Safety-Driven Design for Software-Intensive Aerospace and Automotive Systems

Too often, systems are designed and then an attempt is made to add safety features or to prove that the design is safe after the fact. Safety has to be designed into a system from the start-it cannot be effectively added on to a mature design. In addition, the increasing use of software is changing the nature of accident causation in software-intensive systems and our safety engineering techniques must change accordingly. This article will describe a new hazard analysis technique, called STPA, which is effective on software-intensive systems. An advantage of this technique is that it can be used to drive the earliest design decisions and then proceed in parallel with ensuing design decisions and design refinement. Not only is this approach more effective, but the cost is no more than a more conventional design process and potentially much cheaper