The SCSC publishes a range of documents:
The club publishes its newsletter Safety Systems three times a year in February, June and October. The newsletter is distributed to paid-up members and can be made available in electronic form for inclusion on corporate members' intranet sites.
The proceedings of the annual symposium, held each February since 1993, are published in book form. Since 2013 copies can be purchased from Amazon.
The club publishes the Safety-critical Systems eJournal (ISSN 2754-1118) containing high-quality, peer-reviewed articles on the subject of systems safety.
If you are interested in being an author or a reviewer please see the Call for Papers.
All publications are available to download free of charge by current SCSC members (please log in first); recent books are available as 'print on demand' from Amazon at reasonable cost.
The proceedings from SSS'13 are available to buy in traditional book form from Amazon or, if you only want one or two papers, as a PDF download directly from the web site (free to members).
You can also watch the presentations on the IET.tv channel.
Use the links below to select your preferred viewing / reading option.
Contents
Allan Bain
Defence Safety and Environment Authority, Ministry of Defence
Bristol, UK
Abstract This is a review of the safety certification and approval process within UK defence systems and forms part of a set of papers describing certification regimes across a number of industries for the Safety-critical Systems Symposium 2013. Since the range of transportation and infrastructure used within the defence sector draws from all other environmental domains combined, the safety regimes of each UK defence system reflect the civil domains they are drawn from. For this reason, the paper describes the system safety regime within UK warships, including their software-intensive systems.
Ron Bell
Engineering Safety Consultants Ltd
London, UK
Abstract This paper focuses on the safety assurance measures within international standard IEC 61508, 'Functional safety of electrical, electronic and programmable electronic safety-related systems'. IEC 61508, and other sector and product standards developed from it, have had a major impact on the application of electrical, electronic and programmable electronic safety-related systems. In particular, the paper examines the safety assurance measures that are part of the compliance requirements within IEC 61508. The paper provides an overview of the key features of IEC 61508 which are relevant to effective assurance as well as covering the explicit assurance measures such as functional safety assessment, functional safety audit, verification and validation. The paper also covers various models for certification that have developed in relation to IEC 61508.
Dewi Daniels
Verocel Limited
Trowbridge, UK
Abstract This paper describes how system safety is addressed in the design of civil airliners, particularly of software-intensive avionics systems. This paper is intended to be one of a set of papers that describe how certification is carried out in a number of industries.
Roger Rivett
Jaguar Land Rover
Gaydon, UK
Abstract This paper describes the different approaches that countries use to regulate the sale of passenger cars in their domestic markets. It also describes some of the other pressures on manufacturers and suppliers to produce products that do not cause injury. This paper is intended to be one of a set of papers that describe how certification is carried out in a number of industries.
Peter Sheppard
Bombardier Transportation RCS
Reading, UK
Abstract In this paper I intend to share with you the evolution of the railway acceptance process (mainly in the UK, but there will be forays into other countries), and the changes in processes, methods and techniques that have had to be made by suppliers as a result of this evolution, leading up to where the UK acceptance process is in the current day.
John Thomas and Nancy Leveson
Complex Systems Research Laboratory, MIT
Cambridge, MA USA
Abstract Systems Theoretic Process Analysis (STPA) is a powerful new hazard analysis method designed to go beyond traditional safety techniques - such as Fault Tree Analysis (FTA) - that overlook important causes of accidents like flawed requirements, dysfunctional component interactions, and software errors. While proving to be very effective on real systems, no formal structure has been defined for STPA and its application has been ad hoc with no rigorous procedures or model-based design tools. This paper defines a formal mathematical structure underlying STPA that can be used to rigorously identify potentially hazardous control actions in a system. A method for using these unsafe control actions to generate formal safety-critical, model-based system and software requirements is presented based on the underlying formal structure, as well as a way to detect conflicts between safety and other functional requirements during early development of the system.
Stephen Thomas (1) and Derek Fowler (2)
(1) Entity Systems Ltd, Cheltenham, UK
(2) JDF Consultancy LLP, Chichester, UK
Abstract The Airborne Collision Avoidance System (ACAS) has been in use worldwide for many years as a 'last resort' means of preventing aircraft mid-air collision. Although its efficacy was predicted via extensive simulation studies, measurement of actual collision risk reduction in the airspace is impractical. Furthermore, ACAS had not been subjected to contemporary safety assessment practices. Upon its mandated deployment in European airspace, ACAS therefore presented a unique opportunity to apply state-of-the-art thinking on air traffic management safety cases (the so-called 'success and failure' approach) to a mature operational system. The paper describes the background to the safety case, the safety assessment process that underpinned it by synthesising hitherto missing evidence, and some of the safety issues it has revealed.
