
    Resilience markers for safer systems and organisations

    If computer systems are to be designed to foster resilient performance, it is important to be able to identify contributors to resilience. The emerging practice of Resilience Engineering has identified that people are still a primary source of resilience, and that the design of distributed systems should provide ways of helping people and organisations to cope with complexity. Although resilience has been identified as a desired property, researchers and practitioners do not have a clear understanding of what manifestations of resilience look like. This paper discusses some examples of strategies that people can adopt that improve the resilience of a system. Critically, analysis reveals that the generation of these strategies is only possible if the system facilitates them. As an example, this paper discusses practices, such as reflection, that are known to encourage resilient behaviour in people. Reflection allows systems to better prepare for oncoming demands. We show that contributors to the practice of reflection manifest themselves at different levels of abstraction: from individual strategies to practices in, for example, control room environments. The analysis of interaction at these levels enables resilient properties of a system to be ‘seen’, so that systems can be designed to explicitly support them. We then present an analysis of resilience at an organisational level within the nuclear domain. This highlights some of the challenges facing the Resilience Engineering approach and the need for using a collective language to articulate knowledge of resilient practices across domains.

    Towards Identifying and closing Gaps in Assurance of autonomous Road vehicleS - a collection of Technical Notes Part 1

    This report provides an introduction and overview of the Technical Topic Notes (TTNs) produced in the Towards Identifying and closing Gaps in Assurance of autonomous Road vehicleS (Tigars) project. These notes aim to support the development and evaluation of autonomous vehicles. Part 1 addresses: Assurance Overview and Issues, Resilience and Safety Requirements, Open Systems Perspective, and Formal Verification and Static Analysis of ML Systems. Part 2 addresses: Simulation and Dynamic Testing, Defence in Depth and Diversity, Security-Informed Safety Analysis, and Standards and Guidelines.

    ATM automation: guidance on human technology integration

    © Civil Aviation Authority 2016
    Human interaction with technology and automation is a key area of interest to industry and safety regulators alike. In February 2014, a joint CAA/industry workshop considered perspectives on present and future implementation of advanced automated systems. The conclusion was that whilst no additional regulation was necessary, guidance material for industry and regulators was required. Development of this guidance document was completed in 2015 by a working group consisting of CAA, UK industry, academia and industry associations (see Appendix B). This enabled a collaborative approach to be taken, and for regulatory, industry, and workforce perspectives to be collectively considered and addressed. The processes used in developing this guidance included: review of the themes identified from the February 2014 CAA/industry workshop; review of academic papers, textbooks on automation, and incidents and accidents involving automation; identification of key safety issues associated with automated systems; analysis of current and emerging ATM regulatory requirements and guidance material; and presentation of emerging findings for critical review at UK and European aviation safety conferences. In December 2015, a workshop of senior management from project partner organisations reviewed the findings and proposals. EASA were briefed on the project before its commencement, and Eurocontrol contributed through membership of the Working Group.

    Evaluation of A Resilience Embedded System Using Probabilistic Model-Checking

    If a Micro Processor Unit (MPU) receives an external electric signal as noise, the system function will freeze or malfunction easily. A new resilience strategy is implemented in order to reset the MPU automatically and stop the MPU from freezing or malfunctioning. The technique is useful for embedded systems which work in non-human environments. However, evaluating resilience strategies is difficult because their effectiveness depends on numerous, complex, interacting factors. In this paper, we use probabilistic model checking to evaluate embedded systems installed with the above-mentioned new resilience strategy. Qualitative evaluations are implemented with 6 PCTL formulas, and quantitative evaluations use two kinds of measure: one is system failure reduction, and the other is ADT (Average Down Time), the industry standard. Our work demonstrates the benefits brought by the resilience strategy. Experimental results indicate that our evaluation is cost-effective and reliable.
    Comment: In Proceedings ESSS 2014, arXiv:1405.055

    Failure is an option: an innovative engineering curriculum

    Purpose: Advancements and innovation in engineering design are based on learning from previous failures, but students are encouraged to ‘succeed’ first time and hence can avoid learning from failure in practice. The purpose of the study was to design and evaluate a curriculum to help engineering design students to learn from failure.
    Design/Methodology/Approach: A new curriculum design provided a case study for evaluating the effects of incorporating learning from failure within a civil engineering course. An analysis of the changes in course output was undertaken in relation to graduate destination data covering 2006 to 2016 and student satisfaction from 2012 to 2017, and a number of challenges and solutions for curriculum designers were identified.
    Findings: The design and delivery of an innovative curriculum, within typical constraints, can provide opportunities for students to develop resilience to failure as an integral part of their learning, in order to think creatively and develop novel engineering solutions. The key issues identified were: the selection of appropriate teaching methods, creating an environment for exploratory learning, group and team assessments with competitive elements where practicable, and providing students with many different pedagogical approaches to produce a quality learning experience.
    Originality: This case study demonstrates how to design and implement an innovative curriculum that can produce positive benefits of learning from failure. This model can be applied to other disciplines such as building surveying and construction management. This approach underpins the development of skills necessary in the educational experience to develop as a professional building pathologist.

    Air Traffic Management Safety Challenges

    The primary goal of the Air Traffic Management (ATM) system is to control accident risk. ATM safety has improved over the decades for many reasons, from better equipment to additional safety defences. But ATM safety targets, improving on current performance, are now extremely demanding. Safety analysts and aviation decision-makers have to make safety assessments based on statistically incomplete evidence. If future risks cannot be estimated with precision, then how is safety to be assured with traffic growth and operational/technical changes? What are the design implications for the USA’s ‘Next Generation Air Transportation System’ (NextGen) and Europe’s Single European Sky ATM Research Programme (SESAR)? ATM accident precursors arise from (e.g.) pilot/controller workload, miscommunication, and lack of up-to-date information. Can these accident precursors confidently be ‘designed out’ by (e.g.) better system knowledge across ATM participants, automatic safety checks, and machine rather than voice communication? Future potentially hazardous situations could be as ‘messy’ in system terms as the Überlingen mid-air collision. Are ATM safety regulation policies fit for purpose: is it more and more difficult to innovate, to introduce new technologies and novel operational concepts? Must regulators be more active, e.g. with more inspections and monitoring of real operational and organisational practices?