Safety standards provide great value, but despite their benefits, standards and the culture that goes with them have a variety of weaknesses. In this paper, I review these various weaknesses and propose a new approach that defines a technical structure for standards based on desired properties of conformant artifacts, a development and maintenance process designed to ensure technical quality, and a funding model designed to make standards both freely available and revenue generators for their developers.

This paper gives a perspective on the suite of documents that has replaced DO-178B. It covers the rationale behind DO-178C, why it was needed and what publications have been produced as a result of the six years of effort in WG-71 and SC-205. It also highlights the follow on activity in the Forum on Aeronautical Software.

When Def Stan-00-55 (MOD 1997) was declared obsolete on 29 April 2005, there was an expectation that Def Stan 00-56 would provide guidance on how to develop and procure safety related software. That has proved elusive despite a number of attempts to provide the MOD with material that would assist its suppliers of safety related software. However, Def Stan 00-55 continued to be one of the most frequently downloaded defence standards and coupled with the MOD’s need for clarity and consistency when procuring safety related software, it has been decided to re-issue the standard. This paper provides an insight into the rationale and main drivers behind its re-introduction and focuses on the principles and strategic intent of the standard compared with its predecessor.

Until quite recently, all the work towards being able to achieve EMC compliance with functional safety standards, for IET guidance and IEC standardization, assumed that it would be the responsibility of EMC engineering personnel. They would have needed to develop the necessary skills and expertise to achieve levels of EMC design confidence that were at least an order of magnitude (e.g. for SIL1) higher than is currently achieved. This has not proved to be practical for several reasons, so instead the IET has now developed guidelines that only need practitioners of EMC engineering and functional safety hardware/software design (and its independent assessment) to develop their existing skills and expertise by a reasonable amount to achieve EMC for functional safety for any SIL.

It is increasingly clear that data, not just systems and software, can be a safety problem and the SCSC has recently promoted efforts to look at the issue of data in safety systems. This started with a seminar ‘How to stop data causing harm’ held in December 2012 and has progressed with 6-weekly meetings of a working group during 2013. The group, comprising industry, academic, government and independent consultants is producing a guidance document, entitled ‘Guidance for management of data where safety is an issue: managing the risks of dataware in safety-related and safety-critical systems’. The objective of the guidance is to describe the safety data problem, and initially, for key data types and lifecycles, provide methods for defining the level of risk and recommended strategies for safety risk reduction. This paper presents the progress in developing this guidance, and provides an outline of the next phase of this work, which will include production of supplementary material for incorporation into existing safety standards.

With the increase in commercial off-the-shelf components being used to produce complex systems the safety engineer is presented with a variety of standards on which to base a cohesive safety case. Low volume suppliers also do not have the leverage with suppliers to produce high integrity versions of components and sub-systems. Compressed timescales do not allow for reverse engineering to allocate an integrity level. This paper discusses a risk management process based around accident sequencing. This uses event trees as a framework on which to place controls or mitigations conforming to a variety of standards.

Recent years have seen changes in the way that companies in a number of industries have responded to a changing market environment where the demand for intelligent service contracts and the requirements of corporate social responsibility continue to rise. Central to these changes is a modified approach to the theme of increasing services provision. Reductions in the delivery of new products and the extensions to life of existing products has forced companies to reconsider their existing product portfolios and how they can generate new business from the maintenance, through life upgrade and support of the products they previously supplied. BAE Systems like others in the defence arena has done this and in doing so has considered what changes it has had to make, and continues to make, to the way in which it now looks at and ensures the safety and performance integrity of its products in all aspects of its operations.
 
This paper draws together the journey that BAE Systems has been (and continues to be) travelling down as it moves to delivery of a more service oriented portfolio of products, and the research that Cambridge University has been pursuing to better understand how accountabilities are managed for service through-life (Fuse, 2013). It should be recognized that this paper represents initial thoughts and analysis on Through Life Accountability and recognizes the need to pursue further research and analysis before the Company has a more fully informed understanding of how it can best use this information to improve its service provision.

The new functional safety standard for the automotive industry, ISO 26262, emphasises the need for through-life monitoring of system safety for systems and products containing electronic and electrical systems. The information management challenge that this presents for the automotive industry and OEMs in particular, requires a step-change in the way that design and development activi-ties are structured and managed. This paper examines the strategic implications of ISO 26262 for the automotive sector and sets out guidance on the practices and business models that companies should develop to succeed in this new environ-ment. The automotive industry is facing a critical phase and how companies choose to manage their information will be integral to their survival beyond 2020.

