Skip to main content
SpringerLink
Log in

Hazard Relation Diagrams: a diagrammatic representation to increase validation objectivity of requirements-based hazard mitigations

  • Original Article
  • Published:
Requirements Engineering Aims and scope Submit manuscript

Abstract

When developing safety-critical embedded systems, it is necessary to ensure that the system under development poses no harm to human users or external systems during operation. To achieve this, potential hazards are identified and potential mitigations for those hazards are documented in requirements. During requirements validation, the stakeholders assess if the documented hazard-mitigating requirements can avoid the identified hazards. Requirements validation is highly subjective. Among others, validation depends on the stakeholders’ understanding of the involved processes, their familiarity with the system under development, and the information available. In consequence, there is the risk that stakeholders judge the adequacy of hazard-mitigating requirements based on their individual opinions about the hazards, rather than on the documented information about the system’s hazards. To improve the validation of hazard-mitigating requirements, we recently proposed a diagrammatic representation called Hazard Relation Diagrams (Tenbergen B, Weyer T, Pohl K, Supporting the validation of adequacy in requirements-based hazard mitigations. In: Requirements engineering: foundation for software quality. LNCS, vol 9013. Springer, pp 17–32, 2015). In this paper, we extend the ontology of Hazard Relation Diagrams, present their notations, and define well-formedness rules. We elaborate on the application of Hazard Relation Diagrams to visualize complex relationships between hazards and mitigations and present an automated approach to generate Hazard Relation Diagrams. Finally, we report on our empirical evaluations about the impact of Hazard Relation Diagrams on review objectivity, effectiveness, efficiency, and reviewer’s subjective confidence.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9

Similar content being viewed by others

Notes

  1. In the following, we use the term “safety engineering” for the academic discipline, while we use the term “safety assessment” for the activities carried out during development.

  2. Please note the difference between adequacy, i.e., an artifact’s suitability for the development process, and an artifact’s formal correctness, as outlined in [12]. Even formally correct requirements can be functionally, strategically, or legally inadequate to mitigate a hazard.

  3. The artifact formalizations are available as an appendix to this article at https://goo.gl/FNfsB9.

  4. The following algorithmic description references pseudo-code implementations, which we provide as an appendix to this article at https://goo.gl/D6eGhR.

  5. For researchers interested in replicating our experiments, the experimental material can be downloaded from https://goo.gl/XwJJQu.

  6. The post hoc questionnaire is available at https://goo.gl/XwJJQu.

References

  1. Leveson NG (2011) Engineering a safer world: systems thinking applied to safety. Engineering systems. MIT Presss, Cambridge

    Google Scholar 

  2. Leveson NG (1995) Safeware: system safety and computers. Addison-Wesley, Reading, Mass

    Google Scholar 

  3. SAE International (1996) ARP4761, Guidelines and methods for conducting the safety assessment process on civil airborne systems and equipment. http://standards.sae.org/arp4761/. Accessed 7 Jan 2016

  4. International Organization for Standardization (2011) ISO26262, Road vehicles—functional. safety. http://www.iso.org/iso/catalogue_detail?csnumber=43464. Accessed 7 Jan 2016

  5. Ericson CA (2005) Hazard analysis techniques for system safety. Wiley, Hoboken

    Book  Google Scholar 

  6. Bishop P, Bloomfield R, Guerra S (2004) The future of goal-based assurance cases. In: proceedings of the workshop on assurance cases, pp 390–395

  7. Wilson SP, Kelly TP, McDermid JA (1997) Safety case development: current practice, future prospects. In: Shaw R (ed) Safety and reliability of software based systems. Springer, London, pp 135–156

    Chapter  Google Scholar 

  8. IEEE Standards Board (1990) IEEE Std. 610.12: IEEE Standard Glossary of Software Engineering Terminology, 1990

  9. Leveson N (2011) The use of safety cases in certification and regulation. J Syst Saf 47(6). http://goo.gl/j9NW5Y. Accessed 13 July 2016

  10. Firesmith D (2004) Engineering safety requirements, safety constraints, and safety-critical requirements. J Object Technol 3(3):27–42. doi:10.5381/jot.2004.3.3.c3

