The Safety Case. The safety case

Similar documents
The Safety Case. Structure of Safety Cases Safety Argument Notation

D-Case Modeling Guide for Target System

C. Mokkapati 1 A PRACTICAL RISK AND SAFETY ASSESSMENT METHODOLOGY FOR SAFETY- CRITICAL SYSTEMS

A study on the relation between safety analysis process and system engineering process of train control system

Using what we have. Sherman Eagles SoftwareCPR.

Understanding safety life cycles

18-642: Safety Plan 11/1/ Philip Koopman

EUROCONTROL Guidance Material for Area Proximity Warning Appendix B-1: Initial Safety Argument for APW System

George Cleland 6 th December 2011

DETERMINATION OF SAFETY REQUIREMENTS FOR SAFETY- RELATED PROTECTION AND CONTROL SYSTEMS - IEC 61508

Failure Modes, Effects and Diagnostic Analysis

Functional safety. Functional safety of Programmable systems, devices & components: Requirements from global & national standards

New Thinking in Control Reliability

Safety-Critical Systems

Every things under control High-Integrity Pressure Protection System (HIPPS)

Safety-critical systems: Basic definitions

Purpose. Scope. Process flow OPERATING PROCEDURE 07: HAZARD LOG MANAGEMENT

Distributed Control Systems

THE CANDU 9 DISTRffiUTED CONTROL SYSTEM DESIGN PROCESS

Traditional Approaches to Risk Management and Medical Device Software. Are They Good Enough? Can We Do Better?

Session: 14 SIL or PL? What is the difference?

Implementing IEC Standards for Safety Instrumented Systems

Assurance Cases for Medical Devices

Service & Support. Questions and Answers about the Proof Test Interval. Proof Test According to IEC FAQ August Answers for industry.

DATA ITEM DESCRIPTION Title: Failure Modes, Effects, and Criticality Analysis Report

The IEC61508 Inspection and QA Engineer s hymn sheet

Safety Critical Systems

Critical Systems Validation

Hazard analysis. István Majzik Budapest University of Technology and Economics Dept. of Measurement and Information Systems

PROCESS AUTOMATION SIL. Manual Safety Integrity Level. Edition 2005 IEC 61508/61511

C o d i n g f o r i n t e r a C t i v e d i g i t a l M e d i a

Failure Modes, Effects and Diagnostic Analysis

Adaptability and Fault Tolerance

CT433 - Machine Safety

'Dipartimento di Ingegneria Elettrica, Universita di Genova Via all 'Opera Pia, lla Genova, Italy

PIQCS HACCP Minimum Certification Standards

Safety Management in Multidisciplinary Systems. SSRM symposium TA University, 26 October 2011 By Boris Zaets AGENDA

Safety Manual VEGAVIB series 60

Achieving Compliance in Hardware Fault Tolerance

Failure Modes, Effects and Diagnostic Analysis

Introduction to Machine Safety Standards

Lecture 04 ( ) Hazard Analysis. Systeme hoher Qualität und Sicherheit Universität Bremen WS 2015/2016

SIL explained. Understanding the use of valve actuators in SIL rated safety instrumented systems ACTUATION

Failure Modes, Effects and Diagnostic Analysis. Rosemount Inc. Chanhassen, MN USA

Hands-On System Safety Basics, Focused on FHA

Fire, Explosion and Risk Assessment Topic Guidance Issue 1

Risk Management Qualitatively on Railway Signal System

Failure modes and models

Hazard Identification

Safety Manual VEGAVIB series 60

Safety Manual. Process pressure transmitter IPT-1* 4 20 ma/hart. Process pressure transmitter IPT-1*

QUANTIFYING THE TOLERABILITY OF POTENTIAL IGNITION SOURCES FROM UNCERTIFIED MECHANICAL EQUIPMENT INSTALLED IN HAZARDOUS AREAS

Functional Safety SIL Safety Instrumented Systems in the Process Industry

RISK ASSESSMENT GUIDE

Understanding the How, Why, and What of a Safety Integrity Level (SIL)

The RCM Analyst - Beyond RCM

Safety assessments for Aerodromes (Chapter 3 of the PANS-Aerodromes, 1 st ed)

