Diagrams are Views of the Model

The Diametric Safety Case Manager (DSM) is first and foremost a modelling tool. Most work in the DSM is done using diagrams, but these diagrams are just a representation of an underlying model. An entity such as a Goal or a Hazard can appear on several diagrams, but these are all views of a single entity; if it is changed then all the diagrams where it appears will be updated.

Data from the model can also be extracted in tabular form using Matrices and as documents using Reports. These can also show extension data attached to each entity.

Goal Structuring Notation

GSN is a graphical notation for representing complex arguments linked to evidence. Here is an example argument drawn using the DSM.

[Figure: Example GSN diagram showing the argument that train doors will open at a station.]

The rectangular boxes labelled with “G” are “Goals”: the things that the argument seeks to demonstrate. Goals are linked into a hierarchy by “Support” arrows. The diamond “S2.1” is a “Strategy”, which explains how the goals below it add up to the goal it supports. The circles are “Solutions”: the bottom level of the argument.

The boxes below the solutions are evidence items. This is an extension to the GSN standard to allow the GSN solutions to be linked to actual evidence items. We have found that in practice GSN solutions do not have a 1:1 relationship to the actual evidence. Sometimes the evidence for a particular solution is a section within a document, such as the timing requirements within a larger requirements document. Other times the evidence consists of several documents, such as a set of designs. Hence we have introduced “trace” arrows (the dashed lines) which can link generic solutions to the actual evidence.

Bow-tie Diagrams

The DSM supports bow-tie diagrams as a notation for describing hazards. As with GSN diagrams these diagrams are representations of an underlying model, and it is this model which is the real advantage of the DSM.

Conventional hazard logs are created using tables or forms. This leads to duplication when mitigations or causal factors overlap. The DSM treats the hazard log as a model consisting of events, hazards and controls linked by threat lines. As with GSN, a single entity can appear on several different diagrams, but it remains a single entity.

This diagram shows the events which could lead to a passenger falling out of a moving train. The yellow box at the top is the Hazard: the dangerous situation. Gray boxes linked by solid lines are events: circumstances which might occur during operation. The green boxes are controls: factors within the system which will reduce the probability or severity of a mishap.

[Figure: Real-life example: London Underground train door open incident.]

The event “Door opens when under way” is the “top event”: the point where control of the system is lost. Events on the left are causal factors leading up to the top event, while the event on the right (“Passenger injury”) is an accident that can result.

Events are also linked to controls to indicate that they can prevent the control from operating. For instance, the control “Emergency Switch” shows that one possible way in which the system can avert an accident is for a passenger to pull the emergency switch to notify the driver. However, emergency switches also carry notices of the legal penalties for misuse, and this might prevent a passenger from pulling the switch.

As with GSN diagrams, controls can be traced to evidence that they will work. The evidence can be either actual documents or, where a more complicated argument is needed, GSN goals.
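The hazard-log model described in this section, as an added Python illustration that is not DSM code or its file format: entities are stored once, diagrams hold only entity ids, and queries report controls with no trace to evidence and events that can defeat a control. The ids, hazard title, interlock control, deterrence event and evidence item are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class Model:
    """One store of entities; diagrams hold ids only, so they are views."""
    entities: dict = field(default_factory=dict)   # id -> [kind, name]
    links: set = field(default_factory=set)        # (link kind, source id, target id)
    diagrams: dict = field(default_factory=dict)   # diagram title -> list of ids

    def add(self, ident, kind, name):
        self.entities[ident] = [kind, name]

    def rename(self, ident, name):
        self.entities[ident][1] = name

    def render(self, title):
        # Names are looked up at draw time, so a rename reaches every diagram.
        return [self.entities[i][1] for i in self.diagrams[title]]

    def untraced_controls(self):
        """Controls with no trace link to evidence or to a GSN goal."""
        traced = {src for kind, src, _ in self.links if kind == "trace"}
        return sorted(i for i, (kind, _) in self.entities.items()
                      if kind == "control" and i not in traced)

    def defeaters(self, control):
        """Events linked to a control because they can stop it operating."""
        return sorted(self.entities[src][1] for kind, src, dst in self.links
                      if kind == "defeats" and dst == control)

def build_example():
    # Constructed sample data: ids, the hazard title, the interlock control,
    # the deterrence event and the evidence item are assumptions.
    m = Model()
    m.add("H1", "hazard", "Passenger falls from moving train")
    m.add("E1", "event", "Door opens when under way")
    m.add("E2", "event", "Passenger injury")
    m.add("E3", "event", "Passenger deterred by penalty notice")
    m.add("C1", "control", "Emergency Switch")
    m.add("C2", "control", "Door interlock")
    m.add("D1", "evidence", "Interlock design document")
    m.links |= {("threat", "E1", "E2"), ("defeats", "E3", "C1"),
                ("trace", "C2", "D1")}
    m.diagrams = {"Door hazard bow-tie": ["H1", "E1", "C1", "C2", "E2"],
                  "Interlock detail": ["E1", "C2"]}
    return m

if __name__ == "__main__":
    m = build_example()
    m.rename("E1", "Door opens while train is moving")
    print(m.render("Door hazard bow-tie"), m.render("Interlock detail"))
    print("No evidence trace:", m.untraced_controls())
    print("Can defeat C1:", m.defeaters("C1"))
```

A table-based hazard log would need the renamed event edited in every row that mentions it; here both diagrams pick up the change from the single entity.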

Causality Diagrams

Bow-tie diagrams are most useful for providing high-level analysis of hazards. Where a more detailed engineering analysis of failure modes and mechanisms is required, the DSM also provides a notation to directly link cause and effect using a state machine notation similar to Petri nets. Here is an example:

[Figure: Causal diagram of train movement sensor.]

This shows the detailed failure modes of the movement sensor which forms part of the interlock system mentioned in the bow-tie diagram above. The oval boxes are states and the slanted boxes are events which can lead to state transitions. The diamond in the centre is a conditional state, which in this case is true if any of its input states are true.

In the future we plan to add numerical modelling to this notation so that reliability figures can be extracted in a way similar to fault trees.