Safety is typically defined as freedom from accidents or losses [ 7 ]. Thus, safety aims at a methodology avoiding present and potential losses which can be caused by unexpected events (called accidents) or poor (unreliable) service of the system.

Traditionally, an accident is seen as an undesired and unplanned (but not necessarily unexpected) chain of events that results in loss. Sometimes this chain of events does not cause a loss at a given time and under specific conditions, but that loss could potentially be incurred under different conditions; such events are called “near miss” or “incident”.

To manage the avoidance of accidents, safety engineering looks for their possible causes (called hazards) and assesses the probability of an accident along with the seriousness of resultant losses (called risk). A hazard is a state or set of conditions of a system (or an object) that, together with other conditions in the environment of the system (or object), will lead inevitably to an accident (loss event). Thereby, a hazard is defined with respect to the environment of the system or component, and what constitutes a hazard depends upon where the boundaries of the system are drawn.

Risk is the severity of a hazard combined with (1) the likelihood of the hazard leading to an accident (sometimes called danger) and (2) hazard exposure or duration (sometimes called latency) [ 7 ]. A common way to assign risk is through Safety Integrity Level (SIL), but other measures exist, depending of the adopted safety standard [ 8 ].

Reliability is the probability that a piece of equipment or component performs its intended function for a prescribed time and under stipulated environmental conditions. While dependability is concerned with the incidence of failures and aims at increasing reliability; safety is concerned with the occurrence of accidents or mishaps [ 9 ]. Where system failures are defined in terms of system services, safety is defined in terms of external consequences. If the required system services are specified incorrectly, then a system may be unsafe, though perfectly reliable. Conversely, it is feasible for a system to be safe, but unreliable. Enhancing the reliability of software components, though desirable and perhaps necessary, is not sufficient to ensure that they will not contribute to a mishap [ 7 ].

Hazard analysis is the process of identifying the different types of hazards a system may experience and their causes. Hazard analysis is performed at several different stages in the design lifecycle (e.g., preliminary, subsystem, system, and operational hazard analysis), and there are a number of supporting methodologies (e.g., hazard and operability studies, or HAZOPS, fault tree analysis, or FTA, and failure modes and effects analysis, or FMEA [ 7 ], [ 5 ].

The basic idea in safety is to focus on the consequences that must be avoided rather than on the requirements of the system itself (since those might be the very source of undesired consequences). Next, because the occurrence or nonoccurrence of a mishap may depend on circumstances beyond the control of the system under consideration, attention is focused on preventing hazards, which are conditions (i.e., states of the controlled system) that can lead to a mishap, rather than preventing mishaps directly.

Different techniques and strategies can be applied in order to eliminate or mitigate system hazards. Regarding the design of system safety measures, a set of five principles has been defined in [ 10 ], which can be considered general and thus applicable to software.

1) The fail-safe principle. This principle requires that the failure of a component results in an operational state that cannot contribute to the chain of events potentially causing an accident. This principle is not always realizable, but should be considered for every component. 2) The safety margins principle states that the “safe” operational state must be defined with certain distance (or tolerance) from the hazard threshold, so as to accomodate uncertainties. 3) The un-graduated response principle recommends to not apply countermeasures progressively, but to try the most aggressive approach first, in order to block the chain of events potentially leading to a hazard. This can be seen as a reinterpretation of the rules of intrinsically safe design. 4) The defense-in-depth principle is a central principle for safety design, which recommends to define a multiplicity of safety measures, of diverse nature, and acting on different system levels. 5) The observability-in-depth principle requires the system design to provide means to monitor the faulty/non-faulty state of the component, so the user cannot have a false sense of safety due to lack of information.

These principles are related to the notions of hazard and the existence of a chain of event leading to it. Some work has criticized the rigidity of this approach, advocating the use of feedback-loop control in order to identify and act upon hazardous states [ 11 ].

Complementary to the recommendations for the design of safety measures, some researchers have focused on the provision of adequate safety assurance. Assurance cases are documented bodies of evidence that provide valid and convincing arguments that a system is adequately dependable in a given application and environment [ 12 ], [ 13 ]. Assurance cases are widely required by regulation for safety-critical systems in the EU. There have been several graphical notation systems proposed for assurance cases. GSN (Goal Structuring Notation) and CAE (Claim, Argument, Evidence) are such two notation systems, and a standardization effort for these notation systems have been attempted in OMG (Object Management Group). Attempts to give formal semantics to this notation have been published recently [ 14 ].

