Download presentation
Presentation is loading. Please wait.
Published byJessica McClure Modified over 10 years ago
1
Whole Airspace Safety Case Meeting – Overview of Prior Work – 1 Whole Airspace Safety Case Meeting Overview of Prior Work Tim Kelly John McDermid Department of Computer Science University of York, UK
2
Whole Airspace Safety Case Meeting – Overview of Prior Work – 2 Research in York High Integrity Systems Engineering (HISE) Group safety, systems and software engineering strong links with aerospace industry BAE SYSTEMS, Rolls-Royce other links DaimlerChrysler, Siemens Work on safety cases over nearly a decade principles of structuring safety cases and presenting arguments goal structuring notation (GSN) GSN supported by commercial tools SAM, Adelard ASCE ongoing research, e.g. to modularise safety cases Also teaching via MSc and for industrial clients
3
Whole Airspace Safety Case Meeting – Overview of Prior Work – 3 Safety Case as a Logical Concept The Safety Case is the totality of the safety justification + all the supporting material: testing reports, validation reports, relevant design information etc The Safety Case Report is the document that summarises all the key components of the Safety Case and references all supporting documentation in a clear and concise format We wish to steer away from the Safety Case = Document paradigm
4
Whole Airspace Safety Case Meeting – Overview of Prior Work – 4 Starting Point: Argument & Evidence A safety case requires two elements: Supporting Evidence Results of observing, analysing, testing, simulating and estimating the properties of a system that provide the fundamental information from which safety can be inferred High Level Argument Explanation of how the available evidence can be reasonably interpreted as indicating acceptable safety – usually by demonstrating compliance with requirements, sufficient mitigation / avoidance of hazards etc Argument without Evidence is unfounded Evidence without Argument is unexplained Much of our prior work has focused upon establishing better means of developing, presenting, maintaining and reuse safety arguments
5
Whole Airspace Safety Case Meeting – Overview of Prior Work – 5 Safety Case Contents Exact contents depends on regulatory environment The following are key elements of most standards: scope system description system hazards safety requirements risk assessment hazard control / risk reduction measures safety analysis / test safety management system development process justification conclusions However …
6
Whole Airspace Safety Case Meeting – Overview of Prior Work – 6 Safety Case is NOT just a collection of disparate pieces of information Safety Argument should form the spine of the Safety Case showing how these elements are related and combined to provide assurance of safety within the limits defined [Scope], the system [System Description] is SAFE because all identified hazards [System Hazards] and requirements [Safety Requirements] have been addressed. Hazards have been sufficiently controlled and mitigated [Hazard Control / Risk Reduction Measures] according to the safety risk posed [Risk Assessment]. Evidence [Safety Analysis / Test] is provided that demonstrates the effectiveness and sufficiency of these measures. Appropriate roles, responsibilities and methods were defined throughout the development of this system [Development Process Justification] [Safety Management System] and defined future operation Safety Arguments
7
Whole Airspace Safety Case Meeting – Overview of Prior Work – 7 The Goal Structuring Notation 1 Purpose of a Goal Structure To show how goals are broken down into sub-goals, and eventually supported by evidence (solutions) whilst making clear the strategies adopted, the rationale for the approach (assumptions, justifications) and the context in which goals are stated A/J
8
Whole Airspace Safety Case Meeting – Overview of Prior Work – 8 A Simple Goal Structure
9
Whole Airspace Safety Case Meeting – Overview of Prior Work – 9 GSN: Advantages and Disadvantages Advantages: Simple Structured Hierarchical Breakdown Expressive (captures the elements most important to safety arguments) & Capable Can be used at various stages of argument development Method guidance exists (e.g. concerning syntax) Semantics well defined and understood Increasingly being adopted by companies Disadvantages: Learning curve (Easy to read, harder to write) Doesnt stop you writing bad arguments!
