Chris Johnson's Research Projects

This page presents an overview of my government-funded research projects. I do not maintain a page for commercial projects. Please let me know if you would like any additional information about this work. Please refer to my home page for information about industrial contracts and training resources. Please refer to my papers for more complete publication lists.


CINIF/EDF Forensic Analysis of SCADA Devices and Smart Sensors for the UK Civil Nuclear Sector (Phase Three)

US Navy (Office of Naval Research) and the Federal Aviation Administration: Integrating Safety and Cyber-Security in Network Monitoring (Follow on)

Singapore Government, 8th Translational R&D and Innovation Fund (TIF), Epsilon: End to End Protection for Smart Metering Communications Infrastructure within a Local Field Area Network


Scottish Informatics and Computer Science Alliance

CINIF/EDF Forensic Analysis of SCADA Devices and Smart Sensors for the UK Civil Nuclear Sector (Phase Two)

US Navy (Office of Naval Research) and the Federal Aviation Administration: Integrating Safety and Cyber-Security in Network Monitoring


CINIF/EDF Forensic Analysis of SCADA Devices and Smart Sensors for the UK Civil Nuclear Sector (Phase One)

United Nations, Centre of Excellence in the Cyber Security of Chemical, Biological, Radiological and Nuclear Facilities Across Member States


EU EATS project supporting the European Train Control System (ETCS).


European Network and Information Security Agency, Auditing, Incident Reporting Framework and Cyber-Security Strategies


G2014: Games Planning Model as a Living Legacy for the Governance and Implementation of Security Planning for a Sporting Event
European Commission

European Railways Agency: Facilitating the Use of New Approaches in Accident Investigation by National Investigatory Bodies

Strathclyde Police and Scottish Resilience: Social Media to Support Contingency Planning.


EPSRC: EP/1004289/1: Validation of the USAF 8-Step Problem Solving Technique for Software Configuration Management (with Support from NASA, ESA and USAF)

European Railways Agency: A Strategy and Framework for Training European Railway Accident Investigators


EPSRC: G026076/1: Evaluation of Prevention and Protection Activities on Commercial, Public and Heritage Buildings


European Railways Agency: Techniques for Improving Accident and Incident Investigation


BAe Systems CASE Award: Simulating Crowd Responses to Improvised Explosive Devices (IEDs)


US Air Force: Longitudinal Study of US Aviation Accidents (1986-2006)


EC ADVISES Research Training Network


Learning from Incidents Involving Electronic/Programmable Electronic Systems

NASA/ICASE Research 'Fellowship' on Mishap Investigation


Elaboration of Guidelines for Air Traffic Management Occurrence Reporting

Equator: EPSRC Interdisciplinary Research Centre


Communication of Knowledge (about Accidents) from Synthesised Web Sites


Paraglyde: Mobile Information Resources for Anaesthetists

Linking User and System Models to Analyse the Causes of Major Accidents

Principles For The Use Of Formal Notations During Accident Investigations

Temporal And Graphical Primitives For Declarative Graphics: Closing The Gap Between Internal Data Structures And Display Objects

Exploiting Utility And Risk Assessments During The Design of Human-Machine Interfaces

Temporal Aspects of Usability

Using Formal Methods To Derive Requirements From Accident Analyses

European Train Control System - Advanced Testing and Smart Train Positioning System (FP7-TRANSPORT-314219)

For more information, see the project web pages

Currently, European Train Control System (ETCS) rollout is a major concern for train manufacturers and railway infrastructure managers. Equipment for ETCS level 1 and 2 typically follows a long process before being put into service, for two main reasons. First, there are interpretation variations in the specification of the systems' behaviour. Second, available laboratory certification procedures do not completely address all the needs of the system and require long and expensive field-testing. On the other hand, migration from ETCS level 2 to level 3, which maximises railway efficiency, has not yet been foreseen because of technical constraints that current GNSS solutions, based on GPS and EGNOS, cannot overcome. In this context, the EATS project aims to address the two situations described above. On one hand, it will progress beyond the state of the art by providing a model of the complete on-board ERTMS system behaviour to eliminate interpretation differences, and it will add new laboratory tools that capture the dynamic behaviour of the wireless interfaces and apply fault injection techniques to the external and internal interfaces for safety assessment. This will reduce the time and cost of the laboratory and field-testing certification process. In the current economic situation, this is crucial in order to maintain the speed of ETCS deployment.

The Glasgow work focuses on the reliability, safety and security concerns within the project.

