Whole Airspace Safety Case Meeting – Overview of Prior Work – 1 Whole Airspace Safety Case Meeting Overview of Prior Work Tim Kelly John McDermid Department.

Slides:



Advertisements
Similar presentations
Planning Reports and Proposals
Advertisements

Chapter 7 System Models.
Software Re-engineering
1 Probability and the Web Ken Baclawski Northeastern University VIStology, Inc.
Emerging Ontology Work Product Showcase 1 The EDM Council Semantics Repository: Building global consensus for the Financial Services Industry Mike Bennett.
Introduction to Product Family Engineering. 11 Oct 2002 Ver 2.0 ©Copyright 2002 Vortex System Concepts 2 Product Family Engineering Overview Project Engineering.
ASYCUDA Overview … a summary of the objectives of ASYCUDA implementation projects and features of the software for the Customs computer system.
1 Introduction to Safety Management April Objective The objective of this presentation is to highlight some of the basic elements of Safety Management.
1 Welcome Safety Regulatory Function Handbook April 2006.
Data Architecture at CIA Dave Roberts Chief Technical Officer Application Services, CIO CIA
SOA for EGovernment 1 Emergency Services Enterprise Framework: A Service-Oriented Approach Sukumar Dwarkanath COMCARE Michael Daconta Oberon Associates.
1 Practical Work and Experience With Performance Management ICAO Performance Management Symposium John Crichton, President and CEO NAV CANADA March 28,
Module N° 7 – Introduction to SMS
Whole Airspace ATM System Safety Case - Preliminary Study
Limitations of the relational model 1. 2 Overview application areas for which the relational model is inadequate - reasons drawbacks of relational DBMSs.
Audit Evidence Week 11.
|epcc| NeSC Workshop Open Issues in Grid Scheduling Ali Anjomshoaa EPCC, University of Edinburgh Tuesday, 21 October 2003 Overview of a Grid Scheduling.
Dependability analysis and evolutionary design optimisation with HiP-HOPS Dr Yiannis Papadopoulos Department of Computer Science University of Hull, U.K.
Project Appraisal Module 5 Session 6.
School Based Assessment and Reporting Unit Curriculum Directorate
IBM Corporate Environmental Affairs and Product Safety
Quality Assurance/Quality Control Plan Evaluation February 16, 2005.
Safety Cases: Purpose, Process and Prospects John McDermid, OBE FREng University of York UK.
Effective Contract Management Planning
Mapping Assurance to the Software Engineering Process Alfred H. Kromholz, Ph.D. The MITRE Corporation mitre.org Copyright © 2004.
Component-Based Software Engineering Main issues: assemble systems out of (reusable) components compatibility of components.
How to commence the IT Modernization Process?
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 28 Slide 1 Process Improvement 1.
Air Transport Association of Canada A presentation by John McKenna ATAC President and CEO.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 27 Slide 1 Quality Management.
Lecture 6: Software Design (Part I)
Using UML, Patterns, and Java Object-Oriented Software Engineering Chapter 1: Introduction.
Internal Control–Integrated Framework
2009 – E. Félix Security DSL Toward model-based security engineering: developing a security analysis DSML Véronique Normand, Edith Félix, Thales Research.
Addition 1’s to 20.
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapters 1,3 Slide 1 Software Engineering Software Engineering.
1 Safety Assurance JPDO Perspective Maureen Keegan 11 October, 2012.
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering 2.
The design process IACT 403 IACT 931 CSCI 324 Human Computer Interface Lecturer:Gene Awyzio Room:3.117 Phone:
Process Improvement.
1 Certification Chapter 14, Storey. 2 Topics  What is certification?  Various forms of certification  The process of system certification (the planning.
Industrial Avionics Working Group 19/04/07 Modular Certification Developing Safety Case Modules.
Industrial Avionics Working Group 13/09/06 Incremental Certification Phil Williams – General Dynamics (UK) Ltd Representing the Industrial Avionics Working.
Creating Architectural Descriptions. Outline Standardizing architectural descriptions: The IEEE has published, “Recommended Practice for Architectural.
Industrial Avionics Working Group 19/04/07 Architecture Integration.
Iterative development and The Unified process
ISO 9001 Interpretation : Exclusions
Industrial Avionics Working Group 18/04/07 Modular Certification Safety Case Contracts.
Software Issues Derived from Dr. Fawcett’s Slides Phil Pratt-Szeliga Fall 2009.
System Engineering Instructor: Dr. Jerry Gao. System Engineering Jerry Gao, Ph.D. Jan System Engineering Hierarchy - System Modeling - Information.
Course Instructor: Aisha Azeem
Exmouth House 3–11 Pine Street London EC1R 0JH T F E W CAE – Next generation and Building.
Romaric GUILLERM Hamid DEMMOU LAAS-CNRS Nabil SADOU SUPELEC/IETR.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 18 Slide 1 Software Reuse.
T. Dawson, TASC 9/11/13 Use of a Technical Reference in NASA IV&V.
1 Introduction to Software Engineering Lecture 1.
Open Platform for EvolutioNary Certification Of Safety-critical Systems Large-scale integrating project (IP) Nuanced Term-Matching to Assist in Compositional.
Copyright Prof. Dr. Shuichiro Yamamoto Prof. Dr. Shuichiro Yamamoto Nagoya University.
Software Safety Case Why, what and how… Jon Arvid Børretzen.
Specific Safety Requirements on Safety Assessment and Safety Cases for Predisposal Management of Radioactive Waste – GSR Part 5.
Making knowledge work harder Process Improvement.
Review of Parnas’ Criteria for Decomposing Systems into Modules Zheng Wang, Yuan Zhang Michigan State University 04/19/2002.
International Atomic Energy Agency Regulatory Review of Safety Cases for Radioactive Waste Disposal Facilities David G Bennett 7 April 2014.
Formal Specification: a Roadmap Axel van Lamsweerde published on ICSE (International Conference on Software Engineering) Jing Ai 10/28/2003.
Banaras Hindu University. A Course on Software Reuse by Design Patterns and Frameworks.
Process 4 Hours.
The design process Software engineering and the design process for interactive systems Standards and guidelines as design rules Usability engineering.
The design process Software engineering and the design process for interactive systems Standards and guidelines as design rules Usability engineering.
CSSSPEC6 SOFTWARE DEVELOPMENT WITH QUALITY ASSURANCE
Chapter 9 Architectural Design.
Presentation transcript:

