Tim Patrick Kelly

The University of York · Department of Computer Science

MA Cantab, DPhil York

About

233
Publications
70,867
Reads
4,640
Citations
Additional affiliations
January 1998 - December 2010
The University of York

Publications (233)
Conference Paper
Full-text available
Safety analysis is an important aspect in Safety-Critical Systems Engineering (SCSE) to discover design problems that can potentially lead to hazards and eventually, accidents. Performing safety analysis requires significant manual effort; its automation has become the research focus in the critical system domain due to the increasing complexity...
Article
The paper, by Simon Foster, Yakoub Nemouchi, Mario Gleirscher, Ran Wei and Tim Kelly, published in The Formal Aspects of Computing—Applicable Formal Methods (June 2021), explores the introduction of Isabelle/SACM into formal methods of assurance.
Article
Full-text available
Assurance cases are often required to certify critical systems. The use of formal methods in assurance can improve automation, increase confidence, and overcome errant reasoning. However, assurance cases can never be fully formalised, as the use of formal methods is contingent on models that are validated by informal processes. Consequently, assura...
Preprint
The open and cooperative nature of Cyber-Physical Systems (CPS) poses new challenges in assuring dependability. The DEIS project (Dependability Engineering Innovation for automotive CPS. This project has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No 732242, see http://www.deis-pro...
Preprint
Assurance cases are often required to certify critical systems. The use of formal methods in assurance can improve automation, increase confidence, and overcome errant reasoning. However, assurance cases can never be fully formalised, as the use of formal methods is contingent on models that are validated by informal processes. Consequently, assura...
Preprint
Full-text available
Cyber-Physical Systems (CPS) harbor the enormous potential for societal improvement in terms of safety, comfort and economic efficiency. However, these benefits will only be unlocked if the safety of these systems can be assured with a sufficient level of confidence. Traditional safety engineering and assurance approaches alone cannot address the C...
Chapter
Full-text available
Cyber-Physical Systems (CPS) harbor the enormous potential for societal improvement in terms of safety, comfort and economic efficiency. However, these benefits will only be unlocked if the safety of these systems can be assured with a sufficient level of confidence. Traditional safety engineering and assurance approaches alone cannot address the C...
Conference Paper
For modern safety-critical systems we aim to simultaneously maintain safety whilst taking advantage of the benefits of system interconnectedness and faster communications. Many standards have recognised and responded to the serious security implications of making these connections between systems that have traditionally been closed. In addition, th...
Conference Paper
Full-text available
Ensuring appropriate dependability of modern industrial systems is becoming more and more challenging due to the rising complexity of modern embedded systems and the introduction of connectivity, possibly leading to ad-hoc creation of systems' configuration. State-of-the-art dependability analysis techniques, applied during design phase, provide l...
Chapter
Assurance cases (ACs) are often required to certify critical systems. The use of integrated formal methods (FMs) in assurance can improve automation, increase confidence, and overcome errant reasoning. However, ACs can rarely be fully formalised, as the use of FMs is contingent on models that are validated by informal processes. Consequently, assur...
Preprint
Full-text available
Assurance cases (ACs) are often required to certify critical systems. The use of integrated formal methods (FMs) in assurance can improve automation, increase confidence, and overcome errant reasoning. However, ACs can rarely be fully formalised, as the use of FMs is contingent on models that are validated by informal processes. Consequently, assur...
Article
Safety-critical systems are of paramount importance for many application domains, where safety properties are a key driver to engineer critical aspects and avoid system failures. For the benefits of large-scale reuse, software product lines (SPL) have been adopted in critical systems industry. However, the integration of safety analysis in the SPL...
Chapter
Current research presents several approaches to safety-security technical risk analysis. Indeed, many safety standards now have the requirement that security must be considered. However, with greater knowledge of what makes assuring both attributes in an industrial context difficult, it becomes clear that it is not just the technical assurance that...
Chapter
Regulatory bodies, industry and academia present a plethora of approaches for risk analysis and engineering for safety and security. However, few standards and approaches discuss the management of both safety and security risks. Fewer yet provide detail on how the two attributes interact within a given system. In this paper, the Safety-Security Ass...