    Article  Google Scholar 

  11. Hatcliff J, Wassyng A, Kelly T et al. (2014) Certifiably safe software-dependent systems: challenges and directions. In: proceedings of the future software engineering, pp 182–200

  12. Glinz M (2000) Improving the Quality of Requirements with Scenarios. In: proceedings of the 2nd world congress on software quality, pp 55–60

  13. Flynn DJ, Warhurst R (1994) An empirical study of the validation process within requirements determination. Inf Syst J 4(3):185–212. doi:10.1111/j.1365-2575.1994.tb00051.x

    Article  Google Scholar 

  14. Lisagor O, Sun L, Kelly T (2010) The illusion of method: challenges of model-based safety assessment. In: 28th international system safety conference (ISSC)

  15. Sun L (2012) Establishing confidence in safety assessment evidence. Dissertation, University of York

  16. Gacitua R, Ma L, Nuseibeh B, Piwek P, de Roeck AN, Rouncefield M, Sawyer P, Willia A, Yang H (2009) Making tacit requirements explicit. In: 2nd international workshop on managing requirements knowledge (MARK), pp 40–44

  17. Glinz M, Fricker SA (2015) On shared understanding in software engineering: an essay. Comput Sci Res Dev 30(3–4):363–376. doi:10.1007/s00450-014-0256-x

    Article  Google Scholar 

  18. Mao J, Chen L (2012) Runtime monitoring for cyber-physical Systems: a case study of cooperative adaptive cruise control. In: proceedings of the 2nd international conference on intellectual system design and engineering application, pp 509–515

  19. Caramihai SI, Dumitrache I (2013) Urban traffic monitoring and control as a cyber-physical system approach. In: Dumitrache L (ed) Advances in intelligent control systems and computer science. Springer, Berlin, pp 355–366

    Chapter  Google Scholar 

  20. Lempia DL, Miller S (2009) Requirements engineering management findings report. Technical report DOT/FAA/AR-08/34, Federal Aviation Administration

  21. Tenbergen B, Weyer T, Pohl K (2015) Supporting the validation of adequacy in requirements-based hazard mitigations. In: Requirements engineering: foundation for software quality. LNCS, vol 9013. Springer, pp 17–32

  22. Heimdahl MP (2007) Safety and software intensive systems: challenges old and new. In: future of software engineering, pp 137–152

  23. Stoneburner G (2006) Toward a unified security-safety model. Computer 39(8):96–97. doi:10.1109/MC.2006.283

    Article  Google Scholar 

  24. Kelly T (2007) Reviewing assurance arguments-a step-by-step approach. In: workshop on Assurance Cases for Security-The Metrics Challenge, Dependable Systems and Networks (DSN)

  25. Johnson CW, Holloway CM (2006) Questioning the role of requirements engineering in the causes of safety-critical software failures. In: IET international conference on system safety, pp 352–361

  26. Lempia DL, Miller S (2009) Requirements engineering management handbook. Technical report, DOT/FAA/AR-08/32, Federal Aviation Administration

  27. Chung L, Nixon BA, Yu E et al (2000) Non-functional requirements in software engineering. International series in software engineering, vol 5. Springer, Berlin

    Book  MATH  Google Scholar 

  28. Moody DL (2009) The “physics” of notation: toward a scientific basis for constructing visual notations in software engineering. IEEE Trans Softw Eng 35(6):756–779

    Article  Google Scholar 

  29. Störrle H (2004) Semantics of control-flow in UML 2.0 activities. In: IEEE symposium on visual languages and human centric computing, pp 235–242

  30. Object Management Group (2015) OMG Unified Modeling Language, Version 2.5. OMG Document Number formal/2015-03-01. http://goo.gl/7cQyPv. Accessed 13 July 2016

  31. van Lamsweerde A (2009) Requirements engineering: from system goals to UML models to software specifications. Wiley, Chichester

    Google Scholar 

  32. Yu E (1997) Towards modelling and reasoning support for early-phase requirements engineering. In: international symposium RE, pp 226–235

