25 Years of Safety Systems and of the Safety-Critical Systems Club
By Felix Redmill
This issue of Safety Systems, the 75th, marks the Club's 25th birthday. Simultaneously, it trumpets the end of an era: the 'old guard' is stepping aside and making way for changes to the Club's home and its management. It celebrates 25 years of life and effort and wishes well to what is to come. But what is to come? This Editorial offers an outline of the Club's next step after taking a cursory look back at where we came from and what we have touched on in our journey to the present.
A Potted History
The Safety-Critical Systems Club held its first public meeting - a seminar - in Manchester on 11th July 1991. 256 delegates attended.
At that time, practitioners who knew themselves to inhabit the safety field possessed a terrific hunger for information on safety technology and practice, and many came seeking not only knowledge but, importantly, guidance on where to seek it.
Of course, there were many others who were not yet aware that they inhabited the safety domain, and a part of our remit was to find and inform them.
Through the 1980s, computers, which were rapidly and persistently decreasing in both size and cost, were finding their way into all industrial fields, and their application in what became known as 'safety-critical systems' attracted the attention of astute engineers. A study, sponsored by the Department of Trade and Industry (DTI) and carried out by members of the Institution of Electrical Engineers (IEE, now the Institution of Engineering and Technology (IET)) and the British Computer Society (BCS), identified numerous problems that arose from this application of software and made many recommendations to the government and to both industry and academe. The study report, published in 1989, had the effect of revealing to the research establishment that there was wide scope for investigation into the field.
Following this report, the DTI, together with the Science and Engineering Research Council (SERC), invited applications for research projects, with the proviso that all had to be collaborative, with participants from both industry and academe. With about 30 projects and approximately £30 million invested, it was clear that an organisation was required to facilitate the propagation of project results, and a contract to set up and run a 'community club' was awarded to the BCS and the IEE jointly though, contractually, to the BCS. These brought in the Centre for Software Reliability at Newcastle University to manage the club and me (Felix Redmill) to do the technical work - organising events, editing a newsletter, doing marketing, carrying out liaison with other bodies, and more.
The Club's objectives were defined as being to raise awareness of safety matters and its technologies, and to facilitate the transfer of information, technology, and current and emerging practices and standards. All sectors of the safety-critical community, and both technical and managerial levels within them, would be involved. It was hoped to facilitate communication among researchers, the transfer of technology from researchers to industry and feedback from users, and the communication of experience between users. The benefits were intended to be better directed research, a more rapid and effective transfer and use of technology, aid in the identification of best practice, and the definition of requirements for education and training.
Communication between users was seen as being particularly important. Feedback on a technology from a single user to a researcher is valuable, but rapid exchange of experience between users can not only shorten learning curves but also minimise the use of unsuccessful technologies. Further, and importantly, although there were known to be many failures of software-based systems in safety-related companies, it was also known that they were often concealed rather than revealed and discussed. Involvement of the developing HSE (Health and Safety Executive) was one solution to this, but another was a club atmosphere in which community members could discuss their problems as well as their successes. Attending Club events was intended to put industrialists in touch with each other. And it was hoped that they would also be encouraged to give talks on their experiences and write articles for the Club's newsletter.
The Club formally came into being on 1st May 1991. Its first seminar was held at Manchester University in July and the first issue of Safety Systems was published in September. At that time, and for many years after, Club operations were managed and run by three of us: Tom Anderson, at Newcastle University, who had overall responsibility and was the Club's comptroller, Joan Atkinson, his secretary, who conducted all administrative and logistic tasks, and me.
The DTI and SERC provided funding, on a reducing scale, for three years, with the hoped-for objective of subsequent continuation. As, by the end of that time, the Club had been successful, both in attracting members and in achieving its goals, it was continued, on a shoestring, and it continues still, 25 years later. Tom and Joan held their positions through all that time. After 17 years as the technical all-rounder, which included the planning and organisation of more than 70 events, including 16 annual Symposiums, I resigned from organisational and liaison work but continued to edit Safety Systems. Chris Dale became the Event Co-ordinator and, after six Symposiums, handed over in 2014 to Mike Parsons, who is still in place.
After funding ceased, our management board became an advisory Steering Group, chaired by Bob Malcolm, whom I thank for huge support. He was succeeded by Brian Jepson, who also built and maintains the Club's web site and, latterly, by the incumbent, Graham Jolliffe.
