This paper provides a general overview of the subsea architecture for safe system shutdowns as currently defined in today’s generic subsea systems application requirements. Subsequently, this paper identifies emerging requirements and associated characteristic complexities in the design and use of the key features of emerging subsea shutdown systems. This paper critically examines the objectives and benefits of the shift towards the selective high integrity controlled or commanded shut-down patterns. Using two similar projects with comparable application parameters for safe shutdown, we submit a platform that can be used when differentiating between the pre-requisites and solutions for subsea control systems; now and in the future.

Modern advances in technology and highly coordinated safety systems have successfully reduced the frequency of major accidents in the marine industry. Has this decrease in frequency come at a cost? The myth of an “unsinkable” ship went down with the Titanic and yet accidents resulting in loss of life still occur. On occasion the control measures put in place to mitigate against disaster are not sufficient due to reliance on human factors or technology which may not be available after the accident. This paper discusses the issues caused by the focus on pre-accident mitigation and scenarios deemed too implausible by hazard identification techniques.

Development of future railway systems requires a rigorous modelling of safety and capacity conducted in an integrated way. Supported by EPSRC and Rail Safety and Standards Board the SafeCap project laid the foundations for overcoming challenges to railway capacity without undermining rail network safety. The main outcome of the project is the SafeCap Toolset, which relies on a formal Domain Specific Language, safety verification and capacity simulation methodologies. The work was conducted in close cooperation with Siemens Rail Automation and evaluated using the layouts of a number of UK stations. The Toolset is being further actively developed and evaluated in a series of industrial and impact acceleration projects.

The increasing complexity of modern aircraft systems presents many challenges to the current process for aircraft safety assessment and certification. Automated features and equipment are becoming so complex that potential dysfunctional interactions and requirements flaws are much more difficult to recognize and prevent than in the past. We believe that the current process for assessing safety and certifying aircraft described in ARP 4761 is limited in its effectiveness for modern complex and software intensive systems and that a better approach is needed. This paper describes the ARP 4761 methodology and then a new accident causality model and associated hazard analysis technique is introduced and applied to the Wheel and Brake System example used in ARP 4761. We conclude with a comparison of the two approaches.

Over the past decade evidence-based software engineering (EBSE) has emerged to offer an adaptation of the methods of evidence based medicine for the needs of software engineering. Whilst potentially complementary to established practices, evidence to date of successful translation of the approach from the academic environment to industrial practice is scarce. With an emphasis on structured arguments, rigorous analysis and bodies of evidence software safety is one engineering sub-discipline apparently well placed to benefit from adopting the approach. This paper as sesses whether EBSE has or can, in practice, make a contribution to engineering safer software.

Formal methods are a means for verification and validation with the main advantage that a system property can be verified for the overall system (in-cluding all possible system states). The drawbacks of formal methods are the additional effort for the formalisation of the requirements and for building a model of the system, and, the limitations due to computational restrictions (handling the state-space explosion). ISO 26262 “Road Vehicles - Functional Safety” is a standard for the assessment of the development process for safety-relevant com-ponents in the automotive domain. The standard addresses formal methods for the specification of safety requirements and for the product development at software level. Formal methods for the hardware development or at system level are (by now) not explicitly foreseen by the standard. In this work we will give an overview on the basic principles and the state-of-the-art of formal methods (in detail, model checking). Then we will present different approaches for the application of formal methods at system level including some preliminary evaluation results for an in-dustrial use case. Based on these experiences we will discuss the applicability of formal methods in the context of ISO 26262 (i.e., for automotive components) in view of the limitations of formal techniques for applications in the automotive domain.

The paper considers how we should set about designing safety-related systems (as defined in standards such as IEC 61508) to be safe. Using two transportation examples, it considers the degree and extent to which adherence to industry-specific process standards (the ‘magic’ approach of the title) would lead us to a complete, safe solution; deducing that this approach would lead to an incomplete solution, the paper shows how we need to rationalize what we mean by safety in the particular context, before determining a more holistic and ‘logical’ approach to developing a functionally safe design.

