Combined Assessment of Software Safety and Security Requirements: An Industrial Evaluation of the CHASSIS Method

Christian Raspotnig (ATM System Development, Avinor Air Navigation Services, Gardermoen), Peter Karpati (Institute for Energy Technology, Halden, Norway) and Andreas L. Opdahl (Department of Information Science and Media Studies, University of Bergen, Bergen, Norway)
Copyright: © 2018 |Pages: 69
EISBN13: 9781522561071|DOI: 10.4018/JCIT.2018010104
Teaching Case PDF Download
Open access cases are freely available for download
OnDemand PDF Download
Download link provided immediately after order completion


Safety is a fundamental concern in modern society, and security is a precondition for safety. Ensuring safety and security of complex integrated systems requires a coordinated approach that involve different stakeholder groups going beyond safety and security experts and system developers. The authors have therefore proposed CHASSIS (Combined Harm Assessment of Safety and Security for Information Systems), a method for collaborative determination of requirements for safe and secure systems. In this article, the authors evaluate CHASSIS through industrial case studies of two small-to-medium sized suppliers to the air-traffic management (ATM) sector. The results suggest that CHASSIS is easy to use, and that handling safety and security together provides benefits because techniques, information, and knowledge can be reused. The authors conclude that further exploration and development of CHASSIS is worthwhile, but that better documentation is needed—including more detailed process guidelines—to support elicitation of security and safety requirements and to systematically relate them to functional requirements.
InfoSci-OnDemand Powered Search