The SCSC publishes a range of documents:
The club publishes its newsletter Safety Systems three times a year in February, June and October. The newsletter is distributed to paid-up members and can be made available in electronic form for inclusion on corporate members' intranet sites.
The proceedings of the annual symposium, held each February since 1993, are published in book form. Since 2013 copies can be purchased from Amazon.
The club publishes the Safety-critical Systems eJournal (ISSN 2754-1118) containing high-quality, peer-reviewed articles on the subject of systems safety.
If you are interested in being an author or a reviewer please see the Call for Papers.
All publications are available to download free by current SCSC members (please log in first), recent books are available as 'print on demand' from Amazon at reasonable cost.
Our world has changed dramatically over the last two years with the Covid-19 pandemic, and life may only slowly be returning to normal. However, our 30th symposium brought some new opportunities, new thinking and also new delegates. The symposium had a special flavour, celebrating the club’s successes over the years and giving a taste of what the next 30 years in safety engineering might be like.
This paper takes the (perhaps unusual) view that consumerism has helped to drive improvements in safety over the years. However, the successes in terms of the availability of (safe) goods and services, e.g. cars and cheap air transport, present contradictions (or ironies) in terms of the subsequent impact on the environment which ultimately has a deleterious effect on safety and well-being. These contradictions suggest the need to re-frame safety engineering. The paper proposes an approach based on the notion of well-being and discusses how counterfactuals might play a role in analysing and communicating about safety concerns.
Agile methods appear to offer a more dynamic way to drive a project forwards. So, can we derive RAMS requirements in a more efficient manner when working within an agile systems development environment? Recent experience has provided some interesting insights into whether improvements can be realised and how we might capitalise on the more iterative nature of an agile systems development environment. This paper explores recent experiences in the early stages of rail development projects (EN50126 phases 3-5). Applying both a Scrum methodology and a Kanban approach provided two slightly different perspectives from which to learn. This paper looks at the benefits and pitfalls of deriving RAMS requirements within an agile systems development framework. Lessons have been learned around systems modelling, use case development and specialist discipline integration and this paper presents a series of recommenda-tions based on those lessons.
Open Adaptive Complex Systems – such as road vehicle platoons or fleets of cooperative robots – may use dynamic reconfiguration to adapt to system or environment changes. One approach enabling this feature is Service-oriented Reconfiguration, where new configurations are created by composing the available services in an unconstrained manner. Due to the high number of possible service compositions, not all configurations can be pre-assured at design-time. Despite recent progress, there is no satisfactory approach for specifying safety cases in support of their re-evaluation at run-time, after system reconfiguration. To this end, in previous work, we introduced Dynamic Modular Safety Cases (DMSC). A DMSC is a modular safety case, which can be dynamically re-constructed and re-assessed given service reconfiguration. In continuation of the previous work, in this paper we provide guidelines for specifying safety cases at design-time, whose modular structure mirrors the system service decomposition, to enable their re-construction and re-evaluation at run-time in the event of a system reconfiguration. Aiming to support the specification of DMSC, we extend FASTEN, an engineering tool for the design and verification of safety-critical systems. We exemplify the specification of DMSCs in FASTEN for an illustrative example from the smart factory domain.
The use of stories and narrative is widespread throughout safety engineering, from "war stories" to use cases. In this paper we consider the effectiveness of stories in modelling safety-critical systems and challenges. We present a discussion of how aspects of a story such as characterisation, narrative arc and setting can affect the extent to which it adequately illuminates a software engineering problem.
The transition to electrified propulsion systems (EPS) within the au-tomotive sector is maturing, many manufacturers have Battery Electric Vehicles (BEV) within their product offering. The hazards associated with EPS technology, which comprises of a Rechargeable Electrical Energy Storage System (REESS), charging systems, electric drive systems, thermal management systems, DC/DC converter, and supervisory control systems, are well understood and technical safety concepts are in series production. The aviation industry is now in an intense research and development phase for new energy propulsion systems, including electrification. This paper explores the potential to safely expedite the transition to ‘electrified’ aviation through reapplication of automotive EPS technology, or whether EPS technology may be viably developed for use in both automotive and aviation domains. A REESS case study is utilised, comparisons between technical and process orientated safety regulations and standards are made, and technical solutions are developed utilising an exemplar ‘automotive-aviation’ process model. The study shows that, while some unique new work products will be required, automotive technology may be utilised within aviation, subject to review and revision to ensure compliance with aviation regulations. The study also identifies opportunities to enhance the development process through sharing of best practice between the automotive and aviation domains.
