of the matrix is very similar, though Jarrett and Lin embed this in a
wider process for deriving a risk matrix. The stated intentions of this process are to “create greater transparency” and
“develop a more quantitative approach”. The specific context for the work in Jarrett and Lin (2008) is assessment of
maritime threats to Australia.
The main steps of this process are as follows.
a.
Define the relevant hazard or threat categories.
b.
For each threat category, assess the consequences and the likelihood of the hazard. The consequences are also
classified into categories.
c.
For each consequence category, the possible severities are listed, described and ranked. It is important that the
severities with the same rank line up across the categories, so that they will be generally agreed to be comparable.
A guide to severities is that, where possible, the steps should correspond to roughly 10-fold changes in “cost”
(which might be dollars but could be fatalities, injuries, land areas affected, etc).
d.
The hazard is then assigned a score (rank) in each category.
e.
The overall consequence score for the hazard is calculated by combining the category scores in a particular way
(see below).
f.
The likelihood of the hazard is assessed by its expected frequency, defined as the expected number of occurrences
per annum. The score assigned to the likelihood also has steps that correspond to 10-fold changes in the
frequency. Verbal descriptions of the scores can be given but are really only indicative; the number is the crucial
element here.
g.
The risk score for the hazard is then given by
Risk score = Consequence score + Likelihood score
h.
This score has a rough interpretation as a log10(expected annual cost)
i.
The possible scores for a hazard can be assembled into a matrix or table. If desired, each cell of the table can be
assigned a measure of risk based on the risk score for the cell. This would look like a traditional risk matrix, but
the scores have a definite quantitative interpretation that is transparent and can be validated against data.
6.2.1
Combination of category scores (Jarrett and Lin)
Suppose there are c categories and the associated category scores are
score is
139
s1 ,
, s c . Then the combined (consequence)
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
S
log 10 10 s1
10 s 2
10 s c
This is similar to taking the maximum score, but it gives added weight to multiple occurrences of the maximum.
For example, consider two cases, with c=7.
I.
There is one score of 5 and six scores of 1.
II. There are seven scores of 5.
In each case, the maximum score is 5, so if S were taken to be the maximum score both these cases would get the same
score. However with the proposed system:
SI=log10 (100,000+60) = 5.002; and
SII=log10 (700,000) = 5.85
Thus case II has a substantially higher risk score, which seems appropriate since it has a high score in every category so
presumably is judged to have more a severe overall consequence. Variants of this basic scheme are clearly possible,
and might be desirable in a particular case.
6.2.2
Interpretation of cell entries
In h. above, the risk score is given the interpretation of a log(expected annual cost). The model behind this is as
follows. Suppose hazardous events occur randomly in time at a rate . Each occurrence of an event has an associated
cost which is a random variable from a distribution with mean µ. Provided the costs are independent of the occurrence
process, the expected total cost per unit time is the product .µ. Taking logs gives the relation in g. above, and explains
h.
6.3 Example
This example is taken largely from Jarrett (2008). It concerns maritime threats.
6.3.1
Threat categories
These were taken as:
• Maritime Terrorism
• Illegal Activity in a Protected Area
• Protected Area Breach
• Piracy
• Unauthorised Maritime Arrivals
• Illegal Exploitation of Natural Resources
• Marine Pollution and Biosecurity
6.3.2
Consequence categories and severity levels
The categories are given in the top row of the table below (from Jarrett (2008)), together with descriptions of the
severities at ranks 4 and 5. (Note: The table is a fragment from the complete table provided in the CSIRO report).
Consequence
category
Death, injury or
illness
Economic
Environmental
Symbolic
5: Catastrophic
Mass fatalities,
remains
collection
compromised
$5 billion+
Irreversible loss of a Destruction of
conservation value of nationally important
a bioregion
symbol
4: Major
Multiple
fatalities,
remains
collection
compromised
$1-5 billion.
Damage to a
Serious damage to a
conservation value nationally important
where recovery > ten symbol
years
One might dispute the equivalence of outcomes within a particular Consequence Category but it is clear that a high
degree of discussion and consultation was involved in production of this table. This discussion and consultation are an
essential part of the proposed risk assessment process.
It is worth noting that at this point the above table of Consequence and associated Severities is similar to the approach
provided by ABR 6303. The extension of the methodology proposed here would thus appear to be a natural extension
140
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
of the ABR 6303 process. However, there are limitations to the application of this approach, particularly when dealing
with computer intensive systems. These limitation are discussed later.
6.3.3
Likelihood
This is summarised in the following table (from Jarrett (2008)).
Likelihood
Indicative Rate
Australia-Wide
Description
Prob 0.01 of event
each year.
Likelihood Score
Rare
Aware of an event like this
occurring elsewhere.
1
Unlikely
The event will occur from time Prob 0.1 of event
to time.
each year.
2
Possible
The event will occur every few One every three
years.
years.
2.5
Likely
The event will occur on an
annual basis.
One every year.
Very Likely
The event will occur two or
three times a year.
Two to three events
a year.
Almost Certain
The event will occur on about a Ten events or more a
monthly basis.
year.
3
3.5
4
The following should be noted:
a. The 10-fold increase in frequency with each unit increase in the Likelihood Score. In this case, the authors have
refined the scoring system to include some changes of 0.5; these are associated with a 3-fold change in frequency. This
is broadly consistent, since
log 10 3
0 . 477
0 .5 .
b. The decision to equate score 1 with a frequency of 1 event per 100 years. This is entirely arbitrary. We shall see
shortly that it might be better to increase all likelihood scores by 1 in this instance.
c. The verbal descriptions in the first column are evocative but have no direct influence on the results. Effectively, they
are defined by the frequencies. This is in contrast to other uses of risk matrices, where terms on the
frequency/likelihood axis appear to be undefined (e.g. Fig.9 in FWHA (2006))
d. The caveats in Cox (2008b) about use of probabilities when the hazard results from the actions of intelligent
adversaries should be kept in mind.
6.3.4
Risk score
This is defined by the sum of the consequence and likelihood scores. The interpretation mentioned, that of the log of
the expected annual cost, can be seen as follows. A likelihood score of 3 corresponds to an expected frequency of one
event per year. If the entire category scores are 4, say, then the consequence score is about 4.85 (log10(7x104)), leading
to a risk score of 7.85. Looking at the table above, severity level 4 is associated with a $ cost of order $1 billion. So the
expected annual cost would also be of order $1 billion and its log would be 9. So the risk score represents roughly 1/10
of the annual expected cost. This is why increasing all the likelihood scores by 1 might be sensible in this case; it would
give a closer match between risk score and log expected annual cost.
The Risk matrix produced from this example is shown below.
141
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Likelihood
Overall
Consequence Score
1
2
2.5
3
3.5
4
Rare
Unlikely
Possible
Likely
Very Likely
Almost
Certain
Negligible
Low
Low
Low
Moderate
Moderate
Low
Low
Moderate
Moderate
Moderate
Moderate
Low
Moderate
Moderate
Moderate
Moderate
High
Moderate
Moderate
Moderate to
High
High
High
High to
Extreme
Moderate
High
High
High to
Extreme
Extreme
Extreme
1 to 1.85
Insignificant
2 to 2.85
Minor
3 to 3.85
Moderate
4 to 4.85
Major
5 to 5.85
Catastrophic
Here the choices for the cell entries will again be the outcome of an extensive discussion and consultation process. If
actions are associated with each risk level, these must also be carefully thought through and calibrated to be consistent,
and appropriate for the perceived level.
We note that this matrix might not accord with the recommendation in Cox (2008a) for a minimal number of levels
(colours), though it does satisfy his three axioms. Because the isorisk contours on a log scale are straight lines, the
banding in this matrix is more natural and defensible than in many other applications.
7
Discussion
7.1 Hazard Severity Based Standards
An alternative to HRA is a qualitative approach based on a perceived severity of identified system hazards, which in
turn dictates the level of rigour required to analyse a hazard. Issue 2 of DEF(AUST)5679 (2008) provides an example
of this approach, where the standard asserts that the necessary system assurance will be obtained because the hazard
has been ‘designed out’.
An important demand made by Issue 2 of DEF(AUST)5679 is a tight coupling between the safety program and other
aspects of system development. Thus safety requirements are determined as part of the general system requirements
development process and the satisfaction of those requirements are incorporated into the system design and
implementation phases. Importantly, and in contrast to HRA, DEF(AUST)5679 increases the ‘burden of proof’ as the
inherent danger of a hazard increases, the notation used in the standard being Hazard Danger Levels.
Application of Issue 2 of DEF(AUST)5679 to existing systems can present problems if the provenance of the system
safety argument is uncertain or non-existent. In these circumstances the application of HRA in the manner suggested by
Jarrett and Lin (2008) below appears to offer a practical method of developing an estimate of system safety assurance.
Noting that the treatment of Non Development Items (NDIs) in DEF(AUST)5679 allows for the use of informal
methods, it appears that a theoretically defensible approach to HRA could be incorporated into the standard when
assessing NDIs.
The SVRC Report (1999) provides further useful comparative information on the two different approaches, albeit on
earlier versions of the standards.
7.2 Application of HRA in Safety Standards
It is clear that the current use of HRA-based safety standards when assessing the safety of complex defence systems is
fraught with difficulties. Not only is the assessment of likelihoods largely qualitative and not based on supporting data,
but the associated consequences are unlikely to represent a global assessment of possible accidents. Both ABR 6303
and MIL-STD-882 tend to produce assurance assessments that could be readily challenged in the courts. They are both
essentially ‘low assurance’ standards.
The context of application of these two standards is important. MIL-STD-882 is a mature standard having evolved
through its application to military systems in the USA. The results of such application are normally evaluated by a well
142
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
resourced government organisation such as the USN Weapons Systems Explosive and Safety Review Board
(WSESRB), which can provide skills that allow the results of a MIL-STD-882 process to be examined carefully.
Notably, the WSESRB has the executive authority to enforce the results of its findings. Thus, while the theoretical
basis of the standard remains inadequate, the skill base of US organisations, such as the WSESRB, are able, to some
extent, to compensate for the limitations of the standard.
By way of comparison, safety organisations within the Australian Defence organisation do not possess the same degree
of executive independence as that enjoyed by their American counterparts. The final decision on system deployment is
not subjected to mandatory approval by the safety organisation, but rather is made at the ‘Social Level’ (of Figure 1) by
non-safety personnel who take into account the recommendations of a safety assessment. For example, a system
assessed as HRI 9 could be accepted into service with the residual risk being mitigated by procedure rather than by
changes to the system recommended by a safety analyst.
The result of the Australian Defence process is effectively a filtering process through different levels of the defence
bureaucracy, which can result in diluted assessment of the safety argument.
7.3 A Safety Paradigm Shift
During the latter phase of the long evolutionary development of MIL-STD-882 there has been a rapid development of
programmable technology. Noting the acknowledged limitations of HRA in dealing with this technology, the logical
conclusion is that a new paradigm for addressing computer intensive systems is required. A focus on safety
requirements, and subsequently identified hazard severities, exemplified by Issue 2 of DEF(AUST)5679, appears to
provide the basis for such a paradigm shift. Not only does this standard incorporate a precautionary principle into the
assessment of system safety, it also provides for a more rigorous and defensible safety argument.
The use of DEF(AUST)5679 as the default safety standard would not initially impose a markedly different process
from the use of MIL-STD-882. Both standards require a hazard analysis to be conducted in the first instance, with the
results of that analysis determining the nature of any subsequent safety effort.
7.4 Characteristics of Computer Intensive Systems
Computer intensive systems are now widespread in both defence and civilian applications. As paragraph 1.4.2 Issue 2
of DEF(AUST)5679 notes:
The implementation of system functions by SOFTWARE (or DIGITAL HARDWARE) represents some unique risks to
safety. Firstly, the flexibility of programming languages and the power of computing elements such as current
microprocessors means that a high level of complexity is easily introduced, thus making it harder to predict the
behaviour of equipment under SOFTWARE control. Secondly, SOFTWARE appears superficially easy and cheap to
modify. Thirdly, the interaction of other elements of the system with the SOFTWARE is often poorly or incompletely
understood.
The idea of ‘safety critical software’ is one fraught with conceptual difficulties. Software per se is simply a set of
logical constructs which have (hopefully) been built according to a design requirement. As such, software is neither
‘safe’ nor ‘unsafe’, but rather may contain constructs that when executed in a particular environment (both platform
and external environment) may produce unexpected results. Thus the context in which the software executes is just as
important as the code itself when it comes to assessing system assurance.
DEF(AUST)5679 has a particular focus on ensuring conformance of software with the design requirements, but as
noted previously, can produce difficult management issues when applied to NDI or Military Off The Shelf (MOTS)
products. Many of these products are either in military service or have a history of commercial application, and in these
circumstances it is likely that system reliability data would be available. For example, an Inertial Measurement Unit
(IMU) is a complex device that is commercially available and has application in both military and civilian systems.