When elaborating an assurance case for any safety-related system containing software, five principles must be followed [ 12 ]. The first four principles can be considered in isolation, while the fifth principle (called Principle 4+1 by the authors) is transversal to the others.

1) Software safety requirements shall be defined to address the software contribution to system hazards. [Requirement validity] 2) The intent of the software safety requirements shall be maintained throughout requirements decomposition. [Requirement decomposition] 3) Software safety requirements shall be satisfied. [Requirements satisfaction] 4) Hazardous behaviour of the software shall be identified and mitigated. [Hazardous software behaviour] 5) The confidence established in addressing the software safety principles shall be commensurate to the contribution of the software to system risk. It is necessary to provide evidence that the previous four principles have been followed. [Confidence]

Note that the first three principles concern traditional and important aspects of requirements engineering, such as elicitation, decomposition and verification of requirements. The fifth principle is also related to RE through the notions of traceability and accountability, which are needed in order to collect evidence supporting the safety case.

Sustainability has emerged as an area of significant concern regarding the potential consequences for humanity as a result of the rapid depletion of the planet Earth’s finite natural resources, coupled with exponential economic and population growth [ 15 ]. The concept of sustainability has also emerged as an area of research within the field of computing as a result of the pervasiveness and dependency of software systems in society [ 16 ]. For example, the development of sustainable software has been identified as one of the key challenges in the field of computational science and engineering [ 17 ]. While the importance of sustainability is increasingly recognized, many software systems are unsustainable, and the broader impacts of most software systems on sustainability are unknown. However, the concept of sustainability is a term that remains ambiguous and widely abused sixteen years after the Brundtland Commission [ 15 ].

Derived from the Latin sustinere, sustainability can be defined as ‘capable of being endured’ and ‘capable of being ‘maintained’ [ 18 ]. This simplicity of this definition fails to capture the complexity of the the concept that can be viewed from a range of different dimensions [ 19 ]: • Economic: relates to financial aspects and business value.

It includes capital growth and liquidity, questions of investment, and financial operations.. • Environmental: relates to the use of and care for natural resources. It includes questions ranging from immediate waste production and energy consumption to the balance of local ecosystems and concerns of climate change. • Individual: relates to individual freedom and agency (the ability to act in an environment), human dignity and fulfillment. It includes the ability of individuals to thrive, exercise their rights and develop freely. • Social: concerns relationships between individuals and groups. For example, this aspect covers the structures of mutual trust and communication in a social system and the balance between conflicting interests. • Technical: relates to the ability to maintain and evolve artificial systems (such as software) over time. This refers to maintenance and evolution, resilience, and the ease of system transitions.

While there is currently no agreed definition of the concept of sustainability within the field of computing there is growing consensus that sustainability should be considered as a firstclass, non-functional requirement [ 20 ] [ 1 ]. While this position has been suggested by a number of commentators [ 21 ] [ 22 ], it has been made without explicit reference to the characteristics or qualities that sustainability would be composed of. In contrast, Venters et. al., [ 23 ] defined software sustainability as a composite, non-functional requirement which is a measure of a systems: • Extensibility: the software’s ability to be extended and the level of effort required to implement the extension; • Interoperability: the effort required to couple software systems together. • Maintainability: the effort required to locate and fix an error in operational software; • Portability: the effort required to port software from one hardware platform or software environment to another; • Reusability: the extent to which software can be reused in other applications; • Scalability: the extent to which software can accommodate horizontal or vertical growth. • Usability: the extent to which a product can be used by specified users to achieve specified goals with effectiveness, efficiency, and satisfaction in a specified context of use.

However, one of the principal challenges in defining sustainability as a non-functional requirement is how to demonstrate that the quality factors have been addressed in a quantifiable way.

