An Approach to Designing Safe Embedded Software

  • Nancy G. Leveson
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2491)


The complexity of most embedded software limits our ability to assure safety after the fact, e.g., by testing or formal verification of code. Instead, achieving high confidence in safety requires considering it from the start of system development and designing the software to reduce the potential for hazardous behavior. This paper describes an approach to building safety into embedded software that integrates system hazard analysis, user task analysis, traceability, and informal specifications combined with executable and analyzable models. The approach has been shown to be feasible and practical by applying it experimentally to complex systems and by its use on real projects.







Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Nancy G. Leveson, Massachusetts Institute of Technology, Cambridge, USA