Thus a safety case for a system containing an IMU might be able to take advantage of reliability data in the way
described above, where the IMU is treated as a black box within a wider system context. While such an approach
would seem to be consistent with the treatment of NDI products in DEF(AUST)5679, it would not reduce the
requirement for rigour in the analysis of the surrounding system and associated IMU system boundary. Rather the use
of reliability data would augment the safety argument.
It is clear that it is quite inappropriate to use the RAN Standard ABR6303 as a guide to assessing the assurance of
complex computer-based systems. Not only is the standard aimed at assessing the risk of OH&S hazards, it is not data
dependent and is qualitative in assessing likelihood risks. However, it is suggested that with the incorporation of the
methodology discussed above the applicable scope of standard could be widened. In particular it would allow
meaningful application to a larger class of physical systems.
7.5 Cultural Issues
Anecdotal evidence suggests that many program managers and system engineers regard a safety program as a necessary
evil, providing program uncertainty with little visible benefit. Such attitudes are inconsistent with system development
experience, but more support from senior management is required if an attitudinal change is to be achieved. Such
support should come from the reality that a well integrated safety program not only improves the system engineering
process, but the final quality of the product.
143
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Additionally, it behoves program managers to provide for the most complete and defensible safety program available
with current technology, because in the event of a serious accident, it is inevitable that today’s safety efforts will be
judged in the light of tomorrow’s safety standards.
Because software based systems are logically complex it follows that it is not possible to assure system safety through
testing alone. Conversely, testing combined with appropriate analysis offers the possibility of reducing the scope of a
safety program. This follows from the fact that such a combination can limit the requirement for an otherwise almost
infinite test regime, through an initial investment in the analysis of the safety critical properties of the system.
In dealing with the issue of the scope of a testing regime it should be borne in mind that testing and analysis go hand in
hand in supporting the safety argument. Different safety cultures interpret this truism differently, a fact which is
reflected in the oft repeated anecdotal quotation:
“In the USA they test, test and test and then analyse the results of the testing, while in Europe they analayse, analyse
and analyse and then test the results of the analysis”.
While it might seem trite to labour this point, it is apparent that this is a cultural difference that is reflected in the
divergence in the theoretical basis for safety standards.
7.6 Harmonisation of Safety Standards
Noting the limitations of safety assurance derived from HRA and the existence of safety standards based on both HRA
and an assessment of hazard severity, there would seem to be a need to harmonise the two different approaches when
assessing complex computer intensive systems. Such harmonisation should identify the validity of a particular
approach to providing assurance of system safety. More particularly it is imperative that cases of inappropriate
application of HRA are identified.
The main harmonisation issue flows from the fact that DEF(AUST)5679 does not mandate the determination of a
residual risk which, in the case of a HRA, is often made on the basis of unsupported qualitative assessments.
Essentially, the real difference between the HRA and assurance based techniques lies in the mandated determination of
safety risk.
MIL-STD-882 does not provide adequate guidance on the design and implementation of computer intensive systems.
As a result the standard is necessarily weak in requirements for assessing the assurance of the software product. The
standard tries to address the issue through a concept of ‘software control categories’. This approach does little to
improve the situation as system complexity often denies the accurate enumeration of these categories at an appropriate
level of abstraction. So, while at a macro level, i.e., at a high level of abstraction, such categorisation is possible,
identification of the actual code module responsible for the control function may not be easy.
Interestingly, Swallom (2005) notes that:
….. the F/A-22 matrix adds a “designed out” column for hazards where risk has been reduced to zero.
This acknowledgement suggests that, in the continuing attempts to extend the application of HRA, there has been a
development of a tacit recognition that the hazard severity approach of mitigating hazards through careful design has
some merit.
In comparison to MIL-STD-882, DEF(AUST)5679 provides strong guidance on the design and implementation of
computer intensive systems. While this concept works well for a true development process, the standards approach
when dealing with the integration and acceptance of NDI has the potential to present project management with difficult
financial decisions.
A safety case developed under DEF(AUST)5679 will almost certainly provide enough context information to allow an
informed groupings of risk and consequence to be made. Thus if demanded by a regulatory authority, it seems intuitive
that the approach outlined by Jarrett and Lin (2008) could provide a translation from the DEF(AUST)5679 approach to
a risk based approach. The point here is that while the process of moving from a severity based approach to a risk based
approach appears possible, the reverse is likely to be much more difficult.
7.7 Further Development of DEF(AUST)5679
As noted earlier Issue 2 of DEF(AUST)5679 has the propensity to provide program managers with difficult problems if
it is used to provide assurance for NDI based systems. Given the widespread use of software based NDI within defence
it is clear that further development in this area would increase the appeal of the standard to program mangers.
7.8 The Role of the Technical Regulatory Authority in Defence
As noted earlier there are a number of Technical Regulatory Authorities (TRAs) embedded within the fabric of the
Australian Department of Defence. The roles of these authorities vary in description, emphasis and basic function, but
all claim ‘safety’ as part of their raison d’être for existence. So for example, the Defence Safety Management Agency
will claim seniority in matters of Occupation Health and Safety (OH&S), whereas the Director General Technical
Airworthiness (DGTA) claims ownership of air and ground systems safety within the Royal Australian Air Force
(RAAF). Within the RAN there are a number of separate but interacting organisations involved in the assessment of
system safety. The TRAs are supported by administrative proclamations issued by various levels within the Defence
hierarchy.
144
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
The use of a specific safety standard is generally determined by the interested TRA. For example, DGTA almost
invariably requires software be developed in accordance with the development standard RTA/DO-178B and argues that
the development process ensures that the product is safe and suitable for service. An interesting defence of this process
has been provided by Reinhardt (2008).
The use of a particular standard to assure system safety must be endorsed by the TRA responsible for certifying the
safety of the system, where the system function can range from the development of safety critical avionics software,
through the development and deployment of explosive ordnance, to the methodology of reporting and investigating
OH&S issues. Importantly, any change to the application of new safety standards within Defence requires the approval
of the various TRAs. Thus any move away from HRA based safety standards within DoD would require TRA support.
In the case that a TRA demands an HRA based safety assessment, the provision of a method of mapping from the
hazard severity based approach of DEF(AUST)5679 to a HRI description of the outcome of the safety process would
assist in the acceptance of outcomes of the safety analysis.
7.9 The Need for Further Research
Given the pervasive use of HRA within the defence community there is an urgent need for research to further develop
the theoretical basis for the application of HRI when assessing system safety. In this regard Cox (2008a) notes:
In summary, the results and examples in this article suggest a need for caution in using risk matrices. Risk matrices do
not necessarily support good (e.g., better-than-random) risk management decision and effective allocations of limited
management attention and resources. Yet, the use of risk matrices is too widespread (and convenient) to make
cessation of use an attractive option. Therefore, research is urgently needed to better characterize conditions under
which they are most likely to be helpful or harmful in risk management decision making (e.g., when frequencies and
severities are positively or negatively correlated, respectively) and that develops methods for designing them to
maximize potential decision benefits and limit potential harm from using them. A potentially promising research
direction may be to focus on placing the grid lines in a risk matrix to minimize the maximum loss from misclassified
risks.
In particular, there is a need to better understand the relationship between, and possible integration of, the competing
safety methodologies, i.e. risk based, and those based on the concept of accident severity. Thus, in order to provide
improved interoperability between safety standards it is suggested that research into the relationship and applicability
between severity and risk based assessments of system safety be supported. Such research is not profitably done in
isolation, but rather needs to be done in the context of assessing the assurance of real systems. This requires support
from more than the primary research organisation.
8
Conclusions
Hazard Risk Assessment provides an inadequate theoretical platform for assessing the safety of complex systems.
Safety standards based on this approach can only be regarded as low assurance standards, not in tune with modern
safety thinking.
The extension to HRA proposed in this paper has the potential to extend the scope of the process to include many
physical systems. However, this requires a concomitant increased emphasis on the collection and analysis of
quantitative reliability data. This in turn demands the application of statistically sound data collection and analysis
methodologies, an approach not commonly found in today’s safety community.
Assessments of complex computer intensive systems continue to pose a particular problem for the safety analyst. Strict
conformance to design requirements and careful design of test regimes can assist the task, but system complexity can
make this approach expensive and time consuming, particularly if the safety requirements have not been identified or
adequately analysed.
9
Acknowledgements
The authors thank the referees for their constructive comments.
10 References
Ale, B. J. M. (2005): Tolerable or Acceptable: A Comparison of Risk Regulation in the United Kingdom and in the
Netherlands. Risk Analysis 25(2), 231-241, 2005.
Anderson, K. (2006): A synthesis of risk matrices. Australian Safety Critical Systems Association Newsletter, 8-11,
December 2006.
ABR 6303 (2006): Australian Book of Reference 6303, NAVSAFE Manual, Navy Safety Management, Issue 4
Boulding, K.E. (1956): General Systems Theory – The Skeleton of Science, Management Science, 2(3), April 1956.
Chen, J. J., Tsai, C. A., Moon, H., Ahn, H., Young, J. J., & Chen, C.H. (2006). Decision threshold adjustment in class
prediction. SAR QSAR Environmental Research, 17(3), 337–352.
Cox L.A. (2008a): What’s Wrong with Risk Matrices?, Risk Analysis, Risk Analysis 28, 497-512, 2008
Cox L.A. (2008b): Some Limitations of “Risk = Threat x Vulnerability x Consequence” for Risk Analysis of Terrorist
Attacks. Risk Analysis, 28(6) 1749-1761, 2008
145
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
DEF(AUST)5679 (2008): Commonwealth of Australia Australian Defence Standard, Safety Engineering for Defence
Systems, Issue 2
Dreiseitl, S., Ohno-Machado, L., & Vinterbo, S. (1999). Evaluating variable selection methods for diagnosis of
myocardial infarction. Proc AMIA Symposium, 246–250.
FWHA (2006): Risk Assessment and Allocation for Highway Construction Management, at
http://international.fhwa.dot.gov/riskassess
Ford G. (1993): Lecture Notes on Engineering Measurement for Software Engineers, CMU/SEI-93-EM-9, Carnegie
Mellon University
Hessami A.G. (1999): Risk Management: A Systems Paradigm, Systems Engineering, 2(3), 156-167.
Hodge, R. and Walpole, J. (1999): A Systems Approach to Defence Planning – A work in Progress, Systems
Engineering,
Test
&
Evaluation
Conference,
Adelaide.
20-22 October 1999
Jarrett, R. (2008. Developing a quantitative and verifiable approach to risk assessment, CSIRO Presentation on Risk,
August 2008
Jarrett, R. & Lin, X. (2008): Personal Communication.
Lloyd, G. R., Brereton, R. G., Faria, R., & Duncan, J. C. (2007): Learning vector quantization for multiclass
classification: Application to characterization of plastics. Journal of Chemical Information and Modeling, 47(4),
1553–1563.
MIL-STD-882D, (2000): Department of Defense, Standard Practice for System Safety
O'Brien, M. H. (2000): Beyond Democratization Of Risk Assessment: An Alternative To Risk Assessment
Prasad, D. & McDermid, J. (1999): Dependability Evaluation using a Multi-Criteria Decision Analysis Procedure,
dcca, p. 339, Dependable Computing for Critical Applications (DCCA '99).
Raffensperger, C. & Tickner, J (eds.) (1999): Protecting Public Health and the Environment: Implementing the
Precautionary Principle. Island Press, Washington, DC
Recuerda, M. A. (2006): Risk and Reason in the European Union Law, 5 European Food and Feed Law Review
Reinhardt, D. (2008): Considerations in the Preference for and Application of RTCA/DO-178B in the Australian
Military Avionics Context,13th Australian Workshop on Safety Related Programmable Systems (SCS’08), Canberra,
Conferences in Research and Practice in Information Technology, 100.
Royal Society Study Group (1992: Risk: Analysis, Perception and Management. Royal Society, London.
Stevens, S.S. (1946): On the Theory of Scales of Measurement, Science, 103(2684), June 7, 1946.
SVRC Services (1999): International Standards Survey and Comparison to Def(Aust) 5679, Document ID: CA38809101, Issue: 1.1
Swallom, D. W. (2005): Safety Engineer, U.S. Army Aviation and Missile Command: A Common Mishap Risk
Assessment Matrix for United States Department of Defense Aircraft Systems, 23rd International System Safety
Conference, San Diego, Ca., 22-26 August 2005
UK DEF STD 00-56: Issue 4 1 June 2007, Safety Management Requirements for Defence Systems.
Wildman, L. (2002): Requirements Reformulation using Formal Specifications: A Case Study, Software Verification
Research Centre, University of Queensland.
Wikipedia - the free encyclopedia, Precautionary Principle
146
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
INTEGRATING SAFETY AND SECURITY INTO THE SYSTEM
LIFECYCLE
Bruce Hunter
INTRODUCTION
System Safety and Information Security activities, while recognised as being critical aspects of a
system, are often only assigned targets to achieve at the concept or requirements phases of
development. They then are left to independently achieve outcomes that align with each other
along with other aspects of the system throughout its life. This somewhat cynical view of the
systems engineering model is reinforced by standards [IEC61508 Ed1, EN50126/28/29/59] that
don’t require either an integrated approach or verification of compatibility between resulting
safety and security controls.