The discussion of how to define sustainability is not limited to the field of computing [ 24 ]. It is suggested that to understand sustainability, we need to ask which system to sustain, for whom, over which time frame, and at what cost [ 25 ]. The point of departure for defining sustainability is the second law of thermodynamics, which states that the state of entropy of the entire universe, as an isolated system, will always increase over time [ 26 ]. Sverdrup and Svensson [ 27 ] argue that in developing rules and criteria for sustainability, it is important to shape these as a set of principles which are free of value judgments and cultural biases. Becker et. al., [ 6 ] argue the software profession lacks a common ground that articulates its role in sustainability design. To address this they proposed a set of sustainability principles to contribute to the conversation on the role of the software systems in undermining and in enabling a sustainable future for our planet.

A system is often defined as set of interacting or interdependent components forming an integrated whole and relationships with a common purpose [ 32 ]. As per this definition, a system is: • made up of components: parts that make up a system i.e.

subsystems; • components are interrelated: one part of the system depends on its’ one or more other parts; • has a boundary, which clearly defines the internal and external limits of the system; • has a purpose, which is the overall function of the system; operates in an environment, which is external to the system and is influenced by or influences the system; • has interfaces, these are point of contact where a system meets its environment or where subsystems meet each other; • operates under constraints, these are the limits to what a system can accomplish within its environment.

A substantial amount of research has been completed in software systems engineering on software modularity and interaction, which essentially aims to realise complex systems through simpler interacting parts in such a way that the interdependencies between the parts are minimised (so called low coupling principle) and the closely related functions and properties are collected into one part (so called high cohesion principle). Yet, SE is also well familiar with the set of properties which do not fit into any single part of a system, but relate to the system as a whole. Such properties are said to be systemic: for a system to provide for this property, each of its sub-parts must do so. Examples of such properties are response time, security, and, as discussed below, safety, and sustainability.

1) Safety: In safety-related domains, safety is treated not as a property of a single component or of a certain part of a given system, but one that the system has to fulfill as a whole. For instance, hazards are identified and defined over end-to-end functions, and only afterwards are decomposed into software safety goals. Although safety is considered an emergent property, in reality what can be observed externally is the lack of safety, which manifests as a violation of the stated safety objectives.

Since a system cannot be inherently safe, the goal of safety is to guarantee that the probability of an accident is as low as reasonably practical [ 7 ]. Through proper analysis, design and development, one can ensure only that all known risks have been removed with a certain budget and up to a certain acceptable level. To ensure that the development process and design are “proper”, each application domain (e.g., aerospace, medical, or chemical product production) that considers safety a pertinent property, provides a detailed process and product regulation/legislation [ 13 ].

In order to analyze safety issues, each safety engineering process will work within clearly defined system boundaries. These boundaries are defined during requirements engineering by an analysis of the surrounding system context and its resource flows and functions. Studies on safety are normally concerned with the immediate effects of the system (due to its direct functions/properties, also called 1st order effects), and those effects that are enabled due to the system (also called indirect or 2nd order effects) [ 33 ]. The cumulative safety effects that could occur due to prolonged and mass use of the system are rarely considered, barring cases where dangerous materials are involved, or alike.

Safety engineering does consider the environment/context within which a given system has to operate. Indeed, it is not possible to reason fully about safety or the lack of it without knowing certain operational details such as: who is going to use the system (user profile), how the system is going to be used (potential operation), for how long it is going to be used (mission time), what type of training the user has, etc. All this information is elicited and captured during requirements engineering.

2) Sustainability: Sustainability too, is systemic, in that for a system to be sustainable all of its sub-parts need to address sustainability as well. Yet, the scope of the system that concerns sustainability is much harder to define; this is because ultimately every socio-technical system consumes certain natural resources, engages societies, and, inevitably, produces waste. Since one of the sustainability dimension is concerned with the environment, all resource consumption and waste generation is pertinent to the sustainability of the planet as a whole. While the consideration of a planetary scope is clearly not feasible for each software systems engineering project, ignoring it could also lead to a false sense of achievement. For instance, exploring electronic waste, or moving data centers to another country does not improve the sustainability of the phone companies, though their effects may not be felt directly by the communities using them in their services. Thus, to help set the scope of sustainability, one must determine what must be sustained, for whom, for how long, and at what cost? [ 25 ]. Yet, while these questions are helpful for knowing what to address, providing meaningful answers to them is still a challenge.