This paper describes the simple, cost effective and robust methodology for electronic site safety cases currently being utilised by Defence Munitions (DM) to demonstrate that all its depots have a consolidated risk management approach to their wide ranging activities, which meets the significant regulatory burden applicable to a complex industrial site dealing with high explosives, fuel and chemical hazards, often in surroundings designated as areas of significant envi-ronmental interest, such as Sites of Special Scientific Interest. Having been suc-cessfully trialled at two sites (DM Kineton and DM Gosport), it is now being rolled out across all DM sites. Although the work described here is in an explosives context, the application of the approach is potentially useful across other complex high risk industrial domains.

This paper introduces the new international Engineering Safety Management (iESM) guidance for the worldwide railway industry been developed by Technical Programme Delivery Ltd and reviewed by an international working group of senior practitioners, supported by MTR Corporation Hong Kong. The aims of the new iESM guidance are to help:

• tackle the pressures from increased complexity of railway systems
• address decreased public and passenger tolerance for avoidable accidents
• focus spending on preventing incidents and smooth the way for acceptance of new technology or novel applications.

The guidance has been written principally for people around the world who use their judgement to take or review decisions that affect railway safety and to help them exercise their judgement in a systematic and informed manner. iESM was launched to enthusiastic support in Hong Kong and Florida in April 2013 and work has continued to develop more detailed guidance application in the areas of inde-pendent assessment, human safety and evaluating risk. The guidance is freely available form www.intesm.org where progressively other useful and relevant information is being made available.

Many of the railway control systems currently in use on the UK rail infrastructure are a patchwork of modern technologies interlaced with remnants of the original Victorian era and therefore many of the current upgrade programmes seek to provide a single control technology for both the infrastructure and the trains. These upgrade programmes have therefore also demanded changes in the technologies that provide train protection systems and train regulation. Perhaps one of the widest ranging changes currently being planned for imminent future implementation is Network Rail’s Traffic Management Solution. This system will be highly dependent on commercial computational platforms and data. While these systems are not new, they are all in existence on other railways around the world, the salient safety issues are the scale, scope and nature of the proposed span of control and the means by which a safety argument may need to be constructed to demonstrate safety. This paper will illustrate the integrity required from the ‘controlling element’, akin to a signalling control centre, and hence identify the significant challenges for the Traffic Management Solution, its equipment and system acceptance.

Safety and security are different but closely related concepts. Security is especially relevant in domains like finance, and safety is especially relevant in domains like healthcare and aviation. We review some of the safety problems besetting healthcare IT systems, and we show that some problems are technically open to improvement. Given that there are almost-free technologies (e.g., as part routine software upgrades) to improve safety, it is important to explore the reasons why healthcare safety does not get the priority that, for instance, security does in finance or safety does in aviation.

In an integrated change management project, human factors and functional safety cannot be considered separately. Both must work closely together to provide appropriate and comprehensive assurance for the introduction of complex changes to safety critical industries. This paper presents case studies of two different projects where safety and human factors were joined up in a coherent set of activities across all project phases. The first project looks at the UK airspace de-sign changes to air traffic management in preparation for the London 2012 Olym-pics. The second examines the introduction of an advanced set of controller tools (iFACTS), introduced at the Swanwick London Area Control Centre in 2011. Both case studies represent examples of effective integration of safety and human factors assurance activities.

The industry has learnt a lot about ‘safety culture’ through safety incidents. The need to create a method to establish safety culture is gaining a lot of importance. The industry as on date lacks a standard model to determine the value of safety associated with safety culture. The proposed Safety Maturity Model (SaMM) will assist organizations engaged in developing safety applications (products and associated services) in defining empirical measurements to measure the safety maturity and safety capability index. This would in turn enable organizations to identify the actions required to improve safety culture and capability. The model is based on industry safety and security standards and CMMI. SaMM assesses the current state and proposes methods to continuously improve the safety culture and reduce the residual safety risk of the organization. SaMM proposes four maturity levels – performing, managing, predicting and optimizing. Each level will have focus areas and associated conditions of satisfaction. SaMM proposes measurements around each level which can be used to measure the capability index and safety maturity. SaMM will potentially increase the confidence in using the safety products among the users and will potentially reduce the product recalls for the Original Equipment Manufacturers (OEMs) and improve the safety culture.

Within the aviation regulatory system the current system safety assessment requirements have been around for 30 years or so and have made significant improvements in overall systems integrity, reliability and safety. However, these requirements are underpinned by some simple assumptions on system design whose continued use may no longer be regarded as appropriate given the highly integrated and complex systems in modern aircraft and the ever more integrated total aviation system that is currently being developed. This paper discusses some potential implications of this and questions what should we be considering for the future.

In this paper the requirements of the upgrade of a cockpit avionics display for a military rotary-wing platform will be presented. The use of open standards-based architectures including ARINC 653 and ARINC 661 with COTS hardware platforms to meet these requirements will be considered. Experience gained by the use of these technologies on a European military helicopter programme will be presented, including the benefits of modular and incremental safety certification and positive impact in reducing operational and through-life costs.