While some attempts have been made to integrate the practices of safety and security engineering
[Ibrahim 2004)], key Information Security standards [IEC27001][ISO27005][SP 800-30] make
no mention of the safety aspects of security controls. Only later standards [SP 800-82][ISA-99]
[IEC62443] start to mention how security aspects support safety. Conversely the Functional
Safety series (IEC61508) edition 1 makes no specific mention of security and its impact on
achieving functional safety for the system. While later versions of sector safety standards (e.g.
EN50126, 128, 129 and 159) include security aspects but not how these interact and are
supported by security controls through the lifecycle.
As identified later in this paper, treating safety and security activities independently in the system
lifecycle can lead to unexpected and unwanted outcomes (see locked fire-door). Finding real-life
examples of these issues is not easy and may be due to the fact that incidents are considered
sensitive or the relationship has not been clearly understood or recognised. In recent surveys
more that 70% of organisations do not report security incidents to external parties [Richards
2009]. We have the legal system [Supreme Court of Queensland - Court of Decisions R v Boden]
to thank for details of an interrelated safety and security incident that would have gone unnoticed
and undocumented except for a sewerage system failure and subsequent spill…
Between 9 February 2000 and 23 April 2000 a former employee of a supplier
deploying a radio-networked SCADA system for Maroochy Shire Council accessed
computers controlling the sewerage system, altered electronic data in respect of
particular sewerage pumping stations and caused malfunctions in their operations.
The resultant sewerage spill was significant. It polluted over 500 metres of open drain
in a residential area and flowed into a tidal canal. Cleaning up the spill and its effects
took days and required the deployment of considerable resources.
The court imposed a two year sentence covering: 1 count of using a restricted
computer without the consent of its controller intending to cause detriment or damage
and causing detriment greater than $5,000; 1 count of wilfully and unlawfully causing
serious environmental harm; 26 hacking counts; and 1 count of stealing a two-way
radio and 1 count of stealing a PDS compact 500 computer. The concurrent sentence
imposed survived two appeals.
147
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
This case is now a benchmark for Cyber Security albeit that sometimes the facts are exaggerated.
The key the issues associated with ensuring systems are safe and secure in their operation are
shown in Table 1.
Table 1.
Maroochy Cyber Attack
Security Aspect
Compensating ISO27001
Control Objective
The safety of the system would not have considered the security implications at the
time due to expectations of industry norms and a culture of “Security by
Obscurity”;
A.10.6 Network security
management
The investigation found it difficult to differentiate between teething problems of
the system being deployed (still had not been resolved from completion of
installation in January) and the malicious hacking outcomes (this was also a source
of the later appeals);
A.10.10 Monitoring
The employee had vital equipment and knowledge in his possession after
resignation from the supplier including critical configuration software that allowed
the system data and operation to be changed remotely
A.8.3 Termination or change
of employment
The system did not discriminate between a masquerading rogue and real nodes in
the network
A.11.4 Network and A.11.5
Operating system access
control
26 proven hacking attempts were made over a three month period, anecdotally
there were more undiscovered events over a longer period
A.13 Information security
incident management
Open communications network was used for what is a Critical Infrastructure
operation, but again this was industry norm for the time. Communication
Technology was transitioning from point to point links to digital networks
A.10.6 Network security
management
The data controlling the system could be modified by an intruder based on past
knowledge
A.12.5 Security in
development and support
processes
By hacking attempts, it was possible to disable alarms hiding further changes and
unauthorised operation of the system
A.11.6 Application and
information access control
Even the hacker himself was not immune from security issues; in appeal evidence the stolen
laptop had problems in one of the hacking attempts as the “Chernobyl” virus had infected it.
While in hindsight it may be easy to see the risks associated with lack of security controls that
impacted the safety of the system (all of these issues could have been mitigated by the imposition
of basic security objectives from ISO27001), the development and commissioning of industrial
control systems at the time and their supporting standards would not have explicitly required this
to be considered.
It is easy to understand why there are good reasons to apply effective and timely security controls
to systems to support both operational and functional safety integrity but:
x Can they be addressed in isolation and still achieve their objectives?
x Aren’t they the same anyway and achieve a compatible outcome?
148
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
VALUES, PRIORITIES AND COMPATIBILITY
Before you attempt to integrate two value-based systems, it is important that you are sure their
value systems align. When it comes to safety and security the values and priorities that drive the
methodologies are not the same.
Assets versus People
The Common Criteria standard IEC 15408 addresses the assurance levels applied to security
management and the criteria for evaluating and claiming assurance levels. This can be used as a
level of trust that the security functions will be effective in the products protecting the
confidentiality, integrity and availability of their associated assets. While this may provide some
form of equivalent to the Safety Integrity Levels (SIL) associated with functional safety, there are
basic differences in the purpose and methodology that prevent this.
People
value
Owners
value
wish to minimise
at risk of
impose
Countermeasures
may be
aware of
may
harm
Hazards
that may impact
that may
possess
that require
affecting
Vulnerabilities
that may increase
Safety Functions
Threat agents
Could this be missing
when systems have
safety implications?
leading to
to
that exploit
Risk
that may
include
give
rise to
Threats
that
increase
to
Assets
to
wish to abuse and may damage
May also wish to harm
Adapted from IEC15408.1
Figure 1. IEC15408 Security Concepts and Relationship
Some explanation of the differences in approach can be seen with the Security Concepts and
Relationship Model [IEC15408.1] reproduced in Figure 1. The prime value here is the assets that
security protects from threat agents; whereas safety is about protecting against the risk of
physical injury or damage to the health of people [IEC61508.0] added into the diagram with
dotted lines). This incompatibility of values leads to the likelihood of conflicting risks and
controls being applied that may compromise system safety and security. This needs to be
considered in addition to the interdependencies between safety and security controls and their
impact as outlined in Figure 2. Controls may detract or contribute to the effectiveness of the
other.
An example of the possible incompatible application of security controls at the expense of safety
outcome (email of sound files to police blocked) can be found in the proceedings and
149
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
recommendations of the Coronial Inquest into the death of David Iredale and issues with the
NSW 000 Emergency service [Hall 2009][NSW Deputy State Coroner 2009].
Safety Framework
Security Framework
Hazards
Threats
Control Contributors
Faults
Safety
Controls
Reliability
Availability
Maintainability
Safety
Systems and
People
Security Controls protect malicious actions from
triggering hazardous action on or compromising
Safety-Related functions. e.g. Denial of Service
attack locking up safety related system.
Safety Controls protect users and maintainers
of Information Assets from hazards.
Control Detractors
“Malware” protection and fail-secure actions of
Security Controls may degrade safety
functions due to absorbing free system time.
Fail—safe actions of Safety Controls may add
back-door vulnerabilities to Information Assets
Vulnerabilities
Security
Controls
Confidentiality
Integrity
Availability
Traceability
Information
Assets
Figure 2. Safety and Security Control Contributors and Detractors
Safety Integrity versus Security Priorities
Safety hazard and risk analysis in association with any necessary risk reduction achieve a residual
risk rating, which is to be as low as reasonably practical (ALARP)[IEC61508.5]. Reliance on the
likelihood of a dangerous failure associated with this risk will lead to a required SIL. This is a
quantitative level, which is derived from the failure rate associated random and systematic
failures associated with the elements of the system that support the safety function.
Security Risk Evaluation, however, leads to ranking of risk associated with the likelihood of a
threat exploiting vulnerability and compromising and asset. Control Objectives are then applied
to mitigate in priority of the risk ranking identified. There is no guarantee that all risks will or can
be treated and risk treatment is invoked to reduce (by mitigating controls), retain (expecting the
risk may be realised), remove or transfer the risk. This security risk ranking rather than rating
approach is clearly not compatible with either the ALARP principle or other Safety risk
methodology.
RISK ASSESSMENT COMPATIBILITY
Both safety and security engineering make extensive use of risk management to assess and
mitigates risks that threaten the system integrity and compromise the safety of people and
security of assets. There are however important differences in the way risk management is
applied and the decisions made as a result of the risk estimated.
150
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Risk Impact
The consequence of hazardous events associates with safety is related to injury people and their
health ranging from individual with minor injury to many people killed. Security risk impact
usually relates to the value of the asset compromised in dollar terms from disruption to operation,
disclosure of information, loss of reputation and business and direct financial loss.
Some standards [ANSI/ISA-99] quantify the security risk in terms that include safety outcomes
and it is quite feasible that risks impacts could be aligned for “like” consequences. Other
standards and Guidance [NIST SP800-30][ISO27005][ITSEAG 2006] again do not take into
account the impact on safety or injury, just business impact.
Risk Likelihood
The comparison of likelihood methodology between safety and security is where these system
attributes diverge markedly. Probability of Failure for functional safety is broadly accepted for
random as well as systematic failures; although malicious action should be considered as part of
Preliminary Hazard Analysis, the probability of motive-based hazards is yet unquantified but
staring to be modelled [Moore, Cappelli, Trzeciak 2008].
Figure 3 illustrates the differences and alignment when between safety and security failures in a
generic cause consequence model.
Loss of Control
Almost Certain
Intentional
Threat
Constantly
Evolving
Enabler
Possible
Quantification
Vulnerability
Security
Design Fault
Lack of
Design
Rigour
Safety
Design Fault
Accidental
Quantification
by Standards
Wear-out
Quantification
by MTBF
Component
Life
Ineffective
Preventive
Control
Incident
Ineffective
Preventive
Control
Noncritical
Security
Outcomes
Interactions
Hazardous
Event
Systematic
Failure
Random
Failure
Ineffective
Reactive
Control
Critical
Security
Outcomes
Critical
Safety
Outcomes
Ineffective
Reactive
Control
Noncritical
Safety
Outcomes
Figure 3. Generic Cause-Consequence Mode of Safety and Security Failures
Assigning probabilities to security exploitations is difficult to say the least. Likelihood ratings in
most standards are very qualitative due to the non-deterministic nature of security threat and the
vulnerabilities of rapidly evolving Information Technology. Claiming a security incident is
improbable with a frequency of 1 in 1000 years is clearly “unrealistic” and open to abuse in
151
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
manipulating the risk rating. Again some security standards don’t help and recommend up to five
levels of likelihood from “Almost Certain” to “Rare” [ISO27005][ITSEAG 2006] with no
quantification.
The exponential rise of security incidents makes it hard to reliably quantify the frequency
contribution to likelihood and has reached such levels that this is now measure of time to survive
base on system type (in some cases currently less than an hour). Figure 4 [US CERT] shows the
evolution of reported attacks tied into infrastructure related incidents and the publication of safety
and security standards. This “flooding” dictates an attack probability of 1.
Little was mentioned on Information Security in safety standards available in 2001. Security
could have been considered as any other hazardous event risk but this would have required
domain knowledge of the possible threats and vulnerabilities of the system to attack. As outlined
previously in the SCADA system for Maroochy Shire Council, safety practitioners would not
have been fully aware of the vulnerabilities of an open communications network.
More recent attacks on Critical Infrastructure such as the Estonian and Georgian “Cyberwars”
[Nazario 2007] and the US Power Grids [Condon 2008] show that the risk of systems attached to
open communication networks is a difficult risk to quantify.
ISA-TR99
MIL-STD-882C
NIST SP800-30
IEC61508
ED1
AS4444
IEC62443-3
160
9
140
8
7
120
6
100
60
40
20
4
3
2
2009
2008
2007
2005
2004
2003
2002
2001
2000
1999
1998
1997
1996
1995
1994
1993
1
1992
0
5
CERT stops attack
reporting Survival time now
30..100 min for
unprotected
Windows systems
80
Vulnerabilities (10 3 )
BS7799
2006
CERT Reported Atacks (103 )
AS4048
ISO27001
IEC61508
ED2?
0
Year
Attack triggered
Maroochydore
Sewer Spill
Slammer
Worm Ohio
Nuclear Plant
Estonian
Cyber
War
Georgian
Cyber
War
US Electricity
Grid Cyber
Profiling
??
Figure 4. US CERT Trend in Reported Computer Attacks in Context
Understanding probability in terms of random component failure and the probability of
introducing systematic faults with defined levels of development rigour proven foundations. The
assignment of probability to motive-based attacks, however, is not tenable. Security attacks
driven by the attraction of the target to the motives of the attacker and this is hard or even
impossible to measure. Attack targets and mechanisms are continuing to evolve from spamming
to political agendas to cyber-crime. Probability of motive-based attacks is best considered as 1
and other protective layers introduced.
152
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Along with attack targets and mechanisms, new security vulnerabilities are constantly emerging
due to evolving technology which driven by the needs of consumers. The converging of system
and communication technology to meet these needs has created previously unconsidered
vulnerabilities for control systems.
The time taken to fix discovered vulnerabilities is too short to rely on patches alone for
protection. The XP vulnerability exploited by “Conficker” malware, which was discovered and
detected early by Virus Checkers, took several months for an effective patch and cleaning
software. This also used different attack mechanism in the form of the “autorun” in USB thumb
drives and other removable media thus avoiding usual detection and protection controls.
