Introduction
As discussed throughout the course, safety cases are best practice in industry when demonstrating why a system is safe. In this section, we will look at how to write and present a safety case and will also look at how to recognise a good safety case. Finally, we will look at an incident where a safety case has failed – namely the crash of RAF Nimrod XV230.
By the end of this section you will be able to evaluate:
- contents of a safety case
- writing a safety case
- purpose and benefits of goal structuring notation
- good and bad safety cases
Safety Case Contents
In the section on definition of safety cases we mentioned some of the contents that may be expected in a generic safety case. As a recap these were:
- Scope of what is being addressed, and the context and environment in which it is being addressed – the same pump may have different safety cases if it is used on land and at sea for example
- The safety management system used
- Any applicable legislation or requirements with the evidence that they have been complied with
- Evidence that risks have been identified and controlled and that any residual risk is both acceptable and ALARP
- Independent assurance that the argument and evidence are sufficient
The detail and content will then vary, partly based on the actual subject of the safety case but also based on normal practices based on the industry in question. For example, NOPSEMA (the Australian equivalent of the Offshore section of the HSE) makes some statements around their expectations, many of which could be applied in any industry (NOPSEMA 2020):
- Safety cases must be written by the operator. The logic being that those who create the risk should also manage it; this is because the operator will have the greatest in – depth knowledge of the subject, and, in addition, ownership of the safety case increases the likelihood of compliance with the safety case.
- It must identify the safety critical aspects, both technical and managerial. It is rare that an incident is caused by exclusively technical failures, hence the need to include safety critical management factors.
- Appropriate performance standards must be defined for the safety critical aspects. This a standard established by the operator and used as the basis for managing the risk of a major event.
- Workforce involvement. As discussed elsewhere in the course, if the workforce does not feel a sense of ownership, their compliance with the safety case is liable to be inconsistent at best. Furthermore, they will be able to bring their own specialist knowledge to bear helping to identify any risks and any possible mitigations.
Another thing that must always be remembered is that the safety case will be scrutinised by a regulator who is both competent and independent. This means that any attempts to brush over areas of concern are likely to be noticed, leading to the safety case not being accepted and potentially damaging the reputation of the company with the regulator.
Professor Koopman of Carnegie Mellon university discusses safety cases in the following video:
In this video, Shell discusses the importance of safety cases in their operations and discusses how they are used with their workforce. An important point to pick up from the video is the idea of the safety case as a living document that grows and develops over time:
In this final video, which was produced for SapuraKencana, the contents of a safety case are discussed in more detail:
Writing a Safety Case
Whilst the actual method of writing a safety case is not proscribed, there are best practices that can be applied in almost any situation. The Nimrod review suggested 6 principles, that had the handy acronym SHAPED. The UK Nuclear Safety Case Forum developed this slightly into PSHAPED – the first P being preparation.
We will discuss these shortly, but first the following video from Risktec succinctly describes the process:
“The Haddon-Cave Review into the Nimrod crash suggested that the safety case regime had lost its way, and was no longer really a method for ensuring safety but had, in fact, become merely a paper based exercise.”
Following this review the UK Nuclear industry looked at safety cases and suggested that safety cases should be based on the principles of PSHAPED above.
This means that good safety cases fundamentally require good Preparation (the first P), and then should be based on 6 principles:
- Succinct
- Home grown
- Accessible
- Proportionate
- Easy to Understand
- Document – light
We will look at Preparation, Home Grown and Proportionate separately, and then look at the remaining principles as one area due to the amount of overlap. In common with the UK nuclear industry we shall call this area “Usability”. As this section is largely taken from the work of the UK safety case forum, we will briefly summarise each section, but the forum’s guide “Right First Time Safety Cases” is reproduced in full further through the report.
Preparation
We have all heard the saying “fail to prepare and prepare to fail”. Whilst this statement is somewhat trite, it is nevertheless true, and the same applies in the writing of safety cases. Without preparation safety cases often fail due to changes in scope, misunderstanding of interactions, or failing to involve the right people. Before beginning the safety case it is essential to address the following:
- Resources
- Scope and purpose
- Process
- Learning from Experience (LFE)
- Understand what success looks like
- Strategy for delivery
If these items are correctly addressed before the safety case is begun, the chances of success are increased greatly.
Home - Grown
As we have frequently discussed during this course, buy-in is essential to ensure success, not just of a safety case but of almost all processes. For this reason, it is essential to establish clear ownership of the safety case. Usually the owner is the person who has ultimate responsibility for the safety of the product, plant, etcetera.
Safety case owners can be good or bad, a good safety case owner will:
- Ensure commitment from the team.
- Establish resourcing in terms of funding and personnel is adequate, including ensuring availability of a project manager to keep to timescale.
- Ensure that all specified roles are appropriately filled, and responsibilities are clear.
Whilst the safety case owner should be a formal role, identifying the person with ultimate responsibility, for the safety case to be successful it is equally important that the safety case is considered as belonging to all involved throughout the lifecycle including operators; the safety case must not be considered as just belonging to the authors.
Proportionate
The depth of the Safety Case must be proportionate to the hazards/risks/complexity of the thing being assessed, not forgetting that risks, in particular, are not always well understood at the start of a Safety Case project, particularly for a new product or process.
For this reason, when preparing the Safety Case, the following steps should be applied:
- For lower hazard operations, use simpler methods of fault identification.
- Use methodologies that are appropriate for the potential consequences.
- Use methodologies that are proportionate in themselves.
- Use semi-quantitative and qualitative techniques as appropriate.