Preprint
Full-text available
Assurance cases are often required as a means to certify a critical system. Use of formal methods in assurance can improve automation, and overcome problems with ambiguity, faulty reasoning, and inadequate evidentiary support. However, assurance cases can rarely be fully formalised, as the use of formal methods is contingent on models validated by...
Preprint
Full-text available
Assurance cases are used to demonstrate confidence in system properties of interest (e.g. safety and/or security). A number of system assurance approaches are adopted by industries in the safety-critical domain. However, the task of constructing assurance cases remains a manual, trivial and informal process. The Structured Assurance Case Metamodel...
Article
Assurance cases are used to demonstrate confidence in system properties of interest (e.g. safety and/or security). A number of system assurance approaches are adopted by industries in the safety-critical domain. However, the task of constructing assurance cases remains a manual, lengthy and informal process. The Structured Assurance Case Metamodel...
Preprint
Full-text available
Integrated safety and security assurance for complex systems is difficult for many technical and socio-technical reasons such as mismatched processes, inadequate information, differing use of language and philosophies, etc. Many co-assurance techniques rely on disregarding some of these challenges in order to present a unified methodology. Even wi...
Article
Integrated safety and security assurance for complex systems is difficult for many technical and socio-technical reasons, such as mismatched processes, inadequate information, differing use of language and philosophies, etc. Many co-assurance techniques rely on disregarding some of these challenges to present a unified methodology. Even with this s...
Conference Paper
Full-text available
System assurance cases are used to demonstrate confidence in system properties of interest (e.g. safety and/or security). They are key artefacts for safety and/or security acceptance for systems before they become operational. Cyber-Physical Systems (CPS) form a new technological frontier for their vast economic and societal potentials in various d...
Article
It is a common practice in modelling languages to provide their users with a set of visual notations as a representation of semantic constructs. The use of visual notation is believed to help communicate complex information, especially when communicating with non-technical users. Therefore, research in the design of visual notation continues to evo...
Conference Paper
Full-text available
Integrated safety and security assurance for complex systems is difficult for many technical and socio-technical reasons such as mismatched processes, inadequate information, differing use of language and philosophies, etc. Many co-assurance techniques rely on disregarding some of these challenges in order to present a unified methodology. Even wi...
Conference Paper
Software systems are increasingly expected to cope with variable workloads, component failures and other uncertainties through self-adaptation. As such, self-adaptive software has been the subject of intense research over the past decade [3, 4, 9, 10].
Chapter
The open and cooperative nature of Cyber-Physical Systems (CPS) poses new challenges in assuring dependability. The DEIS project (Dependability Engineering Innovation for automotive CPS. This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 732242, see http://www.deis-pro...
Article
Full-text available
In system development, epistemic uncertainty is an ever-present possibility when reasoning about the causal factors during hazard analysis. Such uncertainty is common when complicated systems interact with one another, and it is dangerous because it impairs hazard analysis and thus increases the chance of overlooking unsafe situations. Uncertainty...
Conference Paper
Full-text available
Some researchers have attempted to tailor agile methods to comply with specific standards (e.g. SafeScrum and IEC61508). However, this risks over-configuring the agile method in such a way as to make it difficult to apply it to another safety standard. Our approach sought to look at the problems of addressing the more fundamental principles of safe...
Conference Paper
Full-text available
In system development, epistemic uncertainty is an ever-present possibility when reasoning about the causal factors during hazard analysis. Such uncertainty is common when complicated systems interact with one another, and it is dangerous because it impairs hazard analysis and thus increases the chance of overlooking unsafe situations. Uncertainty...
Article
Full-text available
Digitally enabled healthcare services combine socio-technical resources to deliver the required outcomes to patients. Unintended operation of these services may result in adverse effects to the patient. Eliminating avoidable harm requires a systematic way of analysing the causal conditions, identifying opportunities for intervention. Operators of s...
Article
Full-text available
Building on concepts drawn from control theory, self-adaptive software handles environmental and internal uncertainties by dynamically adjusting its architecture and parameters in response to events such as workload changes and component failures. Self-adaptive software is increasingly expected to meet strict functional and non-functional requireme...
