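% Reference database: system safety, hazard and risk analysis, formal
% verification, and assurance of automated driving.
%
% Conventions used in this file:
%   * classic BibTeX field names (journal, address, school);
%   * one field per line, brace-delimited entries and values;
%   * personal names in "Last, First" form, corporate authors double-braced;
%   * page ranges written in full with a double hyphen;
%   * DOIs stored bare (no "\_" escape), so they must be typeset through a
%     url/doi-aware bibliography style;
%   * editions as capitalised ordinal words.
% Citation keys are unchanged, so existing \cite commands keep working.
% Entries preceded by NOTE(review) lack data that this file does not contain.

@article{Dowell1998,
  author  = {Dowell, III, Arthur M.},
  year    = {1998},
  title   = {Layer of protection analysis for determining safety integrity level},
  journal = {ISA Transactions},
  volume  = {37},
  number  = {3},
  pages   = {155--165},
  doi     = {10.1016/S0019-0578(98)00018-4},
}

% booktitle, editor list, series, volume and publisher are copied from the
% proceedings entry DBLP:conf/safecomp/2016 further down in this file.
@inproceedings{DBLP:conf/safecomp/BackstromBHKK16,
  author    = {B{\"{a}}ckstr{\"{o}}m, Ola and Butkova, Yuliya and Hermanns, Holger and Krc{\'{a}}l, Jan and Krc{\'{a}}l, Pavel},
  year      = {2016},
  title     = {Effective Static and Dynamic Fault Tree Analysis},
  editor    = {Skavhaug, Amund and Guiochet, J{\'{e}}r{\'{e}}mie and Bitsch, Friedemann},
  booktitle = {Computer Safety, Reliability, and Security - 35th International Conference, {SAFECOMP} 2016, Trondheim, Norway, September 21--23, 2016, Proceedings},
  series    = {Lecture Notes in Computer Science},
  volume    = {9922},
  publisher = {Springer},
  pages     = {266--280},
  doi       = {10.1007/978-3-319-45477-1_21},
}

@book{Baier2008,
  author    = {Baier, Christel and Katoen, Joost-Pieter},
  year      = {2008},
  title     = {Principles of Model Checking},
  publisher = {MIT Press},
}

@book{Broy2001,
  author    = {Broy, Manfred and St{\o}len, Ketil},
  year      = {2001},
  title     = {Specification and Development of Interactive Systems: \textsc{Focus} on Streams, Interfaces, and Refinement},
  publisher = {Springer},
  address   = {Berlin},
  doi       = {10.1007/978-1-4613-0091-5},
}

% NOTE(review): incollection requires a booktitle, which this file does not
% give; add it or change the entry type after checking the source.
@incollection{Cook2017,
  author    = {Cook, Stephen P.},
  year      = {2017},
  title     = {An {ASTM} Standard for Bounding Behavior of Adaptive Algorithms for Unmanned Aircraft Operations (Invited)},
  series    = {AIAA SciTech Forum},
  publisher = {American Institute of Aeronautics and Astronautics},
  doi       = {10.2514/6.2017-0881},
}

@inproceedings{Dwyer1999,
  author    = {Dwyer, Matthew B. and Avrunin, G. S. and Corbett, J. C.},
  year      = {1999},
  title     = {Patterns in property specifications for finite-state verification},
  booktitle = {ICSE},
  pages     = {411--420},
  doi       = {10.1109/icse.1999.841031},
}

@inproceedings{Eastwood2013,
  author    = {Eastwood, R. and Kelly, T. P. and Alexander, R. D. and Landre, E.},
  year      = {2013},
  title     = {Towards a safety case for runtime risk and uncertainty management in safety-critical systems},
  booktitle = {System Safety Conference incorporating the Cyber Security Conference 2013, 8th {IET} International},
  pages     = {1--6},
  doi       = {10.1049/cp.2013.1713},
}

@book{Ericson2015,
  author    = {Ericson, Clifton A.},
  year      = {2015},
  title     = {Hazard Analysis Techniques for System Safety},
  edition   = {Second},
  publisher = {Wiley},
}

@phdthesis{Gleirscher2014a,
  author = {Gleirscher, Mario},
  year   = {2014},
  title  = {Behavioral Safety of Technical Systems},
  type   = {Dissertation},
  school = {Technische Universit{\"a}t M{\"u}nchen},
  doi    = {10.13140/2.1.3122.7688},
}

@inproceedings{Gleirscher2017b,
  author    = {Gleirscher, Mario and Kugele, Stefan},
  year      = {2017},
  title     = {Defining Risk States in Autonomous Road Vehicles},
  booktitle = {High Assurance Systems Engineering ({HASE}), 18th Int. Symp.},
  pages     = {112--115},
  doi       = {10.1109/hase.2017.14},
}

% "and others" replaces a hard-coded "et al."; the style renders it.
@inproceedings{Gleirscher2017-NFM,
  author    = {Gleirscher, Mario and Kugele, Stefan},
  year      = {2017},
  title     = {From Hazard Analysis to Hazard Mitigation Planning: The Automated Driving Case},
  editor    = {Barrett, C. and others},
  booktitle = {{NASA} Formal Methods ({NFM}) -- 9th Int. Symp., Proceedings},
  series    = {Lecture Notes in Computer Science},
  volume    = {10227},
  publisher = {Springer},
  address   = {Berlin/New York},
  pages     = {310--326},
  doi       = {10.1007/978-3-319-57288-8_23},
}

% Author accents follow the spelling used in Machin2016 in this file.
% The journal name was given as "Robots and Autonomous Systems"; the DOI
% prefix j.robot belongs to "Robotics and Autonomous Systems".
@article{Guiochet2017,
  author  = {Guiochet, J{\'e}r{\'e}mie and Machin, Mathilde and Waeselynck, H{\'e}l{\`e}ne},
  year    = {2017},
  title   = {Safety-critical Advanced Robots: A Survey},
  journal = {Robotics and Autonomous Systems},
  doi     = {10.1016/j.robot.2017.04.004},
}

@book{Hoare1985,
  author    = {Hoare, Charles A. R.},
  year      = {1985},
  title     = {Communicating Sequential Processes},
  edition   = {First},
  series    = {International Series in Computer Science},
  publisher = {Prentice Hall},
}

@inproceedings{Koopman2016,
  author    = {Koopman, Phil and Wagner, Michael},
  year      = {2016},
  title     = {Challenges in Autonomous Vehicle Testing and Validation},
  booktitle = {{SAE} World Congress},
  doi       = {10.4271/2016-01-0128},
}

@article{Koymans1990,
  author  = {Koymans, Ron},
  year    = {1990},
  title   = {Specifying real-time properties with metric temporal logic},
  journal = {Real-Time Systems},
  volume  = {2},
  number  = {4},
  pages   = {255--299},
  doi     = {10.1007/bf01995674},
}

@inproceedings{DBLP:conf/hase/KumarS17,
  author    = {Kumar, Rajesh and Stoelinga, Mari{\"{e}}lle},
  year      = {2017},
  title     = {Quantitative Security and Safety Analysis with Attack-Fault Trees},
  booktitle = {18th {IEEE} International Symposium on High Assurance Systems Engineering, {HASE} 2017, Singapore, January 12--14, 2017},
  publisher = {{IEEE}},
  pages     = {25--32},
  doi       = {10.1109/HASE.2017.12},
}

@article{DBLP:journals/tse/Lamport77,
  author  = {Lamport, Leslie},
  year    = {1977},
  title   = {Proving the Correctness of Multiprocess Programs},
  journal = {{IEEE} Transactions on Software Engineering},
  volume  = {3},
  number  = {2},
  pages   = {125--143},
  doi     = {10.1109/TSE.1977.229904},
}

@book{Leveson2012,
  author    = {Leveson, Nancy Gail},
  year      = {2012},
  title     = {Engineering a Safer World: Systems Thinking Applied to Safety},
  series    = {Engineering Systems},
  publisher = {MIT Press},
}

@book{LundSolhaugStoelen2011,
  author    = {Lund, Mass Soldal and Solhaug, Bj{\o}rnar and St{\o}len, Ketil},
  year      = {2011},
  title     = {Model-Driven Risk Analysis: The {CORAS} Approach},
  edition   = {First},
  publisher = {Springer},
  doi       = {10.1007/978-3-642-12323-8},
}

% German nouns are braced so sentence-casing styles keep their capitals.
@book{Lunze2010,
  author    = {Lunze, Jan},
  year      = {2010},
  title     = {{Regelungstechnik} 1: Systemtheoretische {Grundlagen}, {Analyse} und {Entwurf} einschleifiger {Regelungen}},
  edition   = {Eighth},
  series    = {Lehrbuch},
  publisher = {Springer},
  doi       = {10.1007/978-3-642-13808-9},
}

% NOTE(review): article requires a journal, which this file does not give;
% confirm the venue (and the volume value) against the DOI record.
@article{Machin2016,
  author = {Machin, Mathilde and Guiochet, J{\'e}r{\'e}mie and Waeselynck, H{\'e}l{\`e}ne and Blanquart, Jean-Paul and Roy, Matthieu and Masson, Lola},
  year   = {2016},
  title  = {{SMOF} -- A {Safety} {MOnitoring} {Framework} for Autonomous Systems},
  volume = {99},
  pages  = {1--14},
  doi    = {10.1109/tsmc.2016.2633291},
}

@book{Manna1991,
  author    = {Manna, Zohar and Pnueli, Amir},
  year      = {1991},
  title     = {The Temporal Logic of Reactive and Concurrent Systems: Specification},
  edition   = {First},
  publisher = {Springer},
}

@book{Manna1995,
  author    = {Manna, Zohar and Pnueli, Amir},
  year      = {1995},
  title     = {Temporal Verification of Reactive Systems: Safety},
  edition   = {First},
  publisher = {Springer},
  doi       = {10.1007/978-1-4612-4222-2},
}

@book{Milner1995,
  author    = {Milner, Robin},
  year      = {1995},
  title     = {Communication and Concurrency},
  series    = {International Series in Computer Science},
  publisher = {Prentice Hall},
}

% NOTE(review): article requires a journal, which this file does not give.
% The DOI has the ISBN-based shape of a book-chapter DOI, so the entry type
% and the DOI may not refer to the same publication -- verify before citing.
@article{Mitsch2016,
  author = {Mitsch, Stefan and Platzer, Andr{\'e}},
  year   = {2016},
  title  = {{ModelPlex}: Verified Runtime Validation of Verified Cyber-Physical System Models},
  doi    = {10.1007/978-3-319-11164-3_17},
}

@techreport{Nielsen1971,
  author      = {Nielsen, D. S.},
  year        = {1971},
  title       = {The cause/consequence diagram method as basis for quantitative accident analysis},
  type        = {Technical Report},
  number      = {RISO-M-1374},
  institution = {Danish Atomic Energy Commission},
}

@techreport{ORADC2016,
  author      = {{On-Road Automated Driving Committee}},
  year        = {2016},
  title       = {Taxonomy and Definitions for Terms Related to Driving Automation Systems for On-Road Motor Vehicles},
  type        = {Technical Report},
  number      = {SAE J 3016},
  institution = {SAE International},
  doi         = {10.4271/j3016_201609},
}

@inproceedings{Preschern2013c,
  author    = {Preschern, Christopher and Kajtazovic, Nermin and Kreiner, Christian},
  year      = {2013},
  title     = {Building a safety architecture pattern system},
  editor    = {van Heesch, Uwe and Kohls, Christian},
  booktitle = {Proceedings of the 18th European Conference on Pattern Languages of Programs ({EuroPLoP}), Irsee, Germany, July 10--14, 2013},
  publisher = {{ACM}},
  pages     = {17},
  doi       = {10.1145/2739011.2739028},
}

% NOTE(review): under classic styles the title of an inbook entry is the
% book title, but this looks like a chapter or paper title and no containing
% volume is given; confirm and add booktitle with a matching entry type.
@inbook{Roehm2016,
  author    = {Roehm, Hendrik and Oehlerking, Jens and Heinz, Thomas and Althoff, Matthias},
  year      = {2016},
  title     = {{STL} Model Checking of Continuous and Hybrid Systems},
  pages     = {412--427},
  publisher = {Springer},
  doi       = {10.1007/978-3-319-46520-3_26},
}

@proceedings{DBLP:conf/safecomp/2016,
  editor    = {Skavhaug, Amund and Guiochet, J{\'{e}}r{\'{e}}mie and Bitsch, Friedemann},
  year      = {2016},
  title     = {Computer Safety, Reliability, and Security - 35th International Conference, {SAFECOMP} 2016, Trondheim, Norway, September 21--23, 2016, Proceedings},
  series    = {Lecture Notes in Computer Science},
  volume    = {9922},
  publisher = {Springer},
  doi       = {10.1007/978-3-319-45477-1},
}

@article{Svedung2002,
  author  = {Svedung, I. and Rasmussen, J.},
  year    = {2002},
  title   = {Graphic representation of accident scenarios: Mapping system structure and the causation of accidents},
  journal = {Safety Science},
  volume  = {40},
  number  = {5},
  pages   = {397--417},
  doi     = {10.1016/s0925-7535(00)00036-9},
}

@techreport{TSC2017,
  author      = {{Transport Systems Catapult}},
  year        = {2017},
  title       = {Taxonomy of Scenarios for Automated Driving},
  type        = {Technical Report},
  institution = {Transport Systems Catapult},
}

@inproceedings{DBLP:conf/fortest/Tretmans08,
  author    = {Tretmans, Jan},
  year      = {2008},
  title     = {Model Based Testing with Labelled Transition Systems},
  booktitle = {Formal Methods and Testing},
  pages     = {1--38},
  doi       = {10.1007/978-3-540-78917-8_1},
}

@techreport{USDOT2016,
  author      = {{U.S. Department of Transportation}},
  year        = {2016},
  title       = {Federal Automated Vehicles Policy},
  type        = {Technical Report},
  institution = {U.S. Department of Transportation},
}

% booktitle, editor list, series, volume and publisher are copied from the
% proceedings entry DBLP:conf/safecomp/2016 in this file.
@inproceedings{DBLP:conf/safecomp/0001JK16,
  author    = {Volk, Matthias and Junges, Sebastian and Katoen, Joost{-}Pieter},
  year      = {2016},
  title     = {Advancing Dynamic Fault Tree Analysis - Get Succinct State Spaces Fast and Synthesise Failure Rates},
  editor    = {Skavhaug, Amund and Guiochet, J{\'{e}}r{\'{e}}mie and Bitsch, Friedemann},
  booktitle = {Computer Safety, Reliability, and Security - 35th International Conference, {SAFECOMP} 2016, Trondheim, Norway, September 21--23, 2016, Proceedings},
  series    = {Lecture Notes in Computer Science},
  volume    = {9922},
  publisher = {Springer},
  pages     = {253--265},
  doi       = {10.1007/978-3-319-45477-1_20},
}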