Development of Thinking
The 1980s was a period of change in the safety world. Not only was there rapid replacement of electromechanical control systems by software-based digital equipment, but there was also a major change in thinking about risk. Hitherto, safety protection had mostly been based on physical barriers, together with rules of operation and behaviour, along with un-evidenced assurances to the public of safety. But Sir Frank Layfield, in conducting his inquiry into the Sizewell B nuclear power station, pushed the HSE to explain their risk-based engineering judgements to the public (and to industry and, indeed, to themselves), and this led to the HSE's 1988 document, The Tolerability of the Risks from Nuclear Power Stations, which defined what became known as the ALARP (As Low As Reasonably Practicable) Principle. The Layfield Inquiry also led to requirements to justify claims for the tolerability of risks and to cease the practice of simply claiming that a risk was remote or an accident was incredible. Implicit in this was the admission that zero risk could not be achieved and that uncertainty was necessarily inherent in the creation and use of safety-critical systems.
Thus, when the Club came into existence, there was a need to facilitate the transfer not only of proven risk assessment techniques, but, importantly, the ways of thinking about risk and its tolerability that were new even to those in the traditional safety domains, such as chemical and nuclear.
Other changes were also afoot. New approaches were being pioneered, and these would be introduced by the publication of the standard IEC 61508. This was eagerly anticipated and the Club played a key role in establishing its understanding, through seminars, tutorials, symposium papers, and informal discussions.
There had also been increasing realisation of human influence on both safety and its opposite. One of the early Club seminars was on human factors and, in spite of floods that stopped traffic in many parts of the country, this attracted a crowd of over 100.
From its earliest days, the Club ran events, and sought symposium papers, on topics that had not yet made their way into widespread knowledge, or even thinking - topics such as safety management and safety culture, the increasing dependence of safety on security, the use of COTS (commercial off-the-shelf) systems and components in safety, the safety case, testing for safety, the safety lifecycle, safety integrity levels, legal and social aspects of safety, safety standards, new technologies, and more. As well as topic-specific events, the Club ran many that were sector-specific.
The Club and Its Newsletter
To meet its objectives, the Club was charged to run at least four events per year, including the annual Safety-critical Systems Symposium (SSS) with published Proceedings, and to publish three issues per year of a newsletter. One- and two-day events have mostly been seminars, but the Club has also run tutorials, many on topics that were not yet provided for in training anywhere else.
In the early years, the Club was the principal organ of communication of the progress and results of the DTI/SERC-sponsored research projects and, at the inaugural meeting, eighteen of these were exhibited at a poster session, which proved to be one of the highlights of the occasion.
Among other initiatives, the Club created liaisons with other bodies, importantly the IET, BCS and HSE.
Safety Systems has been published every September, January and May, and this issue, the 75th, completes 25 years of publication. In that time it has given the community news items, book reviews, press releases, a regular calendar of international events, and 438 articles. I am proud that many of these were written by authoritative authors. But I am perhaps even more proud that Safety Systems has enticed many others to take courage and express themselves. This newsletter has been a forum for members and others to raise questions, utter apprehensions, and report on experiences, as well as to tell us what they think is what. And this issue is an example. It offers articles on risk, the core of our profession; articles on education, in the key subjects of both safety and software engineering, which have not yet been seriously planned to fit our needs; articles on human factors, on our history, on current practice, and on glances into our future.
We therefore have reason to believe that the Club has contributed to the progress, over the last quarter century, in the field of safety technology, practice, and management. Our 126 events, the knowledge, and even wisdom, accumulated in 24 volumes of SSS, and a further 22 papers in a 1993 book, all suggest a worthwhile achievement, and regular feedback confirms that many others share this view. And that is why we have been strenuously determined to ensure the Club's continuation.
And now, change is inevitable. Professor Tom Anderson and Joan Atkinson are both on the point of 'passing on the baton'. And I have decided that perhaps it is the right time for me to join them in admiring, instead of creating, the results of the Club's endeavours.
It has been agreed that the Club will move to the University of York and be under the management of Professor Tim Kelly.
York's research and MSc programmes have furthered the education of numerous practitioners and brought many others into the field. It also started, and for a long time maintained, the email system-safety list, which now functions under Peter Ladkin's stewardship at the University of Bielefeld. I offer Tim my very best wishes as he adds the Club to York's portfolio.
May the Safety-Critical Systems Club continue to meet its objectives and remain useful to the safety community for another 25 years - and, perhaps, yet another.
SCSC 06-03-2018 [V4e]