What if Safety is Reliant on Security Reliability?
One possible method to align safety and security risk likelihood is to use the Layer of Protection
Analysis (LOPA) as supported by IEC61511.3 and yet to be published ED 2 of IEC61508.5.
LOPA could be used to assign failure probability to security risks as long as realistic values are
attributed to each Protection Layer (PL) and the rules of Specificity (one security function),
Independence (or separation from other layers [Hunter 2006]), Dependability (quantitative failure
rate) and Auditability (validation of functionality) are applied.
Open Threat
Environment
Protection Layer 1
High Risk Attack
Detected
Security Incident
Response
Security
Remediation Control
Other Response
Controls
Protection Layer 2
PFAPL
Incident
Detection
Time (TDET)
PTEXP TDET TREM Incident
Remedy
Time(TREM)
Protection Layer N
Time for threat to exploit
next layer vulnerability (TEXP)
Protection Layer
Compromised
Figure 5. Probability Model of Security Defence in Depth
Knowing threats and the vulnerabilities they exploit are subject to change most organisations
apply a defence-in-depth strategy, where no one single control is relied on for protection against
attack. This, however, is dependent on effective threat and vulnerability monitoring with fast and
reliable incident response. This must prevent an attack from breaching the next protective layer
before the threat agent discovers and/or exploits its vulnerabilities as illustrated in the Figure 5.
The Probability of Failure on Attack (PFA) for each PL can be derived from probability of an
attack exploiting the next protective layer before a mitigating response is implemented. The
product of each layer’s PFA then provides the total PFAAVG. Table 2 is an example of the
application of safety LOPA to security protection [IEC61511.3][IEC61508.5].
153
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Table 2.
LOPA Example with Security Defence in Depth Layers
Initial Risk
Event Impact
Description
Severity Level
Network attack performs Major
unauthorised operation Environmental
Damage
Initiating
Cause
Hacking
Attack
Initiating
Likelihood
1
PL1
PL2
Message
Encryption PFA
Firewall
Controls
PFA
0.1
0.1
(can’t predict
(XXX Standard)
likelihood of attack
PL3
PL4
Network Controls Application Controls
PFA
PFA
0.1
1
(two-factor
authentication)
(can’t application
determine
vulnerabilities)
Residual likelihood
Intermediate
likelihood
10-3
Security
Response PFA
0.1
Mitigated
likelihood
10-4
(assuming
response preexploitation)
When a Safety Function is reliant on security protection from likely threat of being compromised,
the PFA could form part of the Probability of Failure on Demand. This practice would need
considerable more work to be counted towards a resulting SIL and establishment dependable
statistics of Survival Probability. While the Common Criteria Evaluation Assurance Level may
provide confidence and a level of trust in the security controls applied, this does not equate to a
Safety Integrity Level. Care must also be taken, as in Figure 5 that remediation against the attack
does not compromise a safety function.
APPLICATION OF SAFETY AND SECURITY CONTROLS
The application of security controls to support functional safety has been addressed in other
papers [Smith, Russell, Looi 2003][ Brostoff, Sasse 2002].
Inherent conflicts between safety and security methodology become evident in the mitigation
controls against the associated risk. Risk discussion forums and Application Standards show
anecdotal cases where incompatible security controls lead hazardous situations in systems [NIST
SP800-82][ISA-99]. Typically these relate to security scanning and penetration testing and may
have just exposed inherent systematic faults that would eventually lead to these situations.
With an increasing threat environment to safety-related systems and uncertainty to the
vulnerabilities they contain, there is an increasing risk of ill-considered security controls being
applied which directly degrade the functional safety of these systems.
Establishing Control Compatibility
Security
Objectives
Safety Objectives
Must
Don’t care
Must not
Must
Contributing
Compatible
Incompatible
Don’t care
Compatible
Compatible
Compatible
Must not
Incompatible
Compatible
Contributing
Figure 6. Proposed Control Compatibility Model
One helpful, albeit obvious, way to manage where conflicts or incompatibilities arise is to divide
functionality into value objectives: “must”; “must not”; and “don’t care” for each functional
aspect as depicted in the compatibility chart proposed in Figure 6.
154
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
For compatibility to be achieved no “must” control in one is allowed to coexist with a “must not”
in the other aspect; other matches are compatible. This can be seen in the “Locked Fire door”
example following.
Conflicts - The Locked Fire-door Paradox
An example safety and security conflicts in everyday life is the paradox of locked fire doors. This
has the serious consequences on the safety of occupants who may be either trapped in a burning
building or fire escape stairs. Conflicts can be identified and resolved between the safety and
security controls by using Goal Structure Notation (GSN) as in Figure 7 [Lipson, Weinstock
2008)[Kelly, Weaver, 2004].
FireSafety
Keep occupants of an area
safe from fie or other
dangerous situations
Enclosed areas provide danger
to occupants during fire outbreak
EvacuateEarly
Evacuate occupants quickly to
remove them from harmful and
life-threatening conditions
Experience has shown that
injuries and deaths have
been caused by ineffective
exits
AssetSecurity
Protect security assets from
threats it their confidentiality,
Integrity and Availability
AlternativeEgress
Have alternative paths of egress
with unfettered passage to cater
for danger at one exit
SecureEntry
Secure boundary to prevent
access from outside
Assets compromised by
unauthorised entry and exit from
area
SecureExit
Secure boundary to prevent
access compromised from
inside
“Safety - Must”
Experience has shown that
patrons have let
accomplices in by fire exits
“Safety - Must Not”
Ensure doors
are unlocked
from inside to
allow quick
egress
Provide multiple
exits for
alternate
egress in
emergency
Lock doors
from outside to
prevent
unauthorised
entry
Lock doors
from inside to
prevent
unauthorised
exit & breach
Limit entrances
to reduce
security risk
“Security - Must”
“Safety – Don’t care”
“Security – Must Not”
Conflict 1
Conflict 2
Alignment 1
Use video
surveillance to
identify pending
breaches
Alarm exits to
alert when
security
compromised
Alignment 2
Figure 7. Simplified GSN view of Locked Fire-door Conflicts
If the safety and security controls in this example are considered together, then not only are
conflicts identified early but can be modified to improve the effectiveness of both.
AN ALIGNED APPROACH
Rather than combining disparate methodologies for safety and security, the paper proposes
Lifecycle Attribute Alignment to ensure effective and compatible safety and security controls are
established and maintained is at key lifecycle stages of: Concept; Requirements; Qualification;
and Maintenance.
In Figure 8, interaction in these phases is shown in terms of alignment attributes (A); requirement
allocation attributes (R) and verification effectiveness attributes (V). Engineering, System Safety
and Security Management plans should include these attributes as objectives to be achieved and
maintained in the lifecycle.
155
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Operational Concept
Studies
System Safety
Management
A2
Information Security
Management
A1
System Safety
Planning
Requirements
Analysis
Preliminary Hazard
Analysis
System/ Architectural
Design
R3
Establish Safety
Requirements &
Boundaries
Requirements
Allocation
Characterise System
and Set Asset Security
Objectives
Assess Threat and
Vulnerability Risk
Estimate and Evaluate
Security Risk
R1
Determine Risk
Treatment
Allocate Safety
Requirements
Technical
Performance
Management
A3
System Integration
and Test
Review and Define
Security Controls
R2
Safety Requirements
Implementation
V2
Qualification Testing
V1
Safety Requirements
Verification &
Validation
Implement Security
Controls
A4
Monitor Emerging
Security Threats &
Vulnerabilities
Installation & Test
System Safety
Assurance
Maintain & Update
Security Controls
R4
Acceptance &
Transition to Support
System Safety
Maintenance & Update
Through-life Support
A5
A7
R4
A6
Evolving Security Threats, Technology and Obsolescence
Systems
Development
Upgrade and Retrofit
Obsolescence and
Withdrawal
A1 – Ensure security and operational concepts align
A2 – Ensure safety and operational concepts align
A3 – Ensure controls are free from conflict
A4 – Ensure validation includes compatibility
A5 – Ensure security updates don’t compromise safety
A6 – Ensure functional updates don’t compromise safety
A7 – Ensure functional updates don’t compromise security
R1 – Ensure security risk are considered in hazard analysis
R2 – Ensure safety requirements are allocated
R3 – Ensure security requirements are allocated
R4 – Ensure security vulnerability updates are conducted
R5 – Ensure secure information is removed before disposal
V1 – Ensure safety requirements are validated and match current risk
V2 – Ensure security requirements are validated to vulnerabilities
Figure 8. Key Lifecycle Alignment Points
The yet to be published IEC61508.1 does reference newer security standards and the
consideration of malevolent actions during hazard and risk analysis through the safety lifecycle.
The Australian IT/6 Committee have recommended that security considerations, including
compatibility, be added to IEC61508 at key points in the safety lifecycle and hopefully these will
be in the final Edition 2 of the standard.
156
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
CONCLUSION
System Safety and Security are not the same in their values, methodology or their stability;
neither can they be treated independently if conflict is to be avoided in their mitigating controls.
As discussed in this paper the two key issues that limit the success of integrating safety and
security in the systems lifecycle: incompatibility with risk management; and possible conflicts
with mitigating controls. Using the safety LOPA technique may allow the determination of
probability of security control failure and resulting dangerous failure probability. The use of GSN
or similar techniques should be applied where safety and security controls may have conflicts.
This has also being used to develop more sound Security Cases [Lipson, Weinstock 2008].
Ensuring continued alignment of the dependence and compatibility of safety and security through
the lifecycle by is the key to their successful integration. Dangers of not treating safety and
security seriously together are:
x An increasing risk of successful attacks on infrastructure systems with safety functions;
x An increasing risk of mitigating security controls compromising safety functions somewhere
in their lifecycle; and
x The likely imposition of governmental controls on critical infrastructure protection if the
industry cannot demonstrate adequate support for information security in the systems they
supply, operate or maintain.
Benefits of integrating safety and security into the lifecycle are not only safer and more secure
systems but minimisation of the cost associated with late discovery issues in the implementation,
acceptance or support phases; building safety and security in from the start is essential.
REFERENCES
ANSI/ISA-99 (2007) Security Guidelines and User Resources for Industrial Automation and
Control Systems.
AS IEC 61508 Ed. 1 (1998) Parts 0 to 7, Functional safety of electrical/ electronic/
programmable electronic safety-related systems.
AS ISO/IEC 15408 Part 1-3 (2004) Information technology - Security techniques - Evaluation
criteria for IT security
AS/NZS ISO/IEC 27001 (2006), Information technology—Security techniques—Information
security management systems—Requirements
Brostoff, S., & Sasse, M. A. (2001, September). Safe and Sound: a safety-critical approach to
security. Position paper presented at the New Security Paradigms Workshop 2001,
Cloudcroft, New Mexico, USA.
Condon, Stephanie (2008) Cyberattack threat spurs US rethink on power grids. ZDNet.co.uk
Security threats Toolkit article, 15 Sep 2008
Hunter, B.R., (2006) Assuring separation of safety and non-safety related systems. In Proc.
Eleventh Australian Workshop on Safety-Related Programmable Systems (SCS 2006),
Melbourne, Australia. CRPIT, 69. Cant, T., Ed. ACS. 45-51.
Hall, L., (April 28, 2009) Police had to fill in forms and wait for David Iredale phone Tapes,
Article in the The Australian
157
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Ibrahim, L. et al, (2004) Safety and Security Extensions for Integrated Capability Maturity
Model. United States Federal Aviation Administration
IEC61511-3:2003 Functional safety – Safety instrumented systems for the process industry
sector. Part 3: Guidance for the determination of the required safety integrity levels.
ISO IEC/PAS 62443-3 (2008) Security for industrial process measurement and control –
Network and system security
ISO/IEC 27005 (2008) Information technology — Security techniques — Information security
risk management
IT Security Expert Advisory Group - ITSEAG (2006) Generic SCADA Risk Management
Framework, Australian Government Critical Infrastructure Advisory Council
Kelly, Tim P., Weaver, Rob A. (2004), The Goal Structuring Notation – A Safety Argument
Notation. Proceedings of the Dependable Systems and Networks 2004
Lipson, H., Weinstock, C. (2008) Evidence of Assurance: Laying the Foundation for a Credible
Security Case. Department of Homeland Security Build Security In website, May 2008.
Moore, A.P., Cappelli, D.M., Trzeciak, R. F., (May 2008) The “Big Picture” of Insider IT
Sabotage Across U.S. Critical Infrastructures. CMU/SEI-2008-TR-009
Nazario, J. (2007) Explaining the Estonian cyberattacks. ZDNet.co.uk Security threats Toolkit
article, 30 May 2007
NSW Deputy State Coroner, (07.05.2009) 1427/2006 Inquest into the death of David Iredale,
Office of the State Coroner of New South Wales
Richards, K. (2009) The Australian Business Assessment of Computer User Security: a national
survey. Australian Institute of Crime Reports Research and Public Policy Series 102
Smith, J., Russell, S., Looi, M., (2003) Security as a Safety Issue in Rail Communications. In
Proc. 8th Australian Workshop on Safety Critical Systems and Software (SCS’03).
