Computer Safety, Reliability and Security : 19th International Conference, SAFECOMP 2000, Rotterdam, the Netherlands, October 24-27, 2000 Proceedings Paperback

WelcometoRotterdamandtotheInternationalConferenceSafecomp2000,on thereliability,safetyandsecurityofcriticalcomputerapplications.

Thisalready marksthe19thyearoftheconference,showingtheundiminishedinterestthe topicelicitsfrombothacademiaandindustry.

Safecomphasproventobean excellentplacetomeetandhavediscussions,andwehopethistrendcontinues thisyear.

Peopleandorganisationsdependmoreandmoreonthefunctioningofc- puters.

Whetherinhouseholdequipment,telecommunicationsystems,o?ce- plications,banking,peoplemovers,processcontrolormedicalsystems,theoft- embeddedcomputersubsystemsaremeanttoletthehostingsystemrealiseits intendedfunctions.

Theassuranceofproperfunctioningofcomputersin- pendableapplicationsisfarfromobvious.

Themillenniumstartedwiththebug andthefullendorsementoftheframeworkstandardIEC61508.

Thevariety ofdependablecomputerapplicationsincreasesdaily,andsodoesthevarietyof risksrelatedtotheseapplications.

Theassessmentoftheserisksthereforeneeds re?ectionandpossiblynewapproaches.

Thisyear'sSafecompprovidesabroad mixofpapersontheseissues,onprogressmadeindi?erentapplicationdomains andonemergingchallenges.

Oneofthespecialtopicsthisyearistransportandinfrastructure.

Onewould behardpressedto?ndabetterplacetodiscussthisthaninRotterdam. The reliability,safetyandsecurityofcomputersisofprominentimportancetoRott- dam,asafewexamplesillustrate.

Itsharbourdependsonthereliablefunctioning ofcontainerhandlingsystems,onthesafefunctioningofitsradarsystems,and, asofrecently,onthesafeandreliablefunctioningoftheenormousstormsurge barrieratHoekvanHolland.

AnewtopicforSafecompis medicalsystems. Theseprogressivelydepend on-embedded-programmableelectronicsystems.

Experienceshowsthatthe medicalworldlacksthemethodsforapplyingthesesystemssafelyandreliably.

Wewelcomeagroupofpeoplereadytodiscussthistopic,andhope,bydoing so,tocontributetothis?eldofapplicationsofsafe,reliableandsecuresystems.

SoftwareprocessimprovementalsorepresentsaspecialtopicofSafecomp 2000.

Itprovedtobethemostfruitfulofthethreeintermsofsubmittedpapers.

Thereweremanycontributionsfromahostofcountries,whichhadtobespread amongstdi?erentsessiontopics.

WewishtothanktheInternationalProgramCommittee'smembers,41in total,fortheire?ortsinreviewingthepapersandfortheirvaluableadvicein organisingthisconference.

Wearealsogratefulfortheircontributiontod- tributingcallsforpapersandannouncements.

Withouttheirhelptheburdenof organisingthisconferencewouldhavebeenmuchgreater. VI Preface Finally,letusonceagainwelcomeyoutoRotterdam,atrulyinternational cityandhometopeopleofmanynationalities.

Wehopeyoutakethetimenot onlytoenjoythisconference,butalsoto?ndyourwayaroundthecity,sinceit surelyhasmuchtoo?er.

FloorKoornneef MeinevanderMeulen Table of Contents InvitedPaper TheTenMostPowerfulPrinciplesforQualityin(Softwareand) SoftwareOrganizationsforDependableSystems...1 TomGilb Veri?cationandValidation EmpiricalAssessmentofSoftwareOn-LineDiagnostics UsingFaultInjection...14 JohnNapier,JohnMayandGordonHughes Speeding-UpFaultInjectionCampaignsinVHDLModels...27 B.