Similar to safety, sustainability cannot be assured without setting the context. Questions normally asked during requirements engineering, like who will be using the system, in which environment, and what are the cultural/organisational norms within that environment?, are very important for the analysis of social sustainability perspectives; whether or not renewable resources are used and/or non-renewables wasted/polluted, etc.

As noted in Section 2, the concept of sustainability comprises 5 dimensions of the system. Interestingly, though these viewpoints are inherently linked, a system can be sustainable in one (or more) of them, and at the same time be unsustainable in others. The best example for this is the economic dimension: a socio-technical system (such as petroleum extraction companies) can be extremely profitable for its owners and shareholders delivering exceptional economic sustainability yet might cause dreadful environmental effects. Similarly, exceptional technical sustainability of software assets can be achieved at the expense of the economic dimension.

Similar to safety, a system cannot be proven to be sustainable. This is because the changing context of the system will inevitably affect the sustainability of the system itself. For instance, changing technology (like new programming languages or environments) or changing user requirements will degrade the technical sustainability of software assets, as well as (eventually) their economic sustainability (if their maintenance costs too much). Thus, sustainability can only be assessed for the given time and state of the system. Such assessments must be repeated periodically throughout system use, expecting that eventually (in time) the un-sustainability will be observed [ 34 ]. In other words, changes in requirements must also be assessed with respect to sustainability.

Giving a general definition of complexity has proven to be difficult [ 35 ]. In the context of system design, complexity is typically defined in terms of the number of elements that constitute the system and the interaction among them and with the environment. According to [ 36 ], a complex system is a system that fulfills several of these conditions: • A high number of components; • strong interaction among the component; • long operation time; • diversity and variability of the components; • demanding environment; • multiplicity of activities/objectives.

Because of these features, it is common for complex systems to exhibit emergent behaviors, i.e. behaviors that can be observed only once all the components are interconnected and the system is operated in a certain context. This is a consequence of the difficulty of reasoning about the causeeffect chains within systems of these characteristics.

1) Safety: According to Leveson, there are many factors that are increasing the complexity of current safety-critical systems. Many of them are caused by the widespread use of software [ 11 ].

• The fast pace of technological change is increasing the diversity and variability of the system components, while reducing the time for training and realizing both the potential and the risks of these new technologies. • Changing nature of accidents. Safety originated in the field of process engineering, where system hazards are typically derived from well-understood and observable physical laws. In contrast, digital systems introduce new failure modes which are much more unpredictable in nature. Overconfidence in redundancy and misunderstanding of failure models of software-implemented components have been related to recent aerospace accidents [ 11 ]. • New types of hazards have appeared, for instance related to loss or corruption of information, which go beyond the traditional conception of hazard as uncontrolled or undesired release of energy. • Decreasing tolerance for single accidents. As technology becomes more predominant in our daily life, it also becomes possible to potentially harm increasing numbers of people and impact future generations. Nuclear and chemical plants are good examples of very demanding safety-critical systems. • Increasing interactive complexity and high coupling. The potential interactions among the components of a computer system very often cannot be thoroughly understood or anticipated. Sometimes complicated systems need to be built, which actually exceed the human intellectual ability to reason. Sometimes it is the information about the system that is incomplete, for instance due to the use of legacy code or because of partial knowledge of the operational environment. The tight coupling of software components allows disruptions or dysfunctional interactions in one part of the system to impact distant parts of the system, making hazard analysis more complicated. • The new, and more sophisticated, relationships between humans and automation make it more difficult to reason about potential interaction problems, creating new human errors and a new distribution of human errors. Humans are still in charge of most of the decision-making processes, while computers are responsible for the automated implementation of those decisions. Adequate communication and HMI are required in order to ensure system observability and prevent accidents due to a false sense of safety.

Most techniques for safety analysis and safety design help in handling complexity. Hazard analysis and risk analysis are techniques that are used during requirements engineering for identifying the critical system functions, thus allowing the system designer to disregard those functions that are not relevant from a safety perspective. Fault-tree analysis and Failure Mode and Effects Analysis help in identifying the elements of the system that are relevant for a certain hazard, which helps in reducing the design and the verification efforts. The purpose of modeling techniques such as GSN is to provide a way to visualize and analyze the complex relationships between arguments of a safety assurance case.

