The Safety Case. Structure of Safety Cases Safety Argument Notation

Similar documents
The Safety Case. The safety case

D-Case Modeling Guide for Target System

Understanding safety life cycles

A study on the relation between safety analysis process and system engineering process of train control system

C. Mokkapati 1 A PRACTICAL RISK AND SAFETY ASSESSMENT METHODOLOGY FOR SAFETY- CRITICAL SYSTEMS

Using what we have. Sherman Eagles SoftwareCPR.

EUROCONTROL Guidance Material for Area Proximity Warning Appendix B-1: Initial Safety Argument for APW System

Safety-Critical Systems

Functional safety. Functional safety of Programmable systems, devices & components: Requirements from global & national standards

18-642: Safety Plan 11/1/ Philip Koopman

New Thinking in Control Reliability

DETERMINATION OF SAFETY REQUIREMENTS FOR SAFETY- RELATED PROTECTION AND CONTROL SYSTEMS - IEC 61508

Safety-critical systems: Basic definitions

Hazard analysis. István Majzik Budapest University of Technology and Economics Dept. of Measurement and Information Systems

Every things under control High-Integrity Pressure Protection System (HIPPS)

Distributed Control Systems

George Cleland 6 th December 2011

THE CANDU 9 DISTRffiUTED CONTROL SYSTEM DESIGN PROCESS

Safety Management in Multidisciplinary Systems. SSRM symposium TA University, 26 October 2011 By Boris Zaets AGENDA

Purpose. Scope. Process flow OPERATING PROCEDURE 07: HAZARD LOG MANAGEMENT

Traditional Approaches to Risk Management and Medical Device Software. Are They Good Enough? Can We Do Better?

Session: 14 SIL or PL? What is the difference?

Lecture 04 ( ) Hazard Analysis. Systeme hoher Qualität und Sicherheit Universität Bremen WS 2015/2016

'Dipartimento di Ingegneria Elettrica, Universita di Genova Via all 'Opera Pia, lla Genova, Italy

EUROPEAN GUIDANCE MATERIAL ON INTEGRITY DEMONSTRATION IN SUPPORT OF CERTIFICATION OF ILS AND MLS SYSTEMS

Implementing IEC Standards for Safety Instrumented Systems

Service & Support. Questions and Answers about the Proof Test Interval. Proof Test According to IEC FAQ August Answers for industry.

Risk Management Qualitatively on Railway Signal System

Adaptability and Fault Tolerance

Failure Modes, Effects and Diagnostic Analysis

Hazard Identification

Critical Systems Validation

SYSTEM SAFETY REQUIREMENTS

SIL explained. Understanding the use of valve actuators in SIL rated safety instrumented systems ACTUATION

CT433 - Machine Safety

Safety Critical Systems

1309 Hazard Assessment Fundamentals

PROCESS AUTOMATION SIL. Manual Safety Integrity Level. Edition 2005 IEC 61508/61511

DATA ITEM DESCRIPTION Title: Failure Modes, Effects, and Criticality Analysis Report

Safety Manual VEGAVIB series 60

Hands-On System Safety Basics, Focused on FHA

Introduction to Machine Safety Standards

Human-robot interactions: model-based risk analysis and safety case construction

Assurance Cases for Medical Devices

Understanding the How, Why, and What of a Safety Integrity Level (SIL)

Functional Safety SIL Safety Instrumented Systems in the Process Industry

Marine Risk Assessment

Fire, Explosion and Risk Assessment Topic Guidance Issue 1

Review and Assessment of Engineering Factors

Reliability of Safety-Critical Systems Chapter 3. Failures and Failure Analysis

Safety Manual VEGAVIB series 60

Failure Modes, Effects and Diagnostic Analysis

Safety Manual. Process pressure transmitter IPT-1* 4 20 ma/hart. Process pressure transmitter IPT-1*

Regulatory Review of Safety Assessment for Decommissioning of Facilities Using Radioactive Material

QUANTIFYING THE TOLERABILITY OF POTENTIAL IGNITION SOURCES FROM UNCERTIFIED MECHANICAL EQUIPMENT INSTALLED IN HAZARDOUS AREAS