Parrotta,M. Rebaudengo,M. SonzaReordaandM. Violante Speci?cationandVeri?cationofaSafetyShellwithStatechartsand ExtendedTimedGraphs...37 JanvanKatwijk,HansToetenel,Abd-El-KaderSahraoui,EricAnderson andJanuszZalewski ValidationofControlSystemSpeci?cationswithAbstractPlantModels...53 WenhuiZhang AConstantPerturbationMethodforEvaluation ofStructuralDiversityinMultiversionSoftware...63 LupingChen,JohnMayandGordonHughes ExpertError:TheCaseofTrouble-ShootinginElectronics...74 DenisBesnard TheSafetyManagementofData-DrivenSafety-RelatedSystems ...86 A.

G. Faulkner,P. A. Bennett,R. H. Pierce,I. H. A. Johnston andN. Storey SoftwareSupportforIncidentReportingSystems inSafety-CriticalApplications...96 ChrisJohnson SoftwareProcessImprovement ADependability-ExplicitModelfortheDevelopment ofComputingSystems...107 MohamedKaan iche,Jean-ClaudeLaprieandJean-PaulBlanquart VIII Table ofContents DerivingQuanti?edSafetyRequirementsinComplexSystems ...117 PeterA.

Lindsay,JohnA. McDermidandDavidJ. Tombs ImprovingSoftwareDevelopmentbyUsing SafeObjectOrientedDevelopment:OTCD...131 XavierM'ehautandPierreMor'ere ASafetyLicensablePESforSIL4Applications...141 WolfgangA.

Halang,PeterVogrinandMatja?zColnari?c SafetyandSecurityIssuesinElectricPowerIndustry ...151 ?

Zdzis lawZurakowski DependabilityofComputerControlSystemsinPowerPlants ...165 Cl'audiaAlmeida,AlbertoArazo,YvesCrouzetandKaramaKanoun AMethodofAnalysisofFaultTreeswithTimeDependencies ...176 JanMagottandPawe lSkrobanek Formal Methods AFormalMethodsCaseStudy:UsingLight-WeightVDM fortheDevelopmentofaSecuritySystemModule...187 GeorgDroschl,WalterKuhn,GeraldSonneckandMichaelThuswald FormalMethods:TheProblemIsEducation...198 ThierryScheurer FormalMethodsDi?usion:PastLessonsandFutureProspects...211 R.

Bloom?eld,D. Craigen,F. Koob,M. UllmannandS. Wittmann InvitedPaper SafeTech:AControlOrientedViewpoint...227 MaartenSteinbuch SafetyGuidelines,StandardsandCerti?cation DerivationofSafetyTargetsfortheRandomFailure ofProgrammableVehicleBasedSystems...240 RichardEvansandJonathanMo?ett IEC61508-ASuitableBasisfortheCerti?cation ofSafety-CriticalTransport-InfrastructureSystems??...250 DerekFowlerandPhilBennett Table of Contents IX HardwareAspects AnApproachtoSoftwareAssistedRecovery fromHardwareTransientFaultsforRealTimeSystems...264 D.

BasuandR. Paramasivam ProgrammableElectronicSystemDesign&Veri?cationUtilizingDFM...275 MichelHoutermans,GeorgeApostolakis,AarnoutBrombacher andDimitriosKarydas SIMATICS7-400F/FH:Safety-RelatedProgrammableLogicController...286 AndreasSchenk SafetyAssessmentI AssessmentoftheReliabilityofFault-TolerantSoftware: ABayesianApproach...294 BevLittlewood,PeterPopovandLorenzoStrigini EstimatingDependabilityofProgrammableSystemsUsingBBNs...309 BjornAxelGran,GustavDahll,SiegfriedEisinger,EivindJ.

Lund, JanGerhardNorstrom,PeterStrockaandBrittJ. Ystanes DesignforSafety ImprovementsinProcessControlDependability throughInternetSecurityTechnology...321 FerdinandJ. Dafelmair ASurveyonSafety-CriticalMulticastNetworking ...333 JamesS.

PascoeandR. J. Loader InvitedPaper CausalReasoningaboutAircraftAccidents...344 PeterB.

Ladkin Transport&Infrastructure ControllingRequirementsEvolution:AnAvionicsCaseStudy...361 StuartAndersonandMassimoFelici HAZOPAnalysisofFormalModels ofSafety-CriticalInteractiveSystems...