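@techreport{DO-178B,
  author      = {{RTCA Special Committee 167}},
  title       = {Software Considerations in Airborne Systems and Equipment Certification},
  institution = {RTCA, Inc},
  type        = {Recommendation},
  number      = {DO-178B},
  address     = {Washington DC, USA},
  month       = dec,
  year        = {1992},
}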
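@techreport{DO-201A,
  author      = {{RTCA Special Committee 181}},
  title       = {Standards for Aeronautical Information},
  institution = {RTCA, Inc},
  type        = {Recommendation},
  number      = {DO-201A},
  address     = {Washington DC, USA},
  month       = apr,
  year        = {2000},
  note        = {Cited by Faulkner and Storey (2003)},
}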
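@techreport{DO-200A,
  author      = {{RTCA Special Committee 181}},
  title       = {Standards for Processing Aeronautical Data},
  institution = {RTCA, Inc},
  type        = {Recommendation},
  number      = {DO-200A},
  address     = {Washington DC, USA},
  month       = sep,
  year        = {1998},
  note        = {Cited by Faulkner and Storey (2003)},
}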
@misc{Beizer2001,
  author       = {Beizer, Boris and Vinter, Otto},
  title        = {Bug Taxonomy and Statistics},
  howpublished = {Website},
  year         = {2001},
  url          = {https://web.archive.org/web/20061021170451/https://inet.uni2.dk/~vinter/bugtaxst.doc},
}
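@misc{AAIB,
  author       = {{Air Accident Investigation Branch}},
  title        = {{AAIB} Website},
  howpublished = {Website},
  year         = {2008},
  note         = {2001--2008},
  url          = {https://www.gov.uk/aaib-reports},
}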
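@misc{MAIB,
  author       = {{Marine Accident Investigation Branch}},
  title        = {{MAIB} Website},
  howpublished = {Website},
  year         = {2008},
  note         = {1998--2008},
  url          = {https://www.gov.uk/maib-reports},
}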
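@misc{RAIB,
  author        = {{Rail Accident Investigation Branch}},
  title         = {{RAIB} Website},
  howpublished  = {Website},
  year          = {2008},
  note          = {2006--2008},
  url           = {https://www.gov.uk/aaib-reports},
  internal-note = {url is identical to the AAIB entry and does not point at RAIB reports; verify and correct before use},
}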
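@article{Butler1993,
  author  = {Butler, R. W. and Finelli, G. B.},
  title   = {The Infeasibility of Quantifying the Reliability of Life-Critical Real-Time Software},
  journal = {IEEE Transactions on Software Engineering},
  volume  = {19},
  number  = {1},
  pages   = {3--12},
  month   = jan,
  year    = {1993},
  doi     = {10.1109/32.210303},
}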
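@techreport{Cant2007,
  author      = {Cant, Tony},
  title       = {Safety Engineering for Defence Systems},
  institution = {Australian Commonwealth Department of Defence, Defence Science and Technology Organisation},
  type        = {Australian Defence Standard},
  number      = {Def (Aust) 5679},
  address     = {Edinburgh SA, Australia},
  month       = mar,
  year        = {2007},
  note        = {Issue 2, draft version 1.1 (issued for comment)},
}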
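@techreport{Chippendale1980,
  author      = {Chippendale, R.},
  title       = {{Air New Zealand} {McDonnell-Douglas} {DC10-30} {ZK-NZP}, {Ross Island}, {Antarctica} 28 {November} 1979},
  institution = {Office of Air Accidents Investigation, New Zealand Ministry of Transport},
  type        = {Aircraft Accident Report},
  number      = {79-139},
  address     = {Wellington, New Zealand},
  month       = may,
  year        = {1980},
  url         = {http://web.archive.org/web/20031005190000/http://www.taic.org.nz/aboutus/non_taic_major_reports.html},
}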
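@techreport{61508-2,
  author      = {{International Electrotechnical Commission}},
  title       = {Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems -- Part 2: Requirements for Electrical/Electronic/Programmable Electronic Safety-Related Systems},
  institution = {British Standards Institution},
  type        = {British Standard},
  number      = {BS EN 61508-2:2002},
  month       = mar,
  year        = {2002},
}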
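@techreport{61508-3,
  author      = {{International Electrotechnical Commission}},
  title       = {Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems -- Part 3: Software Requirements},
  institution = {British Standards Institution},
  type        = {British Standard},
  number      = {BS EN 61508-3:2002},
  month       = mar,
  year        = {2002},
}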
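@techreport{61508-4,
  author      = {{International Electrotechnical Commission}},
  title       = {Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems -- Part 4: Definitions and Abbreviations},
  institution = {British Standards Institution},
  type        = {British Standard},
  number      = {BS EN 61508-4:2002},
  month       = mar,
  year        = {2002},
}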
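@techreport{61508-7,
  author        = {{International Electrotechnical Commission}},
  title         = {Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems -- Part 7: Overview of Techniques and Measures},
  institution   = {British Standards Institution},
  type          = {British Standard},
  number        = {BS EN 61508-7},
  month         = mar,
  year          = {2002},
  internal-note = {number lacks the edition suffix carried by the sibling 61508 entries; confirm against the standard},
}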
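@unpublished{0010draft,
  author = {{ITAA G48 Committee}},
  title  = {{GEIA-STD-0010}: Standard Best Practices for System Safety Program Development and Execution},
  month  = jun,
  year   = {2008},
  note   = {Committee Draft},
}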
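@unpublished{CEEguide,
  author = {{Ministry of Defence}},
  title  = {Guidance on the Assurance of Safety in Systems Containing Complex Electronic Elements in Support of {Def Stan 00-56 Issue 4}},
  month  = jul,
  year   = {2008},
  note   = {Final draft for approval},
}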
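@techreport{882D,
  author      = {{Department of Defense}},
  title       = {Standard Practice for System Safety},
  institution = {United States Department of Defense},
  type        = {Military Standard},
  number      = {MIL-STD-882D},
  month       = feb,
  year        = {2000},
  url         = {https://quicksearch.dla.mil/qsDocDetails.aspx?ident_number=36027},
}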
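@inproceedings{Faulkner2002a,
  author    = {Faulkner, Alastair},
  title     = {Safer Data: The Use of Data in the Context of a Railway Control System},
  booktitle = {Proceedings of the 10th Safety-critical Systems Symposium},
  pages     = {217--230},
  year      = {2002},
  url       = {https://web.archive.org/web/20081010151534/https://www.cse-euro.com/html/papers.html},
  abstract  = {An increasing number of safety-related systems are configured to the application instance through the use of data. These systems typically use a static or slowly changing description of the infrastructure, in conjunction with a command schedule, instantaneous status data and a set of operational conditions. This paper uses the context of a railway control system to identify safety issues in the configuration of the control system and its reliance upon data from the external information systems.},
}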
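@inproceedings{Faulkner2000,
  author    = {Faulkner, Alastair and Bennett, P. A. and Pierce, Ron and Johnston, I. H. A. and Storey, Neil},
  title     = {The Safety Management of Data Driven Safety Related Systems},
  booktitle = {Proc. 19th Int. Conf. {Safecomp}},
  pages     = {86--95},
  address   = {Rotterdam, The Netherlands},
  month     = oct,
  year      = {2000},
  url       = {https://web.archive.org/web/20100420235349/http://www.eng.warwick.ac.uk/staff/ns/publications.htm},
  abstract  = {Many safety-related systems are built from generic software which is customised to work in a particular situation by static configuration data. Examples of such systems are railway interlockings and air traffic control systems. While there is now considerable experience and guidance on how to develop safety-related software, and there are a number of standards in this area, the topic of safety-related configuration data is hardly mentioned in the literature. This paper discusses the desirable properties of safety-related data and sets out principles for the safety management of such data, including a data lifecycle which is analogous to a software development lifecycle. Validation and verification of the data, and the means used to achieve such validation and verification are given particular attention.},
}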
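@inproceedings{Faulkner2001,
  author       = {Faulkner, Alastair and Pierce, Ron},
  title        = {Is It Data or Is It Software?},
  booktitle    = {Proceedings of the 19th International Safety System Conference},
  organization = {System Safety Society},
  pages        = {323--329},
  address      = {Huntsville AL, USA},
  month        = sep,
  year         = {2001},
  keywords     = {data-driven safety-related systems, data, safety, railway interlocking},
  url          = {https://web.archive.org/web/20081010151534/https://www.cse-euro.com/html/papers.html},
  abstract     = {Safety related systems are frequently constructed from a generic hardware and software platform, which is adapted to a particular use by providing it with configuration data. This configuration data is an essential part of the design and to ensure that the system as a whole has the correct behaviour and safety integrity the data must be developed and verified with as much care as the software and hardware. Railway interlocking and control systems are good examples of systems that are configured by application data. This paper discusses various data description methods as applied by different examples of railway interlocking products, and shows how different verification techniques can be applied to the various types of data. Three examples of software railway interlocking systems have been examined, and these show interesting differences in their approaches to what is described by their manufacturers as ``configuration data''.},
}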
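@inproceedings{Faulkner2002,
  author       = {Faulkner, Alastair and Storey, Neil},
  title        = {Data: An Often-Ignored Component of Safety-Related Systems},
  booktitle    = {Proceedings of the MOD Equipment Assurance Symposium ESAS02},
  organization = {Ministry of Defence},
  address      = {Bristol, UK},
  month        = oct,
  year         = {2002},
  keywords     = {Data, data-driven, safety-related systems},
  url          = {https://web.archive.org/web/20100420235349/http://www.eng.warwick.ac.uk/staff/ns/publications.htm},
  abstract     = {Safety-related systems are being constructed from hardware, software and data. The data often describes the real world environment in which the system will operate and plays a vital role in ensuring its correct operation. Logic as well as good engineering practice dictates that data is produced to the same integrity requirements as the other system elements. Unfortunately, experience and anecdotal evidence suggest that this is all too commonly not the case. Data-driven systems use data from a number of sources including data extracted (and possibly processed) from existing external information systems and data produced specifically for the required system. This data is used to describe the system environment using configuration data (which is largely static or slowly moving) and status data (which is dynamic and will sometimes change rapidly). In addition, a minority of systems may use data to describe a changing use of the system with time. This additional data may be thought of as a schedule or timetable identifying control requirements as sequences or combinations of control actions. Typically, information is supplied to these systems through a `data supply chain' that may involve transformations and adaptations by external information systems and human processes. The management of the data supply chain can introduce significant errors to the development and operation of safety-related systems.
The work described in this paper sets out to provide much needed guidance on appropriate methods of dealing with data, which is a largely ignored system component.},
}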
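@inproceedings{Faulkner2001a,
  author       = {Faulkner, Alastair and Storey, Neil},
  title        = {The Role of Data in Safety-Related Railway Control Systems},
  booktitle    = {Proceedings of the 19th International Safety System Conference},
  organization = {System Safety Society},
  pages        = {793--800},
  address      = {Huntsville AL, USA},
  month        = sep,
  year         = {2001},
  keywords     = {data-driven safety-related systems, data, safety, railway control systems},
  url          = {https://web.archive.org/web/20100420235349/http://www.eng.warwick.ac.uk/staff/ns/publications.htm},
  abstract     = {In the production of a computer-based safety-related system, it is common to partition the hardware and software elements into a system architecture. The software part of such an arrangement will generally include both the instructions that are executed by the processor(s), and the data that is used and produced by these instructions. In some cases, a large amount of static or configuration data forms an essential element within the system and plays a vital role in ensuring its correct operation. While data is subject to errors, experience shows that it is often not subjected to safety analysis techniques such as hazard and risk analysis. Data is often treated in a totally unstructured manner (often making error detection difficult) and very rarely is fault tolerance used to protect the system from data errors. To illustrate the role and importance of data in safety-related systems, this paper looks at the data associated with a railway command and control system. Such a system has a range of safety-related functions, and must also operate in the context of other safety, protection and business planning systems. The paper considers typical data errors associated with the railway environment and proposes the early definition of a system data architecture, which will allow the application of safety analysis techniques such as HAZOP.},
}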
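@inproceedings{Frazer2003,
  author       = {Frazer, Ken and Dowling, Duncan and Ainsworth, Mike},
  title        = {Developing Data Management Processes for Safety Critical Systems},
  booktitle    = {Proceedings of the 21st International Safety System Conference},
  organization = {System Safety Society},
  address      = {Ottawa, Canada},
  month        = aug,
  year         = {2003},
  keywords     = {data management},
  url          = {http://dard.co.uk/papers/data_management.pdf},
  abstract     = {Many safety critical systems use data to configure their functionality for a particular application. The approach to data preparation has traditionally been seen as an adjunct to the software development environment, and many industries have developed perceivably robust methods and techniques to ensure that the data meets necessary quality criteria. However, the increasing use of standardized components and subsystems has led to ever more dependence on configuration data to define a system's functionality. The development of safety-related systems by integrating and adapting existing systems, rather than bespoke development, means that not only must the hardware and software engineering approach change, but also the strategies adopted for the management of safety related data. This paper describes work being undertaken as part of the development of the European Rail Traffic Management System (ERTMS), a computer-based control and protection system for trains which is being introduced across Europe, to ensure that the data required by ERTMS is managed appropriately. This is of particular concern because ERTMS poses new challenges to managing the data, partly as a result of the integrity, accuracy and volume required, but also due to the growing dependence by systems for their correct and safe operation on data. This paper discusses the problems encountered and the development of a data management framework to help alleviate these problems.},
}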
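@misc{Gibbon1996,
  author       = {Gibbon, Dafydd and Ladkin, Peter},
  title        = {Comments on Confusing Conversation at {Cali}},
  howpublished = {Website},
  month        = feb,
  year         = {1996},
  note         = {Retrieved 10 September 2008},
  url          = {https://rvs-bi.de/publications/Incidents/DOCS/Research/Rvs/Misc/Additional/Reports/cali-comment.html},
}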
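@techreport{Glazebrook2007,
  author      = {Glazebrook, Ian},
  title       = {Additional Guidance and Considerations on the Application of {RTCA DO-178B}},
  institution = {ASSC},
  number      = {2007-0419},
  month       = aug,
  year        = {2007},
}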
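@incollection{SW01,
  author    = {{CAA Safety Regulation Group}},
  title     = {{SW01} -- Regulatory Objectives for Software Safety Assurance in {ATS} Equipment},
  booktitle = {{CAP670} -- Air Traffic Services Safety Requirements},
  publisher = {Civil Aviation Authority},
  month     = jun,
  year      = {2003},
  url       = {https://web.archive.org/web/20081108155404/http://www.caa.co.uk/docs/33/CAP670.PDF},
}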
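@techreport{Harrison2000,
  author      = {Harrison, A. and Pierce, R. H.},
  title       = {Data Management Safety Requirements Derivation},
  institution = {Railtrack plc},
  month       = jun,
  year        = {2000},
  note        = {West Coast Route Modernisation Internal report. Cited by Faulkner (2001)},
}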
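@inproceedings{Hollow2000,
  author    = {Hollow, Paul and McDermid, John and Nicholson, Mark},
  title     = {Approaches to Certification of Reconfigurable {IMA} Systems},
  booktitle = {10th International Symposium of the International Council on Systems Engineering},
  address   = {Minneapolis, USA},
  month     = jul,
  year      = {2000},
  url       = {https://web.archive.org/web/20070417160803/https://www-users.cs.york.ac.uk/~mark/papers/incose2000.pdf},
  abstract  = {The aerospace industry has been investigating integrated modular avionics (IMA) for some years. IMA offers greater flexibility in the use of computing resources by reconfiguring the software to employ different processors and communications, in order to recover from failure and to redistribute workload. Such reconfiguration offers benefits, but poses difficulties for certification since current certification practice requires assessment of each configuration. The approach we have adopted is to seek means of clearing a configuration of a system and to identify a number of ``equivalent'' configurations. This requires us to establish ``safe'' reconfigurations for the IMA system. Technically, we have formulated the search for a set of ``equivalent'' configurations as a multiobjective optimisation problem. Pragmatically, the search produces configuration tables which could be used by the IMA operating system to make a ``safe'' change to an ``equivalent'' configuration, when necessary.},
}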
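@inproceedings{Holloway2006,
  author    = {Holloway, C. M. and Johnson, C. W.},
  title     = {Why System Safety Professionals Should Read Accident Reports},
  booktitle = {Proceedings of the 1st International Conference on System Safety},
  publisher = {Institution of Engineering and Technology},
  address   = {London, UK},
  month     = jun,
  year      = {2006},
  keywords  = {accidents, accident prevention, system safety},
  url       = {https://web.archive.org/web/20061002162227/http://shemesh.larc.nasa.gov/ssse/iet2006-reading.pdf},
  abstract  = {System safety professionals, both researchers and practitioners, who regularly read accident reports reap important benefits. These benefits include an improved ability to separate myths from reality, including both myths about specific accidents and ones concerning accidents in general; an increased understanding of the consequences of unlikely events, which can help inform future designs; a greater recognition of the limits of mathematical models; and guidance on potentially relevant research directions that may contribute to safety improvements in future systems.},
}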
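@misc{Ladkin1997,
  author       = {Ladkin, Peter},
  title        = {News and Comment on the {Aeroperu} {B757} Accident, {AeroPeru} Flight 603, 2 {October} 1996},
  howpublished = {Website},
  month        = nov,
  year         = {1997},
  url          = {https://rvs-bi.de/publications/Incidents/DOCS/ComAndRep/AeroPeru/aeroperu-news.html},
}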
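@article{Littlewood1993,
  author   = {Littlewood, Bev and Strigini, Lorenzo},
  title    = {Validation of Ultra-High Dependability for Software-Based Systems},
  journal  = {Communications of the ACM},
  volume   = {36},
  pages    = {69--80},
  month    = nov,
  year     = {1993},
  doi      = {10.1145/163359.163373},
  url      = {http://www.csr.city.ac.uk/people/lorenzo.strigini/ls.papers/CACMnov93_limits/CACMnov93.pdf},
  abstract = {Modern society depends on computers for a number of critical tasks in which failure can have very high costs. As a consequence, high levels of dependability (reliability, safety, etc.) are required from such computers, including their software. Whenever a quantitative approach to risk is adopted, these requirements must be stated in quantitative terms, and a rigorous demonstration of their being attained is necessary. For software used in the most critical roles, such demonstrations are not usually supplied. The fact is that the dependability requirements often lie near the limit of the current state of the art, or beyond, in terms not only of the ability to satisfy them, but also, and more often, of the ability to demonstrate that they are satisfied in the individual operational products (validation). We discuss reasons why such demonstrations cannot usually be provided with the means available: reliability growth models, testing with stable reliability, structural dependability modelling, as well as more informal arguments based on good engineering practice. We state some rigorous arguments about the limits of what can be validated with each of such means. Combining evidence from these different sources would seem to raise the levels that can be validated; yet this improvement is not such as to solve the problem. It appears that engineering practice must take into account the fact that no solution exists, at present, for the validation of ultra-high dependability in systems relying on complex software.},
}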
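@misc{MCA,
  author       = {{Maritime and Coastguard Agency}},
  title        = {{MCA} Website},
  howpublished = {Website},
  url          = {https://www.gov.uk/topic/ships-cargoes/m-notices},
}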
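@techreport{Murray2003,
  author      = {Murray, T.},
  title       = {Blueprint Workshop Report},
  institution = {QinetiQ},
  number      = {QINETIQ/S\&E/AVC/CR031274},
  month       = may,
  year        = {2003},
  comment     = {Raises questions about whether blueprint data should be produced by validated tools, or be validated after production, or both. Also need for safety requirements to be produced, to allow determination of rules for generation (and hence validation) of blueprints.},
}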
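@phdthesis{Pumfrey1999,
  author   = {Pumfrey, David},
  title    = {The Principled Design of Computer System Safety Analyses},
  school   = {Department of Computer Science, University of York},
  address  = {York, UK},
  month    = sep,
  year     = {1999},
  url      = {https://web.archive.org/web/20090306152017/http://www-users.cs.york.ac.uk/~djp/publications/Thesis16.pdf},
  abstract = {Safety critical computing is a relatively young and rapidly developing technology, which nevertheless is being deployed in applications where a single accident may have extremely severe consequences. The safety record of critical systems presently in service is reasonably good, but increasing expectations of functionality and performance are challenging the capabilities of current design and assessment processes. One specific area where limitations of existing methods are becoming obvious is in the analysis techniques that are used to derive safety requirements and to provide evidence that they have been satisfied. There are significant practical problems in using existing analysis techniques to evaluate computer systems, but few viable new computer-specific methods have been developed. This thesis proposes and evaluates a set of principles for the design of effective techniques to address novel computer system safety analysis requirements. The principles are based on an appreciation of the technical concepts underlying successful existing system level analysis techniques, and of the practical qualities necessary to make a method industrially acceptable. The principles are applied in the development of two new safety analysis techniques for systems containing computers. The first new technique developed is Software Hazard Analysis and Resolution in Design (SHARD), a variant of the process industries' HAZOP technique. SHARD provides a structured approach to the identification of potentially hazardous behaviour in software systems. The second technique, Low-level Interaction Safety Analysis (LISA), implements a novel analysis approach based on a concept of system resources.
It provides a method for establishing detailed evidence about the safety implications of interactions between software and the hardware upon which it is executed. The thesis describes the evaluation of the techniques through a series of large scale case studies and industrial trials.},
}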
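@article{Redmill2008,
  author  = {Redmill, Felix},
  title   = {History and Legacy of {IEC} 61508},
  journal = {Safety Systems},
  volume  = {17},
  number  = {2},
  pages   = {37--41},
  month   = jan,
  year    = {2008},
  url     = {https://scsc.uk/scsc-103},
}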
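@techreport{Republic1996,
  author      = {{Aeronautica Civil of the Republic of Colombia}},
  title       = {Controlled Flight Into Terrain {American Airlines} Flight 965 {Boeing} 757-223, {N651AA}, Near {Cali}, {Colombia}, {December} 20, 1995},
  institution = {Published on the web by Peter Ladkin},
  type        = {Aircraft Accident Report},
  address     = {Santa F{\'e} de Bogota, Colombia},
  month       = sep,
  year        = {1996},
  note        = {Retrieved from http://www.rvs.uni-bielefeld.de/publications/Incidents/DOCS/ComAndRep/Cali/calirep.html on 9 July 2008.},
  url         = {https://rvs-bi.de/publications/Incidents/DOCS/ComAndRep/Cali/calirep.html},
}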
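@techreport{Salmon2006,
  author      = {Salmon, Carolyn and Lee, Clive},
  title       = {The Certification of Systems Containing Software Developed Using {RTCA DO-178B}},
  institution = {ASSC},
  number      = {ASSC/12/0013},
  month       = jun,
  year        = {2006},
  url         = {https://web.archive.org/web/20091007073736/https://www.assconline.co.uk/documents/ASSC_DO178B_Report1.pdf},
}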
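@inproceedings{Short2006,
  author    = {Short, Roger C.},
  title     = {Safety Assurance of Configuration Data for Railway Signal Interlockings},
  booktitle = {Proceedings of the 1st International Conference on System Safety},
  publisher = {Institution of Engineering and Technology},
  address   = {London, UK},
  month     = jun,
  year      = {2006},
  abstract  = {The safety of railway signalling systems depends on the correctness of the programming of a logical controller known as an interlocking. Assurance of correctness is usually achieved by a combination of testing, both on simulation systems and on the target hardware, and manual or tool assisted checking of the data, with use being made in some cases of techniques of static analysis and formal methods. The paper proposes a common model for assessing disparate techniques used as part of various proprietary systems.},
}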
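@inproceedings{Simpson2006,
  author    = {Simpson, A. J. and Stoker, J.},
  title     = {Safety Challenges in Flying {UAVs} ({Unmanned Air Vehicles}) in Non Segregated Airspace},
  booktitle = {Proceedings of the 1st International Conference on System Safety},
  publisher = {Institution of Engineering and Technology},
  address   = {London, UK},
  month     = jun,
  year      = {2006},
  abstract  = {Unmanned Aerial Vehicles (UAVs) are set to become part of every day air traffic operations perhaps within the next few years; however there are significant challenges that must be addressed in order to seamlessly introduce UAVs into non segregated airspace. This paper discusses some of the identified safety challenges in achieving this objective, taking a rigorous look at how one might argue the safety of UAV operations in non-segregated airspace from an Air Traffic Management (ATM) perspective. This paper draws upon the experience of the authors' in the UAV domain and specifically the lessons learnt from the safety assessment work the authors undertook on behalf of EUROCONTROL DG/MIL on draft specifications for flying Military UAVs as Operational Air Traffic (OAT) outside segregated airspace.},
}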
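@techreport{00-56/1,
  author       = {{Directorate of Standardization}},
  title        = {Safety Management Requirements for Defence Systems -- Part 1: Requirements},
  institution  = {Ministry of Defence},
  organization = {Directorate of Standardization},
  type         = {Defence Standard},
  number       = {00-56},
  address      = {Glasgow, UK},
  month        = jun,
  year         = {2007},
  note         = {Issue 4},
}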
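@techreport{00-56/2,
  author      = {{Directorate of Standardization}},
  title       = {Safety Management Requirements for Defence Systems -- Part 2: Guidance on a Means of Complying with Part 1},
  institution = {Ministry of Defence},
  type        = {Defence Standard},
  number      = {00-56},
  address     = {Glasgow, UK},
  month       = jun,
  year        = {2007},
  note        = {Issue 4},
}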
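@techreport{00-55/1,
  author      = {{Directorate of Standardization}},
  title       = {Requirements for Safety Related Software in Defence Equipment Part 1: Requirements},
  institution = {Ministry of Defence},
  type        = {Defence Standard},
  number      = {00-55},
  address     = {Glasgow, UK},
  month       = aug,
  year        = {1997},
  note        = {Issue 2},
  url         = {https://web.archive.org/web/20090119215043/https://www.dstan.mod.uk/data/00/055/01000200.pdf},
}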
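@techreport{00-55/2,
  author      = {{Directorate of Standardization}},
  title       = {Requirements for Safety Related Software in Defence Equipment Part 2: Guidance},
  institution = {Ministry of Defence},
  type        = {Defence Standard},
  number      = {00-55},
  address     = {Glasgow, UK},
  month       = aug,
  year        = {1997},
  note        = {Issue 2},
  url         = {https://web.archive.org/web/20090119214729/http://www.dstan.mod.uk/data/00/055/02000200.pdf},
}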
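@techreport{2382-1,
  author      = {{International Organization for Standardization} and {International Electrotechnical Commission}},
  title       = {Information Technology -- Vocabulary -- Part 1: Fundamental Terms},
  institution = {British Standards Institution},
  type        = {British Standard},
  number      = {BS ISO/IEC 2382-1:1993},
  month       = nov,
  year        = {1993},
}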
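@article{Storey2008,
  author  = {Storey, Neil},
  title   = {Data-Driven Systems -- The State of the Ark?},
  journal = {Safety Systems},
  volume  = {17},
  number  = {2},
  pages   = {28--31},
  month   = jan,
  year    = {2008},
  url     = {https://web.archive.org/web/20100420235349/http://www.eng.warwick.ac.uk/staff/ns/publications.htm},
}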
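@inproceedings{Storey2003,
  author    = {Storey, Neil and Faulkner, Alastair},
  title     = {Characteristics of Data in Data-Intensive Safety-Related Systems},
  booktitle = {Proceedings of the 22nd International Conference {SafeComp} 2003},
  pages     = {396--409},
  address   = {Edinburgh, UK},
  month     = sep,
  year      = {2003},
  doi       = {10.1007/978-3-540-39878-3_31},
  url       = {https://web.archive.org/web/20100420235349/http://www.eng.warwick.ac.uk/staff/ns/publications.htm},
  abstract  = {An increasing number of systems now use standardised hardware and software that is customised for a particular application using data. These data-driven systems offer flexibility and speed of implementation, but are dependent on the correctness of their data to ensure safe operation. Despite the obvious importance of the data within such systems, there is much evidence to suggest that this does not receive the same attention as other system elements. In many cases the data is developed quite separately from the remainder of the system, and may not benefit from the same level of hazard analysis, verification and validation. This paper considers the use of data in data-driven safety-related systems and suggests that in such systems it is appropriate to consider data as a distinct and separate component with its own development lifecycle. The paper then considers the architectural design of data-driven systems and the problems of validating such systems.},
}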
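@inproceedings{Storey2002,
  author       = {Storey, Neil and Faulkner, Alastair},
  title        = {Data Management in Data-Driven Safety-Related Systems},
  booktitle    = {Proceedings of the 20th International Safety System Conference},
  organization = {System Safety Society},
  pages        = {466--475},
  address      = {Denver CO, USA},
  month        = aug,
  year         = {2002},
  keywords     = {data, safety-related systems, software, safety},
  url          = {https://web.archive.org/web/20100420235349/http://www.eng.warwick.ac.uk/staff/ns/publications.htm},
  abstract     = {The increasing use of COTS components is leading to the production of a large number of systems which use standardized hardware and software that are customised for a particular situation by the use of configuration data. Where such systems are used in safety-related applications, the safety of the resulting system will often be dependent on the correctness of this data. It is therefore essential that configuration data is developed and tested to the same level of rigour as other system elements. Despite the obvious importance of data correctness in safety-related systems, anecdotal evidence suggests that data does not receive the same attention as other system elements. This view is reinforced by the observation that the standards in this area say almost nothing about the design, production, verification or maintenance of data. This paper describes a study to investigate the techniques being used to produce and manage data in a range of safety-related industries. This shows that data is indeed being largely ignored in many highly critical situations. The paper then goes on to suggest a way of tackling this problem, through the development of generic, and perhaps industry-specific, guidelines.},
}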
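@book{Taleb2005,
  author    = {Taleb, Nassim Nicholas},
  title     = {Fooled by Randomness -- The Hidden Role of Chance in Life and in the Markets},
  publisher = {Texere Publishing},
  year      = {2001},
  note      = {Cited on Wikiquote},
  url       = {https://en.wikiquote.org/wiki/Nassim_Nicholas_Taleb},
  internal-note = {The work is a book, and @misc silently ignores the publisher field, so the entry now uses @book with the Wikiquote provenance kept in note. The Unicode en dash in the title is replaced by -- so the entry is safe for classic 8-bit BibTeX. The citation key says 2005 while the publication year is 2001; the key is deliberately left unchanged so existing citations still resolve.},
}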
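@misc{Tanenbaum1981,
  author       = {Tanenbaum, Andrew S.},
  title        = {Computer Networks},
  year         = {1981},
  howpublished = {Cited on Wikiquote},
  url          = {https://en.wikiquote.org/wiki/Andrew_S._Tanenbaum},
  internal-note = {The original entry carried a journal field equal to the title; @misc ignores journal and the work is a book, not a journal, so the field was dropped. No publisher is recorded on the source page, so @misc is kept rather than @book to avoid a missing-required-field warning.},
}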
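@mastersthesis{Templeton2007,
  author   = {Templeton, Mark},
  title    = {Safety Integrity of Data},
  school   = {University of York Department of Computer Science},
  year     = {2007},
  month    = sep,
  address  = {York, UK},
  abstract = {This paper sets out to consider the approach which will be needed in order to demonstrate a safety argument for data. Whilst approaches for hardware and software are already well understood, no generally accepted approach for data could be found. Analysis of related documents and attempts to identify the aims which lay behind the development of a software standard led to the identification of a simple four stage process which could allow data to be processed in a timely manner, in order to demonstrate that safety properties have been achieved. No generally accepted approach to the second and third steps of the four-stage process could be identified. A notation has therefore been developed, to form the foundation of these steps. The notation brings together features of an existing tool for the definition of data structures, with features found in the specification language Z. A paper-based analysis of the proposed system has been carried out, which identifies those data errors which can be eliminated by this approach, and those which cannot. Proposals are presented for the further development of the system, in order to support the automated application of further safety requirements.},
  internal-note = {month uses the predefined macro rather than a literal month name. No url or doi is recorded for the thesis.},
}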
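@inproceedings{Tillotson2001,
  author       = {Tillotson, John},
  title        = {System Safety and Management Information Systems},
  booktitle    = {Aspects of Safety Management: Proceedings of the Ninth Safety-Critical Systems Symposium, Bristol, UK, 6--8 February 2001},
  editor       = {Redmill, Felix and Anderson, T.},
  year         = {2001},
  pages        = {13--34},
  organization = {Safety Critical Systems Club},
  publisher    = {Springer-Verlag New York, Inc.},
  address      = {Secaucus NJ, USA},
  abstract     = {This paper is about how, based on my experience, I think that a prudent company should manage its safety-related information systems within an area of safety such as the 'rail' domain. The systems I have experience of are management information (database) systems and are only 'safety-related' and not 'safety-critical' - they are not control systems and there is always a human in the decision-making process. The companies I have worked for are only in the foothills of system safety.},
  internal-note = {@conference replaced by @inproceedings. Editor names rewritten in unambiguous "Last, First" form (the original mixed "First Last" and initials, which the name parser handles inconsistently). The date range in booktitle uses an en-dash (--). Transcription typo "withi" in the abstract corrected to "within".},
}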
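@article{Welbourne1995,
  author   = {Welbourne, D. and Bester, N. P.},
  title    = {Data for Software Systems important to safety},
  journal  = {GEC Journal of Research},
  year     = {1995},
  volume   = {12},
  number   = {1},
  pages    = {50--57},
  note     = {Cited in Faulkner \& Storey (2001)},
  keywords = {data; on-line; safety-critical; configuration; calibration; verification; validation; V \& V.},
  comment  = {HSE Levy Report? CI/GNSR/11 C/8662/ESD/ AEA-93/REP/01},
  abstract = {Extensive effort has been applied to the requirements for software documents and code for systems important to safety in nuclear power stations. However the standards and requirements for such systems do not discuss the extensive application data generally used in a typical nuclear plant. This paper reports research work done for the UK Health and Safety Executive. Calibration, configuration and functionality classes of data are identified. Based on experience gained from the systems studied, recommendations are presented for the application of a written plan and a task analysis for the preparation of data. The human factors aspects of the process of data identification, the potential for errors and the identification of sources of error are also considered. The methods of data preparation, verification and validation used on the systems studied are reviewed. Recommendations and assessment criteria identified are summarized in conclusion.},
  internal-note = {Glued initials "N.P." separated to "N. P." so the name parser produces two initials. The bare ampersand in keywords is escaped to match the already-escaped one in note; an unescaped \& is a LaTeX alignment character and breaks compilation if a style prints the field. The comment field is a free-form annotation that BibTeX ignores.},
}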
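@misc{JSON,
  key          = {JSON},
  title        = {{JSON} website},
  howpublished = {Website},
  url          = {https://www.json.org/},
  internal-note = {The entry has no author or organization, so key supplies the sort/label fallback and avoids the "to sort, need author, organization, or key" warning. JSON is braced in the title so sentence-casing styles keep the acronym. No access date is recorded; add urldate if the target style supports it.},
}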
@comment{{jabref-meta: databaseType:bibtex;}}
This file was generated by bibtex2html 1.98.