THE SAFETY-CRITICAL SYSTEMS CLUB, Seminar:
Safety Cases: Past, Present and Future
Thursday 29 June, 2023 - London Marriott Hotel, Marble Arch
This seminar looked at the origins of safety and assurance cases, where they are today and where they are heading. There was a range of speakers covering different aspects, approaches and sectors.
Safety cases have evolved over the years: from their origins in historical accidents, through the development of better structuring and argument notations such as GSN, to where we are today where assurance cases often integrate other key system attributes such as security. The future promises more powerful notations, dynamic updating and approaches for large-scale and complex systems.
This event is relevant to anyone who produces, reviews or approves safety or assurance cases.
- Robin Bloomfield, Adelard - "Recent progress with Assurance 2.0 and automating safety cases"
- Richard Hawkins, University of York - "Improving Safety Case Practice with GSN"
- Nikita Johnson, Rolls-Royce - "Arguing Security (and Finding the Gaps in our Safety)"
- Tim Kelly, University of York - "A Brief History of GSN"
- Davy Pissoort, KU Leuven - "Managing Risks due to Electromagnetic Disturbances: Unleashing the Power of the Assurance Cases and the Goal Structuring Notation"
- Thor Myklebust, SINTEF - "Future challenges and opportunities when using a safety case approach"
- Adrian Stavert-Dobson, Safehand Consulting - "Safety Cases in Health IT – A Decade On"
This event was held in person at the London Marriott Hotel Marble Arch, 134 George St, London, W1H 5DN.
Talk abstracts and speaker bios are below:
Robin Bloomfield, Adelard - "Recent progress with Assurance 2.0 and automating safety cases"
Abstract: In this talk I will present our work on an ongoing DARPA project that is exploring the automation of assurance cases. I will outline the reasons for “cases”, reaching back to the 1980s. I discuss the need to innovate in both methodology and tool technology if we are to successfully automate, and then present a principled approach to automation and how Assurance 2.0 supports this. I will illustrate the synthesis approach and research tools we are developing, as well as the experiments in using LLMs to translate from natural language to a logic language. I will end with some speculation and questions about the future.
Bio: Robin E Bloomfield is a founder of the specialist safety and security consultancy Adelard, now part of NCC Group. He is also a full Professor at City, University of London. His work in safety and security over the past 35 years has combined policy formulation, technical consulting and underpinning research. He is a major contributor to the development of the assurance and safety case approach and the use of claims, arguments and evidence (CAE), and to the extension of this work to security and critical infrastructures. He is currently developing Assurance 2.0 with John Rushby of SRI and leading Adelard’s work on the automation of certification and assurance of AI/ML systems. He was elected a Fellow of the Royal Academy of Engineering in 2014 in recognition of his international leadership in the engineering of safety-critical systems.
Richard Hawkins, University of York - "Improving Safety Case Practice with GSN"
Abstract: There have been many criticisms from some quarters of the safety case approach, and advocates of safety cases have reacted to these criticisms in an attempt to rebut them. Many of the rebuttals that can be made take the form of “but that is not how safety cases should be used”. This motivates a need, and perhaps even a responsibility, for advocates of the use of safety cases to help to ensure safety cases are used correctly such that their benefits can truly be realised. Proposals have been put forward on how safety case notations may be enhanced in an attempt to improve safety case practices. In this talk I will seek to explain how GSN, as currently specified, provides the tools necessary to address the criticisms of current safety case practices, and discuss how these tools can be used effectively.
Bio: Richard Hawkins is Senior Research Fellow for the Lloyd's Register Foundation's Assuring Autonomy International Programme at the University of York. His research is focussed on safety assurance and assurance cases for autonomous systems. He has been working with safety related systems for 20 years both in academia and in industry. Richard has been a lecturer in safety critical systems engineering at the University of York and has worked for BAE Systems as a software safety engineer.
Nikita Johnson, Rolls-Royce - "Arguing Security (and Finding the Gaps in our Safety)"
Abstract: Safety and Security have many similarities and shared patterns of reasoning such as risk averseness, being a system-level emergent property, and needing more than just technical controls to manage. This often leads practitioners and engineers into some common traps in their security cases and co-assurance cases – Danger lies here! In this talk you will get an overview of a typical security case structure, including the claims used, inferences made and evidence provided. One key difference between safety and security cases is their management throughout the life of a system, particularly in the context of uncertainty introduced by vulnerabilities. The theoretical basis of Arguing Security will be supported by practical examples from the industry research project HICLASS, and the SCSC Security-Informed Safety Working Group.
Bio: Nikita Johnson is a Product Cyber Security Engineer at Rolls-Royce, leading several projects related to Security for Airworthiness, and Product ISMS (Information Security Management Systems). She has worked to develop conceptual frameworks for arguing safety and security in robotics and autonomous systems at the University of York and the University of Sheffield. Nikita gained expertise in the area of Safety-Security Assurance through her Doctoral research at York with BAE Systems, and has continued to develop and apply that knowledge through participation in industry research and working groups such as Eurocae WG-72, SCSC SISWG, Innovate UK HICLASS, and the NCSC ICS Group.