SP 800-30 (2002) Risk Management Guide for Information Technology Systems, US National
Institute of Standards and Technology,
SP 800-82 (2008) Guide to Industrial Control Systems (ICS) Security. US National Institute of
Standards and Technology, Final public draft September 2008
Supreme Court of Queensland (2002)- Court of Decisions R v Boden, QCA 164 (10 May 2002)
Appeal against Conviction and Sentence
US-CERT, United States Emergency Response Team - http://www.us-cert.gov/
BIOGRAPHY
Bruce Hunter ([email protected]) is the Quality and Business Improvement
Manager for the Security Solutions & Services and Aerospace divisions of Thales Australia. In
this role Bruce is responsible for product and process assurance as well as the management of its
reference system and its improvement.
Bruce has a background in IT, systems and safety engineering in the fire protection and
emergency shutdown industry and has had over 30 years of experience in the application of
systems and software processes to complex real-time software-based systems.
Bruce is a contributing member of Standards Australia IT6-2 committee, which is currently
reviewing the next edition of the IEC61508 international functional safety standards series. Bruce
is also a Certified Information Security Manager and Certified Information Systems Auditor.
158
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
WHAT CAN THE AGENT PARADIGM OFFER SAFETY
ENGINEERING?
Louis Liu, Ed Kazmierczak and Tim Miller
Department of Computer Science and Software Engineering
The University of Melbourne
Victoria, Australia, 3010
Abstract
A current trend in safety-critical applications is towards larger, more complex systems. The agent
paradigm is designed to support the development of such complex systems. Despite this, agents are
having minimal impact in safety-critical applications.
In this paper, we investigate how the agent paradigm offers benefits to traditional safety engineering processes. We demonstrate that concepts such as roles, goals, and interactions narrow that gap
between engineering and safety analysis, and provide a natural mechanism for managing re-analysis
after change. Specifically, we investigate the use of HAZard and OPerability studies (HAZOP) in
agent-oriented software engineering. This offers a first step towards broadening the scope of systems
that can be analyzed using agent-oriented concepts.
Keywords: agent-oriented software engineering, safety-critical systems, safety analysis, HAZOP
1
INTRODUCTION
A current trend in safety-critical systems is towards systems that are larger, more complex and have
longer life-spans than their predecessors (Mellor, 1994). Many modern systems are characterised by
being autonomous and independent nodes distributed over a network, having multiple modes, and more
functionality than their predecessors (Milner, 1989). Further, such systems typically undergo numerous
upgrades and adaptations over their lifetime.
The multi-agent paradigm is well-suited to modelling and analysing such systems. Despite being tailored
for the development of complex distributed systems there has been little uptake of agent-oriented software
engineering (AOSE) methods in safety-critical systems development — either in research or in practice.
Current practice in safety engineering centres around processes that ensure that the hazards of a system
are identified, analysed and controlled in requirements, design and implementation (see for example
(Ministry of Defence, 1996; RTCA, 1992; IEC, 2003)). Hazard analysis forms a critical part of the
engineering of safety-critical systems and there are numerous techniques reported in the literature for
conducting such hazard analysis. These analysis methods are predominantly team-based and rely on
documented accident analyses from similar systems and the ability and experience of engineers to predict
potential accidents.
In this paper, we discuss how the agent paradigm offers benefits to traditional safety engineering processes. We demonstrate that concepts such as roles, goals, and interactions narrow that gap between
engineering and safety analysis, and provide a natural mechanism for managing re-analysis after change.
Specifically, we investigate the use of HAZard and OPerability studies (HAZOP) in agent-oriented software engineering, which we overview in Section 3.
The goal of our research programme is to develop analytical methods for assuring safety in multi-agent
systems. In Section 4, we illustrate a way of analysing multi-agent systems based on the idea of interactions, or how to perform a HAZOP study based on interactions. To do this we introduce the idea of an
159
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
interaction map and show how to adapt the HAZOP to interaction maps. We then go on to show how the
role and goal paradigm found in methodologies such as Gaia (Zambonelli et al., 2003) and ROADMAP
(Juan et al., 2002) can be used to improve the hazard identification and analysis process by providing direct feedback from safety analysis to design, how roles and goals can limit changes and how interaction
maps lead naturally to quantitative safety analysis similar to Mahmood and Kazmierczak (2006) in the
form of Bayesian accident networks. These improvements are used to reduce the total effort spent on
manual identification and analysis, and to provide feedback into the system design.
2
AN ILLUSTRATIVE EXAMPLE
To illustrate our ideas, we consider a simple fruit packing and palletising system. Different types of fruit
are conveyed by means of several special conveyor systems to a central sorting and packing area. Each
conveyor—here called a fruit line —transports a number of different types of fruit. Here a centralised
sorting, packing, palletising and storing system sorts the fruit into boxes for shipping to supermarkets or
for further processing.
The system must implement the following four features:
A.
A packing feature, in which the system must select quality pieces of fruit, ignoring damaged and
bruised fruit, and pack the selected fruit into boxes without bruising or damaging the fruit;
B.
A palletising feature, in which the system must place approximately 640kg of fruit onto a pallet in
an 8 × 8 × 5 symmetrical arrangement of 2kg boxes of fruit;
C.
A wrapping and nailing feature, in which the system wraps the completed pallet in a protective
sheet and nails the sheet to the pallet; and
D.
A storing feature in which the system must move the completed pallet to a cool store.
The performance requirements on the system are that it should be able to pack 6 pallets per hour, and
to be available for 166.5 hours per week, leaving 30 minutes per working day for routine cleaning,
maintenance and recalibration. It is anticipated that humans will be required to interact with the fruit
packing system, thus safety will be important.
An agent-oriented analysis using a role based method such as Gaia or ROADMAP might arrive at the
following decomposition of the problem. A main goal that is to sort, palletise and store fruit and a
decomposition of the main goal into four key subgoals: (1) to sort the fruit; (2) to pack a 2kg box of fruit;
( 3) to palletise the boxes by placing enough boxes on the pallet to make up the 640kg pallet; and ( 4) to
store the completed pallets in a cool store. Each goal is decomposed further into one or more roles. The
roles are shown schematically in Figure 1 as stick-figures.
3
HAZARD AND OPERABILITY STUDIES
Traditional non-agent approaches to safety analysis rely heavily on constant hazard identification and
analysis during all phases of the system development life-cycle. Hazards are the sources of potential
accidents and the aim in safety engineering is to identify and control the hazards of a system.
There are many different techniques for hazard analysis in the literature but the most often used are:
Exploratory Methods that aim to simply explore the system and its behaviour in order to identify hazards. Prominent among the exploratory methods are HAZOP studies that we will investigate further
below, and SHARD (Fenelon et al., 1994).
Causal Methods that work backwards from Hazards to their possible causes. Prominent among causal
methods is Fault Tree analysis (Leveson and Shimeall, 1991) that grows an AND-OR tree of events
back from each hazard to system-level events.
160
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Safely
Pack and
Store 6
Pallets/Hour
Sort the
Fruit
Sorting
Role
Available for 99%
(or 166.5 hours)
per week.
Sort and
Store Fruit
Pack the
Fruit into
Boxes
Packing
Role
Place on
Pallet, Wrap
and Staple
Palletising
Role
Wrapping
& Nailing
Role
Store the
Fruit
Storing
Role
Figure 1: A typical role-goal model for the fruit palletising system. The goal of packing and storing the
fruit is decomposed into the four roles of packing, palletising, wrapping, and storing.
Consequence Methods that begin by identifying system level events and then investigating the consequences of those events. Prominent among consequence methods are Failure Modes and Effects
Analysis (Palady, 1995) and Event Tree Analysis.
Here we investigate the use of HAZOP for conducting hazard analysis on the fruit packing system described in section 2 above. HAZOP studies are a team-based method for identifying and analysing the
hazards of a system. Originally developed for the chemical engineering industry (Kletz, 1986), it has
been applied in many other engineering domains, including software (Ministry of Defence, 2000).
Hazard and Operability studies are a well-established technique for Preliminary Hazard Analysis (PHA)
whereby a specific set of guide-words is used to explore the behavior of a system and the causes and
consequences of deviations. For example, one HAZOP guide-word is “after”, which prompts the analyst
to explore the consequences of a component performing some action or sending some message after a
key point in time.
HAZOP expects a sufficiently detailed understanding of the system such that the system components and
their attributes are specified as either a system model or a set of requirements. A team of analysts selects
each component and interconnection in turn, interprets the guide-words in the context of the system and
applies the HAZOP guide-words to specific attributes of the component in the study.
The output from a HAZOP study is a list of hazards, their causes and the consequences of each hazard.
According to the HAZOP standard (Ministry of Defence, 2000), the output of a HAZOP study must
include the following:
(1) Details of the hazards identified, and any means within the design or requirements model to detect
and mitigate the hazard;
(2) Recommendations for mitigation of the hazards and their effects based on the team’s knowledge
of the system and the revealed details of the hazard;
(3) Recommendations for the later study of specific aspects of the design when there are uncertainties
about the causes or consequences of a possible deviation from design intent.
What might a HAZOP look like if the packer role is implemented by an agent in the form of a moving
pick-and-place robot? From the domain, the types of accidents that may occur involve excess loss of
fruit leading to substantial financial losses or one of the moving robots colliding and injuring a human.
As an example of the analysis of a palletising and wrapping agent for the guide-words “before” and
“after” is shown in Table 1.
161
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Guide-word
Interpretation
Possible Cause
Consequences / Im-
Indication / Protec-
Before
Agent performs the
The agent fails to
plication
Boxes of fruit may be
tion
nailing of the sheet
identify that the pallet
damaged as they are
before the pallet is
is not filled.
moved to the pallet.
Recommendation
...
ready.
Before
...
Storeman (human being) is injured through
interacting with a pallet being nailed by the
nailing agent.
After
The nailing agent per-
The agent fails to
Boxes of fruit may be
forms its action af-
identify that the pallet
damaged if the pallet
ter the pallet has been
has left.
is moved without the
moved.
...
protective covering.
Humans
injured
The status of the pal-
through an interaction
let and the proximity
with the wrapping and
of humans to the agent
nailing agent when it
must be checked.
...
is triggered late.
Table 1: Partial results from a HAZOP applied to the wrapping and nailing ability in the palletiser
example.
Despite HAZOP’s simplicity there are several drawbacks in practice. The level of design details, the
interpretation of guide-words, and output for the HAZOP study result in a large amount of documentation
for even small systems. The result is often a table of information accompanying a bulk of paperwork
that becomes unmanageable in situations where changes to requirements, design, and technology occur
frequently (Mahmood and Kazmierczak, 2006). However, HAZOP is used considerably by industry
practitioners. In the remainder of this paper we show that the multi-agent system paradigm presents an
opportunity to exploit agent-oriented concepts and techniques to complement and improve HAZOP-style
safety analysis.
4
APPLYING HAZOP IN MULTI-AGENT SYSTEMS
HAZOP has been adapted to a number of different software analysis and design paradigms by interpreting
components and attributes according to the paradigm. For example, the HAZOP standard (Ministry
of Defence, 2000) includes a guide to interpretation. To adapt HAZOP to the analysis of multi-agent
systems requires an interpretation of the guide-words and attributes. Our first step therefore is to adapt
HAZOP for the analysis of multi-agent systems.
4.1
HAZOP Based on Interactions
Traditional non-agent based HAZOP is based on identifying components and their attributes. In the
original HAZOP the components were pipes, valves and tanks and the attribute was flow. In systems
HAZOP, the components can be hardware units or software modules such as packages or classes and the
attributes are signals, messages or data flows depending on the analysis or design paradigm used. The
problem for multi-agent systems is that they are often complex systems. Complex systems are generally
viewed to have at least the following characteristics (Newman, 2003):
162
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
(1) Complex systems are composed of a large number and diversity of components.
(2) Components in a complex system interact with each other. The interactions between components
may be non-linear and may vary in strength.
(3) Complex systems have operations of formation by which smaller components can be formed into
larger structures. Complex systems also form decomposable hierarchies. Operations in different
parts of a hierarchical structure may occur in different time scales.
(4) The environment in which the system operates and the demands of the environment influence the
behavior and evolution of a complex system.
The key point in this view is the emphasis on interactions between components, and not on the components themselves. This observation hints at a HAZOP analysis based on interactions. HAZOP does not
explicitly guide the analyst toward interactions, but rather relies on the analyst being able to understand
or imagine what interactions might arise and how they may lead to hazards. Leveson (2004) has made
the connection between complex systems, interactions and accidents, but has not used HAZOP in the
analysis.
4.2
Interaction Maps
We begin by developing an analysis notation that makes interactions explicit. Let us define “interaction”
in the context of a multi-agent systems HAZOP. First we will need to define the key elements necessary
for our analysis: actors, abilities and resources.
