Hazard Assessment of Software Trouble Reports (STRs)

摘要

There has been much discussion, confusion and controversy outside of the safety community (and often within the safety community) about the rationale and methodology behind safety evaluation of STRs. Specifically, Safety Engineers and System Engineers fail to understand how an STR with priority less than (one) 1 can be considered to have safety impact. This confusion is reinforced by the literal interpretation of the military's standard for software development and documentation (MIL-STD-498), which states that priority (pri) 1 applies to an STR if the problem will, "Jeopardize safety, security, or other requirement designated "critical"." For the purpose of both safety risk assessment and programmatic risk assessment, the literal interpretation of this MIL-STD-498 requirement is inadequate. This paper addresses the identification and hazard assessment of STRs with safety impact, with emphasis on STRs with priorities other than 1. The reasons that lower priority STRs can have safety impact are explored; the problems caused by constraining safety STRs to priority 1 are described, as are processes for assessing risk associated with STRs. A glossary for some of the terms used in this report is presented at the end.