Safety Cases

What does it mean for a system to be safe? Safety cases answer this question by defining safety in terms of achievable system goals and then arguing that the system has been developed in such a way that it meets those goals (Examples of Safety Cases). Using notations such as the Goal Structuring Notation (GSN), developed at the University of York, a safety case can be laid out graphically, which helps developers prepare the case and helps convince regulators that the developer has satisfactorily discharged its safety obligations. By explicitly connecting the safety goals the developer must satisfy to the evidence that they have been met, safety cases present more compelling arguments that a system is safe than the ad hoc and process-based approaches in widespread use today.

In addition to their merits in assuring system safety, safety cases are also a promising vehicle for guiding system failure analysis. The failure of a system in a manner that compromises safety implies that the system's safety argument is flawed. By backtracking through the safety case, investigators might be able to identify which aspects of the safety argument are flawed and recommend corrections that system developers would then use to improve existing and future safety cases. We call this interaction between system developers and investigators the enhanced safety case lifecycle.
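As an added illustration, not part of the original page or of the York GSN tooling, a minimal GSN-style safety case in Python: goals are connected to evidence (solutions) through strategies, one check finds goals the argument never connects to evidence, and backtracking from a piece of evidence that an accident has discredited yields the goals whose argument rests on it. The air-traffic-control fragment and its element names are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Node:
    """One GSN element. kind is 'Goal', 'Strategy' or 'Solution' (evidence)."""
    id: str
    kind: str
    text: str
    supported_by: list = field(default_factory=list)  # ids of child elements


def build_case() -> dict:
    """Constructed, hypothetical air-traffic-control fragment, not a real safety case."""
    nodes = [
        Node("G1", "Goal", "Aircraft under control maintain safe separation", ["S1"]),
        Node("S1", "Strategy", "Argue over the conflict detection chain", ["G2", "G3", "G4"]),
        Node("G2", "Goal", "Loss of separation is detected in time", ["Sn1"]),
        Node("G3", "Goal", "Controller is alerted to a detected conflict", ["Sn2"]),
        Node("G4", "Goal", "Controller has time to resolve the conflict"),  # no evidence yet
        Node("Sn1", "Solution", "Conflict alert test report"),
        Node("Sn2", "Solution", "Alert display usability review"),
    ]
    return {n.id: n for n in nodes}


def undeveloped_goals(case: dict) -> list:
    """Goals with nothing beneath them: claims the argument never ties to evidence."""
    return sorted(n.id for n in case.values() if n.kind == "Goal" and not n.supported_by)


def parents_of(case: dict) -> dict:
    """Invert the supported-by links so the case can be walked upward from evidence."""
    parents = {nid: [] for nid in case}
    for n in case.values():
        for child in n.supported_by:
            parents[child].append(n.id)
    return parents


def affected_goals(case: dict, solution_id: str) -> list:
    """Backtrack from discredited evidence to every goal whose argument rests on it,
    nearest goal first. This is the failure-analysis step of the safety-case lifecycle."""
    parents, affected, seen, stack = parents_of(case), [], set(), [solution_id]
    while stack:
        nid = stack.pop()
        for p in parents[nid]:
            if p in seen:
                continue
            seen.add(p)
            if case[p].kind == "Goal":
                affected.append(p)
            stack.append(p)
    return affected
```

Running `undeveloped_goals(build_case())` flags G4, and `affected_goals(build_case(), "Sn1")` shows that discrediting the conflict alert test report undermines G2 and, through S1, the top-level goal G1.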

Example Safety Cases

We have collected several examples of safety cases. These cases represent interests in air traffic control, passenger rail transit, and radioactive waste disposal and storage.

Selected Papers

  • Greenwell, William S., Elisabeth A. Strunk, and John C. Knight. Failure Analysis and the Safety-Case Lifecycle. IFIP Working Conference on Human Error, Safety and System Development (HESSD), Toulouse, France, August 2004. (PDF)