European Network and Information Security Agency, Auditing, Incident Reporting Framework and Cyber-Security Strategies (ENISA P/28/11/TCD)

ENISA, the European Network and Information Security Agency, is engaged in several activities with the ultimate objective of collectively evaluating and improving the resilience of public eCommunication networks and services in Europe. In particular, this project supports the implementation of Article 13a of Directive 2009/140/EC of the European Parliament. This calls on member states to ensure that providers of public telecommunication networks and services take appropriate security measures and that these providers notify the competent regulatory authorities of a breach of security or a loss of integrity that has had a significant impact on the operation of networks and services. We will develop an architecture for a Cyber Incident Reporting and Analysis System (CIRAS) that extends 'leading practice' to enable reporting by member states at different levels of infrastructure security maturity. The focus is on supporting National Regulatory Agencies (NRAs) to submit annual summary reports about cyber security incidents and also to contribute information on an ad hoc basis, for instance where incidents have cross-border implications. The overall aim is to support ENISA and the NRAs in meeting the provisions of Article 13a and the implementing framework developed in 13b. It must, therefore, be possible for ENISA to store, manage and analyse patterns across the incidents that are recorded within the CIRAS architecture. This project builds on 'world leading' research in incident and accident reporting.

European Railway Agency: Facilitating the Use of New Approaches in Accident Investigation by National Investigatory Bodies (2011-2012)

In previous projects, we worked with the European Railway Agency and representatives from the National Investigatory Bodies (NIBs) to recommend a number of different accident models that encourage consistency across member states at different levels of safety maturity. This project builds on the expertise developed during the previous work by facilitating the integration of these new methods into the existing good practices currently applied by NIBs. The objectives are to retain the valuable and pragmatic approaches that are already being used by many NIBs, while at the same time promoting innovation and consistency following the Railway Safety Directive (2004/49/EC). The proposal draws upon our unique experience of working for the European Commission in promoting advanced investigatory practices across member states as part of their Strategic Safety Action Plan. This has involved working with investigators to introduce new methods, tools and techniques in more than a dozen member states, including Estonia, Germany, Ireland, Malta, Netherlands, Norway, Portugal, Slovenia, Spain and the UK. In particular, this project has developed a template to assist ERA staff in interviewing investigators across Europe to identify leading practices.

EPSRC EP/1004289/1: Methods for Configuration Management in Safety-Critical Software

This project focussed on the configuration and integration of safety-critical code developed by many different organisations in space-based applications. Configuration management is particularly important in this context because of the increasing need to integrate commercial space operations into the missions developed by NASA and the European Space Agency (ESA). The travel funds supported trips to the NASA Johnson Space Centre and to US Air Force Space Command. It also funded shorter trips to analyse the integration of Satellite Based Augmentation Systems into the next generation of European railway signalling systems. Our work helped to reduce the risks that software failures pose for manned and unmanned systems. We worked with NASA’s engineers and their contractors to consider the challenges posed by the rise of commercial space flight and the end of Shuttle missions. Our techniques supported configuration management for software across multiple platforms. This is of critical importance – for instance, on 2nd March 2011 the International Space Station (ISS) networks simultaneously hosted Europe's ATV, HTV, Russia's Soyuz and Progress and the US Shuttle Discovery. We worked with NASA's International Space Station team to consider the challenges that this creates, especially for future missions when these platforms will be joined by commercial vehicles such as those being developed by SpaceX. The consequences of software failures were reinforced by a joint study with NASA engineers into the problems that led to the simultaneous failure of all six Russian ISS central and terminal computers during mission STS-117.

The reliability of space-based software is critical for the safety of astronauts and cosmonauts onboard the International Space Station. However, satellite systems also provide location and timing data to a host of national critical infrastructures, including the electricity distribution grid, as well as mass market navigation systems. The importance of these systems is likely to increase with the certification of the EGNOS Safety of Life service. The European Commission and ESA have developed this infrastructure to extend the use of GPS to safety-critical systems. Using EGNOS, it is possible to derive estimates of the accuracy of a signal, to estimate the delay before any errors are detected and also to provide guarantees about coverage. In practical terms, EGNOS supports the use of satellite signals to guide aircraft during precision approaches to runways in areas that would not otherwise be able to afford the necessary ground based systems. It can also increase the capacity of railway systems by reducing the space between trains, based on knowledge of the exact location and speed of each locomotive on the network. In this project, we worked with the teams that designed the EGNOS software infrastructures. We developed a range of techniques that enable engineers to communicate the safety arguments that support these systems. In particular, these approaches are intended to help other software developers who are more interested in using the satellite-based signals than they are in understanding the detailed infrastructures. The same techniques can also be used when engineers are not permitted to access the underlying engineering details for commercial or security reasons.