Article
Full-text available
Interventions to reduce risk often have an associated cost. In UK industries decisions about risk reduction are made and justified within a shared regulatory framework that requires that risk be reduced as low as reasonably practicable. In health care no such regulatory framework exists, and the practice of making decisions about risk reduction is...
Conference Paper
Safety cases play a significant role in the development of safety-critical systems. The key components in a safety case are safety arguments, that are designated to demonstrate that the system is acceptably safe. Inappropriate reasoning with safety arguments could undermine a system’s safety claims which in turn contribute to safety-related failure...
Conference Paper
When creating an assurance justification for a critical system, the focus is often on demonstrating technical properties of that system. Complete, compelling justifications also require consideration of the processes used to develop the system. Creating such justifications can be an onerous task for systems using complex processes and highly integr...
Conference Paper
Full-text available
As part of our research concerning the integration of assurance case development with Scrum, we are planning to conduct semi-structured interviews with participants to gain feedback on a proposed approach. We will be interviewing individuals who have been involved with safety-critical systems development and Agile methods. Participants will be pres...
Conference Paper
The 4+1 principles document common principles of software safety assurance that can be observed from software safety standards and best practice. These principles are constant across domains and across projects, and can be regarded as the immutable core of any software safety justification. The principles also help maintain understanding of the 'bi...
Article
In this paper we describe the results of a recent practitioner survey designed to elicit the opinions as to the challenges and opportunities posed by the application of agile development methods in the field of safety critical systems development. In particular, the survey explored the relationship between three key activities in safety engineering...
Article
Full-text available
Healthcare organisations are often encouraged to learn from other industries in order to develop proactive and rigorous safety management practices. In the UK safety-critical industries safety cases have been used to provide justification that systems are acceptably safe. There has been growing interest in healthcare in the application of...
Article
Full-text available
Software Product Lines (SPL) provides an engineering basis for the systematic reuse of artefacts used for development, assessment, and management of critical embedded systems. Hazards and their causes may change according to the selection of variants in a particular SPL product. As such, existing safety analysis assets such as fault trees and FMEA...
Article
Full-text available
Context: Many critical systems must comply with safety standards as a way of providing assurance that they do not pose undue risks to people, property, or the environment. Safety compliance is a very demanding activity, as the standards can consist of hundreds of pages and practitioners typically have to show the fulfilment of thousands of safety-r...
Conference Paper
Full-text available
Safety cases present the arguments and evidence that can be used to justify the acceptable safety of a system. Many secondary factors such as the tools used, the techniques applied, and the experience of the people who created the evidence, can affect an assessor's confidence in the evidence cited by a safety case. One means of reasoning about this...
Conference Paper
Full-text available
Safety cases play a significant role in the development of safety-critical systems. The key components in a safety case are safety arguments, that are designated to demonstrate that the system is acceptably safe. Inappropriate reasoning with safety arguments could undermine a system's safety claims which in turn contribute to safety-related failure...
Conference Paper
Full-text available
The FMEA/FMECA analysis technique has been used for over 30 years in the automotive industry in the context of product quality and robustness. More recently the discipline of functional safety has been adopted by the industry for analysing software-based control systems. Both of these approaches seek to predict undesirable outcomes that may occur a...
Article
Full-text available
The FMEA/FMECA analysis technique has been used for over 30 years in the automotive industry in the context of product quality and robustness. More recently the discipline of functional safety has been adopted by the industry for analysing software-based control systems. Both of these approaches seek to predict undesirable outcomes that may occur a...
Conference Paper
Full-text available
Safety critical systems developed as part of a product line must still comply with safety standards. Standards use the concept of Safety Integrity Levels (SILs) to drive the assignment of system safety requirements to components of a system under design. However, for a Software Product Line (SPL), the safety requirements that need to be allocated t...
Article
In this paper we describe how the automated instantiation of assurance case arguments will require information to be extracted from multiple models of a system and its environment and engineering processes, e.g. safety and verification processes. For this to be done successfully the dependencies between the models must be explicitly, completely and...
