Deriving safety properties of critical software from the system risk analysis, application to ground transportation systems

Safety properties of critical software are consequences of the application safety properties (i.e. the front collision of two trains must not occur), and of the system design choices. The paper presents the first results of a SNCF and CESIR joint research project whose purpose is to design a constructive and formal method to derive, at each design level, the safety properties of subsystems from the System Preliminary Hazard Analysis. One of the goals of this method is to obtain, at the lowest level, properties of the safety software which can be checked either by formal proof or by testing. The method relies on two concepts: the safety kernel, proposed by J. Rushby (1989), and a generalization and formalization of the notion of “restrictivity”, used in classical safe hardware design. An application to the Maggaly (Lyon Subway) automatic pilot is presented