Concepedia

Publication | Closed Access

Safety Cases for Advanced Control Software: Safety Case Patterns

Citations: 31

References: 4

Year: 2007

Abstract

This report results from a contract tasking the University of York. The project will undertake one activity: produce a unified (generic) approach to developing safety cases for adaptive avionics and software, and identify a "way ahead" to develop and validate the approach, based on the outline produced in the preceding NASA project. As with the previous report, the authors' focus in addressing safety cases for "advanced" control systems is to concentrate on the class of adaptive systems. A system can be considered adaptive if its behavior cannot be predicted solely from knowledge of its initial software design and state. The behavior of an adaptive system is the product of its initial state and the adaptations (state changes) that have taken place according to the stimuli it has encountered. Adaptive systems can be introduced to improve safety (e.g., to continue to control an aircraft safely in the event of losing a control surface), or to improve other system characteristics (e.g., to improve the fuel consumption of an aero-engine). The motivation for introducing an adaptive capability has a significant impact on the nature of the required safety argument. Where improved safety is the goal of the adaptation, the safety argument must justify that the adaptive system is capable of reducing some of the risks associated with hazards already present with the equipment under control. At the same time, it is necessary to ensure that the introduction of the adaptive capability does not introduce new, or increase existing, risks. Where adaptation is being introduced for reasons other than safety, safety can be viewed as a constraint. The principal concern is that the adaptive capability doesn't introduce new, or increase existing, risks.