Conference Paper
Full-text available
Cyber-physical systems are characterized by an increasing number of interconnected features implementing complex functionalities. In many domains, these new functionalities perform more and more safety-critical tasks. To argue about the safety of such systems Safety Cases are a proven technique that allows a systematic argumentation. Safety Cases...
Conference Paper
Full-text available
Cyber-physical systems are characterized by an increasing number of interconnected features implementing complex functionalities. In many domains, these new functionalities perform more and more safety-critical tasks. To argue about the safety of such systems Safety Cases are a proven technique that allows a systematic argumentation. Safety Cases...
Conference Paper
Full-text available
The effective reuse of design assets in safety-critical Software Product Lines (SPL) would require the reuse of safety analyses of those assets in the variant contexts of certification of products derived from the SPL. This in turn requires the traceability of SPL variation across design, including variation in safety analysis and safety cases. In...
Conference Paper
Full-text available
Engineers of safety-critical systems have a duty to address ethical issues that may arise in the development, assessment, operation and maintenance of these systems. Dealing with ethical dilemmas during safety risk assessment is particularly challenging, especially when making and justifying decisions concerning risk acceptability. This is particu...
Conference Paper
Assurance cases are used to demonstrate confidence in properties of interest for a system, e.g. for safety or security. A model-based assurance case seeks to bring the benefits of model-driven engineering, such as automation, transformation and validation, to what is currently a lengthy and informal process. In this paper we develop a model-based a...
Conference Paper
Full-text available
When using a D-MILS approach for high-assurance systems it is often necessary to develop an assurance case, containing an argument supported by evidence, that demonstrates that the system has the required assurance properties (such as security or safety). In this paper, we describe our approach for developing a D-MILS assurance case, which is based...
Article
Full-text available
Assurance cases are used to demonstrate confidence in properties of interest for a system, e.g. for safety or security. A model-based assurance case seeks to bring the benefits of model-driven engineering, such as automation, transformation and validation, to what is currently a lengthy and informal process. In this paper we develop a model-based a...
Data
Full-text available
Article
To date, work on the development of assurance cases has largely been concerned with the broad structure and content of arguments to contextualise the data. However, at a more detailed level, use of natural language in an argument can lead to conflicting terminology, to difficulties in understanding the nature of the claims being made or to logical...
Article
Full-text available
Software systems that rely on ad-hoc networks are increasingly complex and prevalent. Some of these systems provide vital functionality to emergency services, military operations, and disaster relief; such systems may have significant impact on the safety of people involved in those operations. It is therefore important that those networks support...
Conference Paper
Full-text available
A ‘strategy’ in Goal Structuring Notation (GSN) aims to help safety-case developers and reviewers to understand the inferences in a hierarchy of safety claims. However, the identification and elaboration of ‘strategies’ in argument development is not always straightforward in practice. In this paper, we revisit the role of strategies in the develop...
Conference Paper
Dealing with uncertainty is an important and difficult aspect of analyses and assessment of complex systems. A real-time large-scale complex critical system involves many uncertainties, and assessing probabilities to represent these uncertainties is itself a complex task. Currently, the certainty with which safety requirements are satisfied and the...
Conference Paper
The interest in and need for new safety assurance and certification approaches is undoubtedly increasing. First of all, critical systems are becoming more pervasive every day. They are used for a wide range of daily activities related to transportation, healthcare, or energy consumption, and for increasingly novel applications. Fully implantable ar...
Conference Paper
One means of supporting software evolution is to adopt an architecture where the function of the software is defined through reconfiguring the flow of execution and parameters of pre-existing components. For such software it is desirable to maximise the reuse of assurance assets, and minimise re-verification effort in the presence of change. In thi...
Article
Full-text available
Ada User Journal, Volume 22, Number 1, March 2001. To date, work on the development of assurance cases has largely been concerned with the broad structure and content of arguments to contextualise the data. However, at a more detailed level, use of natural language in an argument can lead to conflicting terminology, to diffic...
Conference Paper
Full-text available
In many safety-critical industries, developers and operators are required to construct and present well-reasoned arguments that their systems achieve acceptable levels of safety. These arguments (together with supporting evidence) are typically referred to as a “safety case”. Safety arguments historically have been communicated through narrati...