In this report I detail a System-Theoretic Process Analysis (STPA) hazard analysis of the tool integration of development environments for embedded systems. Building on results from previous studies I generalize and expand on earlier findings regarding the relationship between safety and tool integration.
To prepare for the analysis I customized STPA for the context of tool integration. This customization allowed me to subsequently design and analyze three versions of a tool chain originally provided by an industrial partner. A net result of 85, 98 and 73 risks was identified, in comparison to 25 integration weaknesses identified through expert knowledge. The design of the different versions of the tool chain and a comparison of the identified risks with the integration weaknesses allowed me to validate the usefulness of STPA for both identifying and correctly categorizing risks and causes in the context of tool integration. An analysis of my results also points out that STPA is not a silver bullet: without enough expertise it is easy to omit important parts of process models and thus arrive at incomplete conclusions.
In regard to the relationship between safety and tool integration, nine properties were identified that need to be supported correctly to avoid hazards in the context of tool integration. These properties require support throughout a noticeable part of a development environment to have an impact, and derive much of that impact from the possibility of centralizing them. They also interrelate, so that often several of them need to be handled to mitigate one type of risk. However, introducing support for them across a whole development environment is likely to be costly, or even impossible. Furthermore, introducing support for these properties will mitigate some risks, but also create other risks at higher levels of organization.
These properties therefore point to the size of a development environment, the number of contexts towards which the development environment can be verified, and the effort required to ensure the added requirements at higher levels of organization as deciding factors on whether the effort to support them should be made (other efforts, more efficient in those particular cases, could otherwise be considered). The existence of these properties also points to the possibility of developing and pre-qualifying tools and tool chains based on the assumption that some or all of these properties will be supported by the final development environment. This could potentially lower, or at least distribute, the cost of the final qualification.
KTH Royal Institute of Technology, 2012. 65 p.