PL estimation acc. to EN ISO

Regulatory Review of Safety Assessment for Decommissioning of Facilities Using Radioactive Material

SFHGEN77 - SQA Code HD48 04 Perform first line calibration on clinical equipment to ensure it is fit for use

FP15 Interface Valve. SIL Safety Manual. SIL SM.018 Rev 1. Compiled By : G. Elliott, Date: 30/10/2017. Innovative and Reliable Valve & Pump Solutions

PRACTICAL EXAMPLES ON CSM-RA

Workshop Functional Safety

Review and Assessment of Engineering Factors

Accelerometer mod. TA18-S. SIL Safety Report

Failure Modes, Effects and Diagnostic Analysis

Engineering Safety into the Design

EUROPEAN GUIDANCE MATERIAL ON INTEGRITY DEMONSTRATION IN SUPPORT OF CERTIFICATION OF ILS AND MLS SYSTEMS

SYSTEM SAFETY REQUIREMENTS

AUSTRALIA ARGENTINA CANADA EGYPT NORTH SEA U.S. CENTRAL U.S. GULF. SEMS HAZARD ANALYSIS TRAINING September 29, 2011

Tools for safety management Effectiveness of risk mitigation measures. Bernhard KOHL

Eutectic Plug Valve. SIL Safety Manual. SIL SM.015 Rev 0. Compiled By : G. Elliott, Date: 19/10/2016. Innovative and Reliable Valve & Pump Solutions

So it s Reliable but is it Safe? - a More Balanced Approach To ATM Safety Assessment

VERIFICATION OF ONSHORE LNG AND GAS FACILITIES

Marine Risk Assessment

Release: 1. UEPOPL002A Licence to operate a reciprocating steam engine

Proof Testing A key performance indicator for designers and end users of Safety Instrumented Systems

Three Approaches to Safety Engineering. Civil Aviation Nuclear Power Defense

2017 LOCKHEED MARTIN CORPORATION. ALL RIGHTS RESERVED

Organisation Management Services (OMS) operating model

CORK INSTITUTE OF TECHNOLOGY INSTITIÚID TEICNEOLAÍOCHTA CHORCAÍ. Semester 2 Examinations 2010

General European OMCL Network (GEON) QUALITY MANAGEMENT DOCUMENT

CRL Processing Rules. Santosh Chokhani March

Reliability of Safety-Critical Systems Chapter 3. Failures and Failure Analysis

EXPLOSIVE ATMOSPHERES - CLASSIFICATION OF HAZARDOUS AREAS (ZONING) AND SELECTION OF EQUIPMENT

Pneumatic QEV. SIL Safety Manual SIL SM Compiled By : G. Elliott, Date: 8/19/2015. Innovative and Reliable Valve & Pump Solutions

Real-Time & Embedded Systems

Human-robot interactions: model-based risk analysis and safety case construction

Safety Assessment for Medical Test Lab. Dr. David Endler Systems Engineering Consultant Freelancer & Member of oose eg

Procedure: Pressure equipment safety

DISTRIBUTION LIST. Preliminary Safety Report Chapter 19 Internal Hazards UK HPR1000 GDA. GNS Executive. GNS all staff. GNS and BRB all staff CGN EDF

International Association of Drilling Contractors North Sea Chapter HPHT Guidance on MODU Safety Case Content

APPENDIX A1 - Drilling and completion work programme

Capturing an Uncertain Future: The Functional Resonance Accident Model

Safety Risk Assessment Worksheet Title of Risk Assessment Risk Assessment Performed By: Date: Department:

1309 Hazard Assessment Fundamentals

Solenoid Valves For Gas Service FP02G & FP05G

Bespoke Hydraulic Manifold Assembly

IGEM/TD/2 Edition 2 with amendments July 2015 Communication 1779 Assessing the risks from high pressure Natural Gas pipelines

P r o j e c t M a n a g e M e n t f o r I n t e r a c t I v e D I g I t a l M e D I a

Transcription:

The Safety Case Structure of safety cases Safety argument notation Budapest University of Technology and Economics Department of Measurement and Information Systems The safety case Definition (core): The documented demonstration that the product complies with the safety requirements Role: o A safety case should communicate a comprehensive and defensible argument that a system is acceptably safe to operate in a particular context o Condition for safety acceptance and approval To be prepared by: Developers and/or operators To be accepted by: Safety authority and/or customer Principal elements: o Safety requirements (goals, objectives) o Arguments (relations) o Evidences Analysis results (e.g., FTA, FMEA) Test results 2

Standard structure of a safety case Conditions for safety acceptance o Evidence of quality management o Evidence of safety management o Evidence of technical safety Structured presentation of evidence and arguments (EN50129 railway applications) o Part 1: Definition of the system o Part 2: Quality management report o Part 3: Safety management report o Part 4: Technical safety report o Part 5: Related safety cases o Part 6: Conclusion Quality related parts of the safety case Part 2: Quality management report o 3 Minimize the incidence of human errors at each stages in the lifecycle: Reduce the risk of systematic faults Part 3: Safety management report 1. Safety lifecycle: From requirements to validation 2. Safety organization: Roles and competence 3. Safety plan: Activities and approval milestones + review 4. Hazard log: Hazards + risks + risk control 5. Safety requirements 6. System design 7. Safety reviews 8. Safety verification and validation 9. Safety justification 10. System handover (to authority) 11. Operation and maintenance 12. Decommission and disposal 5

Technical parts of the safety case Part 4: Technical safety report 1. Introduction: o Summary of technical principles and standards 2. Assurance of correct functional operation o Architecture, interfaces, fulfillment of requirements, assurance of correct hardware and software behavior 3. Effects of faults o o Random hardware faults: Quantified safety target o Detection, actions after detection, effects, independence, multiple faults Systematic faults: Risk reduction 4. Operation with external influences o Demonstration of operability and safety 5. Safety related application conditions o Rules, conditions, constraints 6. Safety qualification tests o Evidence to demonstrate completion 6 Safety argumentation 8

Communicating safety arguments Typical: Free text o Structured form (items, enumerations, references) o Complex arguments are difficult to describe Review, management, tracking, coordination is difficult Graphical notation: Goal Structuring Notation? o Elements of safety arguments o Relationships between the elements 9 Elements Goal: Objective, claim about the system o Compliance with requirements o Sufficient mitigation / avoidance of hazards o Without evidence it is unfounded Strategy: Decomposition method o Derivation of sub goals Evidence (solution) o Results of observing, analyzing, testing, simulating o Fundamental information from which safety can be inferred Context o Context of demonstrating safety Assumption or Justification o Limits, conditions etc. Undeveloped goal o Further development is necessary 10

Relations Is solved by o Applied between goals, strategies, evidences In context of o Applied between contexts / assumptions / justifications and other elements Context Assumption Overview of safety argumentation 11 Source: T. Kelly 12

Evolution of the goal structure Steps of safety case construction 13 Source: T. Kelly 14

Safety arguments for hardware Safety arguments for software Software SIL: Required techniques and measures form arguments and evidences 15 16

An example goal structure Generic goal structure 17 18

Safety case patterns Combines argumentation and patterning o Supports the re use of successful argument approaches (best practice) o Focus on semantics rather than the syntax of the safety case GSN extensions to support capturing patterns o Multiplicity o Instantiation o Develop o Instantiation and develop o Choice Example of a GSN pattern 19 Decomposition on the basis of system functions G1: {System X} is Safe Provides {Function Y} S1: Argument by claiming safety of all system safety-related functions C1: Safety Related Functions of {System X} (n = # functions) To be instantiated Multiplicity n Choose To be instantiated and developed G2: {Function Y} is safe G3: Interactions between system functions are non-hazardous G4: All system functions are independent (no interactions) To be developed 20

The Fault Tree pattern How a fault tree analysis can be used as evidence 21 ALARP: As Low As Reasonably Practicable o No intolerable risk o All tolerable risks have reduced as low as reasonably practicable o All remaining hazards have negligible risks The ALARP pattern 22