Guidance for developers of assurance arguments has generally focussed on issues concerning content, logical flow and structure. The use of natural language to express an argument can lead to problems with understanding the nature of the claims, with scope and with potentially obscure logical inferences. These problems can occur even if natural language is combined with the use of graphical notations to communicate the structure of an argument. In a supply chain, these problems are compounded by the involvement of numerous suppliers, each with his own “idiolect”, which makes it difficult to integrate assurance data for components into the system argument, to evaluate it as evidence or to reuse it across projects. In this paper, we present work to develop controlled language and structured expressions to improve communication within and across domains and to provide some automated validation of assurance arguments.

It is contended that safety-arguments can be improved by being made “systematically self-reflecting” (SSR). A safety argument should systematically address its own quality at each point in its argumentation. This can be done by addressing specific questions at each argument node, without changing the struc-ture of the argument. The approach has been applied to software safety-cases expressed using the Goal Structuring Notation (GSN), and lessons are drawn from this industrial experience. A comparison is made between SSR-arguments and Kelly's criteria for assessing assurance-cases, the 4+1 principles for software safety-cases and the confidence-arguments of Hawkins et al.

Security concerns that arise in safety-critical domains, such as air-traffic control and energy system management, might be analyzed using rigorous security cases. Such analysis has been explored minimally. We present a case study of the application of rigorous security arguments to a novel approach to thwarting command-injection attacks based on transformation of the binary form of a program (no source code). The case study illustrates an approach to security argument structure, the construction process for the argument, and organizes and reveals the defensive capabilities of the technique and its limitations thereby demonstrating the power of security argument.

For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO–178B/ED–12B) has been the primary means for receiving regulatory approval for using software on commer-cial airplanes. A new edition of the standard, DO–178C/ED–12C, was published in December 2011, and recognized by regulatory bodies in 2013. The purpose remains unchanged: to provide guidance ‘for the production of software for air-borne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements.’ The text of the guidance does not directly explain how its collection of objectives contributes to achieving this purpose; thus, the assurance case for the document is implicit. This paper presents an explicit assurance case developed as part of research jointly sponsored by the Federal Aviation Administration and the National Aeronautics and Space Administration.

In this paper we argue that the methods and techniques specified in the annexes in IEC 61508-3 are just sound software engineering principles. Problems when developing safety critical software are not caused by lack of adherence to the standard per se but by ignorance of sound engineering principles related to the specified techniques. Further we argue that IEC 61508-3 should be more flexible regarding the safety lifecycle requirements by mentioning the use of modern software development practices together with the V-model.

In July 2014, a commercial transport aircraft, Malaysia Airlines Flight 17, in cruise flight over Ukraine, had its flight abruptly terminated through “impacts from a large number of high-energy objects from outside the aircraft”, The suspicion is that it was shot down. Three other commercial aircraft on international flights were in the same control sector at the time; other airlines had chosen to avoid the area. I argue that the kind of risk analysis one must perform to assess such possible security threats cannot be of the IEC 61508 type. I propose Meta-Game Theoretic Analysis, MGTA.

This paper is a personal reflection on the capacity of human beings to tolerate risk. My thoughts were triggered and enriched by an Atlantic crossing under sail aboard the yacht Northern Child. Among the wild men and women of ocean yacht racing, I was forced to reassess my engineering attitudes. In eighteen days at sea I reflected on the factors that determine risk tolerance in a particular enterprise and why tolerance varies so markedly across human endeavours. It occurred to me that the main driver of risk tolerance is emotional rather than technical, a state of affairs that engineers are ill-equipped to manage. This led me to research human decision-making processes and the power of metaphor not only in learning and persuasion but also in synthesising safer systems. Too much happened on this voyage to tell here. Instead I present the set of vignettes that informed my personal belief that engineering knowledge must be broadened to include human behavioural modelling and the synthesis of metaphor. And most important of all, our scope of works must go deeper. In particular, the functional safety discipline must be more than a broad-brush administrative framework. Its tropes must be imprinted on the minds of all the people doing the work.

