Misuse of safety cases

Author: Ello Weits
Co-author: Stefano Stanghellini
Day: Aspect Day One

Safety Session

In the everyday practice of railway signalling projects, safety management seems to be the same as the delivery of safety cases. There is a very strong focus on producing safety cases which, after positive ISA statements have been obtained, are submitted to a regulator (usually the NSA).

After ISA assessment and approval by the regulator, any change to the baseline makes the safety case invalid unless the assessment and approval processes are restarted. Safety cases are usually Word documents, full of references to other documents regarding design, HW and SW versions, the as-installed baseline, etc. Updating safety cases and renewing assessment and approval are therefore time-consuming tasks. In summary, there is a severe penalty on changes to a baseline (implementing improvements and upgrades) once the safety case has been finalised and assessed. Safety cases thus tend to immobilise the status quo.

A second, more important and unfortunate side effect of the focus on safety cases is that the safety case and its approval tend to drive the safety management processes in various ways, instead of the other way around. The deadlines for completing the safety case are transferred to the safety management processes. These processes and their supporting quality management processes are likely to be delayed until the safety case has to be completed. Furthermore, the scope of the safety management processes tends to be reduced to what needs to be captured in the safety case. Instead of a push relation (safety management is summarised in the safety case) we often see a pull relation (the summarising safety case reduces the scope of the safety management processes). In summary, the set-up of the safety cases determines the scope and timing of safety management work.

This excessive focus on the safety cases (at the cost of the safety management process) is seen both on the supplier's and on the customer's side. Partly for contractual reasons, discussions between customer and supplier tend to concentrate on the delivery of safety cases that are positively assessed by an ISA. It is then sometimes up to the ISA to proactively request and inspect the evidence that must be produced during the life cycle of the project.

The paper describes the situation just sketched in more detail and outlines a solution. In essence, the solution is to clearly separate safety management from the delivery of safety cases. As Wim Coenraad wrote in 2009 on behalf of the International Technical Committee of the IRSE (in “Towards the one page safety case: less paper and more assurance”): “any project, any supplier that applies the systems- and safety assurance processes that are now the norm in our industry […] should not need more than ten pages and two weeks [for a safety case] to explain all that and convince their Independent Safety Assessor (ISA)”. In other words, safety management is the central, continuous and controlled activity; safety cases are just a by-product, a snapshot of that activity.