  33. Giorgini P, Mylopoulos J, Sebastiani R (2005) Goal-oriented requirements analysis and reasoning in the Tropos methodology. Eng Appl Artif Intell 18(2):159–171. doi:10.1016/j.engappai.2004.11.017

    Article  Google Scholar 

  34. Kelly T, Weaver R (2004) The goal structuring notation‐a safety argument notation. In: proceedings of the workshop on assurance cases of dependable systems and networks

  35. Heim I, Kratzer A (1998) Semantics in generative grammar. Wiley, Chichester

    Google Scholar 

  36. Finkelstein A, Kramer J, Nuseibeh B, Finkelstein L, Goedicke M (1992) Viewpoints: a framework for integrating multiple perspectives in system development. Int J Softw Eng Knowl Eng 2(1):31–58

    Article  Google Scholar 

  37. Conway M (1968) How do committees invent? Datamation 14(4):28–31

    Google Scholar 

  38. Reif K (2010) Fahrstabilisierungssysteme und Fahrerassistenzsysteme. Vieweg + Teubner, Wiesbaden

    Book  Google Scholar 

  39. Object Management Group (2011) QVT: Meta Object Facility (MOF) 2.0 Query/View/Transformation, v1.1

  40. QVT Operational Eclipse Plugin, v3.5.0. https://goo.gl/SglK1F. Accessed 7 Jan 2016

  41. Eclipse Modeling Tools, Luna Package Distribution. https://goo.gl/qo9Sf5. Accessed 7 Jan 2016

  42. Jedlitschka A, Ciolkowski M, Pfahl D (2008) Reporting experiments in software engineering. In: Shull F, Singer J, Sjøberg DIK (eds) Guide to advanced empirical software engineering. Springer, London, pp 201–228

    Chapter  Google Scholar 

  43. Wohlin C, Runeson P, Höst M et al (2012) Experimentation in software engineering. Springer, Berlin

    Book  MATH  Google Scholar 

  44. Tabachnick BG, Fidell LS (2010) Using multivariate statistics, 5th edn. Pearson/Allyn and Bacon, Boston

    Google Scholar 

  45. SoSci Survey. https://www.soscisurvey.de. Accessed 7 January 2016

  46. Venkatesh V, Bala H (2008) Technology acceptance model 3 and a research agenda on interventions. Decis Sci 39(2):273–315. doi:10.1111/j.1540-5915.2008.00192.x

    Article  Google Scholar 

  47. Goodhue DL (1998) Development and measurement validity of a task-technology fit instrument for user evaluations of information System. Decis Sci 29(1):105–138. doi:10.1111/j.1540-5915.1998.tb01346.x

    Article  Google Scholar 

  48. van Solingen R, Berghout E (1999) The goal/question/metric method: a practical guide for quality improvement of software development. The McGraw-Hill Companies, London

    Google Scholar 

  49. Osgood CE, Suci G, Tannenbaum P (1957) The measurement of meaning. University of Illinois Press, Urbana

    Google Scholar 

  50. Verhagen T., Hooff B. van den Meents S. (2015) Toward a better use of the semantic differential in IS research: an integrative framework of suggested action. J Assoc Inf Syst 16(2):108–143

  51. Corbin JM, Strauss AL (2008) Basics of qualitative research: Techniques and procedures for developing grounded theory, 3rd edn. Sage Publ, Los Angeles

    Book  Google Scholar 

  52. Cronbach LJ (1951) Coefficient alpha and the internal structure of tests. Psychometrika 16(3):297–334. doi:10.1007/BF02310555

    Article  MATH  Google Scholar 

  53. Student (1908) The probable error of a mean. Biometrika 6(1):1–25. doi:10.2307/2331554

    Article  Google Scholar 

  54. Cohen J (1992) A power primer. Psychol Bull 112(1):155–159. doi:10.1037/0033-2909.112.1.155

    Article  Google Scholar 

  55. David HA, Gunnink JL (1997) The paired t test under artificial pairing. Am Stat 51(1):9–12. doi:10.2307/2684684.JSTOR2684684

    MathSciNet  Google Scholar 

  56. Carver J, Jaccheri L, Morasca S, Shull F (2003) Issues in using students in empirical studies in software engineering education. In: proceedings 9th international software metrics symposium, pp 239–249