Tim Kelly, University of York - "A Brief History of GSN"
Abstract: The Goal Structuring Notation (GSN) is now over 30 years old. Historically, safety cases relied heavily on narrative text, leading to challenges such as poor structure and limited clarity. The University of York's High Integrity Systems Engineering research group aimed to improve safety case development by introducing goal structures to represent safety arguments. Initially combining principles from argumentation and goal-based requirements engineering, GSN emerged as a powerful graphical notation, offering a clear and structured framework for presenting safety arguments. This talk will chart the development of GSN and its extensions (for example to express argument patterns, modular safety cases, and confidence arguments) over the last 30 years and reflect upon the factors that have led to its widespread adoption across many industries, including aerospace, defense, healthcare, and transportation. Finally, the talk will explore some of the potential future opportunities in assurance case argumentation.
Bio: Revd Dr Tim Kelly is Priest in Charge of the Benefice of Walkington, Bishop Burton, Rowley and Skidby in the East Riding of Yorkshire. Tim worked for over 30 years in the domain of safety-critical computer systems. In 2019 he left his job as a Professor of High Integrity Systems at the University of York to become a vicar in the Church of England. In his academic work he is perhaps best known for his work on system and software safety case development, particularly his work on refining and extending the Goal Structuring Notation (GSN). His research included safety case management, software safety analysis and justification, software architecture safety, certification of adaptive and learning systems, and the dependability of “Systems of Systems”. He supervised many research projects in these areas with funding and support from Airbus, BAE SYSTEMS, Data Systems and Solutions, DTI, EPSRC, ERA Technology, Ministry of Defence, QinetiQ and Rolls-Royce. He has published over 150 papers on high integrity systems development and justification in international journals and conferences.
Thor Myklebust, SINTEF - "Future challenges and opportunities when using a safety case approach"
Abstract: The presentation is based on interviews with seventeen companies – all engaged in building safety cases for commercial products. Topics included are explainable AI, compliance with safety standards, and relevant standards for Autonomous Systems. Issues such as safety case maintenance and the role of reuse when developing a safety case are also presented.
Bio: Thor is a Senior Researcher in System Safety at SINTEF Digital. His experience is in assessment and certification of products and systems since 1987. He has worked for the National Metrology Service, Aker Maritime, Nemko, and SINTEF. He has participated in several international committees since 1988. He is a member of the safety committee (NEK/IEC 65), the IEC 61508 maintenance committee “generic functional safety”, the ISO/IEC TR 5469 “Artificial intelligence — Functional safety and AI systems” stakeholder group, UL4600 (autonomous products) and the railway committee (NEK/CENELEC/TC 9).
He is co-author of three books (The Agile Safety Case, SafeScrum and Proof of Compliance) and has published more than 250 papers and reports.
Davy Pissoort, KU Leuven - "Managing Risks due to Electromagnetic Disturbances: Unleashing the Power of the Assurance Cases and the Goal Structuring Notation"
Abstract: This talk introduces an innovative approach to mitigate risks caused by electromagnetic disturbances in medical devices. By combining assurance cases and the Goal Structuring Notation, this talk presents several assurance case patterns for managing risks related to electromagnetic disturbances. The proposed EMC assurance case comprises risk, confidence, and compliance sub-cases, thereby providing compelling arguments showcasing effective EMC risk management and EM-resilient design. The inter-relationships among these sub-cases further justify the guarantee of device safety, essential performance, and intended use amidst electromagnetic disturbances.
Bio: Davy received the PhD degree in electrical engineering from Ghent University, Belgium in 2005. After that he worked as an R&D Engineer at Agilent Technologies (nowadays Keysight Technologies) in Ghent, Belgium. Since 2009 he has been an associate professor at KU Leuven Bruges Campus, where he is the head of the Mechatronics Group. His current research interests include EMI Risk Management, characterization of shielding effectiveness, and safety assurance of interconnected autonomous systems. He is currently a board member of the IEEE EMC Society.
Adrian Stavert-Dobson, Safehand Consulting - "Safety Cases in Health IT – A Decade On"
Abstract: In 2012 the NHS made Safety Cases a requirement for Health IT software manufacturers and the organisations implementing them. A vehicle which had previously been the remit of Safety Engineers was now in the hands of surgeons, psychiatrists and GPs. Whilst enforcement and uptake were painfully slow for many years, the recent explosion of advanced Health IT systems has substantially driven awareness and levels of compliance. In this presentation we’ll explore the successes and challenges of using Safety Cases to evidence the safe manufacture and implementation of health software.
Bio: Adrian Stavert-Dobson is a qualified doctor and the CEO of Safehand Consulting Limited, the UK’s largest provider of DCB 0129/0160 compliance services. Adrian has presided over the development of over 800 Safety Cases for Health IT systems and his team currently act as the Clinical Safety Officer for over 140 organisations. Adrian is the author of Health IT Systems: Managing Clinical Risk.
© SCSC 2024