|
1 | 1 | # OSEP proposed approach |
2 | 2 |
|
3 | | -a) Identify and document system scope, losses and hazards |
| 3 | +a) Document scope of analysis using STPA |
4 | 4 |
|
5 | | -* *Assumed* system context, boundaries of analysis, role of OS, etc |
6 | | -* OS-level losses/hazards that *may* violate a system's safety goals |
7 | | -* Specific to the topic: start simple and elaborate later! |
| 5 | +*In collaboration with other WGs e.g. Automotive?* |
8 | 6 |
|
9 | | -b) Identify and document constraints and mitigations |
10 | | -* Constraints: Criteria that must be satisfied to *prevent* hazard |
11 | | -* Mitigations: To reduce *impact* of hazards that are not prevented |
| 7 | +* Assumed system context |
| 8 | + - Hardware features, role of OS, boundaries of analysis, etc |
| 9 | + - Doesn't have to be concrete / complex |
| 10 | + - Specific to topic: start simple and elaborate later! |
| 11 | +* Losses |
| 12 | + - OS-related outcomes that *may* violate a system's safety goals |
| 13 | + - i.e. lead to harm in a safety-related system |
| 14 | +* Hazards |
| 15 | + - OS-level system conditions that *may* lead to these losses |
| 16 | +* System-level constraints |
| 17 | + - Criteria that must be satisfied to *prevent* or *mitigate* hazards |
| 18 | + - May be a simple inversion of the hazard |
12 | 19 |
|
13 | | -c) Identify and document kernel features or external mechanisms |
14 | | -* To implement OS- or system-level constraints and mitigations |
15 | | -* To be identified and/or investigated by other WGs? |
| 20 | +b) Identify and document system measures and mitigations for Linux |
16 | 21 |
|
17 | | -d) Investigate and document processes and tools to: |
18 | | -* Implement constraints or mitigations via engineering processes |
19 | | -* Verify constraints and mitigations (at all levels) |
20 | | -* Validate constraints, mitigations & verification measures in-context |
21 | | -* Identify or provide other evidence to support claims |
| 22 | +*Out of scope for OSEP - LFSCS group?* |
| 23 | + |
| 24 | +* Provided by kernel features, compiler, hardware, etc |
| 25 | +* Find supporting evidence (design, tests, processes) for these |
| 26 | +* Identify responsibilities of components (kernel, compiler, etc) |
| 27 | + |
| 28 | +c) Perform hazard and risk analysis using STPA |
| 29 | + |
| 30 | + *In collaboration with LFSCS and Safety Architecture WGs?* |
| 31 | + |
| 32 | +* Based on inputs from (a) and (b) |
| 33 | +* Document control structure(s) for topic |
| 34 | + - Identify controllers and responsibilities |
| 35 | + - Functional abstraction of system elements |
| 36 | + - e.g. Kernel or subsystems, complier, other tools, etc |
| 37 | + - Define interactions as control actions and feedback |
| 38 | + - Identify Unsafe Control Actions and Loss Scenarios |
| 39 | + - Define Controller Constraints |
| 40 | + |
| 41 | +d) Identify and document process measures and mitigations |
| 42 | + |
| 43 | +* Identify engineering practices and tools to: |
| 44 | + - Implement constraints from (a) and (c) |
| 45 | + - Verify constraints from (a) and (c) |
| 46 | + - Evaluate and/or increase confidence in (b) |
| 47 | + - Identify or provide other evidence to support claims |
| 48 | + - e.g. Quality criteria |
| 49 | +* Find supporting evidence from FOSS communities |
| 50 | + - Formal, verifiable process or inconsistent practice? |
22 | 51 |
|
23 | 52 | e) Identify and document claims and use cases |
| 53 | + |
24 | 54 | * To illustrate how a+b+c+d might support an in-context safety argument |
25 | | -* Use cases with kernel config(s) and hardware / system dependencies? |
| 55 | +* Evidence needed to support claims |
| 56 | + - How can other organisations use (d) to provide confidence? |
| 57 | + - What criteria does evidence need to satisfy? |
| 58 | +* Document use cases |
| 59 | + - In collaboration with Domain WGs? |
| 60 | + - With kernel config(s) and hardware / system dependencies? |
0 commit comments