Linling Sun and Tim Kelly
University of York
York, UK
Abstract Unlike argumentation in safety cases, evidence (also an important component) has received less attention in the literature. In this paper, we compare the concept of evidence in different disciplines and analyze the characteristics of evidence in the safety domain. A model of evidence is proposed for a better understanding of evidence and its evaluation. Evidence assertions, the minimal assertions that are drawn out of the source data of evidence, are explained with the model. The model will provide clarity to the interface between evidence and argument that is useful for confidence establishment in safety cases.
Anaheed Ayoub, Jian Chang, Oleg Sokolsky and Insup Lee
Computer and Information Science Department, University of Pennsylvania
Philadelphia, PA, USA
Abstract Safety cases offer a means for communicating information about the system safety among the system stakeholders. Recently, the requirement for a safety case has been considered by regulators for safety-critical systems. Adopting safety cases is necessarily dependent on the value added for regulatory authorities. In this work, we outline a structured approach for assessing the level of sufficiency of safety arguments. We use the notion of basic probability assignment to provide a measure of sufficiency and insufficiency for each argument node. We use the concept of belief combination to calculate the overall sufficiency and insufficiency of a safety argument based on the sufficiency and insufficiency of its nodes. The application of the proposed approach is illustrated by examples.
Alejandra Ruiz (1), Huáscar Espinoza (1), Fulvio Tagliablò (2), Sandra Torchiaro (2) and Alberto Melzi (2)
(1) TECNALIA Research and Innovation, Zamudio, Spain
(2) Centro Ricerche FIAT, Turin, Italy
Abstract Modern engineering and business practices in the automotive domain use massive subcontracting of SW/HW components and subsystems. We present preliminary research towards applying a quantitative, compositional safety assurance approach based on the ISO 26262 concept of SEooC (Safety Element out of Context). In this approach a component must be evaluated against 'assumed' operational context conditions in a quantitative manner (based on compatibility/gap analysis), instead of using inspections. Once the component becomes part of a specific system in an actual operational context, the evaluation is optimised by comparing assumed context conditions against actual context conditions. We propose a classification to organize information about assumptions and guarantees and outline a procedure to systematically manage their specification, validation and gap analysis.
Jonathan Storey
INVENSYS Rail Systems Ltd
Chippenham, UK
Abstract The re-signalling of the Victoria line and introduction of distance-to-go automatic train operation was a major London Underground (LU) project completed in time for the 2012 Olympics. The development and re-signalling was carried out by Invensys Rail Limited (IRL) in collaboration with the train builder (Bombardier) and LU, and was unique in both its design and implementation. The upgrade aims were to deliver a complete re-signalling replacement whilst minimising service disruption. This was achieved via a staged overlay system which was implemented as a hybrid signalling system, controlling both existing and new rolling stock simultaneously. This provided considerable assurance challenges in both managing the system hazards and system approvals. This paper focuses on the management of the staged project delivery whilst tracking and maintaining a robust safety argument.
Nick Sibley (1), Chris Elliott (2) and Bill Walby (1)
(1) BAE Systems, Newcastle, UK
(2) Pitchill Consulting Ltd, Cranleigh, UK
Abstract In 2010 BAE Systems conducted a review of the management of product safety across all its sectors. The review examined many issues associated with the safety of the company's products and consulted widely with its businesses around the world. The outcome of the review was a set of four principles:
The principles were tested by examining how six other sectors (automotive, civil aviation, construction, health, offshore, and rail) address their equivalent challenge. This paper explains the four principles and provides detail of the associated research and findings.
John Allan and James Carr
Military Aviation Authority
Bristol, UK
Abstract The Military Aviation Authority was formed in April 2010 in response to a review into the loss of Nimrod XV230 in September 2006. It was tasked with the rewriting of the defence aviation regulations and to reassess the defence air environment's approach to risk management. Two years on, a new suite of aviation regulations has been published and defence aviation Risk-to-Life is now clearly owned by those responsible for the people at risk.
