[SystemSafety] Maintaining Safety Cases Over Time

Matthew Squair mattsquair at gmail.com
Fri Oct 7 10:21:01 CEST 2016


Hi Carl,

As you are aware, in aviation the traditional approach to this has been to
certify the whole, i.e. the FAA/EASA steps in to certify engines and
aircraft because it's so difficult to certify a component then add it to
another and make valid arguments about the whole, without thinking about
(and certifying) the whole. Aircraft cert status = TC+STC1,STC2...

But I believe what you're thinking about is the composability of the
system. If you can argue a guarantee of stringent separation of components
you can then combine these parts and preserve system safety properties.
Integrated Modular Architecture as an example.

I believe John Rushby has been looking at these sorts of questions with an
eye towards ad-hoc systems building. Might be worthwhile having a look at
his pubs page? After all, this sounds like an ad hoc approach.

All that being said, I'm not sure how much mileage you'll get; you may not
be able to get there from here, to quote that Louisiana farmer.



On Wed, Oct 5, 2016 at 1:56 AM, Carl Sandom <carl at isys-integrity.com> wrote:

> I have an interesting challenge relating to the development and
> maintenance of an evolving Safety Case for a complex system over the medium
> to long term. I apologise in advance for the loose use of the terms
> ‘system’ and ‘integrate’ here.
>
> A core system (call it System X) was developed over a number of years
> along with a Safety Case and it is now in service. Over time, other
> ‘systems’ are being connected to System X (Systems Y or Z) to either
> replace existing functionality or to introduce new functionality. I don’t
> mean System X software updates here; I’m referring to the connection of
> other systems that are developed independently.
>
> Even when Systems Y or Z have existing Safety Cases, the System X Safety
> Case requires significant effort to update each time a new system is
> integrated. Assuming a hazard analysis reveals no new hazards following
> integration, the impact of the integration on the System X Safety Case will
> still affect the quantitative aspects in particular (safety targets
> apportionment and integrity claims).
>
> This can lead to a situation whereby System X and System Y can
> independently support a SIL x claim; but the integration of the two systems
> results in System X + Y not achieving the required safety target.
>
> Does anyone have any experiences and/or advice to offer on how to deal
> with this scenario?
>
> Best Regards
>
> Carl Sandom
>
> iSys Integrity Ltd.
>
> _______________________________________________
> The System Safety Mailing List
> systemsafety at TechFak.Uni-Bielefeld.DE
>


-- 
*Matthew Squair*
BEng (Mech) MSysEng
MIEAust CPEng

Mob: +61 488770655
Email: MattSquair at gmail.com
Website: www.criticaluncertainties.com <http://criticaluncertainties.com/>
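Editor's added illustration of the quantitative point in Carl's quoted question (the "System X + Y" case where each part supports a SIL claim on its own but the integrated system misses the target). This is not code from either correspondent or from the list; it assumes independent subsystem failures combined in series (the integrated function fails if either part fails), dangerous failure rates per hour (PFH) small enough to add, and the IEC 61508 high-demand PFH bands for SIL 1 to 4. All PFH figures for X, Y and the target are constructed sample values; the function names (`sil_for_pfh`, `check_integration`, `remaining_budget`) are the example's own.

```python
# Added illustration, not code from the thread. Models the quoted scenario:
# System X and System Y each support a SIL 2 claim on their own, but their
# series combination X + Y no longer meets the integrated target.
#
# Assumptions (labelled as such): subsystem failures are independent, the
# integrated function fails if either subsystem fails (series logic), and
# per-hour dangerous failure rates (PFH) are small enough that they add.
# SIL bands are the IEC 61508 high-demand/continuous-mode PFH bands.
# All PFH figures for X, Y and the target below are constructed sample values.

# (SIL, lower bound inclusive, upper bound exclusive), dangerous failures per hour
SIL_PFH_BANDS = [
    (4, 1e-9, 1e-8),
    (3, 1e-8, 1e-7),
    (2, 1e-7, 1e-6),
    (1, 1e-6, 1e-5),
]


def sil_for_pfh(pfh):
    """Return the SIL band whose PFH range contains ``pfh`` (0 if no band)."""
    if pfh >= 1e-5:
        return 0            # too frequent to support any SIL claim
    if pfh < 1e-9:
        return 4            # beyond the SIL 4 lower bound; capped at 4
    for sil, lo, hi in SIL_PFH_BANDS:
        if lo <= pfh < hi:
            return sil
    return 0


def series_pfh(subsystem_pfh):
    """Combined PFH of subsystems in series (independent, small rates -> rates add)."""
    return sum(subsystem_pfh.values())


def check_integration(subsystem_pfh, target_pfh):
    """Compare each subsystem's own SIL with the SIL of the integrated system."""
    combined = series_pfh(subsystem_pfh)
    return {
        "subsystem_sil": {name: sil_for_pfh(p) for name, p in subsystem_pfh.items()},
        "combined_pfh": combined,
        "combined_sil": sil_for_pfh(combined),
        "meets_target": combined <= target_pfh,
    }


def remaining_budget(target_pfh, existing_pfh):
    """Apportionment: PFH still available to a new subsystem under ``target_pfh``.

    Returns 0.0 when the existing subsystems already consume the whole budget.
    """
    return max(0.0, target_pfh - sum(existing_pfh.values()))


if __name__ == "__main__":
    TARGET = 1e-6                  # constructed: integrated target at the SIL 2 bound
    X = {"System X": 6e-7}         # constructed: SIL 2 on its own
    Y = {"System Y": 6e-7}         # constructed: SIL 2 on its own
    print(check_integration({**X, **Y}, TARGET))
    # What Y would have to achieve given the budget X already consumes:
    print("PFH budget left for System Y:", remaining_budget(TARGET, X))
```

Run stand-alone, the script reports both subsystems at SIL 2, the combined system at SIL 1 with `meets_target` false, and a remaining budget for System Y of about 4e-7 per hour, i.e. tighter than the figure Y's own Safety Case claimed. That is the re-apportionment work the quoted message describes: the integration creates no new hazard, yet the existing quantitative claims have to be redistributed against the shared target.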