Safety-Directed System Monitoring Using Safety Cases

Currently, the safety studies of the system (which are also collectively known as the safety case) cease or reduce in their utility after system certification, and with that, a vast amount of knowledge about the failure (or safe) behaviour of the system is usually rendered useless. In this thesis, we argue that this knowledge could be usefully exploited in the context of an appropriate on-line safety monitoring scheme. As a practical application of our approach, we propose a safety monitor that operates on safety cases to support the on-line detection and control of hazardous failures in safety critical systems. Firstly, we identify a number of problems encountered in the development of safety cases using classical safety analysis techniques, and propose a new safety analysis method which can guarantee the consistency and improve, to some extent, the completeness and correctness of the safety case. The new method enables the assessment of hierarchically described complex systems that may exhibit either static or dynamic behaviour or structure. The assessment process in the proposed method revolves around a hierarchical structural and behavioural model of the system under examination. The result of the assessment is a semi-mechanically synthesised, well-formed, layered, safety case, which is composed of a collection of inter-related design models and safety analyses, and which enables automated checks that confirm the consistent integration of those models and analyses. We show that such a safety case can be mechanically transformed into an executable specification, upon which an automated monitor could operate in real-time. In the second part of the thesis, we develop the engine of the safety monitor. This is a set of generic mechanisms by which the monitor operates on such specifications in order to deliver a wide range of monitoring functions. We show that these functions span from the primary detection of the symptoms of disturbances though on-line fault diagnosis to the provision of corrective measures that minimise or remove the effects of failures. Finally, in the light of our study, we deal with some of the issues that arise from previous research in model-based diagnosis, and still concern other model-based approaches. More specifically, we discuss the extent to which the safety case can help to represent, and solve, the range of monitoring problems that are encountered in complex systems, and whether the proposed approach is likely to succeed in scaling up to large systems or systems with complex behaviour.