Towards the end of this project, we responded to recent concerns about the vulnerability of satellite based systems. A recent Royal Academy of Engineering report (Thomas, 2011) identified numerous threats to national systems that rely on satellite navigation and timing data. With support from NASA, ESA, the US Air Force and by companies in the UK and Europe we were able to identify the potential impact that security threats might have on the safety arguments that support the latest generation of space-based, critical infrastructures.

European Railway Agency: A Strategy and Framework for Training European Railway Accident Investigators (2010-2011)

This project provided a framework for the training of European Railway Accident Investigators that can be used at different levels of maturity across a European syllabus. We developed an architecture for structuring training materials and delivering content. We also presented two case studies in the application of this framework – one for an introductory module in the principles of railway accident investigation and the second an advanced module on human factors in railway accidents. Three high-level recommendations were made.
Recommendation 1: ERA should develop a web site that catalogues the existing training materials that could be shared between different NIBs. This web site could be structured using the modules identified in Su-Doc 5. This will help to facilitate the sharing and re-use that is a principal objective of the framework advocated in this project.
Recommendation 2: ERA should build on the previous recommendation by identifying elements of Su-Doc 5 that are not presently covered by existing training courses. They should also provide a mechanism for alerting NIBs to other areas where costs could be shared by the cooperative development of training materials.
Recommendation 3: Future ERA projects may develop common assessment forms that could be re-used between member states to provide common feedback on the utility of training materials.

The project also provided a high-level contract for the further development of course materials to support investigator training across member states.

European Railway Agency: Techniques for Improving Accident and Incident Investigation (2008-2009)

Directive 2004/49/EC of the European Parliament and of the Council of 29 April 2004 on safety on the Community's railways establishes the conditions to ensure a high level of railway safety and equal conditions for all railway undertakings. To achieve this goal, every Member State must create a safety authority and an accident investigation body. In order to avoid recurrence and, where possible, to improve railway safety, this accident investigation body should investigate all serious accidents on the railway. These investigation bodies shall, supported by the European Railway Agency, also conduct an active exchange of views and experience for the purpose of developing common investigation methods, drawing up common principles for the follow-up of safety recommendations and adapting to technical and scientific progress. To be able to fulfil this task and to provide structured and useful guidance to the network of National Investigation Bodies, the European Railway Agency needs an inventory of occurrence investigation methods and techniques both within and outside the railway industry. This project evaluated more than 100 tools and techniques for incident and accident investigation against a range of criteria provided by ERA. It then developed a white paper for the integration of more advanced techniques into national investigatory bodies. Further deliverables summarised short-term and long-term requirements for progress in this area across member states. This is important because we can identify some objectives that require further work before they could be supported by appropriate tools. For example, a requirement to analyse the 'safety culture' of organisations involved in an accident is a longer-term goal because there is considerable disagreement over the meaning of this term and also over appropriate metrics for the rail industry.
In contrast, a requirement to build upon existing skills and expertise within an NIB is a short-term requirement for the acceptance of any approach. We also consider the coverage of both short-term and long-term requirements for tools against the different stages of the ERA generic occurrence investigation process model.

US Air Force: Longitudinal Study of US Aviation Accidents (1986-2006)

This grant was made by the European Research Office of the US Air Force and built on initial funding from them for a Workshop on Complexity in Design and Engineering. In contrast, this project was based around a long term collaboration with Michael Holloway at NASA Langley's Research Center. The key objectives were to extend an initial analysis of the causes of aviation accidents documented in NTSB reports. Previous papers had looked narrowly at more recent reports. This study used historical archives to look for longer term trends back to 1986. The aim was to determine whether it was possible to identify any 'bias' towards blaming accidents on either individual human error or on organisational/ regulatory factors.

Analysis Design and Validation of Interactive Safety-critical and Error-tolerant Systems

I am coordinator of the European Commission's ADVISES Research Training Network. This brings together researchers from seven European countries in a three-year project to exchange techniques between human factors and human computer interaction for safety-critical systems. Here is the project home page.

