Publications catalogue - books
Constituents of Modern System-safety Thinking: Proceedings of the Thirteenth Safety-critical Systems Symposium, Southampton, UK, 8-10 February 2005
Felix Redmill ; Tom Anderson (eds.)
Abstract/Description - provided by the publisher
Not available.
Keywords - provided by the publisher
Software Engineering; System Performance and Evaluation
Availability

| Detected institution | Year of publication | Browse | Download | Request |
|---|---|---|---|---|
| Not detected | 2005 | SpringerLink | | |
Information
Resource type:
books
Print ISBN
978-1-85233-952-4
Electronic ISBN
978-1-84628-130-3
Publisher
Springer Nature
Country of publication
United Kingdom
Publication date
2005
Publication rights information
© Springer-Verlag London Limited 2005
Subject coverage
Table of contents
The IEE/BCS Independent Safety Assurance Working Group
David H. Smith
The purpose of this paper is to provide an introduction to the work of the IEE/BCS Independent Safety Assurance Working Group, including what has been achieved to date and looking at what needs to be addressed in the future.
- Independent Safety Assessment | Pp. 3-19
Putting Trust into Safety Arguments
Jane Fenn; Brian Jepson
This paper describes one development of a concept that emerged from the Defence and Aerospace Research Partnership to enhance safety arguments by identifying and managing the argument’s dependence on safety evidence.
- Independent Safety Assessment | Pp. 21-35
Independent Safety Assessment of Safety Arguments
Peter Froome
The paper describes the role of Independent Safety Auditor (ISA) as carried out at present in the defence and other sectors in the UK. It outlines the way the ISA role has developed over the past 15–20 years with the changing regulatory environment. The extent to which the role comprises audit, assessment or advice is a source of confusion, and the paper clarifies this by means of some definitions, and by elaborating the tasks involved in scrutinising the safety argument for the system. The customers and interfaces for the safety audit are described, and pragmatic means for assessing the competence of ISAs are presented.
- Independent Safety Assessment | Pp. 37-47
Structuring a Safety Case for an Air Traffic Control Operations Room
Ron Pierce; Herman Baret
Production of a formal safety case is a valuable part of the safety management of a safety related system. A safety case is a written justification that the given system will be tolerably safe during installation, commissioning and operation, and in some cases decommissioning. A well-written safety case will give all stakeholders (operating authority, members of staff and regulators) justifiable confidence that the system is safe to operate and to continue in operation. Although production of a safety case is now regarded as best practice in many quarters, there is still relatively little experience of writing safety cases and only a limited amount of literature on the topic. Many safety engineers find it a daunting task and some safety cases are still poorly structured, difficult to understand and less than compelling.
- Safety and Security | Pp. 51-64
SafSec: Commonalities Between Safety and Security Assurance
Samantha Lautieri; David Cooper; David Jackson
Many systems, particularly in the military domain, must be certified or accredited by both safety and security authorities. Current practice argues safety and security accreditations separately. A research project called SafSec has been investigating a combined approach to safety and security argumentation, and has shown that there can be practical benefits in performing a combined analysis and documenting a combined argument for both safety and security.
- Safety and Security | Pp. 65-75
Learning from a Train Derailment
Kevin Payne
This paper discusses wider engineering lessons that may be drawn from the investigation of a train derailment that occurred on the Northern Line of London Underground on 19 October 2003 at Camden Town. It summarises the accident investigation process followed and the main findings and discusses: the management of “legacy” systems; maintaining the links between design intent and maintenance practice; the concept of insidious criticality; and the use of standards to control interactions.
- Accident Investigation | Pp. 79-92
Accident Investigations - Meeting the challenge of new technology
Knut Rygh
New technology and new organisational concepts are being introduced at a pace that does not allow enough time to demonstrate control of possible residual risk by means of technical design and human performance. One area where this is becoming increasingly noticeable is the transport sector. Through identification of causal factors resulting from accident investigations, it may seem for digital systems that some transport sectors are facing challenges when ensuring documentation of safe operations. Operators and approval authorities are also facing a challenge in understanding the safe limitations and risk aspects involved when introducing new technology to transport systems. The purpose of this paper is to demonstrate through lessons learned from accident investigations in the transport sector:
It is becoming increasingly important to speed up the efforts to modernise techniques for accident prevention, as these have been lagging behind the use of new technology in several sectors. Furthermore, this paper wishes to bring focus on the fact that the pace of introduction of digital automation systems to certain parts of modern transport systems during the last 15–20 years seems to have outstripped one’s ability to assure and document safe operations. The fact that the safety of such systems cannot be assured in accordance with established and traditional methods and safety principles, combined with the fact that replacements are immature and unproven, calls for a more cautious and conservative approach with regard to how this technology should be applied to safety-critical systems/operations.
- Accident Investigation | Pp. 93-108
Identification of Time At Risk Periods of Significance to ALARP Justifications
Mark George
Behind the simplicity of the ALARP Principle — which requires that all reasonably practicable risk reduction measures should be taken — lies a great deal of complexity. One of the difficult areas is Time At Risk, when risks are above the mean value for a period of time. In this paper, three methods are developed as an aid to the process of agreeing what constitutes a significant period of increased risk that may possibly be worthy of separate ALARP consideration.
- Risk and its Tolerability | Pp. 111-127
Developing and Using Risk Matrices
Michael Prince
Risk Matrices have long been adopted in parts of the systems safety community as a simple means of categorisation of risk, yet they are often developed and used incorrectly leading to confusion and poor safety management.
- Risk and its Tolerability | Pp. 129-145
Health Monitoring for Reconfigurable Integrated Control Systems
Mark Nicholson
The next generation of control systems is likely to be characterised by much higher integration, where common/shared computer resources perform multiple system functions. It is possible to reconfigure such systems to provide continued functionality when an element of the system fails. To achieve this aim a number of prerequisites must be in place: the ability to determine when a failure has occurred, the appropriate configuration to move to, and the ability to safely transfer from one configuration to another. This paper concentrates on the first of these in the form of health monitoring systems for IMS. The approach takes into account the potentially safety-critical nature of the applications and the nature of these computer systems.
- Achieving and Arguing the Safety of Modular Systems | Pp. 149-162