The ever increasing demand to improve efficiency, raise production rates and reduce costs, whilst maintaining or improving quality, is driving the need for the automation of many manufacturing processes. Traditionally speaking, the default control measure for the risk management of automation in manufacturing has been the use of physical guards. Robot cell installations with physical guards can be difficult to deploy on some manufacturing assembly line. Given that these physical safeguarding measures separate the human operator from the moving robot, the work performed by robots is effectively detached from that performed by human operators. This can be a limitation on some flow lines where the human tasks cannot be completely separated from those of the robot. From a safety perspective, physical guards do not completely mitigate against the risk of injury due to a human trespassing the guarded area with the locks and interlocks engaged, or deliberately limiting their effectiveness through local process modifications.
Aerospace manufacturing processes typically involve a complex mixture of high and low skilled tasks, and therefore are a prime example of a system that cannot be completely automated. Hence, it is proposed that a collaborative human/robot work cell would allow the lesser skilled manufacturing tasks to be allocated to a robot while the human operator carries out the more skilled tasks. This would in effect result in the design of a semi-automated flexible assembly line where the human and the robot work alongside each other and collaborate with each other within a pre-defined, shared and safeguarded workspace. Work has been undertaken at Cranfield University to investigate the potential for using a collaborative robotic system in aerospace manufacturing. The aim of this research is to offer an example of a truly collaborative, inherently safe, robot work cell that integrates readily available robotic systems with affordable, off-the-shelf, safety-rated electro-sensitive protective equipment.

Deterministic requirements are often used to express criteria for system properties such as system safety. However, the evidence presented to meet these requirements or targets is often uncertain, embodying both a lack of detail and inherent variability. Consequently it is difficult to establish definitively that these requirements have been satisfied. This paper presents a Bayesian approach that provides a framework for consideration of the ‘epistemic’ uncertainty (lack of knowledge) together with the ‘aleatory’ uncertainty (random variability) in system and component estimates. The ‘classical’ statistical approach is presented for some common scenarios each followed by the tool-assisted Bayesian inference approach. Finally, an example is presented of the uncertainties in the individual steps of an accident sequence that accumulate to the uncertainty in the likelihood of the accident itself. The main finding is that the use of a Bayesian inference tool such as OpenBUGS (Lunn et al. 2009) based on Markov Chain Monte Carlo (MCMC) techniques (Gelfand and Smith 1990) enables the burden of the computation to be lifted so that the engineer can then concentrate on the interpretation of the uncertainty in relation to the requirement.

The difficulty in explaining observations of Saturn’s motion in the context of the geocentric model was a crucial stepping-stone that eventually led Copernicus to propose the heliocentric model. This paper analyses approaches for building safer control systems related to this analogy: detecting mismatches between a controller’s view of the environment and its actual state can greatly prevent accidents. We survey existing work on the topic and look for ways of systematically comparing, assessing, and devising effective monitoring solutions, from the detection of a simple component failure to the circumvention of flaws in the system requirements specification.

The contribution software and hardware can make to hazardous failures has long been understood and well covered by standards and guidance. We suggest the role of data in influencing the safe operation of systems is equally important but this has not attracted the same level of attention; there is no standardisation and little guidance on how the risks associated with data should be managed. The issue is becoming more acute as many types of data are now used to deploy, configure, operate, test and justify safety systems; the volume of data in systems is also growing at an unprecedented rate, along with the attendant risks – this is the “Data Elephant”, the 'elephant in the room' that can no longer be ignored. This paper presents progress the SCSC Data Safety Initiative Working Group (DSIWG) has made over the last year towards establishing guidance on how the risks associated with data can be appropriately identified and managed.