The control and protection of nuclear power plants has become increasingly dependent on the use of computers. The UK nuclear regulatory regime requires that a safety case be developed to justify and communicate their safety. There are several ways of constructing such a safety case. In the past, safety justifications tended to be standards-based – compliance to accepted practice was deemed to imply adequate safety. Over the last 20 years, there has been a trend towards an explicit claim-based approach, where specific safety claims are supported by ar-guments and evidence at progressively more detailed levels. These approaches are not mutually exclusive, and a combination can be used to support a safety justifi-cation. In fact, for the most critical systems it can be argued that a safety case should consider both aspects. For less critical systems, one might believe that one approach would suffice. This paper discusses software-based systems with only a modest integrity requirement, and the interplay of the two approaches. It describes our experience with justifying such systems for the nuclear industry, and it claims that there are a number of benefits of taking both approaches together.

Multiple failures of components due to shared causes, also known as Common Cause Failures (CCF), comprise an important class of failure types. These have to be taken into account in any serious assessment of safety critical systems deploying any redundancy concept. Whereas a qualitative assessment of CCF can be regarded as common practice, the exact numerical impact of CCF is usually less widely understood. Explicit representation of CCF is quite cumbersome and usually involves complex graphical representations within fault trees and RBDs. Focusing on a correct derivation of RAM-data rather than on a comprehensive common cause analysis, an implicit representation of CCF therefore is often preferred but involves in-depth knowledge of underlying mathematical models. This paper aims to enable safety experts to make a fast, simple but effective RAM-analysis including CCF. Popular CCF models are reviewed together with their advantages and disadvantages based on the long-term experience of a supplier in the context of a large European ATM project. The single-parameter beta-factor model is explained in detail and demonstrated to be most effective for typical ATM applications. Based on this model, results are given in terms of representative figures depicting the influence of CCF on various typical real world availability requirements.

Standardisation, organisation and control have brought economic benefits through the application of computer based systems to large governmental, industrial and retail organisations. These benefits are also being sought from areas and organisations with a safety related context. Typically these systems employ standardised applications and large volumes of data. Such data represents individ-uals, system elements, their relationships and histories. Application areas span health care provision to transportation, welfare to governmental policy. In these systems it is often unclear how data errors influence the overall system behaviour or individual system outcomes. This paper provides a framework to classify the use (and reuse) of data within such systems. In addition this paper seeks to identify the ‘barriers to escalation’ that would mitigate the influence of data errors on system safety and restrict their propagation across the connected systems.

Given that we cannot prove the safety of software (in a system context) we are forced to wrestle with the issue of confidence in software certification. Some draw confidence from compliance with software assurance standards and believe this is sufficient, yet we do not have consensus in these standards. Some establish confidence through the process of constructing and presenting a software assurance case, but ignore the experience and ‘body of knowledge’ provided by standards. Some (sensibly) use a combination of these approaches. Using a framework of 4+1 principles of software safety assurance, this paper discusses where and how in current safety-critical software development and assessment approaches confidence is typically won and lost. Based on this assessment, we describe how the activity and structure of an assurance case should best be targeted to explicitly address issues of confidence.

Procurement of safety-critical and safety-related systems is a complex process involving both technical and social acceptance processes. There are a number of modelling techniques that can be used to analyse system failures – such as Systems Theoretic Accident Modelling and Processes (STAMP), responsibility modelling, and Human Factors Analysis and Classification System (HFACS). This paper undertakes a retrospective analysis of a major Ministry of Defence (MoD) aircraft accident using two techniques to try and identify the system failures associated with the procurement of software. This is undertaken via application of two differing techniques and an analysis of the results obtained. The analysis highlights many potential system failures across a diverse set of groupings in-cluding skill based, financial/resource based and process based failures. The anal-ysis demonstrates that the techniques have particular strengths but also that they do not cover all potential issues. Finally, the paper proposes that there are more important lessons to be learned – such as the socio-technical issues surrounding the decision making processes. The use of such models could be extended to include the determination and analy-sis of safety acceptance decision processes thus identifying where confidence is required to support the decision making process prior to it being necessary.

Safety-critical systems increasingly rely on the correct operation of software, and software relies on the correct operation of the compiler. Even for a superficially simple language such as C, the compiler is an extremely complex program, and any development uses only a subset of the compiler's capabilities. This paper builds on the observation that checking the correctness of the output of an algorithm is easier than checking the algorithm itself, and argues that validating a particular compilation is more productive than validating the compiler itself. We describe techniques previously proposed for validating compilations and present a more practical alternative.