Research Home
Current Research
Past Research
Seminar Series


Past Research Successes

The HISE group has had a number of successes in developing tools and techniques that have been adopted by industry and academia. The following are a few examples:


CADiZ is a set of free software tools that supports the ISO Standard Z notation. CADiZ was begun in mid-1989, when Professors John McDermid and Ian Wand decided that York needed to build a Z type-checker due to the absence of any suitable tool. The name CADiZ was suggested by John McDermid. The tool implementation has been done largely by Ian Toyn. This early version was taken up by York Software Engineering Ltd and marketed as a commercial product. It received a BCS Award for outstanding technological achievement in the computing field.

Funding for the CADiZ work has at various times been provided by BAe, BAE SYSTEMS, Daimler-Benz, DRA Malvern, DTI, EPSRC, EU, Rolls-Royce, SERC, and UGC.

For more information on CADIZ please contact Ian Toyn

The Goal Structuring Notation

The Goal Structuring Notation (GSN) was developed by HISE over ten years ago to support the development and presentation of safety arguments within safety cases. The Goal Structuring Notation (GSN) is a graphical argumentation notation that can be used to explicitly represent the individual elements of any safety argument (requirements, claims, evidence and context) and (perhaps more significantly) the relationships that exist between these elements (i.e. how individual requirements are supported by specific claims, how claims are supported by evidence and the assumed context that is defined for the argument). GSN has been adopted by a growing number of companies within safety-critical industries (such as aerospace, railways and defence) for the presentation of safety arguments within safety cases. The following list includes some of the applications of GSN to date:

  • Eurofighter Aircraft Avionics Safety Justification
  • Hawk Aircraft Avionics Safety Justification
  • U.K. Ministry of Defence Site Safety Justifications
  • U.K. Dorset Coast Railway Re-signalling Safety Justification
  • Submarine Propulsion Safety Justifications
  • Safety Justification of UK Military Air Traffic Management Systems
  • Swedish Air Traffic Control Applications
  • Rolls-Royce Trent Engine Control Systems Safety Arguments

In addition, GSN is being increasingly used for purposes outside of safety case development, such as security case development. GSN is now supported by a number of commercial tools.

Whilst the core notation and method of GSN is no longer a research focus for the research group, it is widely used in a number of our ongoing research projects. Research on GSN now focuses upon extensions to the core concept, examining issues such as support for multi-attribute dependability cases, modular safety case development and the explicit description of levels of assurance and confidence in safety arguments.

For more information on GSN please contact Tim Kelly.

Software Safety and Hazard Analysis Techniques

For many years HISE has been investigating practical approaches to software safety and hazard analysis. Two techniques of the techniques developed - SHARD (Software Hazard Analysis and Resolution in Design) and LISA (Low-level Interaction Safety Analysis) - are now being used successfully on projects in industry.


SHARD, a variant of the process industries' HAZOP technique, provides a structured approach to the identification of potentially hazardous behaviour in software systems. SHARD uses a set of guidewords to prompt the consideration of possible failure modes. Based on software failure classification research, five guidewords are used in the SHARD method - omission, commission, early, late and value failure. These guidewords are applied systematically to functions and/or flows in a software design. For example, consider the function provision of "secure and timely data flow" to and from an application process. One possible failure mode prompted by the "omission" guideword could be that the data is not sent from the source. Use of SHARD facilitates the systematic identification of software contributions to system level hazards and the definition of associated software safety requirements.


LISA was developed specifically to study the way in which an operating system manages system resources, both in normal operation and in the presence of hardware failures. Instead of analysing the system functionality, the LISA method focuses on the interactions between the software and the hardware on which it runs. A set of physical resources and timing events is identified, and a set of projected failure modes of these resources is considered. The aim of the analysis is to use a combination of inductive and deductive steps to produce arguments of acceptability demonstrating either that no plausible cause can be found for a projected failure, or that its consequences would always lead to an acceptable system state.

Both SHARD and LISA were used in the design and assessment of software systems in Eurofighter Typhoon. SHARD continues to be used extensively within BAE SYSTEMS.

For more information on SHARD and LISA please contact David Pumfrey.