The 11th IASTED International Conference on
Software Engineering
SE 2012

June 18 – 20, 2012
Crete, Greece


The engineering of safety- and security-related requirements for software-intensive systems

Mr. Donald Firesmith
Carnegie Mellon University, USA


Many software-intensive systems have significant safety and security ramifications and need to have their associated safety- and security-related requirements properly engineered. Unfortunately, inadequate requirements are a major cause of accidents involving software-intensive systems, and poor security requirements often impede the early incorporation of security concerns into the architecture. In practice, there is very little interaction between the requirements, safety, and security disciplines and little collaboration between their respective communities; most requirements engineers, safety engineers, and security engineers know little about each other's disciplines. Also, safety and security engineering typically concentrate on architectures and designs rather than on requirements, because hazard and threat analysis typically depends on the identification of hardware and software components whose failure can cause accidents and whose vulnerabilities can enable attacks. The result is safety- and security-related requirements that are often ambiguous, incomplete, or missing altogether.
The tutorial begins with a single realistic example of a safety- and security-critical system, which is used throughout to provide good examples of safety- and security-related requirements. The tutorial provides a consistent ontology of safety, security, and requirements concepts, gives clear definitions and descriptions of the different kinds of safety- and security-related requirements, and finishes with a practical process for producing them.
During the last two years, earlier versions of this tutorial were given at the Kärnteknik-2011 (Nuclear Technology 2011) Nordic Symposium in Stockholm, at the System Engineering Challenges International Workshop (RuSEC 2010) in Moscow, Russia, and at the 32nd ACM/IEEE International Conference on Software Engineering (ICSE'2010) in Cape Town, South Africa. A book of the same title is scheduled to be completed this year.


The objective of the tutorial is to provide an understanding of the basic concepts underlying safety, security, and requirements engineering, as well as a cohesive, consistent process for effectively and efficiently engineering safety- and security-related requirements.

Tutorial Materials

The tutorial begins with an overview of a realistic safety- and security-critical system that is used as an ongoing example: an automated people mover to be used by patrons of a very large zoo. The tutorial provides enough information about the example to let attendees practice engineering the system's different kinds of safety- and security-related requirements.
The second section of the tutorial provides an ontology defining the fundamental concepts underlying safety, security, and requirements engineering.
The third section of the tutorial identifies, defines, and discusses the four major kinds of safety- and security-related requirements: (1) safety and security requirements (a form of quality requirement), (2) safety- and security-significant requirements (including safety- and security-critical functional, data, interface, and other quality requirements), (3) safety and security subsystem/functional requirements, and (4) safety and security constraints. Techniques for engineering each of these kinds of requirements are presented, together with examples of each.
The fourth and final section of the tutorial covers the relevant subset of safety and security engineering and provides a generic process for producing safety- and security-related requirements. After an overview, it covers safety/security program planning, during which safety and security policies are identified and safety/security goals are included in ConOps documents or vision statements. Next it covers safety/security analysis, consisting of asset analysis, safety/security event (i.e., accident, attack, and incident) analysis, system-external agent/attacker analysis, system-internal vulnerability analysis, danger (hazard/threat) analysis, safety/security risk analysis, safety/security significance analysis, and defense (safeguard/countermeasure) analysis. Finally, it covers requirements identification, analysis, and specification, during which the four kinds of safety- and security-related requirements are identified, analyzed, and specified.

Target Audience

The intended audience of this tutorial includes requirements engineers, safety engineers, security engineers, consultants, academics, and anyone interested in the engineering of safety- and security-related requirements.

Background Knowledge Expected of the Participants

A very basic understanding of requirements engineering, safety, and security is useful, but not necessary.

Qualifications of the Instructor(s)

Donald Firesmith is a senior member of the technical staff at the SEI, working in the acquisition support program, where he helps the US Department of Defense acquire large, complex software-intensive systems. With over 25 years of industry experience, he has published 5 software engineering books, primarily in the areas of process and object orientation, and is currently finishing the manuscript of the book on which this tutorial is built. He is the founding chair of the OPEN Process Framework (OPF) Repository organization, which provides the world's largest free open-source website documenting over 1,100 reusable method components. He writes a regular column on requirements engineering in the Journal of Object Technology (JOT). He has published dozens of articles, spoken at numerous conferences, and served as program chair or program committee member for several conferences. He has taught several hundred courses in industry and many tutorials at conferences.