The engineering of interactive, safety-critical systems is an inter-disciplinary endeavour. This creates a number of practical problems for many different industries. Organisations must integrate techniques and methods for many different disciplines. These range from hardware engineering through to human factors and management. The difficulty of achieving such integration stems in part from a mutual ignorance about these complementary disciplines, in part from a lack of methods in certain areas and in part from a failure to effectively integrate existing methods and techniques. We believe that the only way to solve such a problem is to have a tight integration of research contributions from all the disciplines relevant to the problem, namely:

The partners in this research and training network have recognised expertise in each of the areas mentioned above. Our main objective is to provide multi-disciplinary research training that can combat the impact of human error during the design, operation and management of safety-critical, interactive systems. Additionally, the exchange of knowledge, practices, tools and experience between adjacent (but still too distinct) disciplines can lead to the efficient integration of complementary research methods. Ultimately, it is hoped that this will contribute to a new and more unified research agenda for the development of safety-critical, interactive systems.

Learning from Incidents Involving Electronic/Programmable Electronic Systems

HSE/Adelard Project

IEC 61508 is a key standard for both industry and the UK Health and Safety Executive. It sets out the requirements for E/E/PES systems within a generic framework that defines the safety lifecycle and the safety management activities that should be followed. One of these requirements is to learn from the experience of previous failures. In this project, jointly organised between the HSE, Adelard and Bill Black Consulting, we are first interviewing the suppliers and users of electronic programmable systems to identify any existing incident reporting systems. Based on the information gained from this elicitation exercise, we will prepare draft national guidelines for the development of such reporting systems so that companies can benefit from the experience of other operators in this area.

NASA/ICASE Research 'Fellowship' in Mishap Investigation

NASA Langley Research Centre Project

NASA operates several different mishap reporting systems. These range from local applications that are operated by staff in each centre through to the NASA Safety Reporting System that operates across all facilities. This fellowship will investigate techniques to support these and other forms of mishap reporting within NASA. The first strand of work involved a comparative evaluation of mishap investigation and analysis techniques. We focussed on lifecycle support throughout the course of an investigation. The second strand of research was more technical in nature and involved an analysis of the problems that material implication can create when mathematical logic formalisms are used to reason about causation. The third strand of research involved two independent analysts using Leveson's STAMP methodology to analyse the causes of the SOHO mission interruption.

Elaboration of Guidelines for Air Traffic Management Occurrence Reporting


This project is intended to help Air Traffic Management (ATM) providers implement and maintain mandatory and voluntary occurrence reporting systems. The output of this project will be a detailed set of guidelines that European ATM providers can use to achieve the objectives set by EUROCONTROL's ESARR2 requirements. Our work focusses on a number of generic phases that are common across many existing incident reporting systems. Occurrence detection and notification is followed by data acquisition. Data acquisition is followed by occurrence reconstruction. Occurrence reconstruction, in turn, is followed by incident analysis and criticality assessment. Finally, the lessons that can be learnt from an occurrence are fed back to personnel and regulators. Each of these phases is considered in turn and a number of recommended practices are identified.

Equator: EPSRC Interdisciplinary Research Centre

UK EPSRC Grant No.

The Equator project is an EPSRC Interdisciplinary Research Centre involving eight UK academic institutions. The intention is to look beyond existing means of interacting with computing applications. In particular, we wish to exploit mobile and context-aware technologies to tailor the presentation of information to users' changing needs. We are focussing on presenting information about museum artefacts, city spaces, elements of fictional narratives, and objects inside 'virtual world' models of cities and towns. The project web site should be available shortly. Matthew Chalmers coordinates the Glasgow involvement in Equator.

Communication of Knowledge (about Accidents) from Synthesised Web Sites

UK EPSRC Grant No. GR/M98302

Web sites are increasingly replacing the dissemination of accident reports through conventional, paper-based documents. Unfortunately, most investigation authorities have insufficient resources to best exploit the visualisation and presentation opportunities of the new media. They simply provide electronic versions of the text-based document. Occasionally hypertext links are provided within single reports. There are, as yet, no on-line examples of accident reports that contain hypertext links between incidents. This is a significant limitation because many people have argued that designers must have a clear understanding of the common causes of multiple failures if they are to prevent future accidents and incidents. This proposal is predicated on the idea that it is practical to separate, formally, the information content of Web sites from their presentational form and to derive content via automated synthesis. This approach can yield reduced costs and new opportunities to improve the presentation of electronic accident reports.

Chris Johnson,
Department of Computing Science, University of Glasgow.

Dave Robertson (1), John Lee (2), Corin Gurr (2),
(1) Division of Informatics, (2) Human Communication Research Centre, University of Edinburgh.