In September 2020, the European Commission published a set of twenty recommendations (Bonnefon et al., 2020) composed by an expert group (of which the author was a member) on the ethical development and deployment of connected and automated vehicles (CAVs). The report includes twenty recommendations addressing the ethics of connected and automated vehicles, covering dilemma situations, the creation of a culture of responsibility, and the promotion of data, algorithm and AI literacy through public participation. Some of the topics covered are road safety, privacy, fairness, explainability and responsibility.
The maritime industry has been transformed by the introduc-tion of new technologies pertinent to the ‘Industry 4.0’ revolution and moves to-wards the introduction of the Maritime Autonomous Surface Ships (MASS).
A practical stepwise methodology is outlined based on the SCSC Service Assurance Guidance V2. This is explained using a real example of a highways service (based on a motorway in the UK, the M3); it also includes the services provided by vehicles and drivers when using the motorway. The contracts and agreements are indicated where available, the services identified and then the levels of service assurance flowed down, together with safety requirements. Wrappers (supplementary assurance needs) are identified and elaborated. The advantages of the service assurance approach are then discussed for this very real example and compared to more traditional systems approaches.
Many people died in flooding in Germany and in Belgium in the week of 2021-07-12 to 2021-07-18. The rainfall was foreseen, and warnings generated by the European Flood Awareness System. I relate the events and the environment in detail, consider the sociotechnical systems in place to deal with them, and possible improvements to mitigate the consequences of a repeat rainfall event.
In 2020, KeolisAmey Docklands (KAD) – franchise operator of the Docklands Light Railway (DLR) in London – commenced work on a pioneering safety programme called ‘Next Platform’. In what is thought to be a first for the UK rail industry, KAD are seeking to radically change the way they learn from adverse events and everyday work. Core to this transformation is the introduction of a ‘restorative just culture’, and a new safety investigation methodology called the ‘Learning Review’. This new approach is as much about changing philosophy as it is about changing process. In a Learning Review, in which a restorative just culture process is embedded, the decisions and actions of staff involved in adverse events are reviewed in a neutral and curious manner to understand why they made sense to the person at the time. All inquiries are approached from a presumption of good intention, staff are treated with support and care, and as long as no intentional wrongdoing is identified, everyone’s focus – leaders, managers and frontline staff – is on learning and improving. This talk will explore how KAD developed the Next Platform programme, why they decided to take the approach, and how it has benefitted the DLR operation so far.
Command and Control (C2) systems form an integral part of military defence in supporting operational military decision-making. C2 systems are complex socio-technical systems made up of physical hardware, software, data, Operators, Maintainers, processes and the workplace. One of the complexities is multiple Operators performing different roles simultaneously, under high workload, making rapid decisions to work towards a common goal. This paper out-lines an ongoing project to replace an existing C2 system. A Human Reliability Assessment (HRA) is being conducted with an approach which incorporates a more holistic assessment of the human contribution within ‘the system’. Identifying not only opportunities to identify and mitigate potential human error by influencing design but also looking at the wider interactions within the system and identification of emergent properties which may result from more complex interactions within the system.
The thirty years that has passed since the first SCSC Symposium coincides with the author’s career in safety – starting as a student at Loughborough University studying Transport Management and Planning. Back then, the UK transport sector was still reeling from major disasters – the Herald of Free Enterprise at Zeebrugge; British Midland at Kegworth; and the Clapham Junction and Purley rail accidents. On one level, such events galvanised resolve to prevent such events from recurring, but on the other, there was also a level of risk acceptance that thankfully is no longer the case. For the aviation industry, the concern was that unless there was a radical change of approach, then, based projected traffic growth, the equivalent of one widebody aircraft would be lost each week by the end of the millennium.
A “cowboy builder” is someone who, operating beyond their level of competence who builds unsatisfactory, often unsafe, structures. This paper explores “cowboy digital” — the cowboy attitude that pervades digital leadership, management, development, and engineering. This article offers constructive suggestions, but until the cowboy digital culture is addressed effectively “safety-critical systems” will remain aspirational.