Yoshiki Kinoshita and Makoto Takeyama
National Institute of Advanced Industrial Science and Technology (AIST)
Amagasaki, Japan
Abstract A framework is given to formulate an assurance case as a pair of a formal theory (vocabulary and basic assumptions; a formal model) and a proof in it, thus objectifying ontological presumptions separately from reasoning based on it. Our formulation is given in Agda, a programming and proof description language based on constructive type theory. Emphasis on explicit presumptions improves upon currently prevailing structured-argument notations such as GSN and CAE. Changes and vagueness in modern complex systems must be reflected by rebuttals to their assurance cases. We sketch our approach to formulate rebuttals to that end, where objectification of ontological presumptions works effectively.
John Colley and Michael Butler
Electronics and Computer Science, University of Southampton
Southampton, UK
Abstract System-Theoretic Process Analysis (STPA) from Leveson is a technique for hazard analysis developed to identify more thoroughly the causal factors in complex safety-critical systems, including software design errors. Event-B is a proof-based modelling language and method that enables the development of specifications using a formal notion of refinement. We propose an approach to hazard analysis where system requirements are captured as monitored, controlled, mode and commanded phenomena and STPA is applied to the controlled phenomena to identify systematically the safety constraints. These are then represented formally in an Event-B specification which is amenable to formal refinement and proof.
Robert Dewar
New York University and AdaCore
New York, USA
Abstract Traditionally, e.g. when using DO-178B, we have relied on structured and formalized testing to assure safety, but the limitations of testing are well known. On the other hand, it is not feasible to use proof techniques for an entire application. That's partly a limitation of our proving capabilities, but partly fundamental. For instance we can't easily prove that the specification itself is correct or that the hardware operates as expected. So we will always be stuck with some testing. This paper discusses how testing and proof are used in practice, and considers the issue of how to combine tests and proofs in a single application.
Chris Hobbs and Akramul Azim
QNX Software Systems
Ottawa, Canada
Abstract Designing a system with safety requirements means balancing the system's safety, security and functionality (usefulness) requirements so that, while the system is adequately safe and secure, it is also useful. This paper draws on the authors' practical experience designing such systems to explore the relationships between these antagonistic requirements, and presents a simple example illustrating their implications for safe and useful system design.
Paul Chinneck and Gavin Wilsher
Altran Praxis
Bath, UK
Abstract As military systems become increasingly complex, so does the requirement to argue acceptable levels of safety. Many long-established design standards favour mitigating safety risk by design, and view mitigation by procedure of lesser value. However, recent experience has shown that this 'design everything in' philosophy can remove flexibility - some military users regularly mitigate risk through a combination of procedure and design, and are generally happy to accept more risk to gain the flexibility that this brings.
A natural tension therefore exists between the 'classical' approach of designing in safety, and an alternative approach that adjusts the design/procedural split to gain operational flexibility.
Gabriele Schedl and Lukas Fritz
Frequentis AG
Vienna, Austria
Abstract A system is typically defined as a combination of people, procedures and equipment, but many safety analyses focus just on the equipment part. Even safety standards, e.g. IEC 61508, hardly cover human factors. One reason could be that most of the common safety tools can only be applied to hardware, some of them also to software, but they often neglect the human factors. Successful system safety cannot be addressed without this important contributor. The human factors engineering discipline needs to become an integrated part of system safety analyses. This paper will address some practical examples of the non-fulfilment of this requirement with the consequences and will also discuss some practical improvements of the current situation.
Keith Jones
Atkins Defence
Bristol, UK
Abstract In recent years the Ministry of Defence (MOD) has suffered a number of accidents during its operations which have resulted in fatalities. The most recent was the loss of Nimrod XV230 and its crew in 2006 during operations in theatre in Afghanistan. The accident prompted an investigation culminating in a report by Charles Haddon Cave QC (Haddon-Cave 2009). The report highlights a number of failings in safety management one of which is key, ‘a process driven and document heavy safety culture’. The report recommended a number of improvements to cultivate a strong safety culture, the importance of which the MOD has recognised and the organisation has begun implementing major changes to its organisational structure.
This paper analyses safety culture, reviewing and breaking down the definitions of safety culture to create a model in which it can be measured. Safety culture relates to an organisation’s perception of safety, through the attitudes, beliefs, and understanding of the people within an organisation. Therefore the paper focuses on the human element of a safety management system, developing and using the model to identify competence as a critical component in safety culture.
To provide a means of measuring competence, a questionnaire study has been developed using practice and guidance from the HSE and IET. The questionnaire is designed to identify specific human factors which have influenced the results.