XVII Congreso de Confiabilidad

AUSTRALIA ARGENTINA CANADA EGYPT NORTH SEA U.S. CENTRAL U.S. GULF. SEMS HAZARD ANALYSIS TRAINING September 29, 2011

Engineering Safety into the Design

Safety assessments for Aerodromes (Chapter 3 of the PANS-Aerodromes, 1 st ed)

Safety of railway control systems: A new Preliminary Risk Analysis approach

FP15 Interface Valve. SIL Safety Manual. SIL SM.018 Rev 1. Compiled By : G. Elliott, Date: 30/10/2017. Innovative and Reliable Valve & Pump Solutions

Failure Modes, Effects and Diagnostic Analysis

RISK ASSESSMENT GUIDE

The RCM Analyst - Beyond RCM

L&T Valves Limited SAFETY INTEGRITY LEVEL (SIL) VERIFICATION FOR HIGH INTEGRITY PRESSURE PROTECTION SYSTEM (HIPPS) Report No.

Top 5 system engineers omissions that make safety engineer s lives harder

Failure modes and models

CORK INSTITUTE OF TECHNOLOGY INSTITIÚID TEICNEOLAÍOCHTA CHORCAÍ. Semester 2 Examinations 2010

Failure Modes, Effects and Diagnostic Analysis. Rosemount Inc. Chanhassen, MN USA

PL estimation acc. to EN ISO

Achieving Compliance in Hardware Fault Tolerance

The IEC61508 Inspection and QA Engineer s hymn sheet

The Best Use of Lockout/Tagout and Control Reliable Circuits

Real-Time & Embedded Systems

Eutectic Plug Valve. SIL Safety Manual. SIL SM.015 Rev 0. Compiled By : G. Elliott, Date: 19/10/2016. Innovative and Reliable Valve & Pump Solutions

Determination of Safety Level for the Train Protection System at Ringbanen in Copenhagen

(DD/MMM/YYYY): 10/01/2013 IP

Smart motorways all lane running Generic safety report

CONTENTS OF THE PCSR CHAPTER 1 - INTRODUCTION AND GENERAL DESCRIPTION

Accelerometer mod. TA18-S. SIL Safety Report

Safety Risk Assessment Worksheet Title of Risk Assessment Risk Assessment Performed By: Date: Department:

So it s Reliable but is it Safe? - a More Balanced Approach To ATM Safety Assessment

Tools for safety management Effectiveness of risk mitigation measures. Bernhard KOHL

C o d i n g f o r i n t e r a C t i v e d i g i t a l M e d i a

Probability Risk Assessment Methodology Usage on Space Robotics for Free Flyer Capture

INSTITUTIONAL REVIEW BOARD (IRB) PROCEDURES

Capturing an Uncertain Future: The Functional Resonance Accident Model

Three Approaches to Safety Engineering. Civil Aviation Nuclear Power Defense

PRACTICAL EXAMPLES ON CSM-RA

Release: 1. UEPOPL002A Licence to operate a reciprocating steam engine

Pneumatic QEV. SIL Safety Manual SIL SM Compiled By : G. Elliott, Date: 8/19/2015. Innovative and Reliable Valve & Pump Solutions

THE IMPROVEMENT OF SIL CALCULATION METHODOLOGY. Jinhyung Park 1 II. THE SIL CALCULATION METHODOLOGY ON IEC61508 AND SOME ARGUMENT

Proof Testing A key performance indicator for designers and end users of Safety Instrumented Systems

Risk Management Series Article 8: Risk Control

2016 American Academy of Actuaries. All rights reserved. May not be reproduced without express permission. ADDITIONAL LIABILITY ASSUMPTION OVERVIEW

The Meaning and Context of Safety Integrity Targets

FLIGHT TEST RISK ASSESSMENT THREE FLAGS METHOD

Workshop Functional Safety

Solenoid Valves For Gas Service FP02G & FP05G

Bespoke Hydraulic Manifold Assembly

Transcription:

The Safety Case Structure of Safety Cases Safety Argument Notation Budapest University of Technology and Economics Department of Measurement and Information Systems

The safety case Definition (core): The documented demonstration that the product complies with the safety requirements Role: o A safety case should communicate a comprehensive and defensible argument that a system is acceptably safe to operate in a particular context o Condition for safety acceptance and approval To be prepared by: Developers and/or operators To be accepted by: Safety authority and/or customer Principal elements: o Safety requirements (goals, objectives) o Arguments (relations) o Evidences Analysis results (e.g., FTA, FMEA) Formal verification Test results 2

Standard structure of a safety case Conditions for safety acceptance o Evidence of quality management o Evidence of safety management o Evidence of technical safety Structured presentation of evidence and arguments Example: EN50129 (railway) o Part 1: Definition of the system o Part 2: Quality management report o Part 3: Safety management report o Part 4: Technical safety report o Part 5: Related safety cases o Part 6: Conclusion 3

Quality related parts of the safety case Part 2: Quality management report o Minimize the incidence of human errors at each stages in the lifecycle: Reduce the risk of systematic faults Part 3: Safety management report 1. Safety lifecycle: From requirements to validation 2. Safety organization: Roles and competence 3. Safety plan: Activities and approval milestones + review 4. Hazard log: Hazards + risks + risk control 5. Safety requirements 6. System design 7. Safety reviews 8. Safety verification and validation 9. Safety justification 10. System handover (to authority) 11. Operation and maintenance 12. Decommission and disposal 5

Technical parts of the safety case Part 4: Technical safety report 1. Introduction: o Summary of technical principles and standards 2. Assurance of correct functional operation o Architecture, interfaces, fulfillment of requirements, assurance of correct hardware and software behavior 3. Effects of faults o o Random hardware faults: Quantified safety target o Detection, actions after detection, effects, independence, multiple faults Systematic faults: Risk reduction 4. Operation with external influences o Demonstration of operability and safety 5. Safety-related application conditions o Rules, conditions, constraints 6. Safety qualification tests o Evidence to demonstrate completion 6

Safety argumentation 8

Communicating safety arguments Typical: Free text o Structured form (items, enumerations, references) o Complex arguments are difficult to describe Review, management, tracking, coordination is difficult Graphical notation: Goal Structuring Notation o Elements of safety arguments o Relationships between the elements? 9

Elements Goal: Objective, claim about the system o Compliance with requirements o Sufficient mitigation / avoidance of hazards o Without evidence it is unfounded! Strategy: Decomposition method o Derivation of sub-goals Evidence (solution) o Results of observation, analysis, test, simulation, o Fundamental information from which safety can be inferred Context o Context of demonstrating safety Assumption or Justification o Limits, conditions etc. Undeveloped goal o Further development is necessary 10

Relations Is solved by o Applied between goals, strategies, evidences In context of o Applied between contexts / assumptions / justifications and other elements Context Assumption 11

Overview of safety argumentation Safety Requirements & Objectives Control System is Safe Hazards Identified from FHA (Ref Y) Tolerability targets (Ref Z) All identified hazards eliminated / sufficiently mitigated Safety Argument Software developed to I.L. appropriate to hazards involved I.L. Process Guidelines defined by Ref X. 1x10-6 p.a. limit for Catastrophic Hazards J H1 has been eliminated Probability of H2 occurring < 1 x 10-6 per annum Probability of H3 occurring < 1 x 10-3 per annum Primary Protection System developed to I.L. 4 Secondary Protection System developed to I.L. 2 Formal Verification Safety Evidence Fault Tree Analysis Process Evidence of I.L. 4 Process Evidence of I.L. 2 Source: T. Kelly 12

Evolution of the goal structure 13

Steps of safety case construction Source: T. Kelly 14

Safety arguments for hardware 15

Safety arguments for software Software SIL: Required techniques and measures form arguments and evidences Example: Guidelines followed for SIL4 o Formal specification o Formal verification of functionality o Formal verification of timing 16

An example goal structure Evidences: Test results, state machine analysis, fault tree analysis, directed testing 17

Generic goal structure I.L.: Integrity Level FHA: Functional Hazard Assessment 18