An analysis of accident reports from the air-traffic control, aviation, highways, and maritime sectors suggests areas where introduction of autonomous functionality could have materially affected the outcome. The effect of replacing or augmenting the human operator in the causal chain of the accident is considered and changes to the outcome are suggested. The functionality and assurance of the autonomous functions are considered as are the interactions with operators. Common themes are extracted from the accident studies and are used to draw conclusions about the potential benefits from introduction of autonomous functionality.
The use of DevOps methodologies is now common throughout the technology world, driving a cultural change in the development of software. DevSecOps takes this one-step further, embedding the security measures required in today’s hyper-connected world. The adoption of DevSecOps in defence will pose significant challenges to the way that we currently build and deliver software; this will be particularly challenging in the safety-critical domains, such as aviation. In this paper we introduce the principles and technologies proposed in the DevSecOps software development pipeline. An examination into how the US DoD are deploying DevSecOps to maintain operational superiority is given. Two challenges are identified for the UK: providing assurance for safety-critical systems through the DevSecOps pipeline and making the cultural changes necessary to adopt and adapt from the tried and tested methods to this new approach. Finally, we highlight the path that adoption of DevSecOps introduces, identifying the capabilities and further technologies that will naturally be incorporated into this cultural and technological shift for safety-critical software development.
The increasing complexity of modern interlocking poses a major challenge to ensuring railway safety. This calls for application of formal methods for assurance and verification of their safety. We have developed an industry-strength toolset, called SafeCap, for formal verification of interlockings. Our aim was to overcome the main barriers in deploying formal methods in industry. The approach proposed verifies interlocking data developed by signalling engineers in the ways they are designed by industry. It ensures fully automated verification of safety properties using the state-of-the-art techniques (automated theorem provers and solvers) and provides diagnostics in terms of the notations used by engineers. In the last two years SafeCap has been successfully used to verify 26 real-world mainline interlockings, developed by different suppliers and design offices. SafeCap is currently used in an advisory capacity, supplementing manual checking and testing processes by providing an additional level of verification and enabling earlier identification of errors. We are now developing a safety case to support its use as an alternative to some of these activities.
Creating a multi-core platform for safety-critical avionics is the next major step for most avionics manufactures. While multi-core processors are commonly used in most other markets, the avionics industry has taken years to trust multi-core technologies. Acceptance has been slow due to an avionics system’s stringent safety and deterministic requirements. As a result, years of study have been invested by certification authorities and industry suppliers to identify the issues multi-core processors pose for safety-critical systems. Formalized positions of these efforts are the FAA CAST-32A Positioning Paper, and EASA’s multi-core Certification Review Item (CRI). The crux of these papers (regarding software) focuses on bounding and controlling the interference patterns that exists when processor cores share resources. This paper highlights the challenges of implementing multi-core processors for avionics developers. It will present Deos SafeMCTM and show how it helps address CAST-32A objectives by utilizing unique operating system features designed for minimizing and bounding contention issues within multi-core environments. Features such as cache partitioning, memory pooling and safe scheduling enable the user to configure the memory architecture to minimize cache thrashing and schedule applications across all cores. Further, most of these Deos features are processor agnostic which allows system developers to pick more current and best suited processor technologies. Together, these capabilities enable developers to employ modern systems that orchestrate software applications such that conflicts over shared resources are minimized and the overall performance advantages of multicore processors can best be utilized.
A modern railway is a highly electrotechnical system with connectivity and networks inherent in its design. For High Speed 2 this means a design which is based on a confluence of difference wired and wireless networks. These networks support the delivery of safety critical, safety related, operation critical and wider business functions. This talk explains how HS2 is assessing its safety and cyber risks in an efficient manner, leveraging products and assessments from the application of the Common Safety Method on Risk Assessment to support cyber assessments based around IEC 62443 risk methodology and associated controls.
On 14 June 2020, all three primary flight control computers on an Airbus A330 shut down while it was landing at Taipei, Taiwan. The aircraft came to a stop only ten metres from the end of the runway. The cause was a problem well-known in computer science called the Byzantine Generals Problem, which was first described by Leslie Lamport in 1982. He presented a solution to the Byzantine Generals Problem, along with a mathematical proof of the correctness of that solution. This paper describes what happened on 14 June 2020 and how Leslie Lamport’s solution would have avoided the incident.