Whole Airspace Safety Case Meeting – Overview of Prior Work – 1 Whole Airspace Safety Case Meeting Overview of Prior Work Tim Kelly John McDermid Department of Computer Science University of York, UK

Whole Airspace Safety Case Meeting – Overview of Prior Work – 2 Research in York High Integrity Systems Engineering (HISE) Group safety, systems and software engineering strong links with aerospace industry BAE SYSTEMS, Rolls-Royce other links DaimlerChrysler, Siemens Work on safety cases over nearly a decade principles of structuring safety cases and presenting arguments goal structuring notation (GSN) GSN supported by commercial tools SAM, Adelard ASCE ongoing research, e.g. to modularise safety cases Also teaching via MSc and for industrial clients

Whole Airspace Safety Case Meeting – Overview of Prior Work – 3 Safety Case as a Logical Concept The Safety Case is the totality of the safety justification + all the supporting material: testing reports, validation reports, relevant design information etc The Safety Case Report is the document that summarises all the key components of the Safety Case and references all supporting documentation in a clear and concise format We wish to steer away from the Safety Case = Document paradigm

Whole Airspace Safety Case Meeting – Overview of Prior Work – 4 Starting Point: Argument & Evidence A safety case requires two elements: Supporting Evidence Results of observing, analysing, testing, simulating and estimating the properties of a system that provide the fundamental information from which safety can be inferred High Level Argument Explanation of how the available evidence can be reasonably interpreted as indicating acceptable safety – usually by demonstrating compliance with requirements, sufficient mitigation / avoidance of hazards etc Argument without Evidence is unfounded Evidence without Argument is unexplained Much of our prior work has focused upon establishing better means of developing, presenting, maintaining and reuse safety arguments

Whole Airspace Safety Case Meeting – Overview of Prior Work – 5 Safety Case Contents Exact contents depends on regulatory environment The following are key elements of most standards: scope system description system hazards safety requirements risk assessment hazard control / risk reduction measures safety analysis / test safety management system development process justification conclusions However …

Whole Airspace Safety Case Meeting – Overview of Prior Work – 6 Safety Case is NOT just a collection of disparate pieces of information Safety Argument should form the spine of the Safety Case showing how these elements are related and combined to provide assurance of safety within the limits defined [Scope], the system [System Description] is SAFE because all identified hazards [System Hazards] and requirements [Safety Requirements] have been addressed. Hazards have been sufficiently controlled and mitigated [Hazard Control / Risk Reduction Measures] according to the safety risk posed [Risk Assessment]. Evidence [Safety Analysis / Test] is provided that demonstrates the effectiveness and sufficiency of these measures. Appropriate roles, responsibilities and methods were defined throughout the development of this system [Development Process Justification] [Safety Management System] and defined future operation Safety Arguments

Whole Airspace Safety Case Meeting – Overview of Prior Work – 7 The Goal Structuring Notation 1 Purpose of a Goal Structure To show how goals are broken down into sub-goals, and eventually supported by evidence (solutions) whilst making clear the strategies adopted, the rationale for the approach (assumptions, justifications) and the context in which goals are stated A/J

Whole Airspace Safety Case Meeting – Overview of Prior Work – 8 A Simple Goal Structure

Whole Airspace Safety Case Meeting – Overview of Prior Work – 9 GSN: Advantages and Disadvantages Advantages: Simple Structured Hierarchical Breakdown Expressive (captures the elements most important to safety arguments) & Capable Can be used at various stages of argument development Method guidance exists (e.g. concerning syntax) Semantics well defined and understood Increasingly being adopted by companies Disadvantages: Learning curve (Easy to read, harder to write) Doesnt stop you writing bad arguments!