However, it has been argued that as complexity increases, techniques based on event chains, like the ones mentioned above, may be too simple. A new accident model based on systems thinking (STAMP) has been defined by Leveson [ 5 ]. This new model relies on control theory notions and integrates sociotechnical aspects.

2) Sustainability: As a systemic property, sustainability is inherently complex. Its complexity comes from the need to consider the system and its context from at least five perspectives, as well as its three orders of effect on these perspectives [ 33 ].

As in safety, sustainability requires the cooperation of all elements involved. That means not only hardware and software components, but also the people interacting with that software system and the processes surrounding it.

A parallel can also be drawn with respect to the decomposition of the concern. In requirements engineering, sustainability goals may be defined at different levels of abstraction [ 37 ]. High-level concerns (e.g., contribute to a healthy environment) may be decomposed into lower level goals (e.g., optimize energy consumption) and realized by different design strategies (e.g., by using Energy Star qualified hardware [ 38 ], by defining a process that reduces physical waste, or by writing efficient algorithms).

Furthermore, making sure that all elements fulfill their sustainability goals also requires a clear assignment of responsibilities: from the roles responsible for the software development to the users of that system. Eventually, verifying the achievement of these goals requires traceability of both their decomposition and responsibility assignment.

Finally, as with any complex issue, a number of strategies will have to be combined to achieve both safety and sustainability. Small, isolated efforts towards sustainability can be jeopardized by greater sustainability risks or by safety hazards, when these are not taken into account during the elaboration of the system requirements. For example, writing efficient algorithms might be irrelevant when the system encourages mass consumption of unnecessary good. Yet, there are subtle differences. While, in safety, a small loophole, such as a floating point conversion, can expose the system to great unsafety, in sustainability this is less likely to happen. In other words, failing to provide sustainability will, in general, not manifest as an accident or mishap; especially not immediately. Punctual efforts, such as the recycling of obsolete hardware, contribute to sustainability, but have little leverage when compared to challenging the purpose of the system, for example. Requirements engineers are in a great position to point at potential impact and ask questions that might encourage the stakeholders to consider sustainability.

The goal of certification is, in general, to confirm that the characteristics of some object, person or organization conform to a certain definition, or standard. Certification is typically performed externally, by governmental certification agencies. Software, standards usually define the desirable properties of a software product or, alternatively, of a software development process. Adherence to these standards is mandatory in certain fields, such as transportation, energy or healthcare, because of their high social impact.

1) Safety: Safety is a strongly regulated field, with multiple national and international safety standards applied at different levels. So-called functional safety standards concern the elimination of hazards caused by Electrical, Electronic and Programmable Systems. Some authors have discussed and compared existing functional safety standards at length [ 8 ], [ 39 ].

This large amount of standards and regulations shows that responsibility for safety is shifting from the individual to government. Individuals no longer have the ability (or knowledge) to control the risks around them and are demanding that government assume greater responsibility for controlling technology. The application of these standards generates tension with industrial goals, like short time to market or reduced cost.

Each functional safety standard typically defines its own process for system certification, but according to [ 13 ], they can all assimilated to the five safety assurance principles discussed in Section 2: requirements validity, requirements decomposition, requirements satisfaction, hazardous software behaviour and confidence.

2) Sustainability: Standards and certifications on sustainability play a similar role to standards in safety: adherence to them may be needed to convince customers, authorities and the society of commitment to sustainability.

A number of reasons may drive organizations to seek compliance with sustainability standards. On particular, companies might value a sustainable corporate image, in response to a growing demand by the society for organizations with social and environmental corporate practices [ 40 ].

There are a number of standards related to sustainability. Rodrigues and Penzenstadler (2013) observe that their focus vary from sustainability development [ 41 ], [ 42 ], to sustainability reporting [ 43 ], [ 44 ], to sustainable design [ 45 ], [ 46 ], among others. However, most of them are specific to particular industry sectors [ 47 ] and sustainability dimensions, such as the ISO 14000 for Environmental Management [ 41 ] or the ISO 26000 for Social Responsibility [ 42 ]. The authors also observe that software systems and their supporting infrastructures are often not explicitly accounted for in the life-cycle analysis (LCA) of sustainable projects. Instead, LCA normally uses tangible items in their analysis.

