Safety case defining

Safety case analysed as a reasoning modelflnqulry system. Topology of such model analysed and defined. An outline structure of the safety case defined and contrasted against the structure defined by standards. 

Breakeven charts can be plotted in any of the three forms shown in Figs. 9-2, 9-3, and 9-4. The abscissa shown as annual sales volume R is also frequently plotted as a percentage of the designed production or sales capacity Rq. In the case of ships, aircraft, etc., it is then called the percentage utilization. The percentage margin of safety is defined as... 

It should be clear by now that risk assessors do not know how to draw a sharp line between safe and unsafe exposures to any chemical. The very notion of safety is scientifically wrongheaded, if by it is meant the absolute absence of risk. If safety is defined in this way, it becomes in most cases impossible to know when it has been achieved, because to do so requires the proof that something - in this case, risk - does not exist. 

Finally note that an SMS is not the same as a safety case. The SMS sets out the processes and methodologies that an organisation will harness in pursuit of building a safety case. In other words the safety case is one of the outputs of applying the SMS to a particular HIT solution or component. Whilst the SMS will define acceptability criteria it will say nothing about whether the risk profile for a specific system is tolerable. 

At an early stage in the project planning it is necessary to carefully define the scope of the system or module under examination. Limiting and articulating the scope is necessary to define the boundaries that have been applied to the analysis. More importantly, this formalises those system entities which have not been subject to analysis. The safety case will therefore say nothing about the clinical risk associated with those components outside of that defined boundary. By instituting boundaries early on in a project one is able to more accurately size the target and define the resources and timescales necessary to complete the task. 

Over time there is always the opportunity for scope CTeep. The intended purpose may change or grow as the product is developed and healthcare organisations find increasingly innovative ways of harnessing a system s functionality. It is therefore important to monitor the currently defined intended purpose against its live operation and the product roadmap. Where the intended purpose changes, it is likely that the safety case will need to be revisited and the clinical risk reassessed. 

A compelling case is developed through the rigorous application of process against a target which is appropriately granular and well-defined. Doing so establishes completeness with minimal room for hazards to fall between the cracks and remain hidden. A comprehensible safety case summarises the analysis in a concise... 

Sections 13.2 and 13.4 discussed the SWIFT method for hazard derivation and the need for brainstorming. These techniques are often carried out in a workshop environment involving key stakeholders and domain experts. The act of employing this methodical evaluation of the system is important evidence which raises confidence in the safety case and provides non-specific but nevertheless important risk mitigation and diligence. This is particularly the case where structured documentation is made available to support the workshop and a clear set of inputs and outputs are defined. 

Alternatively we may decide to create more specific claims, perhaps that the system performs at a level that is conducive to practical operation in a clinical environment and/or with a defined degree of availability. Whatever measure is selected it should be clear and concise and, most importantly, be capable of being demonstrated within the scope of the planned CRM assessment process. In other words it should be possible to draw lines of logical inference between each claim and the arguments set out in the body of the safety case. 

In Sect. 11.1 we discussed the importance of defining the system by ascertaining its intended purpose and boundaries. It is worth reiterating this in the safety case itself as by the time this is being constructed it is likely that one will have a better handle on the precise nature of the requironents, functionality and design. Similarly it can be helpful to restate the rationale for the assessment and its regulatory position. As a minimum the text should set out ... 

Note that in defining the system one should be careful not to use overly commercial language. The safety case is not the place to extol the virtues of efficiency gains, improved productivity, return on investment, etc. These are all important facets of product management, the business case and marketing but in the safety case these factors could be perceived as being an ill-informed means of justifying the clinical risk. Any text which is reused from other materials should have subjective elements removed so that a plain and factual system description is articulated. 

Realistically, it has to be concluded that the term ALARP really does not provide much help to risk management professionals and facility managers in defining what levels of risk are acceptable. It may be for this reason that the U.K. HSE chose in the year 2006 to minimize its emphasis to do with ALARP requirements from the Safety Case Regime for offshore facilities. Other major companies have also elected to move away from ALARP toward a continuous risk reduction model (Broadribb, 2008). 

The safety case procedures must define the objections of the program and must identify which procedures and standards are in place. 

From Fig. 11.11 it is possible to verify the improvement in terms of carbon emission from the base case design to the retrofit design proposed (black bars lower than gray bars). Flowever, this retrofit design involved the recovery of water, so metrics related to water impact should be also assessed. The IChemE metrics have been selected to assess the water impact of the new retrofit design [63]. For the social assessment the health and safety issues were considered, through the appHcation of the Inherent Safety Index defined by Fleikldla [60]. The results obtained for the environmental and social assessments are summarized in Table 11.4. 

Some international organizations (typically non-US) are begiiming to use the so-called Safety Case as another tool to evaluate risk and reduce incidents. The evaluation uses a risk assessment to define the specific hazards and how they shall be... 

Because of significant design differences from current commercial reactors, a comprehensive plan will need to be developed to define a safety case and licensing process equivalent to current commercial reactors. In addition, significant work will be required to define the requirement for the MSR fuel cycle, including proliferation resistance and physical protection issues. 

Well-managed data is fundamental to the dependability and operational integrity of a system. Many systems are not only reliant on data, but also the integrity of data. Therefore data should be addressed as part of the system safety case in common with other elements of the system. The system safety argument(s) should address the use of data and the influence of data errors on the system behaviour. However responsibility for data and its associated data integrity is often poorly defined. This lack of clarity allows vendors to abdicate responsibility for data, and its integrity to the client. 

Uncertainty can be defined as lacking complete confidence or assurance . During safety case assessment confidence can be affected by epistemic uncertainty, which relates to a lack of knowledge (Thunnissen 2005). Safety case assessment is primarily concerned with determining that the level of knowledge about the acceptable safety of the system is sufficient. Epistemic uncertainty within safety case assessment can be classified in two ways Information Uncertainty and Inadequate Understanding (Lipshitz Strauss 1997). ... 

Assumptions can be considered legitimate and acceptable where there is a genuine lack of information or lack of understanding that cannot easily be resolved at the time the safety case is presented. For example, an assumption made regarding system maintenance procedures may be considered acceptable if the procedures have not been fully defined at the time of safety case production, and responsibility for their production lies outside of the safety case developer s duty. 

The above example safety case variations show the importance of developing the product-line safety case in such a way that permitted safety case variations are explicitly defined and traced to other variations in the environment and architectural configuration of a derived product. 

In this paper, we address the challenges presented in the previous section by defining an approach to developing product-line safety cases using the patterns and modular extensions of GSN. The patterns and modular extensions of GSN are introduced in the next two sections, followed by a detailed description and analysis of how they can be used to create and manage product-line safety cases. 

Fig. 5. Defining Safety Case Variations using Entity Abstraction Extensions...

EAST-ADL supports determination and modeling of FSRs by safety cases. The derivation of FSRs is not supported [16]. In EAST-ADL-2.0, the relation between an item and its containing elements or systems is depicted by a composition between the class item definition, which is interpreted as a collection of entities defining the item that the safety case is valid for (i.e. a "system"), and the abstract class ADLEntity [18]. More precise statements about specializations of ADLEntity are not provided. 

Of particular importance is the prospect of focusing the aetivities associated with certification on the two arguments in an assured safety case. Certification as defined by Defence Standard 00-56 (MoD 2007), for example, requires that a safety case provide ... 

---