Analysis Design and Validation of Interactive
Safety-critical and Error-tolerant Systems Tutorial on

Causal Analysis for Incident and Accident Investigation

Chris Johnson, University of Glasgow.

09.00-16.00, June 17th 2003, Venue: the Senate Room, Main Building, University of Glasgow.

| Advises Home Page? | Research Training Networks? | Jobs & Studentships? | Members only (password needed) | Full tutorial programme |

Human operators play diverse roles in accidents and incidents. They can act to provide the catalyst that triggers an adverse event, for instance by issuing an 'incorrect' command. They can also act to create the context in which an accident is more likely, for instance by failing to manage the development of an appropriate safety culture. Human operators also play a role in mitigating the consequences of adverse events, for example by detecting and responding to an incident before it develops into a more serious accident. Many different techniques can be used to represent and reason about the human contribution to incidents and accidents. This tutorial will provide an overview of these techniques.

Most investigation techniques have been developed to support the analysis of adverse events in a broad range of industrial applications. We will, therefore, provide more detailed experience in the application of two techniques that have been specifically designed to support the analysis of computer-related incidents.

STAMP was developed by Prof. Nancy Leveson at MIT. It relies upon a control model of the systems involved in an accident or incident. This is then inspected to identify violations in the constraints that are intended to hold between system components. In contrast, the second approach has been developed in conjunction with the UK Health and Safety Executive. PARCEL (Programmable systems Analysis for Root Causes and Experience based Learning) identifies failures in the application of lifecycle requirements within development standards, such as IEC61508. This not only helps to inform subsequent development but can also provide feedback on situations where safety-critical standards fail to support the operators and suppliers of interactive systems.

The reason for focusing on these two techniques is that neither explicitly supports the analysis of incidents involving interactive systems of the type considered within the rest of the ADVISES programme. It is hoped that participants might, therefore, contribute to the subsequent development of these tools.

Recommended reading: Tutorial notes:

Photographs from the tutorial... (thanks to Floor Koornneef for taking them).

This tutorial is free and open to people outside the training network. However, you must register before the event. Here is a list of local hotels. Places will be allocated on a first-come, first-served basis. For more information contact:

Prof. Chris Johnson,
Dept. of Computing Science, Univ. of Glasgow, Glasgow, G12 8QQ, Scotland.
Tel: +44 141 330 6053, Fax: +44 141 330 4913,