Swarm-based systems, i.e. systems comprising multiple simple, autonomous and interacting components, have become increasingly important. With their decentralised architecture, their ability to self-organise and to exhibit complex emergent behaviour, good scalability and support for inherent fault tolerance due to a high level of redundancy, they offer characteristics which are particularly interesting for the construction of safety-critical systems. At the same time, swarms are notoriously difficult to engineer, to understand and to control. Emergent phenomena are, by definition, irreducible to the properties of the constituents which severely constrains predictability. Especially in safety-critical areas, however, a clear understanding of the future dynamics of the system is indispensable. In this paper we show how agent-based simulation in combination with statistical verification can help to understand and quantify the likelihood of emergent swarm behaviours on different observational levels. We illustrate the idea with a simple case study from the area of swarm robotics.

The drive to realise new hydrocarbon assets deeper into the Arctic Circle, would require the development of an improved environmentally-centric technology as surance and acceptance criteria. These criteria demand that all installed systems are of high integrity. The high consequence of failure on the Arctic Circle environment demands that all systems are to be installed to safety standards as a minimum, for all aspects of the petroleum infrastructure. Offshore Oil and Gas duty holders will claim, and be required to demonstrate that the 'Environmental Integrity Level' (EIL) has been achieved in order to demonstrate conformance to the stringent Arctic Circle legislation.

Engineers of safety-critical systems have a duty to address ethical issues that may arise in the development, assessment, operation and maintenance of these systems. Dealing with ethical dilemmas during safety risk assessment is particularly challenging, especially when making and justifying decisions concerning risk acceptability. This is complicated by organisational issues and contractual limits that do not necessarily align with the boundaries of ethical responsibility. In this paper, we explore some of these dilemmas and discuss the duties of engineers to identify, analyse and respond effectively to ethical concerns about safety risk decisions. We illustrate these through short case studies that highlight particular issues relating to the ethics of safety advice, safety and cost tradeoffs, novel technologies and institutional support.

A good safety culture is widely characterised as communications founded on mutual trust, shared perceptions about the importance of safety, and confidence in harm prevention and protection measures. It provides any organisation both safety and financial benefits. Safety Culture first appears in literature in the mid-1960s but did not take hold as concept until the mid-1980s and different models have been developed to assess the Safety Culture of an organisation over the past 30 years. Many of these safety culture models measure a snap shot of characteristics but do not address the aspects of organisational change. Organisational models have been developed since the early 1960s, normally with the aim to model and understand the organisation’s performance and potential effects of change. I have conducted research on combining both organisational models and safety culture models over the past few years, leading to a list of factors/characteristics that could aid development of a combined Organisational and Safety Culture Model. In turn, this improved understanding could help organisations predict the effect of enforcing a particular change and detecting any weaknesses in the organisation structure. In addition, a combined model would aid risk management techniques such as Cost Benefit Analysis and in general, the overall process of measuring the health and safety performance of the organisation.

BAE Systems has a broad portfolio of products and undertakes a wide spectrum of activities to remove potential hazards and mitigate the risk of harm to people, property and the environment. The company’s approach to managing safety performance is informed by the recognition that, in continually evolving complex environments, it is essential to remain alert to potential issues and continuously review current practice. The academic literature provided key lessons from industry and research relevant to the continuous improvement of safety management. Namely, the influence of ‘organisational factors’ upon safety performance, the importance of combining control measures with an engaged safety culture to minimise risks, and the need to recognise that the safety culture of an organisation may differ across distinct aspects of safety (such as product safety and workplace safety).This paper discusses these lessons and their implications for managing safety performance and assessing safety culture. It then outlines the rationale behind the decision to develop a bespoke assessment in partnership with Greenstreet Berman (UK-based safety consultants), and the development of a framework to assess both product safety and workplace culture across the company. Underpinning the development of this prototype assessment is a greater understanding of the cultural factors that are common to both workplace and product safety and how these can support a holistic approach to assessing the impact of culture on different aspects of safety.