Vol. 47, No. 6 • November-December 2011

In the Spotlight

The Use of Safety Cases in Certification and Regulation
by Nancy Leveson, Aeronautics and Astronautics/Engineering Systems, MIT
Introduction
Certification of safety-critical systems is usually based on an evaluation of whether a system or product reduces risk of specific losses to an acceptable level. There are major differences, however, in how that decision is made and in what evidence is required. The term "safety case" has become popular recently as a solution to the problem of regulating safety-critical systems. The term arises from the Health and Safety Executive (HSE) in the U.K., but different definitions seem to be rife. To avoid confusion, this paper uses the term "assurance cases" for the general term and limits the use of the term "safety case" to a specific definition as an argument for why the system is safe. This paper examines the use of safety cases and some dangers associated with their use. The first important distinction is between types of regulation.
Types of Regulation
Safety assurance and certification methods differ greatly among industries and countries. Safety assurance methods commonly used can be broken into two general types, which determine the argument used in the assurance or certification process:
- Prescriptive: Standards or guidelines for product features or development processes are provided and are used to determine whether a system should be certified. Prescriptive standards come in two forms:
  - Product: Specific design features are required, which may be specific designs, as in electrical codes, or more general features, such as fail-safe design or the use of protection systems. Assurance is usually provided by inspection of the design features provided to determine if they are effective and implemented properly. In some industries, practitioners are licensed based on their knowledge of the standards or codes of practice. Assurance then becomes the responsibility of licensed practitioners, who can lose their license if they fail to follow the standards. Organizations may also be established that produce standards and provide certification, such as the UL rating.
  - Process: Here, the standards specify the process to be used in producing the product or system, or in operating it (e.g., maintenance or change procedures), rather than the specific design features of the product or system itself. Assurance is based on whether the process was followed and, sometimes, on the quality of the process or its artifacts. The process requirements may specify:
    - General product or system development processes and their artifacts, such as requirements specifications, test plans, reviews, analyses to be performed and documentation produced
    - The process to be used in the safety engineering of the system, as distinct from the general development process used for the product
- Performance-based or goal-setting: These approaches focus on desired, measurable outcomes rather than required product features or prescriptive processes, techniques or procedures. The certification authority specifies a threshold of acceptable performance and a means for assuring that the threshold has been met. Basically, the standards set a goal, which may be a risk target, and it is usually up to the assurer to decide how to accomplish that goal. Performance-based regulation specifies defined results without specific direction regarding how those results are to be obtained. An example is a requirement that an aircraft navigation system must be able to estimate its position to within a circle with a radius of 10 nautical miles with some specified probability.
While in the past most assurance was prescriptive (either product or process), there has been interest in performance-based regulation and assurance by government agencies, starting in the U.S. during the Reagan administration, often spearheaded by pressure from those being certified. A similar, but much more successful, movement was started in Great Britain around the same time, some of it stemming from the Cullen report on the Piper Alpha accident [Ref. 2].
Certification in the U.S. primarily uses prescriptive methods, but mixes the two types (product and process). Commercial aircraft, for example, are certified based on airworthiness standards requiring specific features (e.g., oxygen systems and life preservers), and more general features such as fail-safe design. Certification also requires the use of various types of safety analysis techniques, such as Fault Hazard Analysis, and general engineering development standards. NASA also uses both product and process standards.
While the Nuclear Regulatory Commission requires prescriptive assurance for nuclear power plants, the American Nuclear Society in 2004 called for the use of risk-informed and performance-based regulations for the nuclear industry, arguing that,
"Risk-informed regulations use results and insights from probabilistic risk assessments to focus safety resources on the most risk-significant issues, thereby achieving an increase in safety while simultaneously reducing unnecessary regulatory burden produced by deterministic regulations." [Ref. 1]
Similar arguments have been made about FAA regulations and procedural handbooks being inflexible and inefficient, and about rule-making taking too long. Recommendations have been made to redesign the rulemaking process by moving to performance-based regulations where appropriate, but this type of certification is controversial, particularly with respect to how the performance goals are set and assured.