data-safety.bib

@techreport{DO-178B,
  author = {RTCA Special Committee 167},
  title = {Software Considerations in Airborne Systems and Equipment Certification},
  institution = {RTCA, Inc},
  year = {1992},
  type = {Recommendation},
  number = {DO-178B},
  address = {Washington DC, USA},
  month = {December}
}
@techreport{DO-201A,
  author = {RTCA Special Committee 181},
  title = {Standards for Aeronautical Information},
  institution = {RTCA, Inc},
  year = {2000},
  type = {Recommendation},
  number = {DO-201A},
  address = {Washington DC, USA},
  month = {April},
  note = {Cited by Faulkner and Storey (2003)}
}
@techreport{DO-200A,
  author = {RTCA Special Committee 181},
  title = {Standards for processing aeronautical data},
  institution = {RTCA, Inc},
  year = {1998},
  type = {Recommendation},
  number = {DO-200A},
  address = {Washington DC, USA},
  month = {September},
  note = {Cited in Faulkner and Storey (2003)}
}
@misc{Beizer2001,
  author = {Beizer, Boris and Vinter, Otto},
  howpublished = {Website},
  title = {Bug Taxonomy and Statistics},
  year = {2001},
  url = {https://web.archive.org/web/20061021170451/https://inet.uni2.dk/~vinter/bugtaxst.doc}
}
@misc{AAIB,
  author = {Air Accident Investigation Branch},
  howpublished = {Website},
  title = {{AAIB} Website},
  year = {2001-2008},
  url = {https://www.gov.uk/aaib-reports}
}
@misc{MAIB,
  author = {Marine Accident Investigation Branch},
  howpublished = {Website},
  title = {{MAIB} Website},
  year = {1998-2008},
  url = {https://www.gov.uk/maib-reports}
}
@misc{RAIB,
  author = {Rail Accident Investigation Branch},
  howpublished = {Website},
  title = {{RAIB} Website},
  year = {2006-2008},
  url = {https://www.gov.uk/raib-reports}
}
@article{Butler1993,
  author = {Butler, R. W. and Finelli, G. B.},
  journal = {IEEE Transactions on Software Engineering},
  title = {The infeasibility of quantifying the reliability of life-critical real-time software},
  year = {1993},
  month = {January},
  number = {1},
  pages = {3--12},
  volume = {19},
  doi = {10.1109/32.210303}
}
@techreport{Cant2007,
  author = {Cant, Tony},
  title = {Safety Engineering for Defence Systems},
  institution = {Australian Commonwealth Department of Defence, Defence Science and
	Technology Organisation},
  year = {2007},
  type = {Australian Defence Standard},
  number = {Def (Aust) 5679},
  address = {Edinburgh SA, Australia},
  month = {March},
  note = {Issue 2, draft version 1.1 (issued for comment)}
}
@techreport{Chippendale1980,
  author = {Chippendale, R},
  title = {Air New Zealand McDonnell-Douglas DC10-30 ZK-NZP, Ross Island, Antarctica,
	28 November 1979},
  institution = {Office of Air Accidents Investigation, New Zealand Ministry of Transport},
  year = {1980},
  type = {Aircraft Accident Report},
  number = {79-139},
  address = {Wellington, New Zealand},
  month = {May},
  url = {http://web.archive.org/web/20031005190000/http://www.taic.org.nz/aboutus/non_taic_major_reports.html}
}
@techreport{61508-2,
  author = {International Electrotechnical Commission},
  title = {Functional safety of electrical/electronic/programmable electronic
	safety-related systems - Part 2: Requirements for electrical/electronic/programmable
	electronic safety-related systems},
  institution = {British Standards Institution},
  year = {2002},
  type = {British Standard},
  number = {BS EN 61508-2:2002},
  month = {March}
}
@techreport{61508-3,
  author = {International Electrotechnical Commission},
  title = {Functional safety of electrical/electronic/programmable electronic
	safety-related systems - Part 3: Software requirements},
  institution = {British Standards Institution},
  year = {2002},
  type = {British Standard},
  number = {BS EN 61508-3:2002},
  month = {March}
}
@techreport{61508-4,
  author = {International Electrotechnical Commission},
  title = {Functional safety of electrical/electronic/programmable electronic
	safety-related systems - Part 4: Definitions and abbreviations},
  institution = {British Standards Institution},
  year = {2002},
  type = {British Standard},
  number = {BS EN 61508-4:2002},
  month = {March}
}
@techreport{61508-7,
  author = {International Electrotechnical Commission},
  title = {Functional safety of electrical/electronic/programmable electronic
	safety-related systems - Part 7: Overview of techniques and measures},
  institution = {British Standards Institution},
  year = {2002},
  type = {British Standard},
  number = {BS EN 61508-7},
  month = {March}
}
@unpublished{0010draft,
  author = {ITAA G48 Committee},
  title = {{GEIA-STD-0010}: Standard Best Practices for System Safety Program
	Development and Execution},
  note = {Committee Draft},
  month = {June},
  year = {2008}
}
@unpublished{CEEguide,
  author = {Ministry of Defence},
  title = {Guidance on the Assurance of Safety in Systems Containing Complex
	Electronic Elements in support of Def Stan 00-56 Issue 4},
  note = {Final draft for approval},
  month = {July},
  year = {2008}
}
@techreport{882D,
  author = {Department of Defense},
  institution = {United States Department of Defense},
  title = {Standard Practice for System Safety},
  year = {2000},
  month = {February},
  number = {MIL-STD-882D},
  type = {Military Standard},
  url = {https://quicksearch.dla.mil/qsDocDetails.aspx?ident_number=36027}
}
@conference{Faulkner2002a,
  author = {Faulkner, Alastair},
  booktitle = {Proceedings of the 10th Safety-critical Systems Symposium},
  title = {Safer Data: the use of data in the context of a railway control system},
  year = {2002},
  pages = {217--230},
  abstract = {An increasing number of safety-related systems are configured to the
	application instance through the use of data. These systems typically
	use a static or slowly changing description of the infrastructure,
	in conjunction with a command schedule, instantaneous status data
	and a set of operational conditions. This paper uses the context
	of a railway control system to identify safety issues in the configuration
	of the control system and its reliance upon data from the external
	information systems.},
  url = {https://web.archive.org/web/20081010151534/https://www.cse-euro.com/html/papers.html}
}
@conference{Faulkner2000,
  author = {Faulkner, Alastair and Bennett, P. A. and Pierce, Ron and Johnston, I. H. A. and Storey, Neil},
  booktitle = {Proc. 19th Int. Conf. Safecomp},
  title = {The Safety Management of Data Driven Safety Related Systems},
  year = {2000},
  address = {Rotterdam, The Netherlands},
  month = {October},
  pages = {86--95},
  abstract = {Many safety-related systems are built from generic software which
	is customised to work in a particular situation by static configuration
	data.  Examples of such systems are railway interlockings and air
	traffic control systems. While there is now considerable experience
	and guidance on how to develop safety-related software, and there
	are a number of standards in this area, the topic of safety-related
	configuration data is hardly mentioned in the literature. This paper
	discusses the desirable properties of safety-related data and sets
	out principles for the safety management of such data, including
	a data lifecycle which is analogous to a software development lifecycle.
	Validation and verification of the data, and the means used to achieve
	such validation and verification are given particular attention.},
  url = {https://web.archive.org/web/20100420235349/http://www.eng.warwick.ac.uk/staff/ns/publications.htm}
}
@conference{Faulkner2001,
  author = {Faulkner, Alastair and Pierce, Ron},
  booktitle = {Proceedings of the 19th International Safety System Conference},
  title = {Is it data or is it software?},
  year = {2001},
  address = {Huntsville AL, USA},
  month = {September},
  organization = {System Safety Society},
  pages = {323--329},
  abstract = {Safety related systems are frequently constructed from a generic hardware
	and software platform, which is adapted to a particular use by providing
	it with configuration data. This configuration data is an essential
	part of the design and to ensure that the system as a whole has the
	correct behaviour and safety integrity the data must be developed
	and verified with as much care as the software and hardware. Railway
	interlocking and control systems are good examples of systems that
	are configured by application data.
	
	This paper discusses various data description methods as applied by
	different examples of railway interlocking products, and shows how
	different verification techniques can be applied to the various types
	of data.
	
	Three examples of software railway interlocking systems have been
	examined, and these show interesting differences in their approaches
	to what is described by their manufacturers as “configuration data”.},
  keywords = {data-driven safety-related systems, data, safety, railway interlocking},
  url = {https://web.archive.org/web/20081010151534/https://www.cse-euro.com/html/papers.html}
}
@conference{Faulkner2002,
  author = {Faulkner, Alastair and Storey, Neil},
  booktitle = {Proceedings of the MOD Equipment Assurance Symposium ESAS02},
  title = {Data: An often-ignored component of safety-related systems},
  year = {2002},
  address = {Bristol, UK},
  month = {October},
  organization = {Ministry of Defence},
  abstract = {Safety-related systems are being constructed from hardware, software
	and data. The data often describes the real world environment in
	which the system will operate and plays a vital role in ensuring
	its correct operation. Logic as well as good engineering practice
	dictates that data is produced to the same integrity requirements
	as the other system elements. Unfortunately, experience and anecdotal
	evidence suggest that this is all too commonly not the case.
	
	Data-driven systems use data from a number of sources including data
	extracted (and possibly processed) from existing external information
	systems and data produced specifically for the required system. This
	data is used to describe the system environment using configuration
	data (which is largely static or slowly moving) and status data (which
	is dynamic and will sometimes change rapidly). In addition, a minority
	of systems may use data to describe a changing use of the system
	with time. This additional data may be thought of as a schedule or
	timetable identifying control requirements as sequences or combinations
	of control actions.
	
	Typically, information is supplied to these systems through a ‘data
	supply chain’ that may involve transformations and adaptations by
	external information systems and human processes. The management
	of the data supply chain can introduce significant errors to the
	development and operation of safety-related systems. The work described
	in this paper sets out to provide much needed guidance on appropriate
	methods of dealing with data, which is a largely ignored system component.},
  keywords = {Data, data-driven, safety-related systems},
  url = {https://web.archive.org/web/20100420235349/http://www.eng.warwick.ac.uk/staff/ns/publications.htm}
}
@conference{Faulkner2001a,
  author = {Faulkner, Alastair and Storey, Neil},
  booktitle = {Proceedings of the 19th International Safety System Conference},
  title = {The Role of Data in Safety-Related Railway Control Systems},
  year = {2001},
  address = {Huntsville AL, USA},
  month = {September},
  organization = {System Safety Society},
  pages = {793--800},
  abstract = {In the production of a computer-based safety-related system, it is
	common to partition the hardware and software elements into a system
	architecture. The software part of such an arrangement will generally
	include both the instructions that are executed by the processor(s),
	and the data that is used and produced by these instructions. In
	some cases, a large amount of static or configuration data forms
	an essential element within the system and plays a vital role in
	ensuring its correct operation. While data is subject to errors,
	experience shows that it is often not subjected to safety analysis
	techniques such as hazard and risk analysis. Data is often treated
	in a totally unstructured manner (often making error detection difficult)
	and very rarely is fault tolerance used to protect the system from
	data errors.
	
	To illustrate the role and importance of data in safety-related systems,
	this paper looks at the data associated with a railway command and
	control system. Such a system has a range of safety-related functions,
	and must also operate in the context of other safety, protection
	and business planning systems. The paper considers typical data errors
	associated with the railway environment and proposes the early definition
	of a system data architecture, which will allow the application of
	safety analysis techniques such as HAZOP.},
  keywords = {data-driven safety-related systems, data, safety, railway control systems},
  url = {https://web.archive.org/web/20100420235349/http://www.eng.warwick.ac.uk/staff/ns/publications.htm}
}
@conference{Frazer2003,
  author = {Frazer, Ken and Dowling, Duncan and Ainsworth, Mike},
  booktitle = {Proceedings of the 21st International Safety System Conference},
  title = {Developing Data Management Processes for Safety Critical Systems},
  year = {2003},
  address = {Ottawa, Canada},
  month = {August},
  organization = {System Safety Society},
  abstract = {Many safety critical systems use data to configure their functionality
	for a particular application. The approach to data preparation has
	traditionally been seen as an adjunct to the software development
	environment, and many industries have developed perceivably robust
	methods and techniques to ensure that the data meets necessary quality
	criteria.
	
	However, the increasing use of standardized components and subsystems
	has led to ever more dependence on configuration data to define a
	system’s functionality. The development of safety-related systems
	by integrating and adapting existing systems, rather than bespoke
	development, means that not only must the hardware and software engineering
	approach change, but also the strategies adopted for the management
	of safety related data.
	
	This paper describes work being undertaken as part of the development
	of the European Rail Traffic Management System (ERTMS), a computer-based
	control and protection system for trains which is being introduced
	across Europe, to ensure that the data required by ERTMS is managed
	appropriately. This is of particular concern because ERTMS poses
	new challenges to managing the data, partly as a result of the integrity,
	accuracy and volume required, but also due to the growing dependence
	by systems for their correct and safe operation on data. This paper
	discusses the problems encountered and the development of a data
	management framework to help alleviate these problems.},
  keywords = {data management},
  url = {http://dard.co.uk/papers/data_management.pdf}
}
@misc{Gibbon1996,
  author = {Gibbon, Dafydd and Ladkin, Peter},
  howpublished = {Website},
  month = {February},
  note = {Retrieved 10 September 2008},
  title = {Comments on Confusing Conversation at Cali},
  year = {1996},
  url = {https://rvs-bi.de/publications/Incidents/DOCS/Research/Rvs/Misc/Additional/Reports/cali-comment.html}
}
@techreport{Glazebrook2007,
  author = {Glazebrook, Ian},
  title = {Additional Guidance and Considerations on the Application of RTCA
	DO-178B},
  institution = {ASSC},
  year = {2007},
  number = {2007-0419},
  month = {August}
}
@incollection{SW01,
  author = {CAA Safety Regulation Group},
  booktitle = {CAP670 - Air Traffic Services Safety Requirements},
  publisher = {Civil Aviation Authority},
  title = {SW01 - Regulatory Objectives for Software Safety Assurance in ATS Equipment},
  year = {2003},
  month = {June},
  url = {https://web.archive.org/web/20081108155404/http://www.caa.co.uk/docs/33/CAP670.PDF}
}
@techreport{Harrison2000,
  author = {Harrison, A. and Pierce, R. H.},
  title = {Data Management Safety Requirements Derivation},
  institution = {Railtrack plc},
  year = {2000},
  month = {June},
  note = {West Coast Route Modernisation Internal report. Cited by Faulkner
	(2001)}
}
@conference{Hollow2000,
  author = {Hollow, Paul and McDermid, John and Nicholson, Mark},
  booktitle = {10th International Symposium of the International Council on Systems Engineering},
  title = {Approaches to Certification of Reconfigurable IMA Systems},
  year = {2000},
  address = {Minneapolis, USA},
  month = {July},
  abstract = {The aerospace industry has been investigating integrated modular avionics
	(IMA) for some years. IMA offers greater flexibility in the use of
	computing resources by reconfiguring the software to employ different
	processors and communications, in order to recover from failure and
	to redistribute workload. Such reconfiguration offers benefits, but
	poses difficulties for certification since current certification
	practice requires assessment of each configuration.
	
	The approach we have adopted is to seek means of clearing a configuration
	of a system and to identify a number of “equivalent” configurations.
	This requires us to establish “safe” reconfigurations for the IMA
	system. Technically, we have formulated the search for a set of “equivalent”
	configurations as a multiobjective optimisation problem. Pragmatically,
	the search produces configuration tables which could be used by the
	IMA operating system to make a “safe” change to an “equivalent” configuration,
	when necessary.},
  url = {https://web.archive.org/web/20070417160803/https://www-users.cs.york.ac.uk/~mark/papers/incose2000.pdf}
}
@conference{Holloway2006,
  author = {Holloway, C. M. and Johnson, C. W.},
  booktitle = {Proceedings of the 1st International Conference on System Safety},
  title = {Why System Safety Professionals Should Read Accident Reports},
  year = {2006},
  address = {London, UK},
  month = {June},
  publisher = {Institution of Engineering and Technology},
  abstract = {System safety professionals, both researchers and practitioners, who
	regularly read accident reports reap important benefits. These benefits
	include an improved ability to separate myths from reality, including
	both myths about specific accidents and ones concerning accidents
	in general; an increased understanding of the consequences of unlikely
	events, which can help inform future designs; a greater recognition
	of the limits of mathematical models; and guidance on potentially
	relevant research directions that may contribute to safety improvements
	in future systems.},
  keywords = {accidents, accident prevention, system safety},
  url = {https://web.archive.org/web/20061002162227/http://shemesh.larc.nasa.gov/ssse/iet2006-reading.pdf}
}
@misc{Ladkin1997,
  author = {Ladkin, Peter},
  howpublished = {Website},
  month = {November},
  title = {News and Comment on the Aeroperu B757 Accident, AeroPeru Flight 603, 2 October 1996},
  year = {1997},
  url = {https://rvs-bi.de/publications/Incidents/DOCS/ComAndRep/AeroPeru/aeroperu-news.html}
}
@article{Littlewood1993,
  author = {Littlewood, Bev and Strigini, Lorenzo},
  journal = {Communications of the ACM},
  title = {Validation of Ultra-High Dependability for Software-based Systems},
  year = {1993},
  month = {November},
  pages = {69--80},
  volume = {36},
  abstract = {Modern society depends on computers for a number of critical tasks
	in which failure can have very high costs. As a consequence, high
	levels of dependability (reliability, safety, etc.) are required
	from such computers, including their software. Whenever a quantitative
	approach to risk is adopted, these requirements must be stated in
	quantitative terms, and a rigorous demonstration of their being attained
	is necessary. For software used in the most critical roles, such
	demonstrations are not usually supplied. The fact is that the dependability
	requirements often lie near the limit of the current state of the
	art, or beyond, in terms not only of the ability to satisfy them,
	but also, and more often, of the ability to demonstrate that they
	are satisfied in the individual operational products (validation).
	We discuss reasons why such demonstrations cannot usually be provided
	with the means available: reliability growth models, testing with
	stable reliability, structural dependability modelling, as well as
	more informal arguments based on good engineering practice. We state
	some rigorous arguments about the limits of what can be validated
	with each of such means. Combining evidence from these different
	sources would seem to raise the levels that can be validated; yet
	this improvement is not such as to solve the problem. It appears
	that engineering practice must take into account the fact that no
	solution exists, at present, for the validation of ultra-high dependability
	in systems relying on complex software.},
  doi = {10.1145/163359.163373},
  url = {http://www.csr.city.ac.uk/people/lorenzo.strigini/ls.papers/CACMnov93_limits/CACMnov93.pdf}
}
@misc{MCA,
  author = {Maritime and Coastguard Agency},
  howpublished = {Website},
  title = {{MCA} Website},
  url = {https://www.gov.uk/topic/ships-cargoes/m-notices}
}
@techreport{Murray2003,
  author = {Murray, T.},
  title = {Blueprint Workshop Report},
  institution = {QinetiQ},
  year = {2003},
  number = {QINETIQ/S\&E/AVC/CR031274},
  month = {May},
  comment = {Raises questions about whether blueprint data should be produced by
	validated tools, or be validated after production, or both. Also
	need for safety requirements to be produced, to allow determination
	of rules for generation (and hence validation) of blueprints.}
}
@phdthesis{Pumfrey1999,
  author = {Pumfrey, David},
  school = {Department of Computer Science, University of York},
  title = {The Principled Design of Computer System Safety Analyses},
  year = {1999},
  address = {York, UK},
  month = {September},
  abstract = {Safety critical computing is a relatively young and rapidly developing
	technology, which nevertheless is being deployed in applications
	where a single accident may have extremely severe consequences. The
	safety record of critical systems presently in service is reasonably
	good, but increasing expectations of functionality and performance
	are challenging the capabilities of current design and assessment
	processes. One specific area where limitations of existing methods
	are becoming obvious is in the analysis techniques that are used
	to derive safety requirements and to provide evidence that they have
	been satisfied. There are significant practical problems in using
	existing analysis techniques to evaluate computer systems, but few
	viable new computer-specific methods have been developed.
	
	
	This thesis proposes and evaluates a set of principles for the design
	of effective techniques to address novel computer system safety analysis
	requirements. The principles are based on an appreciation of the
	technical concepts underlying successful existing system level analysis
	techniques, and of the practical qualities necessary to make a method
	industrially acceptable. The principles are applied in the development
	of two new safety analysis techniques for systems containing computers.
	
	
	The first new technique developed is Software Hazard Analysis and
	Resolution in Design (SHARD), a variant of the process industries’
	HAZOP technique. SHARD provides a structured approach to the identification
	of potentially hazardous behaviour in software systems. The second
	technique, Low-level Interaction Safety Analysis (LISA), implements
	a novel analysis approach based on a concept of system resources.
	It provides a method for establishing detailed evidence about the
	safety implications of interactions between software and the hardware
	upon which it is executed. The thesis describes the evaluation of
	the techniques through a series of large scale case studies and industrial
	trials.},
  url = {https://web.archive.org/web/20090306152017/http://www-users.cs.york.ac.uk/~djp/publications/Thesis16.pdf}
}
@article{Redmill2008,
  author = {Redmill, Felix},
  journal = {Safety Systems},
  title = {History and Legacy of IEC 61508},
  year = {2008},
  month = {January},
  number = {2},
  pages = {37--41},
  volume = {17},
  url = {https://scsc.uk/scsc-103}
}
@techreport{Republic1996,
  author = {Aeronautica Civil of the Republic of Colombia},
  institution = {Published on the web by Peter Ladkin},
  title = {Controlled Flight Into Terrain American Airlines Flight 965 Boeing 757-223, N651AA, Near Cali, Colombia, December 20, 1995},
  year = {1996},
  address = {Santa Fé de Bogota, Colombia},
  month = {September},
  note = {Retrieved from http://www.rvs.uni-bielefeld.de/publications/Incidents/DOCS/ComAndRep/Cali/calirep.html on 9 July 2008.},
  type = {Aircraft Accident Report},
  url = {https://rvs-bi.de/publications/Incidents/DOCS/ComAndRep/Cali/calirep.html}
}
@techreport{Salmon2006,
  author = {Salmon, Carolyn and Lee, Clive},
  institution = {ASSC},
  title = {The Certification of Systems containing Software developed using RTCA DO-178B},
  year = {2006},
  month = {June},
  number = {ASSC/12/0013},
  url = {https://web.archive.org/web/20091007073736/https://www.assconline.co.uk/documents/ASSC_DO178B_Report1.pdf}
}
@conference{Short2006,
  author = {Short, Roger C.},
  title = {Safety Assurance of Configuration Data for Railway Signal Interlockings},
  booktitle = {Proceedings of the 1st International Conference on System Safety},
  year = {2006},
  address = {London, UK},
  month = {June},
  publisher = {Institution of Engineering and Technology},
  abstract = {The safety of railway signalling systems depends on the correctness
	of the programming of a logical controller known as an interlocking.
	Assurance of correctness is usually achieved by a combination of
	testing, both on simulation systems and on the target hardware, and
	manual or tool assisted checking of the data, with use being made
	in some cases of techniques of static analysis and formal methods.
	The paper proposes a common model for assessing disparate techniques
	used as part of various proprietary systems.}
}
@conference{Simpson2006,
  author = {Simpson, A. J. and Stoker, J.},
  title = {Safety Challenges in Flying UAVs (Unmanned Air Vehicles) in Non Segregated
	Airspace},
  booktitle = {Proceedings of the 1st International Conference on System Safety},
  year = {2006},
  address = {London, UK},
  month = {June},
  publisher = {Institution of Engineering and Technology},
  abstract = {Unmanned Aerial Vehicles (UAVs) are set to become part of every day
	air traffic operations perhaps within the next few years; however
	there are significant challenges that must be addressed in order
	to seamlessly introduce UAVs into non segregated airspace. This paper
	discusses some of the identified safety challenges in achieving this
	objective, taking a rigorous look at how one might argue the safety
	of UAV operations in non-segregated airspace from an Air Traffic
	Management (ATM) perspective. This paper draws upon the experience
	of the authors in the UAV domain and specifically the lessons learnt
	from the safety assessment work the authors undertook on behalf of
	EUROCONTROL DG/MIL on draft specifications for flying Military UAVs
	as Operational Air Traffic (OAT) outside segregated airspace.}
}
@techreport{00-56/1,
  author = {Directorate of Standardization},
  title = {Safety Management Requirements for Defence Systems - Part 1: Requirements},
  institution = {Ministry of Defence},
  year = {2007},
  type = {Defence Standard},
  number = {00-56},
  address = {Glasgow, UK},
  month = {June},
  note = {Issue 4},
  organization = {Directorate of Standardization}
}
@techreport{00-56/2,
  author = {Directorate of Standardization},
  title = {Safety Management Requirements for Defence Systems - Part 2: Guidance
	on a means of Complying with Part 1},
  institution = {Ministry of Defence},
  year = {2007},
  type = {Defence Standard},
  number = {00-56},
  address = {Glasgow, UK},
  month = {June},
  note = {Issue 4}
}
@techreport{00-55/1,
  author = {Directorate of Standardization},
  institution = {Ministry of Defence},
  title = {Requirements for Safety Related Software in Defence Equipment Part 1: Requirements},
  year = {1997},
  address = {Glasgow, UK},
  month = {August},
  note = {Issue 2},
  number = {00-55},
  type = {Defence Standard},
  url = {https://web.archive.org/web/20090119215043/https://www.dstan.mod.uk/data/00/055/01000200.pdf}
}
@techreport{00-55/2,
  author = {Directorate of Standardization},
  institution = {Ministry of Defence},
  title = {Requirements for Safety Related Software in Defence Equipment Part 2: Guidance},
  year = {1997},
  address = {Glasgow, UK},
  month = {August},
  note = {Issue 2},
  number = {00-55},
  type = {Defence Standard},
  url = {https://web.archive.org/web/20090119214729/http://www.dstan.mod.uk/data/00/055/02000200.pdf}
}
@techreport{2382-1,
  author = {International Organization for Standardization and International
	Electrotechnical Commission},
  title = {Information Technology - Vocabulary - Part 1: Fundamental terms},
  institution = {British Standards Institution},
  year = {1993},
  type = {British Standard},
  number = {BS ISO/IEC 2382-1:1993},
  month = {November}
}
@article{Storey2008,
  author = {Storey, Neil},
  journal = {Safety Systems},
  title = {Data-driven Systems - the State of the Ark?},
  year = {2008},
  month = {January},
  number = {2},
  pages = {28--31},
  volume = {17},
  url = {https://web.archive.org/web/20100420235349/http://www.eng.warwick.ac.uk/staff/ns/publications.htm}
}
@conference{Storey2003,
  author = {Storey, Neil and Faulkner, Alastair},
  booktitle = {Proceedings of the 22nd International Conference SafeComp 2003},
  title = {Characteristics of Data in Data-Intensive Safety-Related Systems},
  year = {2003},
  address = {Edinburgh, UK},
  month = {September},
  pages = {396--409},
  abstract = {An increasing number of systems now use standardised hardware and
	software that is customised for a particular application using data.
	These data-driven systems offer flexibility and speed of implementation,
	but are dependent on the correctness of their data to ensure safe
	operation.
	
	Despite the obvious importance of the data within such systems, there
	is much evidence to suggest that this does not receive the same attention
	as other system elements. In many cases the data is developed quite
	separately from the remainder of the system, and may not benefit
	from the same level of hazard analysis, verification and validation.
	
	This paper considers the use of data in data-driven safety-related
	systems and suggests that in such systems it is appropriate to consider
	data as a distinct and separate component with its own development
	lifecycle. The paper then considers the architectural design of data-driven
	systems and the problems of validating such systems.},
  doi = {10.1007/978-3-540-39878-3_31},
  url = {https://web.archive.org/web/20100420235349/http://www.eng.warwick.ac.uk/staff/ns/publications.htm}
}
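@inproceedings{Storey2002,
  author       = {Storey, Neil and Faulkner, Alastair},
  title        = {Data Management in Data-Driven Safety-Related Systems},
  booktitle    = {Proceedings of the 20th International Safety System Conference, Denver CO, USA},
  year         = {2002},
  month        = aug,
  organization = {System Safety Society},
  pages        = {466--475},
  keywords     = {data, safety-related systems, software, safety},
  url          = {https://web.archive.org/web/20100420235349/http://www.eng.warwick.ac.uk/staff/ns/publications.htm},
  abstract     = {The increasing use of COTS components is leading to the production
	of a large number of systems which use standardized hardware and
	software that are customised for a particular situation by the use
	of configuration data. Where such systems are used in safety-related
	applications, the safety of the resulting system will often be dependent
	on the correctness of this data. It is therefore essential that configuration
	data is developed and tested to the same level of rigour as other
	system elements.
	
	Despite the obvious importance of data correctness in safety-related
	systems, anecdotal evidence suggests that data does not receive the
	same attention as other system elements. This view is reinforced
	by the observation that the standards in this area say almost nothing
	about the design, production, verification or maintenance of data.
	
	This paper describes a study to investigate the techniques being used
	to produce and manage data in a range of safety-related industries.
	This shows that data is indeed being largely ignored in many highly
	critical situations. The paper then goes on to suggest a way of tackling
	this problem, through the development of generic, and perhaps industry-specific,
	guidelines.},
}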
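@misc{Taleb2005,
  author       = {Taleb, Nassim Nicholas},
  title        = {Fooled by Randomness -- The Hidden Role of Chance in Life and in the Markets},
  year         = {2001},
  publisher    = {Texere Publishing},
  howpublished = {Cited on Wikiquote},
  url          = {https://en.wikiquote.org/wiki/Nassim_Nicholas_Taleb},
  comment      = {Key year (2005) differs from the recorded publication year (2001); key kept unchanged so existing citations still resolve},
}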
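@misc{Tanenbaum1981,
  author       = {Tanenbaum, Andrew S.},
  title        = {Computer Networks},
  year         = {1981},
  howpublished = {Cited on Wikiquote},
  url          = {https://en.wikiquote.org/wiki/Andrew_S._Tanenbaum},
}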
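@mastersthesis{Templeton2007,
  author   = {Templeton, Mark},
  title    = {Safety Integrity of Data},
  school   = {Department of Computer Science, University of York},
  year     = {2007},
  month    = sep,
  address  = {York, UK},
  abstract = {This paper sets out to consider the approach which will be needed in order to demonstrate a safety argument for data. Whilst approaches for hardware and software are already well understood, no generally accepted approach for data could be found.

Analysis of related documents and attempts to identify the aims which lay behind the development of a software standard led to the identification of a simple four stage process which could allow data to be processed in a timely manner, in order to demonstrate that safety properties have been achieved.

No generally accepted approach to the second and third steps of the four-stage process could be identified. A notation has therefore been developed, to form the foundation of these steps. The notation brings together features of an existing tool for the definition of data structures, with features found in the specification language Z.

A paper-based analysis of the proposed system has been carried out, which identifies those data errors which can be eliminated by this approach, and those which cannot. Proposals are presented for the further development of the system, in order to support the automated application of further safety requirements.},
}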
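@inproceedings{Tillotson2001,
  author       = {Tillotson, John},
  title        = {System Safety and Management Information Systems},
  booktitle    = {Aspects of Safety Management: Proceedings of the Ninth Safety-Critical
	Systems Symposium, Bristol, UK, 6--8 February 2001},
  editor       = {Redmill, Felix and Anderson, T.},
  year         = {2001},
  pages        = {13--34},
  organization = {Safety Critical Systems Club},
  publisher    = {Springer-Verlag New York, Inc.},
  address      = {Secaucus NJ, USA},
  abstract     = {This paper is about how, based on my experience, I think that a prudent
	company should manage its safety-related information systems within
	an area of safety such as the 'rail' domain.
	
	The systems I have experience of are management information (database)
	systems and are only 'safety-related' and not 'safety-critical' -
	they are not control systems and there is always a human in the decision-making
	process. The companies I have worked for are only in the foothills
	of system safety.},
}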
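@article{Welbourne1995,
  author   = {Welbourne, D. and Bester, N. P.},
  title    = {Data for Software Systems important to safety},
  journal  = {GEC Journal of Research},
  year     = {1995},
  volume   = {12},
  number   = {1},
  pages    = {50--57},
  note     = {Cited in Faulkner \& Storey (2001)},
  keywords = {data; on-line; safety-critical; configuration; calibration; verification;
	validation; V \& V},
  comment  = {HSE Levy Report? CI/GNSR/11 C/8662/ESD/ AEA-93/REP/01},
  abstract = {Extensive effort has been applied to the requirements for software
	documents and code for systems important to safety in nuclear power
	stations. However the standards and requirements for such systems
	do not discuss the extensive application data generally used in a
	typical nuclear plant. This paper reports research work done for
	the UK Health and Safety Executive. Calibration, configuration and
	functionality classes of data are identified. Based on experience
	gained from the systems studied, recommendations are presented for
	the application of a written plan and a task analysis for the preparation
	of data. The human factors aspects of the process of data identification,
	the potential for errors and the identification of sources of error
	are also considered. The methods of data preparation, verification
	and validation used on the systems studied are reviewed. Recommendations
	and assessment criteria identified are summarized in conclusion.},
}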
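@misc{JSON,
  key          = {JSON},
  title        = {JSON website},
  howpublished = {Website},
  url          = {https://www.json.org/},
}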
@comment{{jabref-meta: databaseType:bibtex;}}

This file was generated by bibtex2html 1.98.