Actors are entities that perform the system functions and in this paper are either roles or agents. To carry
out their tasks actors require and produce resources. Abilities are the actors’ key functional capabilities,
expressed as a set of tasks. Resources are defined as everything else in the system other than actors and
abilities. There may be different types of resources such as physical resources from the environment such
as fruit, conveyors and pallets in our example, or communication channels between actors. To achieve a
task an actor performs one or more actions, for example, sending a message, actuating a device, accepting
a task, or calling a software function in another actor.
Definition 4.1 Given two actors or resources A and B we say that A interacts with B if and only if A
influences the actions of B or B influences the actions of A.
Some observations are necessary regarding Definition 4.1. The first is that the definition assumes a
reciprocal relationship between actors. An actor’s behaviour is characterised by the actions it performs,
thus if A influences the actions of B then B’s actions depend on A and the converse. We include in our
definition of interaction the case where A influences the actions of B but not the converse.
The second is that interactions may be transitive but need not be. If A interacts with B, and B interacts
with C then A does not necessarily interact with C. If B influences the behaviour of C because of the
influence of A, then we consider this an independent interaction. Further, interactions can be internal
so that, for example, A can change its own state without outside interference, influencing its own future
behaviour.
The interaction between actors and resources describe how actors influence each other and how their
operational environment influences them. Three types of interaction can exist in a system: (1) an actor
interacts directly with the environment (physical resource); (2) actors interact with each other via a
resource, for example, a communication channel; and (3) resources interact with other resources.
We use the idea of interaction maps to identify and record the network of interactions that exist between
actors and resources, as well as the abilities that agents have to interact with resources. Interaction maps
are networks in which there are three types of entity:
(1) resources are nodes drawn in rectangular boxes;
(2) abilities are nodes drawn in hexagonal boxes; and
163
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
(3) actors are collections of nodes and interactions.
Edges in the network represent interactions. To be well formed an interaction map must always have a
resource node between any two ability nodes.
Figure 2 gives an example of an interaction map for the stacker and palletiser roles. Using the interaction
map we can see that the two actors—the stacker and palletiser—roles, interact indirectly via the the
“Completed Pallet” resource.
Nails
Palletiser
Nail Sheet
to Pallet
Plastic Covered
Boxes
Covered and
Nailed Pallet
Wrap
Sheet
around
Pallet
Protective Sheet
Completed Pallet
Storing
Agent
Fruit
Fill Box
with Fruit
Packer
Filled Box
Stack Box
on Pallet
Box
Pallet
Figure 2: An interaction map for the packer and palletiser roles.
Figure 2 also illustrates how interaction maps define interaction within actors, for example, the packer
role consists of the internal resources needed to cover and nail the protective sheet to the pallet as well
as the abilities to achieve the goal. Interaction maps show the structure of the interactions in the system.
Interactions maps exist at a higher level of abstraction than other methods of describing interactions
such as collaboration diagrams in UML. By identifying the interactions, the analyst can hypothesise
which actors can interact to cause accidents and even identify the boundary conditions of the accident.
Further, interaction maps help the analyst to uncover any causal factor of the accident, and by examining
the interaction, may find ways of mitigating or stopping an accident-causing interaction from occurring
(Mahmood and Kazmierczak, 2006).
Methodologies such as Gaia and ROADMAP explicitly aim to identify the interactions in systems at an
early stage of development. We argue that this makes deriving an interaction map a straightforward task
given a system specification.
As an example, consider a human interacting with a covered pallet in order to take it to the cool store.
The analyst notes that covered pallets are the result of the Packer actor undertaking its “Wrapping and
Nailing” ability, which can be hazardous if the human comes into proximity with the nailing device. To
mitigate or avoid such an undesired interaction, a gate can be used to prevent humans from accessing
pallets until the nailing has ceased. This implies that humans interact with the gate, and the hazardous
interaction between humans and the pallet is avoided.
While we do not explore this idea further in this paper, it is possible to derive causal Bayesian networks
from certain interaction maps to quantify risk. This is done by identifying and modelling the possible
states of a resource during its lifetime and the possible states that an ability goes through during its execu-
164
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
tion. The set of states of each actor, ability and resource and their associated probability distributions can
be thought of as random variables; for example, see Figure 3. The direction of the links in the network
will depend on how the actors, resources, and abilities interact.
States
of AA
Ability AB
Resource RA
Interaction Map
Resource RB
States
of RA
Ability AA
Bayesian Network
States
of RB
States
of AB
Figure 3: An interaction map and its corresponding Bayesian network.
If the states of the resource RA can be observed then the probability of being in given state at time t can
be estimated. The same is true of the abilities. Alternatively, these can be measured during development.
4.3
Interpreting HAZOP Guide-words
Our approach to HAZOP uses the interaction map as well as the guide-words to guide the analysis. The
analysis explores the effects of an actor’s ability being applied incorrectly to a resource, or to the incorrect
resource. The analysis uses actors as the system components of the study, and the actor’s abilities as the
attributes to which guide-words are applied.
To apply HAZOP using interaction maps, we have to identify the interpretation of each of the guidewords with respect to interaction maps. Table 2 specifies our interpretation of each of the existing HAZOP guide-words for interaction maps. One can see that the aim of the guide-words is to investigate the
effect of an actor incorrectly applying one of its abilities on the resources in the system.
Guide-word
None
More
Less
Part of
Other than
As well as
Before
After
General Interpretation
The ability does not influence the resource.
The ability influences the resource more than intended.
The ability influences the resource less than intended.
The ability influences the resources only partly as intended, or only part of the ability
is exercised on the resource.
The ability influences the resource in a way other than intended; or, the ability influences a resource other than the intended one.
The ability influences the resource as intended, but influences additional resources.
The ability influences the resource before intended.
The ability influences the resource after intended.
Table 2: HAZOP Guide-words interpreted on the abilities of an actor.
The interpretation of the guide-words is quite general at this point. To apply them to a specific system,
their interpretations must be further refined depending on the context in which they are applied. As an
example, consider the ability of the palletiser role to nail the plastic sheet to the pallet. Table 3 outlines
one interpretation of the guide-words for that ability.
Using these guide-word interpretations, a simple method for the analysis can be given as follows.
1. Select an actor— role or agent— as the basis for study;
165
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Guide-word
None
More
Less
Part of
Other than
As well as
Before
After
Specific Interpretation
The palletiser does not nail the sheet down.
The palletiser uses too many nails.
The palletiser uses too few nails.
The palletiser does not nail down the entire sheet.
The palletiser nails a resource other than the sheet.
The palletiser nails the sheet and a resource other than the sheet.
The palletiser nails the sheet down earlier than intended.
The palletiser nails the sheet down later than intended.
Table 3: HAZOP Guide-words interpreted on the ability of the palletiser role to nail the plastic sheet to
the pallet.
2. For each ability of the actor in turn, interpret the meaning of every guide-word in the current
context, and explore the effects of the guide-word on each node (resource) connected to that ability
in the interaction map.
3. Document the effect of every guide-word, and recommend a mitigation strategy if that effect results
in a hazard.
As an example, again consider the ability of the palletiser role to nail the plastic sheet to the pallet. Using
the interpretations of the guide-words from Table 3, we explore their effects, resulting in the observations
about its effect on the pallet in Table 4.
Guide-word
None
More
Less
Part of
Other than
As well as
Before
After
Effect on Pallet
There is no sheet on the pallet, perhaps resulting in the hazard of fruit on the workshop floor.
No hazard.
The sheet is not secure, perhaps resulting in the hazard of fruit on the workshop floor.
The sheet is not secure, perhaps resulting in the hazard of fruit on the workshop floor.
A number of possible hazards.
A number of possible hazards.
The palletiser nails the sheet down before it is filled with fruit, possibly resulting in
the hazard of fruit on the workshop floor (and damaged fruit) as it attempts to load
more onto a covered pallet.
The palletiser nails the sheet down as the human storing agent attempts to pick it up,
resulting in an injury to the human agent.
Table 4: The result of a HAZOP using the guide-words on the ability of the palletiser role to nail the
plastic sheet to the pallet.
4.4
Design Feedback
An integral part of the analysis process is to use the HAZOP study to refine the analysis model. Each
row of the HAZOP table corresponds to a deviation from intent applied to an ability and a possible
consequence of that deviation. For example, the second row of Table 1 details a possible consequence of
the guide-word “after” applied to the nailing ability of the packer role.
The result of this analysis is that the packer role has a hazard associated with it through its nailing ability.
Further, we can use the interaction map to gain insight into the potential interactions leading to the hazard.
How can the information in the HAZOP be used to refine the model?
166
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
The HAZOP table identifies the hazards but the interaction map shows what elements of the current
model must interact to lead to the hazard. The model can be refined to mitigate or avoid such an interaction. There are several options on how to refine the model to do this: (1) we can manipulate the
resources; that is, altering, adding or deleting resources, to control the hazard; or (2) we can manipulate
the abilities of the actor to control the hazard.
In Table 1, we wish to change the interaction between the storing role (played by a human agent) and the
palletiser. An example of changing the resources is shown in the interaction map in Figure 4, in which
we add a guard under the control of the palletiser and only allow the storing role access to the pallet if
the palletiser actor deems it safe.
Nails
Palletiser
Nail Sheet
to Pallet
Protective Sheet
Plastic Covered
Boxes
Covered and
Nailed Pallet
Wrap
Sheet
around
Pallet
Guard
Storing
Agent
Figure 4: Modifying the palletiser by the addition of a resource and the alteration of an ability.
We may also be able to control the interaction with addition of an additional ability to the palletiser actor.
The updated role/goal model may appear as in Figure 5 where a new means of implementing the safety
goal has been added as the result of the HAZOP study.
Pack and
Store 6
Pallets/Hour
Available for 99%
(or 166.5 hours)
per week.
Sort the
Fruit
Pack the
Fruit
Sort and
Store Fruit
Safely
Add a resource - a guard
- to prevent the palletiser
interacting directly with
the store agent while
nailing the sheet.
Palletise,
Wrap and
Nail.
Store the
Fruit
Figure 5: Updated role/goal model resulting from the analysis of the second row of the HAZOP table.
In general each row of the HAZOP table can be used to extend the role/goal model in this way.
5
HAZOP BASED ON INTERACTIONS AND SYSTEM EVOLUTION
Most systems undergo some form of evolution, either to adapt them to situations that were not imagined
at the time of their design, or to add additional features and functions desired by users. Adaption to
new situations is also a key feature of multi-agent systems, therefore safety analysis methods must be
able to cope with change. Unfortunately, traditional non-agent HAZOP incurs a large overhead when
dealing with changes to existing systems as much of the HAZOP must be reworked. For example, the
HAZOP standard (Ministry of Defence, 2000) specifies that for any change in the system design the
entire HAZOP study should be redone.
Interactions maps coupled with the role/goal analysis of multi-agent system requirements provide clear
167
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
boundaries on what must be re-analysed in the event of a change.
5.1
Isolating Changes in the Role/Goal Model
The hierarchical nature of the models means that constraints and quality goals in lower-level models must
be consistent with the higher-level models, but this also means that changes at the lower-level models are
isolated from the higher-level models.
If we change a role but not a goal, then the new role must also meet the goal, so the goal does not need
to be reanalysed. The role and its interaction, however, must be re-analysed. If we change an agent but
not a role, then the agent’s externally observable interactions are the same as those for the role. In this
case, if the new agent introduces a new external interaction then it needs to be reflected back up to the
role model. Otherwise a HAZOP study on the agent model alone will be sufficient.
If we change a role and an agent, then the system model will still be hierarchical. In this case we can
always perform a HAZOP study on the role model first before performing a HAZOP on the agent models
that implement the role. Observe however that, if the agent model belongs to the role, then a change to
the role model will imply a change in agent model anyway.
If the interaction map is correct then it will tell us what needs to be updated. If we are unsure what needs
to be updated, then a HAZOP on the local change will indicate if there are new interactions or resources
introduced into the system.
As an example, consider a model in which the packer role being played by one agent evolves into a
design in which the role is played by two agents (based on the role’s abilities): one agent to place the
sheet on the box, and one agent to nail the sheet down. The role specification has not changed in this
case, and neither has the interaction map associated with the role model. Considering this, the HAZOP
study does not need to be re-performed at this level. The agent model, and its related interaction map,
have changed. As a result, the HAZOP study needs to be performed at this level.
5.2
The Key is the Interaction Map
In our analysis, the interaction maps specify which roles interact with which other actors, and through
what resources. Consider again the example of changing the agent model such that the packer role is
played by two agents instead of one.
The HAZOP study must be redone on the two agents that now implement the role, but not the role
provided that no new externally observable interactions have been added.
What other actors in the system need to be re-analysed? The interaction map can be used to answer
such a question. If we study the interaction map in Figure 2, we see that the only abilities affected are
the palletiser’s wrapping ability and the palletiser’s nailing ability. The external interactions in Figure 2
with the packer and the storing agent remain unchanged. We conclude that this change requires only the
two agents implementing the palletiser role to be re-analysed.