One difference worth pointing out is that safety standards can be powerful requirements engineering tools, as they typically help with stakeholder identification and selection of metrics for the development of safety-critical IT systems, e.g. mean time between failures. However, in sustainability, standards are either: (1) concerned with a business organization and its operations [ 41 ], [ 42 ], or (2) or devoted to reducing the use of hazardous material, ensuring energy efficiency, and reducing waste in electronic products [ 48 ], [ 38 ], [ 49 ]. We are missing standards that support the analysis and design of sustainable IT systems, beyond of the selection of green hardware.

Both safe and sustainable systems share, in a broad sense, a common objective: not to harm the environment. The social perception of risk plays an important role when it comes to decide what can be spent in order to fulfill this goal.

1) Perceptions and Costs of Safety: From a technological perspective, safety design adds on costs, since additional work is required, not only for design and verification of the safety goals elicited during requirements engineering, but also importantly for safety assurance. As stated in the fifth principle (4+1) of Section 2, providing confidence about the definition and verification of safety requirements is needed for safety assurance. The ability to collect this information is a significant difference with respect to other software industry. Businesses would reduce this cost when possible, but since the adherence to standards provides access to markets, it can as well be considered an investment.

Socially, it is acceptable to pay for a safer product; for example, an automobile with additional safety features is normally more expensive than one without them, so consumers are prepared to take on the extra cost that business will pass on to them. In terms of marketing, the reputational (social) damage of unsafe goods is very large, so safety costs are also investment into avoiding these losses.

In the SE community, the professional recognition of safety is very high, and it is intimately related to the notion of software bug. Examples of incidents and accidents caused by software bugs are described in lectures and notebooks, and students become familiar with them. Classical examples from many different domains, like the Path Finder and Ariane 5 from aerospace, the Patriot missile from military, Therac-25 from medicine, or the Toyota throttle problem from automotive are part of graduate education and successfully convey the importance of generating high-quality code for critical applications.

In companies developing safety-critical products, safety awareness is very high, it permeates the whole development process and affects all the people involved. This includes customer service, management, organization and engineering activities and is shared by software providers as well.

2) Perceptions and Costs of Sustainability : Similar to the safety domain, high profile sustainability failure cases have driven regulation and business costs. For instance, practices that caused visible water and soil pollution have been tightly regulated in most countries. In such cases, where the impact of unsustainability is apparent, business has had to accept cost of sustainability maintenance.

However, due to the indirectness and longer time scale taken for manifestation of enabling and systemics effects, much of the cost of unsustainable business conduct remains hidden and so, is unaccounted for. For instance, the cost of deforestation in the Amazon forest, where locals clear the forest to make space for crop fields, is distributed across time and space, arguably resulting in accelerated climate change, but is not immediately observed by the logging communities. Similarly, inequality in access to education or health-care leads to loss of potential contribution from talented but disadvantaged individuals, reducing the prosperity of a nation, but this is not directly observed by each member of that nation and does not disturb those who gain from this inequality.

Nevertheless, in recent years, the true costs of sustainability effects have increasingly been gaining recognition. As a results, consumers have become more willing to accept higher costs and express preferences for sustainable products and services (such as organic food, recycled paper, renewable energy, etc.). The political and government bodies have started to impose longer-term sustainability targets and regulations on waste management and use of natural resources.

Sustainability now features as a prominent topic in the recent research funding calls (e.g. Horizon 2020 Work Programme (2014 – 2015), European Commission FP7 Work Programme (2013) for ICT). Sustainability in the software context is also a fast growing research area. A recent systematic mapping study has shown an increase on the number of publications on sustainability and software engineering: from 82 papers published in the last 25 years, 70 belong to the period of 2010 to 2013 [ 1 ]. One of the main challenges to be addressed for Software Engineering, is to establish a clear cause-effect traceability between software engineering activities/processes and the sustainability effect of the produced software. Such relationship is well exemplified in safety, where connection between safety engineering and accident prevention is clearly demonstrated. Requirements engineering has a prominent role in this challenge, as it shapes the scope and the purpose of the system, and therefore, can have the greatest leverage in supporting sustainability.