
Wednesday, November 16, 2016 - 11:30am to 12:30pm

A New Approach to Software Safety, Risk, and Vulnerability Analysis


Software has found its way into almost every part of our lives. Increased automation in the cars we drive can lead to failures which could result in physical injury, unacceptable risk, or cyber security vulnerabilities. In order to prevent accidents, identification of hazards, risks, and security vulnerabilities is required during development. The problem is that the traditional hazard analysis techniques—failure effects and modes analysis, fault tree analysis, and root cause analysis—were developed for simplistic hardware controllers and are based on single-point failures. Software fails differently than hardware. Most accidents, system failures, and many cyber attacks involving software-controlled systems are not caused by software failure (the software stopped working) but instead by unforeseen interactions between the software and other system components. Vicki and Greg Pope explain how to use a robust hazard analysis technique called systemic theoretic process analysis. In actual usage on complex, software-controlled systems, this technique has been able to identify more hazards, risks, and security vulnerabilities than the previous methods.

Greg Pope
Lawrence Livermore National Labs

Gregory Pope has more than forty years’ experience developing software in the commercial and government sectors. Greg has held positions from programmer to CEO and now works for the Lawrence Livermore National Laboratory as a software quality engineering group leader. Previously, Greg founded and ran a software testing company and patented automated software testing tools. He has held varied positions involved with mission-critical testing of military systems and development of software codes for electronic countermeasures, telemetry, and data acquisition systems for flight.

Vicki Pope
Lawrence Livermore National Laboratory

Vicki Pope is an American Society of Quality certified software quality engineer and the deputy software quality assurance manager for Lawrence Livermore National Laboratory (LLNL). Vicki analyzes legal and contractual SQA requirements and translates them into meaningful and usable information for software development and user teams at the Lab. This includes consulting and mentoring individual development/user teams, creating and teaching software-related courses, developing templates and job aids, and managing the safety software inventory for the LLNL.