State Machine Hazard Analysis

Like system hazard analysis, software (subsystem) hazard analysis requires a model of the component's behavior.

- Using code is too hard and too late.
- Software is too complex to do analysis entirely in one's head.
- Formal models are useful, but they need to be easily readable and usable without graduate-level training in discrete math.
- Only a small subset of errors is detectable by automated tools: the most important ones require human knowledge and expertise.
- Mathematical proofs must be understandable (checkable) by application experts.
- The hazard analysis process requires that results can be openly reviewed and discussed.

State Machine Hazard Analysis (2)

State machines make a good model for describing and analyzing digital systems and software:

- They match intuitive notions of how machines work (e.g., sets do not).
- They have a mathematical basis, so they can be analyzed, and graphical notations that are easily understandable.
- Previous problems with state explosion have been solved by "meta-modeling" languages, so complex systems can be handled.
- Some analyses can be automated, and tools can assist the human analyst in traversing (searching) the model.
- Our experience is that assisted search and understanding tools are the most helpful in hazard analysis.
- Completely automated tools have an important but more limited role to play.
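As an added illustration of the second slide's point (not code from the slides or from the author's tools), the following Python models a hypothetical beam/door interlock as a finite state machine and runs the kind of automated reachability search that assists a human analyst: it returns the shortest event trace leading to the hazardous state, which the analyst then reviews, and reports "unreachable" once the interlock is added. The component, its states and its events are constructed for this example.

```python
from collections import deque

# Constructed model: a state is (beam, door). The hazard is the beam being
# energized while the door is open. Event order fixes the search order.
START = ("off", "closed")
EVENTS = ("open_door", "close_door", "beam_on", "beam_off")

def is_hazard(state):
    return state == ("on", "open")

def unguarded_step(state, event):
    """Controller with no interlock: every event is simply applied."""
    beam, door = state
    if event == "open_door":
        door = "open"
    elif event == "close_door":
        door = "closed"
    elif event == "beam_on":
        beam = "on"
    elif event == "beam_off":
        beam = "off"
    return (beam, door)

def guarded_step(state, event):
    """Same controller with an interlock: the hazardous combination is refused."""
    beam, door = state
    if event == "beam_on" and door == "open":
        return state              # refuse to energize with the door open
    if event == "open_door":
        return ("off", "open")    # opening the door trips the beam off
    return unguarded_step(state, event)

def explore(step_fn, start, events):
    """Breadth-first traversal: {state: (parent_state, event)} for every reachable state."""
    parents = {start: None}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        for event in events:
            nxt = step_fn(state, event)
            if nxt not in parents:
                parents[nxt] = (state, event)
                queue.append(nxt)
    return parents

def find_hazard_path(step_fn, start, is_hazard, events):
    """Shortest event sequence from start to a hazardous state, or None if unreachable."""
    parents = explore(step_fn, start, events)
    for state in parents:         # dict keeps BFS discovery order, so the first hit is shortest
        if is_hazard(state):
            path = []
            while parents[state] is not None:
                state, event = parents[state]
                path.append(event)
            return path[::-1]
    return None
```

The returned trace is what the analyst inspects: here the unguarded model yields `["open_door", "beam_on"]`, and the guarded model yields no path over its three reachable states.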