System Safety. M12 Safety Cases and Arguments V1.0. Matthew Squair. 12 October 2015
Title slide
System Safety, M12 Safety Cases and Arguments V1.0, Matthew Squair, 12 October 2015

Outline
1. Introduction
2. Overview
3. Methodology
4. But do safety cases work?
5. Limitations, advantages and disadvantages
6. Conclusions
7. Further reading

1. Introduction

Learning outcomes
- Understand what a safety case is
- Be able to critically review the content and argument of a safety case
- Be able to structure and prepare the content of a safety case
- Understand the strengths and weaknesses of the technique

2. Overview

"The Nimrod safety case process was fatally undermined by a general malaise: a widespread assumption... that the Nimrod was safe anyway (because it had successfully flown for 30 years) and the task of drawing up the safety case became essentially a paperwork and tickbox exercise." C. Haddon-Cave, The Nimrod Review

Safety cases
- Originated in the British chemical industry (CIMAH regulations)
- Applied to the oil industry after the Piper Alpha oil rig fire
- Applied to UK Rail after the Clapham Junction accident
- Have become part of the EU safety culture
- Embedded in various safety standards: DEF-STAN, DEF (AUST) 5679, Australian DMO SAMS Framework, CMMI SAFE+, IEC

Overview (cont'd)
- Despite its prevalence there are serious concerns about its practical application [Haddon-Cave 2009] and its theoretical underpinnings
- We'll look at the theory and application of safety cases, with a focus on arguments in the context of acquisition
- We'll also discuss the problems and limitations of safety cases

How is a safety case different to MIL-STD-882?
A MIL-STD-882 system safety program:
- Is acquisition focused (customer-supplier)
- Addresses proximal (system) causes of accidents
- Its Safety Assessment Report is analogue-ish to a safety case
A safety case:
- Can be operational (operator-regulator): convince a regulator the plant is safe to operate (WHS)
- Can be acquisition developed (DEF STAN)
- Can be goal based (more usual) or rule/standard based*
* Safety cases have traditionally formed part of goal (performance) based safety regimes

Why do it?
Various reasons:
- You may need a tool to manage operational safety
- You may wish to reduce liability risk
- The regulator may require one as a permit to operate
- You may want to structure and organise safety documentation
- You may want to communicate system risk to stakeholders
Be clear about the purpose: different stakeholders may mean very different things when it comes to safety cases, so be clear about your purpose and who it serves when you prepare one.

Key definitions
- Safety argument. A safety argument is a clear, comprehensive and defensible argument that explains how the available evidence supports the overall claim of acceptable safety within a particular context [Kelly 1998]
- Safety case. A safety case is a structured argument, supported by a body of evidence, that provides a compelling, comprehensible and valid case that a system is acceptably safe for a given application in a given environment (i.e. a context) [MOD (UK) 2007]
- Safety case report. The physical artifact(s) that present the safety argument and case. Normally the safety case report is not a standalone document and will refer out to supporting evidence.
3. Methodology

Methodology [Bishop, Bloomfield 1998]
1. Identify safety requirements
2. Identify system architecture and outline the safety case
3. Assessment (preliminary) of concept design safety trades
4. Progressive elaboration of the design and safety case in parallel
5. Integrate into final safety case
6. Plan for long-term support infrastructure
7. Review and approval
8. Long-term monitoring and audits of areas of concern and of support processes, to gather field evidence that supports the assumptions made
9. Revise to reflect system and context changes

Contents of a safety case
Contains at a minimum [Kelly 1998]:
- Supporting evidence on which the case is based, because argument without evidence is unfounded
- A high level argument, because evidence without argument is unexplained; it may include a number of separate sub-arguments
- A convergent conclusion as to the acceptability of the system
- A meta-argument as to why the argument and evidence should be believed, because both evidence and argument can be faulty [Hawkins et al., 2011]
The safety case is the totality of the safety evidence, NOT just a safety case report. Structure and organisation are essential to achieve clarity.

Toulmin's model of practical arguments
- Current practice in formal safety argument is based on the practical argument model [Toulmin 1958]
- Focuses on the justification aspects of arguments rather than the inferential
- Argument parts consist of facts (evidence), conclusions, warrants, backing and qualifiers
- The warrant is why it is considered justified to move from the fact to the conclusion
- The rebuttal is a legitimate constraint that may be placed on the conclusion drawn
- Backing is evidence introduced if the warrant is not credible on the face of it

Toulmin's model (cont'd)
[Figure: Toulmin's model of practical arguments]

A small philosophical quibble
- The problem is that Toulmin developed his model so that one could analyse an argument, that is, argument is used in the verb sense
- Safety arguments tend to inherently skew to an advocacy position, and the rebuttal part of Toulmin's model gets overlooked; that is, in safety arguments the word argument is used as a noun
- From there it is a small step to the narrative fallacy, e.g. presenting all that good data that the system is safe
- Of course there's very little evidence of rare catastrophic events because they're, well, rare

Formal notation for safety arguments
Two formal notations are available:
- Goal Structuring Notation (GSN). Developed by Kelly and others; there is a GSN community standard
- Claims, Arguments, Evidence (CAE). Developed by Bishop and others; supported by Adelard's Safety Case Editor tool
Both are graphical in nature to assist in clarity of argument, and both are based on Toulmin's practical argument structure.
Clarity does not denote soundness: the use of one particular notation or another does not confer any greater or lesser soundness upon the actual worth of the argument.

Graphical notations for safety arguments
[Figure: GSN versus CAE notation]

Developing the safety argument (GSN notation)
1. Establish top level goals (customer/statutory)
2. Record the stakeholders for the goals
3. Define derived requirements (standards, codes etc.)
4. Establish (3) as goals (or constraints) and link to the top goals
5. Break down the top level goals into sub-goals
6. Show how design and analysis decisions meet goals via strategies
7. Record the decisions as they are made
8. Justify strategies
Evidence versus argument: evidence without argument is unexplained, argument without evidence is unfounded.

Example fragment of a safety argument in GSN notation
[Figure: example GSN argument fragment]

Dealing with scale and complexity
GSN has been extended in recent years to include:
- Safety case modules. Allow the partitioning of cases into more easily managed modules and module interfaces (systems of systems approach)
- Safety case patterns. Standardised templates to encourage re-use of successful arguments [Kelly, McDermid 1997]

Example modular safety case
[Figure: Eurocontrol RVSM pre-implementation safety case]

Example modular safety case (cont'd)
[Figure: Eurocontrol RVSM Implementation module]

Safety case patterns
[Figure: Safety pattern: functional safety argument]

Maintaining the safety case
- In theory, a safety case should be maintained till system retirement
- Example: the Long Term Safety Review of the UK's Magnox reactors, quoted in [Kelly 1998], found that lack of maintenance of the original safety case had caused it to become inconsistent with current plant design and operations. The review further found that adding to and re-evaluating a safety case that had become out of date with respect to current safety standards was problematic
- In practice, unless effort is expended to maintain the case it rapidly falls out of date
- A commitment to maintain requires regulatory and corporate buy-in
- For some facilities (such as nuclear) the system life may be up to a century, so longevity of evidence becomes a problem

Safety case maintenance (cont'd)
- One of the biggest challenges is maintaining the safety case in the face of system changes
- We would like to use the safety case to assess changes for safety impact
- We also have to repair the case after a change has been made, hopefully in a cost effective fashion
- A graphical safety argument with traceability structures is invaluable for these purposes [Kelly, McDermid 2001]
Challenging the safety case

Safety arguments as scientific hypothesis
The best tool that we have for differentiating between a good theory and a bad one is the scientific method:
- our hypothesis is that our system is safe
- the argument is why we think this is justified
- in science a justifiable hypothesis is not considered proven
- in science the hypothesis is then challenged by others
- but with a safety argument is this (ever) the case?
The safety case as proof fallacy: an unchallenged safety case is essentially an appeal to authority argument, the authority in this case being how impressive the report is.

So how do we challenge a safety case?
Four broad avenues of attack:
- Deconstruction
- Refutation
- Disconfirming evidence
- And... proof by construction, that is, have an accident or near miss (not recommended)
The above might seem a lot, but (for example) a claim that the likelihood of a LOCA accident is 10^-9 per reactor year is a very strong statement, and strong statements demand strong proof, surely?

Deconstruction
- Based on the work of the French philosopher Jacques Derrida on the theory of meaning (and its inherent indeterminacy) and his use of it in critiquing philosophical arguments [Armstrong, Paynter 2002]
- Derrida's view on arguments: an argument is defined by what it ignores and the perspectives it opposes (explicitly or implicitly)

Deconstructionist technique
Develop a counter argument that seems warrantable and use this to expose the internal flaws and contradictions in the original case:
1. Reversal. Reverse the argument, ignore how warranted the original is and look for warrantable counter-arguments
2. Displacement. Compare the relative warrantedness of both
3. Evaluate the three possible end states:
   - The original argument is found to need revision
   - The counter argument is found to need revision
   - They both turn out to be equally compelling (1)
(1) Due to the limits of deductive closure

Deconstruction (class exercise): modelling software reliability
Argument. Software failures occur randomly because of the random nature of inputs from the environment that trigger latent faults, and so we can apply classical reliability techniques.
What might be a warrantable counter argument, or arguments?

Refutation of argument [Greenwell et al. 2006]
Challenge the specific arguments on the basis of fallacious argument structures and refute them.

Disconfirming evidence
- Challenge the evidence with disconfirming evidence
- Based on Karl Popper's concept of the scientific project as one of trying to disconfirm theories, not confirm them
- Consider:
  - Quality of the evidence provided (pool size, outlier handling, magic bullet approaches)
  - Hazard control coverage metrics (is the argument vulnerable?)
  - Independence and dissimilarity of evidence sources
- Then go out and gather strongly disconfirming evidence that targets the gaps
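The GSN development steps above ("justify strategies", "evidence without argument is unexplained, argument without evidence is unfounded"), the maintenance slides' point that traceability structures are what make change impact assessment tractable, and this slide's hazard control coverage metric all reduce to mechanical checks over the argument graph. The following is an added example written for these notes; it is not code from the slides, from the GSN community standard or from any safety case tool. It models a small constructed GSN fragment with the core element kinds (goal, strategy, solution, context, justification) and assumes an extra `addresses` attribute on goals, which is a convention invented here so that hazard coverage can be computed.

```python
"""Structural checks over a small GSN-style safety argument.

Constructed example for these lecture notes, not code from the slides,
from the GSN community standard or from any safety-case tool. The
`addresses` field on goals is an assumption made here so that hazard
coverage can be measured; GSN itself has no such attribute.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Node:
    id: str
    kind: str                     # goal | strategy | solution | context | justification
    text: str
    supported_by: list = field(default_factory=list)   # GSN "supported by" links (downwards)
    in_context_of: list = field(default_factory=list)  # GSN "in context of" links
    addresses: list = field(default_factory=list)      # hazard ids a goal claims to handle (assumed)


class Argument:
    def __init__(self, nodes):
        self.nodes = {n.id: n for n in nodes}
        self.parents = defaultdict(list)          # reverse links, for upward traversal
        for n in nodes:
            for child in n.supported_by:
                if child not in self.nodes:
                    raise ValueError(f"{n.id} refers to unknown node {child}")
                self.parents[child].append(n.id)

    def check(self):
        """Lint against the rules on the slides: argument without evidence is
        unfounded, evidence without argument is unexplained, and every
        strategy should be justified."""
        findings = defaultdict(list)
        for n in self.nodes.values():
            if n.kind in ("goal", "strategy") and not n.supported_by:
                findings["unsupported"].append(n.id)
            if n.kind == "strategy" and not any(
                self.nodes[c].kind == "justification" for c in n.in_context_of
            ):
                findings["unjustified_strategy"].append(n.id)
            if n.kind == "solution" and n.id not in self.parents:
                findings["orphan_evidence"].append(n.id)
        return {k: sorted(v) for k, v in findings.items()}

    def uncovered_hazards(self, hazards):
        """Hazard-control coverage: identified hazards no goal claims to address."""
        covered = {h for n in self.nodes.values() if n.kind == "goal" for h in n.addresses}
        return sorted(set(hazards) - covered)

    def impact_of(self, node_id):
        """Change impact: every goal or strategy whose support transitively
        depends on node_id, i.e. what must be re-examined when that evidence
        or sub-goal changes."""
        seen, stack = set(), [node_id]
        while stack:
            for parent in self.parents.get(stack.pop(), []):
                if parent not in seen:
                    seen.add(parent)
                    stack.append(parent)
        return sorted(seen)


# Constructed GSN fragment; the hazard ids and node texts are made up.
HAZARDS = ["H1", "H2", "H3"]
EXAMPLE = Argument([
    Node("G1", "goal", "System is acceptably safe to operate", ["S1"], ["C1"]),
    Node("C1", "context", "Operating environment and role as defined for the system"),
    Node("S1", "strategy", "Argue over each identified hazard", ["G2", "G3"], ["J1"]),
    Node("J1", "justification", "Hazard log is complete for this design baseline"),
    Node("G2", "goal", "H1 mitigated to a tolerable level", ["S2"], addresses=["H1"]),
    Node("S2", "strategy", "Argue via fault tree and testing", ["Sn1"]),  # no justification
    Node("Sn1", "solution", "Fault tree analysis report (constructed id FTA-01)"),
    Node("G3", "goal", "H2 mitigated to a tolerable level", addresses=["H2"]),  # no evidence
    Node("Sn2", "solution", "Acceptance test report (constructed id ATR-07)"),  # cited by nobody
])

if __name__ == "__main__":
    print("findings:", EXAMPLE.check())
    print("uncovered hazards:", EXAMPLE.uncovered_hazards(HAZARDS))
    print("impact of changing Sn1:", EXAMPLE.impact_of("Sn1"))
```

Run stand-alone, the checks report G3 as a goal with no supporting evidence, S2 as a strategy with no justification, Sn2 as evidence no claim cites, H3 as a hazard the argument never addresses, and that a change to the fault tree report Sn1 puts S2, G2, S1 and the top goal G1 back under review. None of this says the argument is sound; as the slides stress, a tidy structure only makes the gaps visible so a reviewer can go looking for disconfirming evidence where they are.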
4. But do safety cases work?

Practical and theoretical problems with the approach
- A number of significant safety cases have been reviewed, and problems found with them:
  - Magnox reactor safety review
  - Haddon-Cave enquiry into the Nimrod disaster
  - Ladkin analysis of the EUROCONTROL RVSM safety case
  - Knight analysis of the Opalinus Clay nuclear repository safety case
- None of these were minor projects, so it appears that even when great care should be taken, flawed arguments still appear
- The theoretical problem is that for high consequence systems the likelihood must be very, very low and we must have a very high faith in the argument that this is so. Do we?

5. Limitations, advantages and disadvantages

Limitations of the method
- Relies upon correspondence between the safety argument and the safety case
- Relies upon people's ability to reason and argue effectively; there's not a lot of evidence that people are actually good at this

Advantages
Advantages are that a safety case:
- Is almost mandatory if working in a goal based regulatory environment
- Is invaluable in organising the safety program documentation tail
- Can promote thought and discussion, if used appropriately
- Can provide a change safety impact assessment capability in service

Disadvantages
Disadvantages are that it:
- Can become, over time, another tick-the-box exercise
- Is vulnerable to the narrative fallacy
- Has a tendency to become an advocacy piece
- Is very hard to review effectively without formal training
- Can become an administrative burden that is perpetually chasing the system

6. Conclusions

- Safety cases emerged out of the political and industrial landscape of England in the late 1970s; they reflect a particular societal viewpoint on both who should be responsible for managing major hazards and therefore how they should manage them.
- They are in the end another tool, neither an end in themselves nor demonstrably the only way to assure the safety of complex systems.
- Their current demonstrated deficiencies perhaps demonstrate more the difficulty humans have in arguing rigorously and logically than any specific limitation of the method.

7. Further reading

Bibliography
[Armstrong, Paynter 2002] Armstrong, J. M. and Paynter, S. P. (2002). Safe Systems: Construction, Destruction and Deconstruction. In: Redmill, F. and Anderson, T. (eds.), Current Issues in Safety Critical Systems, Springer-Verlag, Berlin.
[Bishop, Bloomfield 1998] Bishop, P. G. and Bloomfield, R. E. (1998). A Methodology for Safety Case Development. In: Redmill, F. and Anderson, T. (eds.), Industrial Perspectives of Safety-critical Systems: Proceedings of the Sixth Safety-critical Systems Symposium, Birmingham.
[DoD (US) 1993] DoD (US) (1993). Standard Practice for System Safety, US Dept of Defense Standard MIL-STD-882C, 19 January 1993.
[Greenwell et al. 2006] Greenwell, W. S., Holloway, C. M. and Knight, J. C. (2006). A Taxonomy of Fallacies in System Safety Arguments. Proceedings of the 2006 International System Safety Conference.
[Haddon-Cave 2009] Haddon-Cave, C. (2009). An Independent Review into the Broader Issues Surrounding the Loss of the RAF Nimrod MR2 Aircraft XV230 in Afghanistan in 2006. The Stationery Office.
[Hawkins et al., 2011] Hawkins, R., Kelly, T., Knight, J. and Graydon, P. (2011). A New Approach to Creating Clear Safety Arguments. In: Proc. Safety Critical Systems Symposium, February 2011.
[Kelly, McDermid 1997] Kelly, T. and McDermid, J. (1997). Safety Case Construction and Reuse Using Patterns. In: Proc. 16th Intl. Conf. on Computer Safety, Reliability, and Security (SAFECOMP 97), New York.
[Kelly 1998] Kelly, T. P. (1998). Arguing Safety: A Systematic Approach to Managing Safety Cases. Doctoral Thesis, Dept of Computer Science, University of York.
[Kelly, McDermid 2001] Kelly, T. and McDermid, J. (2001). A Systematic Approach to Safety Case Maintenance. Reliability Engineering and System Safety, 71(3).
[MOD (UK) 2007] UK MoD (2007). Defence Standard, Issue 4: Safety Management Requirements for Defence Systems. HMSO.
[Toulmin 1958] Toulmin, S. E. (1958). The Uses of Argument. Cambridge University Press.
More informationFrom Future Scenarios to Roadmapping A practical guide to explore innovation and strategy
Downloaded from orbit.dtu.dk on: Dec 19, 2017 From Future Scenarios to Roadmapping A practical guide to explore innovation and strategy Ricard, Lykke Margot; Borch, Kristian Published in: The 4th International
More informationDesign Rationale as an Enabling Factor for Concurrent Process Engineering
612 Rafael Batres, Atsushi Aoyama, and Yuji NAKA Design Rationale as an Enabling Factor for Concurrent Process Engineering Rafael Batres, Atsushi Aoyama, and Yuji NAKA Tokyo Institute of Technology, Yokohama
More informationFor convenience and ease of reference I have copied below the comments (retaining their spelling) classifying them into positive and negative.
The proposal Climate, Hydrology, Energy, Water: the Conversion of Uncertainty Domination and Risk Into Sustainable Evolution (CHEWtheCUDandRISE), submitted to the ERC IDEAS Grant Scheme, passed the thresholds
More informationEXECUTIVE BOARD MEETING METHODOLOGY FOR DEVELOPING STRATEGIC NARRATIVES
EXECUTIVE BOARD MEETING METHODOLOGY FOR DEVELOPING STRATEGIC NARRATIVES EXECUTIVE BOARD MEETING METHODOLOGY FOR DEVELOPING STRATEGIC NARRATIVES 1.Context and introduction 1.1. Context Unitaid has adopted
More informationSMR Conference Manchester 2014 Regulator s view UK and International. Bob Jennings Systems Lead for ONR s Generic Design Assessment (GDA)
SMR Conference Manchester 2014 Regulator s view UK and International Bob Jennings Systems Lead for ONR s Generic Design Assessment (GDA) Contents Approach to New Nuclear Build Regulation in Great Britain:
More informationINTERNATIONAL CONFERENCE ON ENGINEERING DESIGN ICED 03 STOCKHOLM, AUGUST 19-21, 2003
INTERNATIONAL CONFERENCE ON ENGINEERING DESIGN ICED 03 STOCKHOLM, AUGUST 19-21, 2003 A KNOWLEDGE MANAGEMENT SYSTEM FOR INDUSTRIAL DESIGN RESEARCH PROCESSES Christian FRANK, Mickaël GARDONI Abstract Knowledge
More informationAN INTERROGATIVE REVIEW OF REQUIREMENT ENGINEERING FRAMEWORKS
AN INTERROGATIVE REVIEW OF REQUIREMENT ENGINEERING FRAMEWORKS MUHAMMAD HUSNAIN, MUHAMMAD WASEEM, S. A. K. GHAYYUR Department of Computer Science, International Islamic University Islamabad, Pakistan E-mail:
More informationMasao Mukaidono Emeritus Professor, Meiji University
Provisional Translation Document 1 Second Meeting Working Group on Voluntary Efforts and Continuous Improvement of Nuclear Safety, Advisory Committee for Natural Resources and Energy 2012-8-15 Working
More informationStandards for High-Quality Research and Analysis C O R P O R A T I O N
Standards for High-Quality Research and Analysis C O R P O R A T I O N Perpetuating RAND s Tradition of High-Quality Research and Analysis For more than 60 years, the name RAND has been synonymous with
More informationBy RE: June 2015 Exposure Draft, Nordic Federation Standard for Audits of Small Entities (SASE)
October 19, 2015 Mr. Jens Røder Secretary General Nordic Federation of Public Accountants By email: jr@nrfaccount.com RE: June 2015 Exposure Draft, Nordic Federation Standard for Audits of Small Entities
More informationIsrael Railways No Fault Liability Renewal The Implementation of New Technological Safety Devices at Level Crossings. Amos Gellert, Nataly Kats
Mr. Amos Gellert Technological aspects of level crossing facilities Israel Railways No Fault Liability Renewal The Implementation of New Technological Safety Devices at Level Crossings Deputy General Manager
More informationA NEW METHODOLOGY FOR SOFTWARE RELIABILITY AND SAFETY ASSURANCE IN ATM SYSTEMS
27 TH INTERNATIONAL CONGRESS OF THE AERONAUTICAL SCIENCES A NEW METHODOLOGY FOR SOFTWARE RELIABILITY AND SAFETY ASSURANCE IN ATM SYSTEMS Daniela Dell Amura, Francesca Matarese SESM Sistemi Evoluti per
More informationAn Ontology for Modelling Security: The Tropos Approach
An Ontology for Modelling Security: The Tropos Approach Haralambos Mouratidis 1, Paolo Giorgini 2, Gordon Manson 1 1 University of Sheffield, Computer Science Department, UK {haris, g.manson}@dcs.shef.ac.uk
More informationDesign Science Research Methods. Prof. Dr. Roel Wieringa University of Twente, The Netherlands
Design Science Research Methods Prof. Dr. Roel Wieringa University of Twente, The Netherlands www.cs.utwente.nl/~roelw UFPE 26 sept 2016 R.J. Wieringa 1 Research methodology accross the disciplines Do
More informationSAFETY CASE ON A PAGE
SAFETY CASE ON A PAGE Dr Sally A. Forbes, Nuclear Safety Department, AWE, Aldermaston, Reading, Berkshire RG7 4PR, UK Keywords: Safety Case, SHAPED, Hazard Awareness Introduction Safety Case on a Page
More informationBuilding a Preliminary Safety Case: An Example from Aerospace
Building a Preliminary Safety Case: An Example from Aerospace Tim Kelly, Iain Bate, John McDermid, Alan Burns Rolls-Royce Systems and Software Engineering University Technology Centre Department of Computer
More informationSolutions to selected exercises
1 Software Engineering 8 th edition Solutions to selected exercises These solutions are made available for instructional purposes only. They may only be distributed to students and it is a condition of
More informationMAXIMISING THE ATM POSITIVE CONTRIBUTION TO SAFETY - A
MAXIMISING THE ATM POSITIVE CONTRIBUTION TO SAFETY - A BROADER APPROACH TO SAFETY ASSESSMENT D Fowler*, E Perrin R Pierce * EUROCONTROL, France, derek.fowler.ext@ eurocontrol.int EUROCONTROL, France, eric.perrin@eurocontrol.int
More informationInformation and Communications Technology and Environmental Regulation: Critical Perspectives
Image: European Space Agency Information and Communications Technology and Environmental Regulation: Critical Perspectives Rónán Kennedy School of Law, National University of Ireland Galway ronan.m.kennedy@nuigalway.ie
More informationTHREAT ANALYSIS FOR THE TRANSPORT OF RADIOACTIVE MATERIAL USING MORPHOLOGICAL ANALYSIS
Proceedings of the 15th International Symposium on the Packaging and Transportation of Radioactive Materials PATRAM 2007 October 21-26, 2007, Miami, Florida, USA THREAT ANALYSIS FOR THE TRANSPORT OF RADIOACTIVE
More information24 Challenges in Deductive Software Verification
24 Challenges in Deductive Software Verification Reiner Hähnle 1 and Marieke Huisman 2 1 Technische Universität Darmstadt, Germany, haehnle@cs.tu-darmstadt.de 2 University of Twente, Enschede, The Netherlands,
More informationImpacts of Forced Serious Game Play on Vulnerable Subgroups
Impacts of Forced Serious Game Play on Vulnerable Subgroups Carrie Heeter Professor of Telecommunication, Information Studies, and Media Michigan State University heeter@msu.edu Yu-Hao Lee Media and Information
More informationLICENSING THE PALLAS-REACTOR USING THE CONCEPTUAL SAFETY DOCUMENT
LICENSING THE PALLAS-REACTOR USING THE CONCEPTUAL SAFETY DOCUMENT M. VISSER, N.D. VAN DER LINDEN Licensing and compliance department, PALLAS Comeniusstraat 8, 1018 MS Alkmaar, The Netherlands 1. Abstract
More informationWorking Group 2 Arms Control
Working Group 2 Arms Control Chairs: Mona Dreicer (LLNL) and Martin Morgan- Reading (AWE) Rapporteurs: Bonnie Canion (NNSA), Lance Garrison (NNSA), Peter Marleau (SNL) In today s complex national security
More informationHELPING THE DESIGN OF MIXED SYSTEMS
HELPING THE DESIGN OF MIXED SYSTEMS Céline Coutrix Grenoble Informatics Laboratory (LIG) University of Grenoble 1, France Abstract Several interaction paradigms are considered in pervasive computing environments.
More informationEXPERIENCES OF IMPLEMENTING BIM IN SKANSKA FACILITIES MANAGEMENT 1
EXPERIENCES OF IMPLEMENTING BIM IN SKANSKA FACILITIES MANAGEMENT 1 Medina Jordan & Howard Jeffrey Skanska ABSTRACT The benefits of BIM (Building Information Modeling) in design, construction and facilities
More informationComputer Science: Disciplines. What is Software Engineering and why does it matter? Software Disasters
Computer Science: Disciplines What is Software Engineering and why does it matter? Computer Graphics Computer Networking and Security Parallel Computing Database Systems Artificial Intelligence Software
More informationNUCLEAR SAFETY AND RELIABILITY
Nuclear Safety and Reliability Dan Meneley Page 1 of 1 NUCLEAR SAFETY AND RELIABILITY WEEK 12 TABLE OF CONTENTS - WEEK 12 1. Comparison of Risks...1 2. Risk-Benefit Assessments...3 3. Risk Acceptance...4
More informationGender pay gap reporting tight for time
People Advisory Services Gender pay gap reporting tight for time March 2018 Contents Introduction 01 Insights into emerging market practice 02 Timing of reporting 02 What do employers tell us about their
More informationThe standard Core Curriculum rubrics will be used to assess the Arts and Humanities goals AH o and AH p:
German 01:470:358 Expressionism, Dada, Surrealism Methods of assessment The standard Core Curriculum rubrics will be used to assess the Arts and Humanities goals AH o and AH p: AH o. Examine critically
More informationThe Language of System Safety Engineering: Loose Language Surrounding ALARP
The Language of System Safety Engineering: Loose Language Surrounding ALARP Tracy A. White AMOG Consulting, Sea Technology House, Monash Business Park, 19 Business Park Drive, Notting Hill 3168, Victoria
More informationExploring emerging ICT-enabled governance models in European cities
Exploring emerging ICT-enabled governance models in European cities EXPGOV Project Research Plan D.1 - FINAL (V.2.0, 27.01.2009) This document has been drafted by Gianluca Misuraca, Scientific Officer
More informationComplexity, Evolutionary Economics and Environment Policy
Complexity, Evolutionary Economics and Environment Policy Koen Frenken, Utrecht University k.frenken@geo.uu.nl Albert Faber, Netherlands Environmental Assessment Agency albert.faber@pbl.nl Presentation
More informationMethodology for Agent-Oriented Software
ب.ظ 03:55 1 of 7 2006/10/27 Next: About this document... Methodology for Agent-Oriented Software Design Principal Investigator dr. Frank S. de Boer (frankb@cs.uu.nl) Summary The main research goal of this
More informationGame Mechanics Minesweeper is a game in which the player must correctly deduce the positions of
Table of Contents Game Mechanics...2 Game Play...3 Game Strategy...4 Truth...4 Contrapositive... 5 Exhaustion...6 Burnout...8 Game Difficulty... 10 Experiment One... 12 Experiment Two...14 Experiment Three...16
More informationFinal Project Report. Abstract. Document information
Final Project Report Document information Project Title Safety Research Project Number 16.01.00 Project Manager EUROCONTROL Deliverable Name Final Project Report Deliverable ID D04.017 Edition 00.01.00
More informationStandards for 14 to 19 education
citb.co.uk Standards for 14 to 19 education The advisory committee for 14 to 19 construction and the built environment education Contents Background 3 Purpose 4 14 to 19 standards and guidance on the design
More informationNon-Violation Complaints in WTO Law
Studies in global economic law 9 Non-Violation Complaints in WTO Law Theory and Practice von Dae-Won Kim 1. Auflage Non-Violation Complaints in WTO Law Kim schnell und portofrei erhältlich bei beck-shop.de
More informationSystems. Professor Vaughan Pomeroy. The LRET Research Collegium Southampton, 11 July 2 September 2011
Systems by Professor Vaughan Pomeroy The LRET Research Collegium Southampton, 11 July 2 September 2011 1 Systems Professor Vaughan Pomeroy December 2010 Icebreaker Think of a system that you are familiar
More informationTransitioning UPDM to the UAF
Transitioning UPDM to the UAF Matthew Hause (PTC) Aurelijus Morkevicius Ph.D. (No Magic) Graham Bleakley Ph.D. (IBM) Co-Chairs OMG UPDM Group OMG UAF Information day March 23 rd, Hyatt, Reston Page: 1
More informationMde Françoise Flores, Chair EFRAG 35 Square de Meeûs B-1000 Brussels Belgium January Dear Mde.
Deloitte Touche Tohmatsu Limited 2 New Street Square London EC4A 3BZ Tel: +44 (0) 20 7936 3000 Fax: +44 (0) 20 7583 1198 www.deloitte.com Direct: +44 20 7007 0884 Direct Fax: +44 20 7007 0158 vepoole@deloitte.co.uk
More informationMetrics and Methodologies for Assessment of Proliferation Risk
Metrics and Methodologies for Assessment of Proliferation Risk Workshop on Improving the Assessment of Proliferation Risk of Nuclear Fuel Cycles National Academies Washington, DC August 1-2, 2011 Robert
More informationDistributed Systems Programming (F21DS1) Formal Methods for Distributed Systems
Distributed Systems Programming (F21DS1) Formal Methods for Distributed Systems Andrew Ireland Department of Computer Science School of Mathematical and Computer Sciences Heriot-Watt University Edinburgh
More informationIndustrial Experience with SPARK. Praxis Critical Systems
Industrial Experience with SPARK Roderick Chapman Praxis Critical Systems Outline Introduction SHOLIS The MULTOS CA Lockheed C130J A less successful project Conclusions Introduction Most Ada people know
More informationFormal Methods and Critical Systems In the Real World
Appears as Appendix C.1, pages 121 125 in Dan Craigen and Karen Summerskill, editors, Formal Methods for Trustworthy Computer Systems (FM89), Halifax, Nova Scotia, Canada, July 1989. Springer-Verlag Workshops
More informationImplementation of the integrated emerging contractor development model: Towards enhanced competition for small construction firms
Implementation of the integrated emerging contractor development model: Towards enhanced competition for small construction firms WS DLUNGWANA*, E ROUX, L SETSWALO, S LAZARUS *CSIR Built Environment Research
More informationTulips, Potatoes, Apples, ISO 9001 and the CMMI
Your Catalyst to Enhanced Awareness Process Technology Results Tulips, Potatoes, Apples, ISO 9001 and the CMMI Nelson Perez July 28, 2009 Topics Influence Enabling Successful Improvement Not Just Man Over
More informationA Safety Case Approach to Assuring Configurable Architectures of Safety-Critical Product Lines
A Safety Case Approach to Assuring Configurable Architectures of Safety-Critical Product Lines Ibrahim Habli and Tim Kelly, Department of Computer Science, University of York, United Kingdom {Ibrahim.Habli,
More informationModelling Critical Context in Software Engineering Experience Repository: A Conceptual Schema
Modelling Critical Context in Software Engineering Experience Repository: A Conceptual Schema Neeraj Sharma Associate Professor Department of Computer Science Punjabi University, Patiala (India) ABSTRACT
More informationArguing Safety A Systematic Approach to Managing Safety Cases. Timothy Patrick Kelly
Arguing Safety A Systematic Approach to Managing Safety Cases Timothy Patrick Kelly Submitted for the degree of Doctor of Philosophy University of York Department of Computer Science September 1998 For
More informationResilience Engineering: The history of safety
Resilience Engineering: The history of safety Professor & Industrial Safety Chair MINES ParisTech Sophia Antipolis, France Erik Hollnagel E-mail: erik.hollnagel@gmail.com Professor II NTNU Trondheim, Norge
More informationREDUCING OUR IGNORANCE: FINDING ANSWERS TO CERTAIN EPISTEMIC QUESTIONS FOR SOFTWARE SYSTEMS
REDUCING OUR IGNORANCE: FINDING ANSWERS TO CERTAIN EPISTEMIC QUESTIONS FOR SOFTWARE SYSTEMS C. M. Holloway*, C. W. Johnson *NASA Langley Research Center, Hampton, Virgínia, USA, C.Michael.Holloway@nasa.gov
More information