10
Whole Airspace Safety Case Meeting – Overview of Prior Work – 10 Existing GSN Applications MoD: Site Safety Justifications (Complex Multi-facility, Multi-role safety case) BAE SYSTEMS: (Parts of) Eurofighter Safety Justifications Railtrack / Siemens: Dorset Coast Re-signalling Project BAE SYSTEMS: (Parts of) Nimrod BAE SYSTEMS: South African Hawk MoD: Harrier Informative parts of CAA SW01 RR: Various Submarine Propulsion Justifications RAF: UK ASACS – Military Air Traffic Management Westinghouse: Underground Jubilee Line Extension Swedish Air Traffic Control Systems …
11
Whole Airspace Safety Case Meeting – Overview of Prior Work – 11 Safety Case Patterns Rather than successful ways of putting buildings or software objects together... Capture successful argument approaches that can be used within the safety case Best practice arguments, capturing: Company expertise Successful certification approaches Tools of the trade Dealing with the semantics rather than the syntax of the safety case Combines the two elements of GSN & Patterning
12
Whole Airspace Safety Case Meeting – Overview of Prior Work – 12 Instantiate and Develop Instantiate Choose GSN Pattern Description GSN extended to support structural & entity abstraction in order to represent generalised arguments. Multiplicity
13
Whole Airspace Safety Case Meeting – Overview of Prior Work – 13 Safety Case Pattern Examples Patterns emerge at many different levels in a safety argument: Top Down: e.g. Hazard Directed Breakdown Bottom Up: e.g. Fault Tree Evidence General Construction: e.g. Safety Margin There are opportunities for both: Horizontal Reuse (across domains) e.g. Software Integrity Argument, ALARP Vertical Reuse (within a specific domain) e.g. against MoD Safety Assessment Principles Examples of Domain Specific, Company Derived, GSN Pattern Catalogues exist – e.g. Westinghouse Jubilee Line work, ongoing NATS work (Process Arguments)
14
Whole Airspace Safety Case Meeting – Overview of Prior Work – 14 Modular Safety Cases An attempt to establish a modular, compositional, approach to constructing safety cases that has a correspondence with the structure of the system underlying architecture Many possible uses Integrated Modular Avionics (Application and Infrastructure) Safety Cases System of Systems Safety Case interrelation System Software Safety Case interrelation
15
Whole Airspace Safety Case Meeting – Overview of Prior Work – 15 Safety Case Module Partitioning (Assuming a top-down progression of objectives- argument-evidence) Safety cases can be partitioned into modules both horizontally and vertically: Vertical (Hierarchical) Partitioning - Claims of one safety argument serving as objectives of another (e.g. simple system-software safety case split) Horizontal Partitioning - One argument providing the assumed context of another (e.g. argument that All system hazards have been identified assumed context of an argument that All identified system hazards have been sufficiently mitigated)
16
Whole Airspace Safety Case Meeting – Overview of Prior Work – 16 Safety Case Module Interfaces Safety case module interface must identify: Arguments, evidence and context of the module itself + How safety case module depends upon the arguments, evidence or assumed context of other modules Example interface format: 1.Objectives addressed by the module 2.Evidence presented within the module 3.Context defined within the module 4.Arguments requiring support from other modules Inter-module dependencies: 5.Reliance on objectives addressed elsewhere 6.Reliance on evidence presented elsewhere 7.Reliance on context defined elsewhere
17
Whole Airspace Safety Case Meeting – Overview of Prior Work – 17 Handling Modules in GSN Away Goal Safety Case Module
18
Whole Airspace Safety Case Meeting – Overview of Prior Work – 18 GSN Based Safety Case Interface (1)
19
Whole Airspace Safety Case Meeting – Overview of Prior Work – 19 Safety Case Contracts Explicitly recorded basis of agreement between two interrelated safety case modules
20
Whole Airspace Safety Case Meeting – Overview of Prior Work – 20 Summary The Goal Structuring Notation provides means of explicitly developing and presenting safety arguments Most benefit if applied early in lifecycle Safety Case Patterns help capture common forms of argument that exist in safety cases Can be useful in attempting to standardise structure of arguments constructed Safety Case Modules provide means managing partitioned safety case arguments and the interrelationships that exist between partitions Useful concept for planning safety cases in-the-large Already considerable take up of GSN Expect patterns and modules to help with broader acceptance Probably necessary to deal with a whole airspace safety case
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.