Page 317 - Software and Systems Requirements Engineering in Practice
Chapter 11: Hazard Analysis and Threat Modeling (p. 279)
Requirements in a domain considered safety critical need to have special attributes so that they can be mined for metrics. These are some of the attributes:

• Is the requirement part of a safety-critical system?
• Has this requirement been checked to see if a hazard analysis needs to be performed?
• If so, is the requirement associated with a hazard analysis (hyperlink to hazard analysis)?
• Does the requirement need mitigation (traces to mitigating requirements)?

The attributes should be filled out at the appropriate level so that a query will provide valid metrics. The attributes are usually associated with the highest level requirement associated with the hazard. Typical metrics that might be associated with hazard analysis for a product or system are shown in Table 11.2.

Note that the metrics shown in Table 11.2 rely on the assignment of levels to requirements, and level-sensitive queries to return metrics. We know from the requirements pyramid that there is an explosion of lower-level system requirements from higher-level customer requirements, both functional and nonfunctional. Conducting a hazard analysis at the wrong level might result in either overlooking potential hazards or an overwhelming amount of effort needed.

The maturity of organizations’ RE processes can have an impact on the effort to conduct a hazard analysis. Consider two situations
Metric: % of requirements checked for a potential hazard
How Calculated: Total requirements at designated level vs. requirements checked at that level
Interpretation: This metric provides an estimate of the amount of work necessary to complete the hazard analysis. It also provides an indication of how stable the system architecture is. If the ratio is low, any architecture may need to be changed significantly to support mitigating functional or nonfunctional requirements.

Metric: % of requirements that need a mitigation
How Calculated: % of requirements at designated level that have been identified as needing mitigation
Interpretation: The higher this number is, the greater the potential risk of building the product or system. A high percent of requirements needing mitigation may be an indication of an unsafe design.

TABLE 11.2 Sample Hazard Analysis Metrics
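As an added illustration (not from the book), the attributes listed above can be modelled as fields on each requirement and the two metrics of Table 11.2 computed with a level-sensitive query; the attribute names, the level numbering and the sample requirements are constructed here, and the consistency check for half-filled attributes is an addition beyond what the table states.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Requirement:
    rid: str
    level: int                 # 1 = customer level; larger numbers = lower system levels
    safety_critical: bool      # part of a safety-critical system?
    hazard_checked: bool = False        # checked whether a hazard analysis is needed?
    hazard_analysis: Optional[str] = None  # link to the hazard analysis, if one exists
    needs_mitigation: bool = False      # does the requirement need mitigation?
    mitigated_by: List[str] = field(default_factory=list)  # traces to mitigating reqs

def hazard_metrics(reqs: List[Requirement], level: int) -> Dict[str, float]:
    """Level-sensitive query: the two metrics of Table 11.2 for one level only."""
    scope = [r for r in reqs if r.level == level and r.safety_critical]
    if not scope:
        return {"pct_checked": 0.0, "pct_need_mitigation": 0.0}
    checked = sum(r.hazard_checked for r in scope)
    needing = sum(r.needs_mitigation for r in scope)
    return {"pct_checked": 100 * checked / len(scope),
            "pct_need_mitigation": 100 * needing / len(scope)}

def attribute_gaps(reqs: List[Requirement]) -> List[str]:
    """Half-filled attributes that would make the query return invalid metrics."""
    gaps = []
    for r in reqs:
        if r.hazard_analysis and not r.hazard_checked:
            gaps.append(f"{r.rid}: has hazard analysis but not marked as checked")
        if r.needs_mitigation and not r.mitigated_by:
            gaps.append(f"{r.rid}: needs mitigation but traces to no mitigating requirement")
    return gaps

# Constructed sample: a few customer-level (level 1) requirements and the larger
# set of system-level (level 2) requirements derived from them (the "explosion").
SAMPLE = [
    Requirement("CR-1", 1, True, hazard_checked=True, hazard_analysis="HA-1",
                needs_mitigation=True, mitigated_by=["SR-1.3"]),
    Requirement("CR-2", 1, True, hazard_checked=True),
    Requirement("CR-3", 1, True),                          # not yet checked
    Requirement("CR-4", 1, False),                         # not safety critical: out of scope
    Requirement("SR-1.1", 2, True, hazard_checked=True),
    Requirement("SR-1.2", 2, True, hazard_checked=True, hazard_analysis="HA-1",
                needs_mitigation=True),                    # missing trace: flagged as a gap
    Requirement("SR-1.3", 2, True, hazard_checked=True),   # the mitigating requirement
    Requirement("SR-2.1", 2, True),
    Requirement("SR-2.2", 2, True),
    Requirement("SR-3.1", 2, True, hazard_analysis="HA-2"),  # analysis exists, not marked checked
]
```

Running `hazard_metrics(SAMPLE, 1)` and `hazard_metrics(SAMPLE, 2)` shows how the same project reports different coverage depending on the level queried, which is the point the text makes about choosing the level; `attribute_gaps(SAMPLE)` lists the records that would distort either number.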