Pandora: An Approach to Analyzing Safety-Related Digital System Failures

Accidents have occurred in which failures of digital systems have contributed to property damage, injury, and even loss of life. Most investigative agencies do not know how to investigate these failures comprehensively because the complexity and coupling of a digital system’s functions can obfuscate its design, making it difficult for an investigator to understand the system, and because the uniqueness of each digital system prevents investigators from developing generic checklists for diagnosing failures. To address these problems, this thesis proposes the development of Pandora, a systematic approach to the analysis of safety-related digital system failures that is based upon the system safety case. As the complete argument that a system is safe to operate, the safety case contains the information needed to understand the safety-related aspects of a system and to diagnose and address the failure. Pandora audits a system’s safety case to identify the fallacious reasoning or faulty evidence that allowed a failure to occur, and in doing so it drives the elicitation of background information and counter-evidence needed to diagnose the failure. The products of this audit are a set of lessons comprising the flaws identified in the original safety argument, a revised safety case that is free of those flaws, and a set of recommendations for repairing the system and its associated development and operational practices. Pandora is a rigorous approach because it systematically revisits each of the safety claims that, if unsatisfied, could have contributed to a failure, and it is efficient because it considers only those system details, evidence, and safety claims that pertain to the investigation. This proposal discusses Pandora and its supporting work, further development, and planned evaluation of the approach through case studies.