Whole Airspace Safety Case Meeting – Overview of Prior Work – 10 Existing GSN Applications MoD: Site Safety Justifications (Complex Multi-facility, Multi-role safety case) BAE SYSTEMS: (Parts of) Eurofighter Safety Justifications Railtrack / Siemens: Dorset Coast Re-signalling Project BAE SYSTEMS: (Parts of) Nimrod BAE SYSTEMS: South African Hawk MoD: Harrier Informative parts of CAA SW01 RR: Various Submarine Propulsion Justifications RAF: UK ASACS – Military Air Traffic Management Westinghouse: Underground Jubilee Line Extension Swedish Air Traffic Control Systems …

Whole Airspace Safety Case Meeting – Overview of Prior Work – 11 Safety Case Patterns Rather than successful ways of putting buildings or software objects together... Capture successful argument approaches that can be used within the safety case Best practice arguments, capturing: Company expertise Successful certification approaches Tools of the trade Dealing with the semantics rather than the syntax of the safety case Combines the two elements of GSN & Patterning

Whole Airspace Safety Case Meeting – Overview of Prior Work – 12 Instantiate and Develop Instantiate Choose GSN Pattern Description GSN extended to support structural & entity abstraction in order to represent generalised arguments. Multiplicity

Whole Airspace Safety Case Meeting – Overview of Prior Work – 13 Safety Case Pattern Examples Patterns emerge at many different levels in a safety argument: Top Down: e.g. Hazard Directed Breakdown Bottom Up: e.g. Fault Tree Evidence General Construction: e.g. Safety Margin There are opportunities for both: Horizontal Reuse (across domains) e.g. Software Integrity Argument, ALARP Vertical Reuse (within a specific domain) e.g. against MoD Safety Assessment Principles Examples of Domain Specific, Company Derived, GSN Pattern Catalogues exist – e.g. Westinghouse Jubilee Line work, ongoing NATS work (Process Arguments)

Whole Airspace Safety Case Meeting – Overview of Prior Work – 14 Modular Safety Cases An attempt to establish a modular, compositional, approach to constructing safety cases that has a correspondence with the structure of the system underlying architecture Many possible uses Integrated Modular Avionics (Application and Infrastructure) Safety Cases System of Systems Safety Case interrelation System Software Safety Case interrelation

Whole Airspace Safety Case Meeting – Overview of Prior Work – 15 Safety Case Module Partitioning (Assuming a top-down progression of objectives- argument-evidence) Safety cases can be partitioned into modules both horizontally and vertically: Vertical (Hierarchical) Partitioning - Claims of one safety argument serving as objectives of another (e.g. simple system-software safety case split) Horizontal Partitioning - One argument providing the assumed context of another (e.g. argument that All system hazards have been identified assumed context of an argument that All identified system hazards have been sufficiently mitigated)

Whole Airspace Safety Case Meeting – Overview of Prior Work – 16 Safety Case Module Interfaces Safety case module interface must identify: Arguments, evidence and context of the module itself + How safety case module depends upon the arguments, evidence or assumed context of other modules Example interface format: 1.Objectives addressed by the module 2.Evidence presented within the module 3.Context defined within the module 4.Arguments requiring support from other modules Inter-module dependencies: 5.Reliance on objectives addressed elsewhere 6.Reliance on evidence presented elsewhere 7.Reliance on context defined elsewhere

Whole Airspace Safety Case Meeting – Overview of Prior Work – 17 Handling Modules in GSN Away Goal Safety Case Module

Whole Airspace Safety Case Meeting – Overview of Prior Work – 18 GSN Based Safety Case Interface (1)

Whole Airspace Safety Case Meeting – Overview of Prior Work – 19 Safety Case Contracts Explicitly recorded basis of agreement between two interrelated safety case modules

Whole Airspace Safety Case Meeting – Overview of Prior Work – 20 Summary The Goal Structuring Notation provides means of explicitly developing and presenting safety arguments Most benefit if applied early in lifecycle Safety Case Patterns help capture common forms of argument that exist in safety cases Can be useful in attempting to standardise structure of arguments constructed Safety Case Modules provide means managing partitioned safety case arguments and the interrelationships that exist between partitions Useful concept for planning safety cases in-the-large Already considerable take up of GSN Expect patterns and modules to help with broader acceptance Probably necessary to deal with a whole airspace safety case

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.