It is straightforward to then identify the benefits of exploiting the hierarchical nature of many agent
methodologies, and the interaction map: we can significantly reduce the burden on the safety engineers
during design evolution by helping them to systematically identify which parts of a design must be
re-analysed after a change. While this is possible using other development methodologies, the unique
factor in the agent paradigm is that it forces developers to consider goals and interactions early in the
development life-cycle.
168
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
6
RELATED WORK
Several authors have integrated safety analysis into agent systems. Dehlinger and Lutz (2005) propose a
product-line approach to requirements by developing requirements schemata and reusing these to capture
shifting requirements in a multi-agent systems. Dehlinger and Lutz show how to group requirements so
that the impact of change is minimised. Such an approach can be applied to safety requirements, but
they do not discuss this. Feng and Lutz (2005) propose a way of handling safety analysis by proposing a
bi-directional safety analysis for product-line multi-agent systems that extends Software Failure Modes,
Effects and Criticality Analysis (FMECA) and Software Fault Tree Analysis (FTA) to incorporate multiagent systems. They show how to generate safety cases and constraints in the Gaia role model. The aim
of the product-line approach is to increase the reusability of safety analysis. Our work shares a similar
motivation, however, we do not use product lines.
Giese et al. (2003) propose a way to ensure safety in self-optimized mechatronics system. They do not
provide detail analytical methods to generate safety cases, but instead discuss how to ensure safety in
system hierarchies with safety cases already provided by domain safety experts.
Bush (2005) proposes an extension of traditional HAZOP studies for the I* development model. Our
work is closely related, however, Bush applies HAZOP analysis on goals. We believe that abilities and
resources are useful for safety analysis, because goals are the conditions that agents desire, whereas the
abilities and resources outline how to achieve those goals — something that we believe is closer related
to safety.
7
CONCLUSIONS AND FUTURE WORK
In this paper, we have demonstrated that existing techniques such as HAZOP studies can be used with
agent oriented software engineering methodologies with little amount of extension. We demonstrate that
the introduction of interaction maps however can greatly ease the burden of re-analysis when changes to
the system model occur. Dealing with change is perhaps more important for multi-agent systems than for
traditional non-agent systems as their very design is often aimed at adapting to changing circumstances.
To this end the use of interaction maps becomes vital as they help to identify the elements of the multiagent system—roles, goals, and agents— that need to be re-analysed in the event of changes to the system
model. Despite greatly easing the burden of maintaining safety by re-analysing the system, if change is
perpetual then the constant re-analysis of safety becomes a tiresome and costly overhead.
The question is whether or not safety, once analysed, can be maintained by the system itself, even in the
presence of constant change and evolution to the agents and even the roles. The goal of our research
programme is to develop methods for assuring safety in multi-agent systems even in the presence of
constant system evolution and adaptation. Our research program involves the use of accident knowledge
to allow agents to perform safety analysis of their own behaviour. This will allow agents to change their
behaviour at runtime after taking into consideration the cause of accidents involving other agents, and is
the subject of current and future research. It is hoped that our research program will aid in the uptake of
the agent paradigm in safety-critical systems.
References
Bush, D., August 2005. Modelling support for early identification of safety requirements: A modelling
support for early identification of safety requirements: A modelling support for early identification of
safety requirements: A preliminary investigation. In: Fourth International Workshop on Requirements
for High Assurance Systems (RHAS‘05 - Paris) Position Papers.
Dehlinger, J., Lutz, R. R., 2005. A product-line requirements approach to safe reuse in multi-agent
systems. In: International Conference on Software Engineering. Vol. 3914. pp. 1–7.
169
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Fenelon, P., McDermid, J., Pumfrey, D., Nicholson, M., 1994. Towards Integrated Safety Analysis and
Design. ACM Applied Computing Review 2 (1), 21–32.
Feng, Q., Lutz, R. R., 2005. Bi-directional safety analysis of product lines. Journal of Systems and
Software 78 (Issue 2), 111–127.
Giese, H., Burmester, S., Klein, F., Schilling, D., Tichy, M., 2003. Multi-agent system design for safetycritical self-optimizing mechatronic systems with uml. In: OOPSLA 2003 - Sec- ond International
Workshop on Agent-Oriented Methodologies, Anaheim, CA, USA. pp. 21–32.
IEC, 2003. IEC 61508 Functional Safety of Programmable Electronics Safety-Related Systems. International Electrotechnical Commission.
Juan, T., Pearce, A., Sterling, L., 2002. ROADMAP: Extending the Gaia methodology for complex
open systems. In: Proceedings of the First International Joint Conference on Autonomous Agents and
Multi-Agent Systems. ACM Press, pp. 3–10.
Kletz, T. A., 1986. HAZOP & HAZAN notes on the identification and assessment of hazards. The Institution of Chemical Engineers, London.
Leveson, N. G., April 2004. A new accident model for engineering safer systems. Safety Science 42 (4).
Leveson, N. G., Shimeall, T. J., July 1991. Safety verification of Ada programs using software fault trees.
IEEE Software 8 (4), 48–59.
Mahmood, T., Kazmierczak, E., December 2006. A knowledge-based approach for safety analysis using
system interactions. In: Asia Pacific Software Engineering Conference, APSEC’06. IEEE Computer
Society Press.
Mellor, P., 1994. CAD: Computer Aided Disaster. High Integrity Systems 1 (2), 101–156.
Milner, R., 1989. Communication and Concurrency. International Series in Computer Science. Prentice
Hall.
Ministry of Defence, 1996. Defense Standard 00-56: Safety Management Requirements for Defence
Systems.
Ministry of Defence, 2000. Defense Standard 00-58: HAZOP Studies on Systems Containing Programmable Electronics. 2nd Edition.
Newman, M. E. J., 2003. The structure and function of complex networks. SIAM Review 45, 167–256.
Palady, P., 1995. Failure Modes and Effects Analysis. PT Publications, West Palm Beach Fl.
RTCA, December 1992. RTCA DO-178B: Software Considerations in Airborne Systems and Equipment
Certification. RTCA Inc.
Zambonelli, F., Jennings, N. R., Wooldridge, M., 2003. Developing multiagent systems: The Gaia
methodology. ACM Transactions on Software Engineering Methodology 12 (3), 317–370.
170
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
COMPLEXITY & SAFETY: A CASE STUDY
Author
George Nikandros, Chairman aSCSa, BE (Electrical)
INTRODUCTION
Despite correct requirements, competent people, and robust procedures, unsafe faults
occasionally arise. This paper reports on the outcomes of an investigation into a series of
related events: a series of events that involves a railway level crossing. Whilst the direct cause
of the failure was defective application control data, it was a defect that would be difficult to
foresee and if foreseen, to test for. The last failure event occurred after the correction was
supposedly made. The correction was made as a matter of urgency.
To understand the underlying complexity and safety issues, some background knowledge in
relation to active level crossing controls i.e. flashing lights and boom gates and railway
signalling is required. The paper therefore includes a description of the operation of the
railway level crossing controls and the railway signalling associated with the case study.
The official incident report is not in the public domain and therefore this paper has been
prepared so as to not identify the location of the series of incidents, the identity of the
organisations or the people involved.
THE UNSAFE EVENTS
There being three events, with the same unsafe outcome, in that a driver of a train was
presented with a PROCEED aspect in the same trackside signal when the actively controlled
crossing was open to road traffic i.e. the flashing lights were not flashing and the boom gates
were in the raised position. Had the driver not observed the state of the active level crossing
controls and proceeded on to the crossing, a collision with a road vehicle or pedestrian would
have been very likely; the crossing is a busy crossing with some 4300 vehicles per day and
500 pedestrians per day.
The first occurrence of this outcome occurred some seventeen days after the initial
commissioning of a new signalling system and was not given the appropriate classification for
investigation and action when logged. The second occurrence occurred two days later, a
Saturday. This time the correct classification was made and actions were immediately
initiated i.e. designer engineers were called in to identify and fix the problem. The third event
occurred five days after the second occurrence and after the design flaw was supposedly
removed.
THE RAILWAY CONTROL SYSTEM
Level Crossing Controls
The key aim of active level crossing controls is to provide the road crossing user sufficient
warning that a train is approaching and where boom gates are provided, to close the crossing
to road traffic before the train enters the crossing. Once the train has passed, the crossing
171
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
needs to be reopened with minimal delay. If a second train approaches the crossing when
already closed, the crossing is held closed. Figure 1 shows the typical train trigger points for
controlled rail crossings for a unidirectional line.
Figure 1: Typical train trigger points – one direction only
Once opened the crossing needs to remain open for a sufficient time so as to ensure that the
appropriate warning is again given to the road users.
Particularly for busy roads, a level crossing should not be closed unnecessarily i.e. if a train
stops short of the crossing at a signal displaying a STOP aspect for a time, then the crossing
should be opened for road traffic. The signal should not then display a PROCEED aspect,
until the appropriate warning is again given to the road crossing users.
However level crossings are rarely located to make life simple. Having multiple tracks and
locating a level crossing in the vicinity of a station stop significantly adds complexity. More
than one train may approach the crossing simultaneously from both directions and trains may
stop for long periods of time at the station platforms.
Another complexity which usually occurs in urban areas is the use of road traffic control
signals. There needs to be coordination (an interlock) between the road traffic control signals
and the level crossing control signals; it would be unsafe to have a “GREEN” aspect in a road
traffic signal for road vehicles to travel through the level crossing with the level crossing
controls in the closing or closed states. The approach of a train needs to be detected earlier to
enable the road traffic control system to cycle in sufficient time so that the signals allowing
the road traffic across the level crossing to return to RED prior to the active level crossing
controls begin closing the crossing. The road traffic signals also need to provide sufficient
warning to the road users.
Figure 2 shows the schematic of the level crossing of interest. It contains all the complexities
mentioned.
172
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Point where rear of train needs
to pass before No 4 Signal
changes to PROCEED
1 Signal
2 Signal
3 Signal
4 Signal
Point where rear of train needs to
pass before signals leading to
No 4 Signal change to PROCEED
Signal of interest.
There is 2m
between No 4
Signal and the
edge of road
Controlled road intersection
Figure 2: Layout Schematic for Level Crossing
Rail Signalling Controls
The aim of the signalling system is to safely regulate the movement of trains on a railway
network. The signalling system ensures that:
x
x
x
the path ahead is clear, and
there is no other path set or can be set for another train to encroach the path set, and
any active level crossing controls are primed to operate so as to provide the
appropriate warning to the road crossing user and close the crossing where boom gates
are provided.
Only when all these conditions are satisfied is an authority to proceed is issued.
For the location of interest, the authority to proceed is conveyed via a PROCEED aspect in a
trackside colour light signal.
Signals may be controlled or automatic. Controlled signals are signals which display a STOP
aspect until commanded otherwise by a Train Controller (the person responsible for managing
the movement of trains on the railway network). Although the Train Controller commands a
signal to PROCEED, it only displays a PROCEED aspect if the signal interlocking system
deems it is safe to do so. Controlled signals automatically return to STOP after the passage of
the train.
173
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Automatic signals are signals which are automatically commanded to PROCEED by the
signal interlocking system i.e. there is no participation of the Train Controller; the Train
Controller can neither command them to STOP nor PROCEED. Some controlled signals have
an automatic mode which the Train Controller can select and deselect as necessary.
Of the signals of interest, 3 Signal and 4 Signal are automatic signals, 1 Signal and 2 Signal
are controlled signals.
If there are no trains in the vicinity, 3 Signal and 4 Signal will each display a PROCEED
aspect. Figure 1 depicts an example of this condition; the signal near the crossing represents 4
Signal.
As a train, Train A, approaches 4 Signal, the road traffic controls are commanded to cycle,
and after the allowed cycle time has elapsed, the flashing lights are activated to warn the road
crossing users and after the required warning time has elapsed, the boom gates descend to
close the crossing.
Whilst Train A remains on the approach to 4 Signal the crossing remains closed. When the
Train A passes 4 Signal, 4 Signal is automatically placed at STOP and no other train can
approach 4 Signal at STOP until the rear of Train A passes the point when the signals
applying to 4 Signal are permitted to display a PROCEED aspect (see Figure 2); this point is
know as the overlap limit. The overlap is the safety margin provided at signals should the
train driver misjudge the train’s braking. Once the rear of Train A clears the level crossing
and there is no other train approaching the crossing on the other tracks, the crossing control
commences its opening sequence. When the crossing is opened, the road traffic signals
resume their normal cycle. It is important to note that the rail control system influences the
road traffic signals; the road traffic signals do not initiate any action in the rail control system.
Once the rear of Train A is beyond the overlap limit for 4 Signal, anyone of the signals
applying towards 4 Signal, assuming no other trains are in the vicinity, can be placed at
PROCEED, thus allowing another train, Train B to approach 4 Signal; this time however 4
Signal is at STOP (Figure 3).
Figure 3: Level crossing operation for following trains
174
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Because of the close proximity of the 4 Signal to the level crossing, the level crossing needs
to be closed to safeguard the road crossing users and the train in the advent of a braking
misjudgement by the train driver.