Modular safety cases Goal: Modular, compositional construction of safety cases (corresponding to system structure) Partitioning of modules o Vertical (hierarchical) partitioning Claims of one argument are objectives of another E.g., case split of system and software safety case o Horizontal partitioning One argument providing the assumed context of another E.g., All system hazards have been identified provides assumed context of an argument that All identified system hazards have been sufficiently mitigated Module interfaces o Dependency of objectives, evidence, context of other modules 23 Principle of safety case interface Goals Supported 'Away' Goal 'Away' Context Context Defined Safety Case Module Context Defined Evidence Presented Goal to be Supported 'Away' Solution 'Away' Goal 24

Example of a modular safety case Elements> Safety case modules SysAccSafe {System X} is acceptably safe Away goals SRFunctions Safety Related functions of {System X} FnASafe Function A operation is acceptably safe ArgOverFunctions Argument over all identified safety related functions of {System X} FnBSafe Function B operation is acceptably safe FnBArgument FnCSafe FunctionsInd All functions are independent IndependenceArg Function C operation is acceptably safe FnAArgument Safety Argument for Function A 25 Safety case contracts Basis of agreement between interrelated safety case modules 26

Management of safety cases Example: Change of the context of hazard logs (e.g., change of probability of hazards in other context) 27 Advantages and disadvantages of GSN Advantages: o Simple elements o Captures the elements most important to safety arguments o Structured hierarchical breakdown o Can be used at various stages of argument development o Method guidance exists (e.g., concerning syntax) o Semantics well defined and understood (first order logic) o Increasingly being adopted by companies Disadvantages: o Easy to read, harder to write o Doesn t stop you writing bad arguments 28

Other approaches ASCAD: Adelard Safety Claims Arguments Data o Claim: Assertion to be proven o Argument: How evidence claim o Evidence: Required observation, analysis, test, Claim Argument Evidence Claim Claim Argument Evidence Assurance cases o Safety cases o Security cases o Dependability cases Definition 29 Generalization o A documented body of evidence that provides a convincing and valid argument that a specified set of critical claims regarding a system s properties are adequately justified for a given application in a given environment Examples of using assurance cases o Security critical applications: Based on Common Criteria o Medical devices: Based on ISO 14971 30

Example: ASCAD in medical devices CLAIM Introduction & Scope Medical Devices Application of risk management to ARGUMENT H.1 Rationale for Clause 1, Scope Is a subclaim of CLAIM 3 General requirements for risk management ARGUMENT H.3 Rationale for Clause 3, General Management requirements for risk ARGUMENT H.4 Rationale for clause 4, Risk analysis Is a subclaim of CLAIM 4 Risk analysis (Steps 1, 2 and 3 of Figure ARGUMENT H.4.1 Risk analysis procedure ARGUMENT H.5 Rationale for Clause 5, Risk evaluation Is a subclaim of CLAIM 5 Risk evaluation Is a subclaim of CLAIM 6 Risk control ARGUMENT H.7 Rationale for Clause 7, Overall residual risk evaluation CLAIM 7 Overall residual risk evaluation (Step11) ARGUMENT H.8 Rationale for Clause 8, Risk management report CLAIM 8 Risk management report (Step 12) ARGUMENT H.9 Post-production information (Step 13) Is a subclaim of Is a subclaim of Is a subclaim of CLAIM 9 Postproduction information (Step 13) 31 Supporting tools Adelard Safety Case Editor (ASCE) o Adelard, www.adelard.co.uk o Supports both GSN and ASCAD E Safety Case o Praxis HIS, www.esafetycase.com GSN CaseMaker o ERA Technology, www.era.co.uk ISCADE (Integrated Safety Case Development Environment) o RCM2, www.iscade.co.uk ISIS o High Integrity Solutions, www.highintegritysolutions.com Freeware Visio Add on o University of York, http://www.cs.york.ac.uk/~tpk/gsn/gsnaddoninstaller.zip 33

Summary Structure of safety cases o Evidence of quality management o Evidence of safety management o Evidence of technical safety Safety argumentation presented using the Goal Structuring Notation o Elements: Evidence, Strategy, Goal, Context o Patterns o Modular safety arguments o Maintenance of safety arguments Generalization: Assurance cases 35

2024 © sportdocbox.com Privacy Policy | Terms of Service | Feedback