
Page 1: Hazard Management for Safety Critical Systems Philip Benjamin Supervised by: Dr. David Hemer Computer Science Department University Of Adelaide.

Hazard Management for Safety Critical Systems

Philip Benjamin

Supervised by: Dr. David Hemer

Computer Science Department

University Of Adelaide

Page 2: Abstract of talk

Safety critical systems are increasingly used in industry
They are regulated by safety standards
They require tracking and managing of hazards: lots of data, with complex inter-relationships
This requires tool support for hazard management
Existing tools have limitations; this project aims to address them
Data model for hazard management: the existing model, and a new, improved model

Page 3: Talk Outline

Terminology: hazards, risk, safety integrity levels, etc.
Existing tools: HazLog and Cassandra
The existing data model for HazLog and the proposed conceptual data model

Page 4: Reference Material

Def(Aust) 5679, Australian Defence Standard for the Procurement of Computer-Based Safety Critical Systems
UK MOD Def Stan 00-56, Safety Management Requirements for Defence Systems, U.K. Ministry of Defence
Neil Storey, Safety-Critical Computer Systems
HazLog: Tool support for hazard management, Australian Workshop on Industrial Experience with Safety Critical Systems

Page 5: Terms in Safety Critical Systems

Accident: an unintended event or sequence of events that causes death, injury, or damage
Hazard: a situation in which there is actual or potential danger to people or the environment
Risk: a combination of the frequency or probability of a specified hazardous event and its consequence
Risk assessment: risk is assessed and addressed by assigning safety integrity levels and levels of trust to the system

Page 6: Hazard Analysis

A range of techniques that provide insight into the characteristics of the system under investigation
Event tree analysis (ETA): start with an initiating event and work forward to determine its possible outcomes
Fault tree analysis (FTA): start with each identified hazard (the top event) and work backward to determine its possible causes; logical operators (AND/OR gates) are used to combine the effects of events
Data from earlier accidents and incidents in similar systems in service can be used as a starting point
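The gate logic that fault tree analysis relies on, as an added example (this is not HazLog code and not from the talk). The tree, event names and failure probabilities are constructed; it shows how AND/OR gates combine basic events into minimal cut sets, and why the usual rare-event approximation over those cut sets is an upper bound on the exact top-event probability.

```python
# Added example, not HazLog code: a small fault tree evaluator showing how AND/OR
# gates combine basic events into minimal cut sets and a top-event probability.
# The tree, event names and probabilities are constructed for illustration.
from itertools import product
from math import prod

# Gate table: gate name -> (operator, children). Anything not in the table is a
# basic event. Hypothetical top event: uncommanded brake release.
TREE = {
    "TOP": ("OR", ["G1", "E4"]),     # brake releases if G1 or the valve fails open
    "G1": ("AND", ["E1", "G2"]),      # command fault AND loss of interlock
    "G2": ("OR", ["E2", "E3"]),       # interlock lost via either sensor or wiring
}
# Constructed per-demand failure probabilities, assumed independent.
BASIC = {"E1": 1e-2, "E2": 1e-3, "E3": 2e-3, "E4": 1e-5}


def minimise(sets):
    """Keep only minimal cut sets: drop any set that strictly contains another."""
    return {s for s in sets if not any(other < s for other in sets)}


def cut_sets(node, tree=TREE):
    """Minimal cut sets of `node` as a set of frozensets of basic events.
    An OR gate unions its children's cut sets; an AND gate takes every
    combination of one cut set per child and unions them (the MOCUS-style
    expansion, done recursively)."""
    if node not in tree:
        return {frozenset([node])}
    op, children = tree[node]
    child_sets = [cut_sets(c, tree) for c in children]
    if op == "OR":
        combined = set().union(*child_sets)
    elif op == "AND":
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate operator {op!r}")
    return minimise(combined)


def evaluate(node, state, tree=TREE):
    """True if `node` occurs for a given assignment of basic events to booleans."""
    if node not in tree:
        return state[node]
    op, children = tree[node]
    values = [evaluate(c, state, tree) for c in children]
    return all(values) if op == "AND" else any(values)


def top_probability(node="TOP", tree=TREE, basic=BASIC):
    """Exact top-event probability by enumerating all 2^n basic-event states.
    Fine for a handful of events; real tools work from the cut sets instead."""
    names = sorted(basic)
    total = 0.0
    for bits in product((False, True), repeat=len(names)):
        state = dict(zip(names, bits))
        if evaluate(node, state, tree):
            total += prod(basic[n] if on else 1 - basic[n] for n, on in state.items())
    return total


def rare_event_bound(node="TOP", tree=TREE, basic=BASIC):
    """Rare-event approximation: sum over minimal cut sets of the product of
    their event probabilities. An upper bound on the exact value (Boole's
    inequality), close to it when the probabilities are small."""
    return sum(prod(basic[e] for e in cs) for cs in cut_sets(node, tree))


if __name__ == "__main__":
    for cs in sorted(cut_sets("TOP"), key=sorted):
        print("cut set:", sorted(cs))
    print(f"exact P(TOP)      = {top_probability():.6e}")
    print(f"rare-event bound  = {rare_event_bound():.6e}")
```

For this tree the minimal cut sets are {E1, E2}, {E1, E3} and {E4}; the rare-event bound is 4.0e-5 and the exact value is slightly lower because the cut sets overlap on E1. The exact enumeration is exponential in the number of basic events, which is why real tools stay with cut-set based approximations.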

Page 7: Existing Tools

Cassandra
Supports Def Stan 00-56 and MIL-STD-882C
Has one kind of risk allocation: Safety Integrity Levels (SILs)

HazLog
Supports Def(Aust) 5679
Two levels of hazards: system hazard and component hazard
Risk allocation: Level Of Trust (LOT) and Safety Integrity Level (SIL)

Page 8: HazLog: Initial Data Model

Page 9: HazLog Limitations

Incompatible with standards other than Def(Aust) 5679, e.g. because it carries two separate risk allocations (LOT and SIL)
Only supports two levels of hazards; more levels may be wanted, e.g. for systems of systems

Page 10: New Conceptual Data Model

Page 11: Analysis of the new Data Model

There is one generic type of hazard, which can be either a system hazard or a component hazard
Cut sets model the parent/child relationships between hazards
A loop in the model would turn the hierarchy into a graph: a child node could also become a parent of a node above its own level
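The generic hazard record and the loop problem described on this slide, as an added example (not HazLog's own code or schema). The hazard ids, descriptions and risk values are constructed, and the field names `sil` and `lot` are an assumption. It supports an arbitrary number of levels (the systems-of-systems case the previous slide asks for) and refuses any parent/child link that would make a node an ancestor of itself.

```python
# Added example, not HazLog code: a generic hazard record with parent/child links
# that supports any number of levels and refuses links that would close a loop.
# Hazard ids, descriptions and risk values below are constructed for illustration;
# the field names sil/lot are an assumption, not HazLog's schema.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Hazard:
    hid: str
    description: str
    sil: Optional[int] = None              # Safety Integrity Level, if allocated
    lot: Optional[int] = None              # Level Of Trust, if allocated
    children: List[str] = field(default_factory=list)  # ids of contributing hazards


class HazardLog:
    """One generic hazard type; any record may be a parent, a child, or both."""

    def __init__(self) -> None:
        self.hazards: Dict[str, Hazard] = {}

    def add(self, hazard: Hazard) -> None:
        if hazard.hid in self.hazards:
            raise ValueError(f"duplicate hazard id {hazard.hid}")
        self.hazards[hazard.hid] = hazard

    def descendants(self, hid: str) -> Set[str]:
        """All hazards reachable below `hid` (iterative DFS, so deep trees are fine)."""
        seen: Set[str] = set()
        stack = list(self.hazards[hid].children)
        while stack:
            current = stack.pop()
            if current not in seen:
                seen.add(current)
                stack.extend(self.hazards[current].children)
        return seen

    def link(self, parent: str, child: str) -> None:
        """Record that `child` contributes to `parent`. Rejected if `parent` is
        `child` itself or already lies below `child`: that edge would make a node
        the parent of one of its own ancestors and turn the tree into a graph."""
        for hid in (parent, child):
            if hid not in self.hazards:
                raise KeyError(f"unknown hazard {hid}")
        if parent == child or parent in self.descendants(child):
            raise ValueError(f"linking {child} under {parent} would create a loop")
        if child not in self.hazards[parent].children:
            self.hazards[parent].children.append(child)

    def depth(self, hid: str) -> int:
        """Levels below `hid` (0 for a leaf). Terminates because link() keeps the graph acyclic."""
        kids = self.hazards[hid].children
        return 0 if not kids else 1 + max(self.depth(k) for k in kids)

    def roots(self) -> List[str]:
        """Hazards with no parent: the top of the hierarchy."""
        referenced = {c for h in self.hazards.values() for c in h.children}
        return sorted(h for h in self.hazards if h not in referenced)


def build_sample_log() -> HazardLog:
    """Constructed three-level hierarchy: system of systems -> system -> component."""
    log = HazardLog()
    log.add(Hazard("H-SOS-1", "Fleet loses shared navigation picture", sil=4))
    log.add(Hazard("H-SYS-1", "Aircraft navigation system fails", sil=3))
    log.add(Hazard("H-SYS-2", "Ground station stops broadcasting", sil=3))
    log.add(Hazard("H-COMP-1", "GPS receiver outputs a stale fix", lot=2))
    log.add(Hazard("H-COMP-2", "Navigation software rejects a valid fix", lot=3))
    log.link("H-SOS-1", "H-SYS-1")
    log.link("H-SOS-1", "H-SYS-2")
    log.link("H-SYS-1", "H-COMP-1")
    log.link("H-SYS-1", "H-COMP-2")
    return log


def loop_is_rejected(log: HazardLog) -> bool:
    """Attempt the loop described on the slide: make a top-level hazard the child
    of one of its own descendants. Returns True if the log refuses it."""
    try:
        log.link("H-COMP-1", "H-SOS-1")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    log = build_sample_log()
    print("roots:", log.roots(), "depth below root:", log.depth("H-SOS-1"))
    print("loop rejected:", loop_is_rejected(log))
```

The check in `link()` is the cheap place to enforce acyclicity: validating once per edge on insert means `depth()` and any cut-set expansion over the hierarchy can recurse without their own cycle guards.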

Page 12: Project Plan

Week 1 to 6: initial report
Week 7: presentation with a 15 min talk
Milestones:
1st milestone (Week 9): initial requirements and analysis (what the tool must do)
2nd milestone (Week 11): initial design (drawing entity-relationship diagrams)
3rd milestone (Week 3, Semester 2): prototype
4th milestone (Week 5, Semester 2): case study to work out the gaps, using "aircraft safety"
5th milestone (Week 7, Semester 2): final design
Final presentation (1 week)
Final report (last 4 weeks of Semester 2)

Page 13: Conclusion

Safety critical software requires hazard management
A tool is required; current tools have limitations
Aim to address these limitations by redesigning the existing HazLog tool