  57. Hart C, Mulhall P, Berry A, Loughran J, Gunstone R (2000) What is the purpose of this experiment? Or can students learn something from doing experiments? J Res Sci Teach 37(7):655–675. doi:10.1002/1098-2736(200009)37:7<655:AID-TEA3>3.0.CO;2-E

    Article  Google Scholar 

  58. Carver JC, Nagappan N, Page A (2008) The impact of educational background on the effectiveness of requirements inspections: an empirical study. IEEE Trans Softw Eng 34(6):800–812. doi:10.1109/TSE.2008.49

    Article  Google Scholar 

  59. Navarro E, Sanchez P, Letelier P, Pastor JA, Ramos I (2006) A goal-oriented approach for safety requirements specification. In: 13th annual IEEE international symposium and workshop on engineering computer based system, pp 319-326

  60. Allenby K, Kelly T (2001) Deriving safety requirements using scenarios. In: 5th IEEE international symposium RE, pp 228–235

  61. Chen D, Johansson R, Lönn H, Papadopoulos Y, Sandberg, A, Törner F, Törngren M (2008) Modelling support for design of safety-critical automotive embedded systems. In: proceedings of the 27th international conference computer safety, reliability and security, pp 72–85

  62. Guillerm R, Demmou H, Sadou N (2011) Combining FMECA and fault trees for declining safety requirements of complex systems. In: Soares CG (ed) Advances in safety, reliability and risk management. CRC Press, pp 1287–1293

  63. Hansen KM, Ravn AP, Stavridou V (1998) From safety analysis to software requirements. IIEEE Trans Softw Eng 24(7):573–584. doi:10.1109/32.708570

    Article  Google Scholar 

  64. Tsuchiya T, Terada H, Kusumoto S, Kikuno T Eun Mi Kim (1997) Derivation of safety requirements for safety analysis of object-oriented design documents. In: proceedings of the 21st annual international computer software and applications conference, pp 252–255

  65. Troubitsyna E (2008) Elicitation and specification of safety requirements. In: proceedings of the 3rd international conference on systems, pp 202–207

  66. Xu X, Bao X, Lu M, Chang W (2011) A study and application on airborne software safety requirements elicitation. In: proceedings of the 9th international conference on reliability, maintainability and safety, pp 710–716

  67. van Lamsweerde A (2009) Reasoning about alternative requirements options. In: Borgida AT, Chaudhri VK, Giorgini P, Yu ES (eds) Conceptual modeling: Foundations and Applications. Springer, Heidelberg, pp 380–397

  68. Sindre G (2007) A look at misuse cases for safety concerns. In: proceedings of the IFIP WG 8.1 conference, pp 252–266

  69. Raspotnig C, Opdahl A (2013) Comparing risk identification techniques for safety and security requirements. J Syst Softw 86(4):1124–1151. doi:10.1016/j.jss.2012.12.002

    Article  Google Scholar 

  70. Leveson NG (2004) A systems-theoretic approach to safety in software-intensive systems. IEEE Trans Depend Secur Comput 1(1):66–86. doi:10.1109/TDSC.2004.1

    Article  Google Scholar 

  71. Shull F, Basili V, Boehm B, Winsor Brown A, Costa P, Lindvall M, Port D, Rus I, Tesoriero R, Zelkowitz M (2002) What we have learned about fighting defects. In: proceedings of the 8th international symposium on software metrics, pp 249–258

  72. Boehm B, Basili VR (2001) Software defect reduction top 10 list. Computer 34(1):135–137. doi:10.1109/2.962984

    Article  Google Scholar 

  73. Basili VR, Green S, Laitenberger O, Lanubile F, Shull F, Sorumgard S, Zelkowitz M (1996) The empirical investigation of perspective-based reading. Empir Softw Eng 1(2):133–164. doi:10.1007/BF00368702

    Article  Google Scholar 

  74. Shull F, Rus I, Basili V (2000) How perspective-based reading can improve requirements inspections. Computer 33(7):73–79. doi:10.1109/2.869376

    Article  Google Scholar 

  75. Li Q, Boehm B, Yang Y, Wang Q (2011) A value-based review process for prioritizing artifacts. In: proceedings of the international conference on software system process, pp 13–23

