978-1-4244-2173-2/08/$25.00 ©2008 IEEE

Interface Hazard Analysis for System of Systems

Patrick J. Redmond
System Certification and Integrity, Directorate General Technical Airworthiness
RAAF Base Williams, Laverton VIC 3027, Australia
patrick.redmond@defence.gov.au

James Bret Michael and Paul V. Shebalin
Department of Computer Science and Department of Systems Engineering
Naval Postgraduate School, Monterey, CA 93943 USA
bmichael@nps.edu, pshebali@nps.edu

Abstract - The next generation of military capabilities will hinge on systems of systems. Such systems can introduce emergent hazards that must be adequately dealt with before the system of systems can be employed. Traditional hazard analysis techniques do not address the complexity and size of systems of systems. In this paper we describe a technique for conducting interface hazard analysis for systems of systems. The technique is compatible with current system safety processes.

Keywords: Hazard analysis, interface, system of systems, safety, software

1 Introduction

There are currently several large, high-profile Department of Defense acquisition programs that are seeking to develop systems of systems to address mission needs that might otherwise prove impossible to support. A system of systems is an integrated set of systems that uses each system in a coordinated fashion to achieve a mission that the individual systems cannot achieve on their own. The Ballistic Missile Defense System (BMDS) and the U.S. Army's Future Combat System (FCS) are examples of systems of systems. These systems of systems are extremely large, complex and safety-critical. They employ interdependencies that further complicate system operation. Responsible employment of a system of systems requires a system safety program that ensures that the risk of employment is tolerable. However, traditional system hazard analysis techniques do not help the safety engineer cope with the size or complexity of systems of systems [2].
In addition, a system of systems can be reconfigurable, making it challenging to characterize the behavior of the system of systems from a safety perspective. New hazard analysis techniques are required to deal with systems of systems. These techniques must be capable of handling the large scale of a system of systems and produce meaningful results while remaining economically practical. In this paper we discuss the characteristics of systems of systems that render most hazard analysis techniques ineffective, and the requirements that any new hazard analysis technique must meet. The large scale of systems of systems, and the potentially large number of hazards, mean that hazard analysis must be subdivided into manageable pieces; this can be done by subdividing the full set of hazards into coherent hazard types that can be addressed individually. We introduce a technique for analyzing interface hazards for systems of systems.

2 System Hazard Analysis

The primary task within a system safety program is a hazard analysis. Hazard analyses can be performed at different times within the system life cycle, at different levels within the system design, and for the purpose of identifying different types of hazards. A system safety program should be designed for a specific application, and is likely to include a number of different hazard analyses and several techniques for performing each hazard analysis. The most common hazard analysis is a system hazard analysis, which commences early in the life cycle (as soon as sufficient data is available for the relevant hazard analysis technique) and continues as the system evolves. The purpose of a system hazard analysis is to identify and assess system-level hazards. System-level hazards are primarily hazards associated with the interfaces and interactions between subsystems, but may also include potentially safety-critical human errors [3]. There are a large number of techniques for conducting a system hazard analysis.
A system hazard analysis technique must support both identifying hazards in a cost-effective fashion and employing a formal approach that either provides complete coverage of the system, or clearly identifies the aspects of the system that have not been analyzed. The choice of a system hazard analysis technique is application specific, and will depend upon the criticality and complexity of the system as well as the amount of system information that is available. The primary output of a system hazard analysis is a system hazard analysis report. This report is effectively a list of all system hazards, including an assessment of the risk associated with each hazard and the recommended strategy for mitigating each hazard.

3 Systems of Systems Hazard Analysis

A system-of-systems hazard analysis should be conducted within the system safety program in order to maximize compatibility with system hazard analyses and to minimize the impact on the training, experience and knowledge base of the system safety engineering