If Train B is detained at 4 Signal when at STOP for a sufficiently long enough period, for this
case 35 seconds, the crossing opening sequence commences to allow road traffic flow to
resume. Should the conditions to allow 4 Signal to display a PROCEED aspect be satisfied
after the crossing is commanded open, then 4 Signal will remain at STOP until the crossing
opening sequence is completed, the minimum road open time conditions are satisfied, the road
traffic signals are again cycled, sufficient warning that the crossing is closing is given to the
crossing users and the boom gates have lowered.
If however Train B is detained at 4 Signal when at STOP and 4 Signal subsequently changes
to display a PROCEED aspect i.e. the rear of Train A has passed the overlap limit for 3
Signal, within 35 seconds, the crossing remains closed until the rear of Train B clears the
crossing, irrespective of how long the train takes.
When the Train A passes 3 Signal, 3 Signal is automatically placed at STOP. When the rear
Train A passes the overlap limit for 3 Signal, 4 Signal is automatically commanded to display
a PROCEED aspect, but only does so if it is safe i.e. there is no train detained at 4 Signal with
the level crossing open.
SYSTEM ARCHITECTURE
The signal interlocking system that performs the safety functions has a distributed
architecture. The system consists of programmable logic controllers located geographically
along the railway and interconnected with point to point serial data links, such that, referring
to Figure 4, data that needs to go from Controller C to Controller A needs to go through
Controller B.
Figure 4: Distributed architecture showing area of control
175
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
It is important to note, that the architecture is not a master-slave architecture, where the slave
controllers perform an input/output function as directed by the master controller. For this
application the interlocking function is distributed over each of the controllers.
Controller Technology
The controllers are commercial-off-the-shelf (COTS) products specifically developed for
railway signalling interlocking applications. All of the controllers are of the same type and
version.
Each controller maintains a time-stamped event log. However the controller clocks are not
synchronised.
The technology is modular and programmable. It uses plug-in modules for connectivity to
different types and quantities of inputs and outputs. Thus only the hardware actually required
for an application needs to be installed. The technology is supported by graphical tools for
application design, simulation and testing. The suite of tools is used to define the modules and
logical operation of the system and verify and validate the application logic.
To satisfy the safety requirements the controllers operate on a fixed, nominally 1 second time
cycle. Consequently an input change will not be immediately detected, however there is
certainty as to when an input change will be detected and processed.
THE DELIVERY PROCESS
The system was delivered under a design, build, test and commission contract arrangement,
where the contractor is responsible for delivery in accordance with the specification, and the
railway organisation is responsible for verifying compliance and validation of the system to
key signalling safety and operating principles.
The contractor organisation was also the developer of the COTS controller technology and
had a considerable history for deploying that technology on many railway networks, including
that of the railway organisation commissioning the contract works. However this was the first
time that a distributed interlocking architecture was to be deployed; neither the contractor
personnel undertaking this work, nor the railway personnel verifying and validating this work
had any prior experience in implementing a distributed interlocking architecture with this
technology.
The delivery model and the underlying processes had been well established. These had
evolved over time and were considered best railway practice at the time.
The personnel involved were appropriately qualified and experienced in the design of signal
interlocking application logic of this complexity and in the use of the technology, albeit not in
the design and implementation of the distributed interlocking architecture using this
technology.
176
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Hazard Analysis
Because the project was considered “routine” there was no specific hazard analysis performed
for the application design. The technology had been used for similar applications, albeit with
a different architecture, and the application scenario i.e. an actively controlled level crossing
in the vicinity of road traffic signals and station platforms, was not new. The hazards of the
application were well understood. The potential hazards due to the processing latency of the
controllers and their associated communications links were understood, but how to design for
them was not. The application manual for the controllers did warn of the latency, but provided
no guidance as to how this latency should be treated to eliminate the hazards or test for them.
Application Logic
The railway organisation specified the interlocking requirements for this application. The
contractor designed the controller architecture, the modules and the application data and
submitted the “design” for review by the railway.
The reviewed design was amended as appropriate by the contractor and the application data
produced for each of the controllers. The contractor tested the amended application design for
compliance with the specification using both simulation tools and the target hardware (the
personnel were required to be independent i.e. they were not involved in developing for the
design under test).
The application logic was then tested by the railway organisation to validate compliance with
the key signalling safety and operating principles using simulators and the target hardware.
Those tasked with the validation task had no involvement in the development of either the
interlocking specification or any of the design reviews.
THE FAILURES
There were three unsafe events. The first two were due to the same latent defect, although the
initiating event was different. To assist in understanding, the sequence of events for Event 1 is
provided in Table 1. The time base used is Controller B. The time-stamps for Controllers A
and C have been aligned with the Controller B time. The event sequence should be read with
reference to Figures 5, 6 and 7.
Figure 5: A state of the system prior to the Event 1 failure
177
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Event 1 – The First Occurrence
“C”
“B”
“A”
08:26:11
Event
Train A approaches 3 Signal at STOP
08:27:13
Crossing closes for train approaching 1 Signal
08:28:18
3 Signal changes to PROCEED
08:28:29
08:28:32
Train B approaches 4 Signal at STOP [crossing
already closed]
Train A passes 3 Signal
08:29:05
08:29:04
Crossing called open – train at 4 Signal too long
Train A (rear) passes 3 Signal overlap limit and
08:29:06
4 Signal changes to PROCEED
08:29:07
Crossing starts to open
08:29:07
Crossing called closed [4 Signal at PROCEED]
08:29:08
08:29:17
Crossing opens
08:29:41
Crossing commences to close
08:29:49
Crossing closed
08:30:22
Train B passes 4 Signal
Table 1: Event 1 Sequence of Events
The sequence of events show that 4 Signal was at PROCEED for some 40 seconds with a
train on its approach and the level crossing not closed.
The initiating event was Train A being detained at 3 Signal with Train B closely following.
The reason for the detention of Train A at 3 Signal was because of incomplete works in
relation to 3 Signal. Figure 6 shows the situation just as 3 Signal changes to PROCEED.
Figure 6: Train A receives signal to continue, Train B at platform
178
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
Figure 7: The state of the system when the Event 1 failure occurred
Figure 7 shows the situation as Train A clears the overlap beyond 3 Signal, thus enabling 4
Signal to be called to clear.
Controller B allowed 4 Signal to display a PROCEED aspect at 08:29:06, because according
to Controller B the crossing was closed and section of track from 4 Signal to 3 Signal and the
overlap was clear. However Controller A had commanded the level crossing controls to open
at 08:29:05, but Controller B did not receive and process this open command until 08:29:07.
The failure is depicted in Figure 7.
Once the crossing began to open, it could not again be closed until the crossing was open for
the required crossing open time.
The incident occurred because states of the crossing controls and 4 Signal in Controllers A
and B were different for 1 second. The incident would not have happened if the conditions for
4 Signal to change to PROCEED were satisfied coincidently as the conditions to open the
crossing were satisfied.
Event 2 – Categorised correctly, investigated and fixed
The initiating event was a failure of Controller C and the consequential loss of the
communications link between Controllers B and C. Railway signalling systems have
traditionally been required to fail safe. To meet this fail safe requirement, railway signal
interlocking systems are required to fail to a safe state in the event of a failure i.e. trains are
assumed to be everywhere, signals display STOP aspects and level crossings close.
The loss of communications occurred whilst 1 Signal was at PROCEED in preparation for a
future train. The failure resulted in the interlocking (Controller A) presuming that a train was
approaching 1 Signal and closed the crossing and 4 Signal was placed at STOP because the
track ahead was assumed to be occupied by a train.
179
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
A train approached 4 Signal at STOP at 14:42:47 automatically triggering the standing too
long at platform timer. The timer times out at 14:43:22 and primes the crossing to open. The
crossing does not open because of the presumed train approaching 1 Signal at PROCEED.
At 14:44:00, the communications is re-established and the “presumed train” approaching 1
Signal disappears and, as 4 Signal was at STOP and the standing for too long timer for 4
Signal has expired, Controller A commands the crossing to open.
However Controller B allowed 4 Signal to change to PROCEED because the track ahead was
now confirmed clear when the communications recovered.
At 14:44:02, the crossing was commanded to close because the interlocking (Controller A)
conditions require the crossing closed when 4 Signal is at PROCEED and there is a train
approaching i.e. the train standing at 4 Signal. However once the crossing began to open, it
could not again be closed until the crossing was open for the required crossing open time. 4
Signal was at PROCEED for 42 seconds before the crossing was closed.
The Fix
The solution to the problem was to repeat the interlocking conditions requiring 4 Signal to be
at STOP before opening the crossing in Controller A, in Controller B, thus ensuring that the
states of 4 Signal and the level crossing control are always the same.
Event 3 – After the Fix
Some 5 days after the fault was supposedly corrected, there was another occurrence of the
failure.
This failure had a similar sequence of events as for Event 1, in that a train was detained at 3
Signal and a following train detained at 4 Signal long enough for the standing for too longer
timer to expire. There was another train in the vicinity and it was approaching 1 Signal.
The detention of the train at 3 Signal, this time, was due to a failure of Controller C which
also caused a loss of communications between Controllers B and C.
On recovery of Controller C and the re-establishment of communications between Controllers
B and C, 3 Signal changed to PROCEED. The detained train moved on and when the rear of
the train was beyond the overlap, 4 Signal changed to PROCEED, and the crossing called
open. One second later, the crossing was commanded to close. This was essentially the same
sequence of events for Events 1 and 2.
So why did the fix not work?
The reason why the fix did not work was because it was implemented incorrectly. Instead of
requiring the crossing to be closed before 4 Signal changed to PROCEED when a train was
standing at the signal, the implemented logic required 4 Signal to be at PROCEED to
command the crossing to open. This effectively ensured that the crossing would always open
automatically when 4 Signal changed from STOP to PROCEED.
180
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
THE FIX PROCESS
The railway signalling industry gives unsafe signalling failures high priority. This failure was
no exception. Subsequent to the second failure, which occurred on a Saturday (the first
occurrence was not correctly categorised and hence not immediately acted upon), the railway
organisation investigated the failure, devised the solution and implemented the next day, a
Sunday.
Because it was a failure of the safety system, it was considered a matter of urgency to correct
the problem. People were specially called in.
The personnel involved were those who verified and validated the interlocking system
supplied under contract and so should have had good knowledge of the interlocking logic.
However, their collusion in the investigation, the identification of the solution and its
subsequent design, test and commissioning, compromised their independence.
The change was not tested using the simulation tools and test facilities as it was assumed that
the sequence of events could not be accurately simulated. This was a timing issue and the
events had to be timed to the second. One second either way meant that the failure would not
have occurred.
The change however was relatively simple.
There was some attempt to test the deployment of the change using the target system.
However this only confirmed that the fix had no adverse affect on the normal sequence of
events. It was not possible to induce the changes of state with sufficient accuracy to prove that
the problem was corrected.
THE COMPLEXITY FACTOR
The interlocking logic flaw which led to the unsafe failure events described above was a
direct result of the complexity created by the architecture selected for this particular
application.
Whilst the people involved appreciated the timing complexities of distributed systems, there
were no prescribed processes as to how to deal with transitioning internal states common to
different controllers.
It is important to note than had 4 Signal been a controlled signal instead of an automatic
signal, the flaw would not have as readily been revealed. The request to clear 4 Signal from
the Train Controller would have had to arrive within 1 second of the conditions allowing 4
Signal to change from STOP to PROCEED were satisfied.
The problem is, there appears to be no obvious practical way of identifying such precise
timing-related flaws. How can we be ever certain that there are no other similar flaws which
have yet to be revealed? The system has been in service now some nine years and there have
been no other interlocking logic flaws revealed.
179
Improving Systems and Software Engineering Conference (ISSEC), Canberr, Australia, August 2009
SAFETY
None of the unsafe events resulted in any harm. However, that does not mean that this was not
a serious safety flaw. The primary safety system failed and it was only the vigilance of the
train drivers involved that prevented any harm from occurring.
There is an increasing trend in the railway industry to automate train operations i.e. operate
trains without a driver. Had there been no driver on the three trains involved in the failure
events, then harm would have certainly occurred. The PROCEED aspect in 4 Signal would
have been sufficient for the train to automatically depart with the crossing open to road traffic.
If the controlled level crossing did not exist then the events would not have happened. The
events only occurred because of the need to guarantee a minimum road open time before
reclosing the crossing.
CONCLUSION
The versatility of programmable logic controllers tempt application designers to use them in
ways not originally intended. Whilst the particular controllers had the functionality to
communicate serially, the use of this functionality to construct such a distributed interlocking
system was an innovative use of the technology. Whilst the equipment manuals did not
preclude such use, there were warnings on the use of the serially links with respect to latency.
The series of failures described in this case study demonstrates the subtlety of design errors
that can be created in a distributed system which may lie dormant until revealed, sometimes
with serious consequences.
When such flaws are revealed, the urgency to correct the flaw is often a strong temptation to
bypass the usual rigorous procedures. This case study demonstrates what can happen when
such procedures are not adhered to, despite the involvement of appropriately competent
people.
180