- Avoid over-pessimism that artificially inflates the significance of a hazard.
- Avoid optimism.
- Key assumptions should be underpinned.
- Apply ALARP proportionately
Artist Rob Higgs' corkscrew - the very antithesis of proportionate.
Used with permission © Rob Higgs
A video of it in operation can be found at this link:
more of Rob's work can be seen on his YouTube channel:
Usability
It is unsurprising that probably the most important thing with any safety case is that it is usable.
Referring back to the principles above, this means that it should be accessible, easy to understand, succinct and document-light.
To be effective it is vital that users can access the safety case and easily understand the risks and hazards that they are dealing with, and what safeguards have been put in place to ensure that everything remains safe.
People are easily put off reading a safety case simply because it looks too long. It should be noted that document-light does not mean attempting to write a short safety case – which is usually impossible in any case – but rather that it needs to be properly structured, clear and focussed.
The technical detail should not be included in the high-level safety case, but rather in the supporting information.
This vintage flight deck is over complex, the opposite of usability
Usable safety cases should:
- Be focussed on managing risk
- Clearly define their scope
- Focus on what is needed to be known
- Be easy to navigate
- Present information in a clear and concise manner
- Be easy to understand
- Be easy to access
- Flow well
- Minimise repetition
- Use the must up to date supporting information
- Be clear as to what needs to be implemented
Goal Structuring Notation
As already discussed, the most important aspect of any safety case is that it is usable. It is also a well-accepted fact that the majority of people learn and work more easily with visual rather than written data – a picture tells a thousand words and so on.
Taking this into consideration, the University of York developed Goal Structuring Notation (GSN) in the 1990s as a graphical argument that is used to show that safety goals have been achieved by documenting and presenting evidence in a manner that is clearer than plain text. The use of GSN has since expanded into a huge variety of fields – not just engineering.
In the following video Tim Kelly of the University of York – one of the original developers of GSN – discusses its development, advantages and some of the places in which it used.
GSN Example (mathematics)
GSN is a powerful tool and is perhaps most easily demonstrated using an example. Here, we use GSN to illustrate a proof of the statement “The sum of the natural numbers 1…n is equal to n(n+1)/2” using “mathematical induction”.
Image from Modelling-Languages blog post by Kenji Hiranabe, Astah CEO
Used under Fair Dealing - Educational Use
In this example the “goal” is the statement we are seeking to prove
The next node is called “strategy”. There are many ways to prove this particular statement, but we have chosen “induction”
Once we have chosen strategy, we can then divide the goal into “sub goals”.
Here, we divide the proof in two:
- Base: prove this is true when n=1
- Induction: assuming it holds when n=k, prove that it holds when n=k+1
The terminals are called “solutions” or “evidences” as appropriate.
A real-world example is given below
Image from GSN COMMUNITY STANDARD VERSION 1
Used under Fair Dealing - Educational Use
A fuller discussion of GSN and the community standard can be found here:
CHIME
One of the issues with safety cases, as with anything else, is the need to assure oneself that it is in fact correct and holds true. Any organisation or regulator must consider whether the safety case stacks up.
Safehand, a digital health consultancy, have developed the CHIME framework to help decide if a safety case is plausible, and what to look for, namely credibility, hazard log, issues, method and evidence (Stavert-Dobson, 2017).
Credibility – first and foremost, is it believable? Has the safety case been written to prove that the product, already previously designed, just happens to be safe, or is it a valid argument? Have the appropriate people been involved in the development, or has it just been signed off at the end? If the safety case reads like it is trying to sell something, suspicions should be raised, it should be objective and factual.
Hazard log – is there a suitably detailed hazard log? A hazard log that contains nonsensical hazards (risk of a key popping off a keyboard and injuring someone’s eye is a genuine example) is suspicious, have real hazards been ignored or disguised with chaff? Similarly, however if a complex or hazardous product has a very short hazard log then further investigation should be undertaken. Further, are they genuine hazards, or an attempt to move the risk onto the next stage in the process rather than seek to remove the risk all together.
Issues – If an assessment has been carried out properly it is virtually guaranteed to find issues where the risk has not been mitigated fully. This should not be thought of as a failing, but rather as a sign of solid and honest evaluation. If a safety case claims no concerns and everything is right first time, there is probably something wrong with the safety case. That being said, it should be checked – it may still be honest.
Method – how was the assessment carried out? Does the safety case define the techniques used? Are there clear acceptability criteria, and if so, have the findings been measured against that criteria? Is the scope of the safety case correct?
Evidence – probably the most important test of all. Are all the findings backed up with evidence and is that evidence credible? If a control has been suggested, will it work and can it be shown to work? It is possible for a hazard log to show 5 or 6 controls of a hazard, none of which will actually achieve anything, thereby invalidating the hazard log. Commercial sensitivity is sometimes cited as a reason for withholding evidence, and whilst this may be valid, it should induce scepticism.
Ultimately however the ability to recognise a good safety case comes from experience. For this reason, a person using a safety case should always be encouraged to seek assistance when they need it, and it is usually wise to have more than one person review and assess safety cases before they are accepted.
References
NOPSEMA, 2020. What is a Safety Case? [online]. Available from https://www.nopsema.gov.au/safety/safety-case/what-is-a-safety-case/ [20th February 2020)
Stavert-Dobson, 2017. Does your supplier’s Safety Case chime clear as a bell? [online]. Available from https://safehand.co.uk/2017/10/18/suppliers-safety-case/ [16th April 2020]