Generation of hazard relation diagrams: formalization and tool support
Software and Systems Modeling (IF 2), Pub Date: 2020-06-03, DOI: 10.1007/s10270-020-00799-1
Bastian Tenbergen , Thorsten Weyer

The development of safety-critical, software-intensive embedded systems is characterized by the need to identify hazards and to define hazard-mitigating requirements at the earliest possible stage of development, i.e., during requirements engineering. These hazard-mitigating requirements must be adequate in the sense that they must specify the functionality required by the stakeholders in addition to rendering the system sufficiently safe during operation. The adequacy of hazard-mitigating requirements is determined during requirements validation. Yet, validating the adequacy of hazard-mitigating requirements is burdened by the fact that hazards and contextual information about hazards are a work product of safety assessment, whereas hazard-mitigating requirements are a work product of requirements engineering. These work products are poorly integrated, such that during validation the information needed to determine the adequacy of hazard-mitigating requirements is not available to stakeholders. In consequence, there is the risk that inadequate hazard-mitigating requirements remain covert and the system is falsely considered safe. To alleviate this issue, we have previously proposed (Tenbergen et al., in: Proceedings of the 21st international working conference on requirements engineering: foundation for software quality, pp 17–32, 2015), improved, and evaluated (Tenbergen et al. in Requir Eng J 23(2):291–329, 2018. https://doi.org/10.1007/s00766-017-0267-9) a novel diagram type called “Hazard Relation Diagrams.” In this paper, we present a semiautomated formal approach and tool support for their generation. We make use of a running example to illustrate the concepts.


Updated: 2020-06-03