Page 330 -
12.2 Safety specification 313
The IEC standard for safety management
The IEC (International Electrotechnical Commission) has defined a standard for safety management for
protection systems (i.e., systems that are intended to trigger safeguards when some dangerous situation arises).
An example of a protection system is a system that automatically stops a train if it goes through a red signal.
This standard includes extensive guidance on the process of safety specification.
http://www.SoftwareEngineering-9.com/Web/SafetyLifeCycle/
12.2 Safety specification
Safety-critical systems are systems in which failures may affect the environment of
the system and cause injury or death to the people in that environment. The principal
concern of safety specification is to identify requirements that will minimize the
probability that such system failures will occur. Safety requirements are primarily
protection requirements and are not concerned with normal system operation. They
may specify that the system should be shut down so that safety is maintained. In
deriving safety requirements, you therefore need to find an acceptable balance
between safety and functionality and avoid overprotection. There is no point in
building a very safe system if it does not operate in a cost-effective way.
Recall from the discussion in Chapter 10 that safety-critical systems use a specialized terminology where a hazard is something that could (but need not) result in death or injury to a person, and a risk is the probability that the system will enter a hazardous state. Therefore safety specification is usually focused on the hazards that may arise in a given situation, and the events that can lead to these hazards.
The activities in the general risk-based specification process, shown in Figure 12.1,
map onto the safety specification process as follows:
1. Risk identification In safety specification, this is the hazard identification
process that identifies hazards that may threaten the system.
2. Risk analysis This is a process of hazard assessment to decide which hazards are
the most dangerous and/or the most likely to occur. These should be prioritized
when deriving safety requirements.
3. Risk decomposition This process is concerned with discovering the events that
can lead to the occurrence of a hazard. In safety specification, the process is
known as hazard analysis.
4. Risk reduction This process is based on the outcome of hazard analysis and
leads to identification of safety requirements. These may be concerned with
ensuring that a hazard does not arise or lead to an accident or that if an accident
does occur, the associated damage is minimized.
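The four steps above can be made concrete with a small hazard register. The following Python is an added example written for this page, not code from the book: it models each hazard's contributing events as a fault tree (risk decomposition), computes the probability of the hazardous state from the event probabilities (hazard assessment), ranks the hazards, and derives a protection requirement for each hazard whose risk exceeds a tolerability threshold (risk reduction). The train protection system from the sidebar is used as the sample; every probability, the severity scale and the tolerability threshold are constructed values, and the fault-tree arithmetic assumes the contributing events are independent.

```python
from dataclasses import dataclass, replace
from typing import List, Union


@dataclass(frozen=True)
class Event:
    name: str
    probability: float  # per-demand probability of the event (constructed values below)


@dataclass(frozen=True)
class Gate:
    kind: str     # "AND": every input must occur; "OR": any single input suffices
    inputs: tuple # child Events or Gates


Node = Union[Event, Gate]


def probability(node: Node) -> float:
    """Probability that a fault-tree node occurs, assuming its inputs are independent."""
    if isinstance(node, Event):
        return node.probability
    ps = [probability(child) for child in node.inputs]
    if node.kind == "AND":          # all inputs occur: product of probabilities
        result = 1.0
        for p in ps:
            result *= p
        return result
    if node.kind == "OR":           # at least one occurs: 1 - P(none occurs)
        none_occur = 1.0
        for p in ps:
            none_occur *= 1.0 - p
        return 1.0 - none_occur
    raise ValueError(f"unknown gate kind {node.kind!r}")


def leaves(node: Node) -> List[Event]:
    """All basic events under a node (step 3: the events that can lead to the hazard)."""
    if isinstance(node, Event):
        return [node]
    return [leaf for child in node.inputs for leaf in leaves(child)]


def with_event_probability(node: Node, name: str, p: float) -> Node:
    """Return a copy of the tree in which the named event has probability p."""
    if isinstance(node, Event):
        return replace(node, probability=p) if node.name == name else node
    return replace(node, inputs=tuple(with_event_probability(c, name, p) for c in node.inputs))


@dataclass(frozen=True)
class Hazard:
    name: str
    severity: int  # constructed scale: 1 = minor injury ... 4 = multiple deaths
    tree: Node     # fault tree of the events that can lead to this hazard

    def risk(self) -> float:
        # Risk = probability of entering the hazardous state x severity of the outcome.
        return probability(self.tree) * self.severity


def prioritise(hazards: List[Hazard]) -> List[Hazard]:
    """Step 2: rank hazards so the most dangerous and most likely are treated first."""
    return sorted(hazards, key=lambda h: h.risk(), reverse=True)


def derive_safety_requirements(hazards: List[Hazard], tolerable_risk: float) -> List[str]:
    """Step 4: for every hazard above the tolerability threshold, require a safeguard
    against its most probable contributing event (a simple heuristic, not a cut-set analysis)."""
    requirements = []
    for h in prioritise(hazards):
        if h.risk() <= tolerable_risk:
            continue
        worst = max(leaves(h.tree), key=lambda e: e.probability)
        requirements.append(
            f"{h.name}: protect against '{worst.name}' (p={worst.probability:.1e}); "
            f"hazard risk {h.risk():.1e} exceeds tolerable {tolerable_risk:.1e}")
    return requirements


def mitigated_risk(h: Hazard, event_name: str, new_probability: float) -> float:
    """Risk of the hazard after a safeguard reduces one event's probability."""
    return replace(h, tree=with_event_probability(h.tree, event_name, new_probability)).risk()


# Constructed sample: the automatic train-stop protection system from the sidebar.
AUTO_STOP_FAILS = Gate("OR", (Event("signal detector fails", 1e-4),
                              Event("brake actuator fails", 1e-5)))
SAMPLE_HAZARDS = [
    Hazard("Train passes red signal without stopping", severity=4,
           tree=Gate("AND", (Event("driver fails to brake", 1e-3), AUTO_STOP_FAILS))),
    Hazard("Spurious emergency stop at speed", severity=2,
           tree=Event("spurious stop command", 5e-4)),
]

if __name__ == "__main__":
    for h in prioritise(SAMPLE_HAZARDS):
        print(f"{h.risk():.2e}  {h.name}")
    for r in derive_safety_requirements(SAMPLE_HAZARDS, tolerable_risk=1e-6):
        print(r)
    print(f"{mitigated_risk(SAMPLE_HAZARDS[1], 'spurious stop command', 1e-7):.1e}")
```

With these constructed numbers the spurious-stop hazard, although less severe, ranks first because its single contributing event is far more likely than the coincidence of a driver error and a protection-system failure; it is the only hazard that breaches the threshold, so it is the one for which a protection requirement is derived. The `mitigated_risk` call shows the effect the derived safeguard must have for the hazard to fall back under the threshold, which is the balance between safety and functionality that the section describes.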