Safety case patterns Combines argumentation and patterning o Supports the re-use of successful argument approaches (best practice) o Focus on semantics rather than the syntax of the safety case GSN extensions to support capturing patterns o Multiplicity o Instantiation o Develop o Instantiation and develop o Choice 19

Example of a GSN pattern Decomposition on the basis of system functions G1: {System X} is Safe Provides {Function Y} Multiplicity S1: Argument by claiming safety of all system safety-related functions n C1: Safety Related Functions of {System X} (n = # functions) To be instantiated Choose To be instantiated and developed G2: {Function Y} is safe G3: Interactions between system functions are non-hazardous G4: All system functions are independent (no interactions) To be developed 20

The Fault Tree pattern How a fault tree analysis can be used as evidence 21

ALARP: As Low As Reasonably Practicable o No intolerable risk o All tolerable risks have reduced as low as reasonably practicable o All remaining hazards have negligible risks The ALARP pattern 22

Modular safety cases Goal: Modular, compositional construction of safety cases (corresponding to system structure) Partitioning of modules o Vertical (hierarchical) partitioning Claims of one argument are objectives of another E.g., case split of system and software safety case o Horizontal partitioning One argument providing the assumed context of another E.g., All system hazards have been identified provides assumed context of an argument that All identified system hazards have been sufficiently mitigated Module interfaces o Dependency of objectives, evidence, context of other modules 23

Principle of safety case interface Goals Supported 'Away' Goal 'Away' Context Context Defined Safety Case Module Context Defined Evidence Presented Goal to be Supported 'Away' Solution 'Away' Goal 24

Example of a modular safety case fig 1 Elements: Safety case modules SysAccSafe {System X} is acceptably safe Away goals SRFunctions Safety Related functions of {System X} FnASafe Function A operation is acceptably safe ArgOverFunctions Argument over all identified safety related functions of {System X} FnBSafe Function B operation is acceptably safe FnCSafe FunctionsInd All functions are independent Function C operation is acceptably safe IndependenceArg FnBArgument FnAArgument Safety Argument for Function A 25

Management of safety cases Example: Change of the context of hazard logs (e.g., change of probability of hazards in other context) 27

Advantages and disadvantages of GSN Advantages: o Simple elements Captures the elements most important to safety arguments o Structured hierarchical breakdown Method guidance exists o Semantics well defined and understood (first order logic) o Can be used at various stages of argument development o Increasingly being adopted by companies Disadvantages: o Easy to read, harder to write o Doesn t stop you writing bad arguments 28

Other approaches ASCAD: Adelard Safety Claims Arguments Data o Claim: Assertion to be proven o Argument: How evidence supports claim o Evidence: Required observation, analysis, test, Claim Argument Evidence Claim Claim Argument Evidence 29

Assurance cases o Safety cases o Security cases o Dependability cases Definition Generalization o A documented body of evidence that provides a convincing and valid argument that a specified set of critical claims regarding a system s properties are adequately justified for a given application in a given environment Examples of using assurance cases o Security-critical applications: Based on Common Criteria o Medical devices: Based on ISO 14971 30

Supporting tools Adelard Safety Case Editor (ASCE) o Adelard, www.adelard.co.uk o Supports both GSN and ASCAD E-Safety Case o Praxis HIS, www.esafetycase.com GSN CaseMaker o ERA Technology, www.era.co.uk ISCADE (Integrated Safety Case Development Environment) o RCM2, www.iscade.co.uk ISIS o High Integrity Solutions, www.highintegritysolutions.com Freeware Visio Add-on o University of York, http://www.cs.york.ac.uk/~tpk/gsn/gsnaddoninstaller.zip 33

Summary Structure of safety cases o Evidence of quality management o Evidence of safety management o Evidence of technical safety Safety argumentation presented using the Goal Structuring Notation o Elements: Evidence, Strategy, Goal, Context o Patterns o Modular safety arguments o Maintenance of safety arguments Generalization: Assurance cases 35

2024 © sportdocbox.com Privacy Policy | Terms of Service | Feedback