  76. Aurum A, Petersson H, Wohlin C (2002) State-of-the-art: software inspections after 25 years. Softw Test Verif Reliab 12(3):133–154. doi:10.1002/stvr.243

    Article  Google Scholar 

  77. Porter AA, Votta LG, Basili VR (1995) Comparing detection methods for software requirements inspections: a replicated experiment. IEEE Trans Softw Eng 21(6):563–575. doi:10.1109/32.391380

    Article  Google Scholar 

  78. Lee K, Boehm B (2005) Empirical results from an experiment on value-based review (VBR) processes. In: proceedings of the international symposium empirical software engineering, pp 3–12

  79. Cruickshank KJ, Michael JB, Man-Tak Shing (2009) A validation metrics framework for safety-critical software-intensive systems. In: IEEE international conference system of systems engineering, pp 1–8

  80. Michael JB, Shing MT, Cruickshank KJ, Redmond PJ (2010) Hazard analysis and validation metrics framework for system of systems software safety. IEEE Syst J 4(2):186–197. doi:10.1109/JSYST.2010.2050159

    Article  Google Scholar 

  81. Driskell SB, Murphy J, Michael JB, Man-Tak Shing (2010) Independent validation of software safety requirements for systems of systems. In: proceedings of the 5th international conference on system of systems engineering, pp 1–6

  82. Belli F, Hollmann A, Nissanke N (2007) Modeling, analysis and testing of safety issues—an event-based approach and case study. In: proceedings of the 26th international conference on computer safety, reliability and security, pp 276–282

  83. Bitsch F (2001) Safety patterns—the key to formal specification of safety requirements. In: proceedings of the 20th international conference on computer safety, reliability and security, pp 176–189

  84. Bharadwaj R, Heitmeyer CL (1999) Model checking complete requirements specifications using abstraction. Autom Softw Eng 6(1):37–68. doi:10.1023/A:1008697817793

    Article  Google Scholar 

  85. Heitmeyer C, Kirby J, Labaw B et al (1998) Using abstraction and model checking to detect safety violations in requirements specifications. IEEE Trans Softw Eng 24(11):927–948. doi:10.1109/32.730543

    Article  Google Scholar 

  86. Zafar S, Dromey RG (2005) Integrating safety and security requirements into design of an embedded system. In: proceedings of the 12th Asia-Pacific software engineering conference, pp 629–636

  87. Robertson S, Robertson J (2013) Mastering the requirements process: getting requirements right, 3rd edn. Addison-Wesley, Upper Saddle River

    Google Scholar 

Download references

Acknowledgements

This research was partly funded by the German Federal Ministry of Education and Research (BMBF) under Grant number 01IS12005C (project SPES XT). We thank Arnaud Boyer (Airbus Defence and Space) for his consultation regarding FHA. We thank Dr. Frank Houdek (Daimler AG) as well as Peter Heidl and Jens Höfflinger (Robert Bosch GmbH) for their consultation on the adaptive cruise control system. We thank Dr. Kai Petersen of Blekinge Institute of Technology as well as Marian Daun and André Heuer (University of Duisburg-Essen) for their feedback on the study design. We also thank all our participants in the experiments.

Author information

Authors and Affiliations

  1. Department of Computer Science, State University of New York at Oswego, 7060 State Route 104, Oswego, NY, 13126, USA

    Bastian Tenbergen

  2. paluno – The Ruhr Institute for Software Technology, University of Duisburg-Essen, Gerlingstr. 16, 45127, Essen, Germany

    Bastian Tenbergen, Thorsten Weyer & Klaus Pohl

Authors
  1. Bastian Tenbergen
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Thorsten Weyer
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Klaus Pohl
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Bastian Tenbergen.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Tenbergen, B., Weyer, T. & Pohl, K. Hazard Relation Diagrams: a diagrammatic representation to increase validation objectivity of requirements-based hazard mitigations. Requirements Eng 23, 291–329 (2018). https://doi.org/10.1007/s00766-017-0267-9

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s00766-017-0267-9

Keywords

Search

Navigation