[SystemSafety] Maintaining Safety Cases Over Time

Robin Cook robincook107 at gmail.com
Mon Nov 21 23:40:16 CET 2016


Hi Carl,

My first thought is that this is very similar to the life extension safety
case or the increased fleet size requirement, but with increased
functionality. As such, we often come across it, and it is one that I, and I
am sure many others, have come across fairly often.

I suggest that the key is in how the safety requirement is written. The HSE
wording of "risk to each hypothetical person" works very well. If you
increase the number of instances of System X, then you are likely to increase
the number of users in proportion. The same thinking works for life
extension. However, with functionality change, you may need to change the
interpretation of the high level safety requirement. If you have the MOD
style requirement based on incident probabilities with the fleet, then you
are back to the beginning with a new safety requirement each time. The
saving grace is that the changes above the line tend to have a common
multiplier with those below the line.

I will agree that this suggestion comes from my dislike of the MOD approach
to requirement setting and my view that the risk matrix is a gross
approximation that has done the MOD more disservice than service.

Best regards

Robin Cook

Thales Cyber and Consulting

And of course these views are my own and may not reflect the views of Thales
Cyber and Consulting or any customer.

From: systemsafety
[mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de] On Behalf Of
Carl Sandom
Sent: 04 October 2016 15:56
To: systemsafety at lists.techfak.uni-bielefeld.de
Subject: [SystemSafety] Maintaining Safety Cases Over Time

I have an interesting challenge relating to the development and maintenance
of an evolving Safety Case for a complex system over the medium to long
term. I apologise in advance for the loose use of the terms 'system' and
'integrate' here.

A core system (call it System X) was developed over a number of years along
with a Safety Case and it is now in service. Over time, other 'systems' are
being connected to System X (Systems Y or Z) to either replace existing
functionality or to introduce new functionality. I don't mean System X
software updates here; I'm referring to the connection of other systems that
are developed independently.

Even when Systems Y or Z have existing Safety Cases, the System X Safety
Case requires significant effort to update each time a new system is
integrated. Assuming a hazard analysis reveals no new hazards following
integration, the impact of the integration on the System X Safety Case will
still affect the quantitative aspects in particular (safety targets
apportionment and integrity claims).

This can lead to a situation whereby System X and System Y can independently
support a SIL x claim, but the integration of the two systems results in
System X + Y not achieving the required safety target.

Does anyone have any experiences and/or advice to offer on how to deal with
this scenario?

Best Regards

Carl Sandom

iSys Integrity Ltd.