Paraglyde: Mobile Information Resources for Anaesthetists

UK EPSRC Grant No. GR/M53059

This project is using infra-red and wavelan connections to provide anaesthetists with updated information about their patients as they move around a hospital. In particular, we are focussing on providing integrated support for information retrieval during pre-operative assessments and post-operative care. At the moment, the project team are engaged in a detailed requirements elicitation exercise involving anaesthetists from several local hospitals. For more information, see the project web site.

Martin Gardiner, Phil Gray and Chris Johnson,
Department of Computing Science, University of Glasgow.

Linking User and System Models to Analyse the Causes of Major Accidents

UK EPSRC Grant No. GR/L27800

Summary of the final report

A number of techniques might be used to reason about the causes of operator 'error' during disasters. For instance, user models have been developed to represent the cognitive and perceptual features that characterise interaction with complex systems (Duke, Barnard, Duce and May, 1995). Unfortunately, these models lack some of the precision that is required during accident enquiries that have both legal and regulatory consequences. In contrast, epistemic logics have been proposed as a precise and concise means of representing an individual's beliefs over time (Fagin, Halpern, Moses and Vardi, 1995). The innovative idea behind this proposal is that epistemic logics provide a link between the formal methods of systems engineering and the user models that have been developed in cognitive psychology. No previous attempts have been made to exploit this link or to apply epistemic logics to support accident investigations.

Chris Johnson
Department of Computing Science, University of Glasgow.

Principles For The Use Of Formal Notations During Accident Investigations

UK EPSRC Grant No. GR/K55042

Summary of the final report

Accident reports are intended to ensure that the faults of previous systems are not propagated into future applications. They contain the analysis of many different experts: human factors specialists; control engineers; meteorologists etc. Unfortunately, the insights of these investigators are typically separated into chapters that reflect the concerns and expertise of their authors. This separation creates a number of problems. For instance, critical incidents in one analysis may not appear in other chapters. This makes it difficult to accurately trace the complex interactions that lead to major accidents. This can obscure the fundamental causes of an accident. This project exploits temporal logic to address the problems described above. A formal notation will be used to represent the events leading to major accidents. Executable temporal logics will then be used to animate the formal descriptions. The resulting simulations are intended to provide a focus for further analysis by the various groups involved in accident analyses. The innovative task in this proposal is to move from my previous analytical application of formal methods to develop constructive techniques that support the production of accident reports.

Chris Johnson
Department of Computing Science, University of Glasgow.

Temporal And Graphical Primitives For Declarative Graphics: Closing The Gap Between Internal Data Structures And Display Objects

UK EPSRC Grant No. GR/K69148

Summary of final report.

The generation of complex images requires high levels of skill and expertise. This is partly due to the fact that most graphics programming languages rely upon procedural implementation techniques. Such approaches are far from ideal; programmers must maintain a number of internal data structures in addition to the generating procedures in order to represent the attributes of display objects. An attractive alternative is to take a declarative approach; such as object orientation, functional programming and executable logic. Programmers can construct images in a declarative style without referring to low level sequences of instructions. These approaches simplify the relationship between display objects and their internal representation because there is no distinction between the structures that are used to generate an image and those that are used to record its other attributes.

Unfortunately, many declarative systems force programmers to rely upon an arbitrary set of mechanisms, such as assert and retract or pipeline objects, to implement changes in an image. These features complicate the relationship between the objects on the screen and the internal data structures. This, in turn, increases the burdens upon graphics programmers. I have developed the Prelog environment to avoid this problem. Temporal logic operators minimise the additional data structures that programmers must maintain in order to animate declarative images. Previous work has demonstrated the feasibility of the approach. The innovative task of this proposal is now to develop appropriate graphical and temporal primitives that support general purpose, declarative, graphics programming languages.

Chris Johnson
Department of Computing Science, University of Glasgow.

Temporal Aspects of Usability

UK Joint Council Initiative in HCI and Cognitive Science, Grant No. 9201233

Temporal properties of interaction have a profound impact upon the usability of human computer interfaces. Delays in response time can lead to frustration and error. The simultaneous presentation of many different pieces of information imposes heavy demands upon the cognitive and perceptual resources of system operators. These problems have been investigated by a number of recent research initiatives. Unfortunately, it has been difficult to replicate the results that have been obtained from experimental investigations. This creates significant problems for designers if these results are to guide the future development of interactive systems. The TAU project was set up in 1992 to address the problems of replicating and validating empirical results for temporal usability problems. The project has involved a multi-disciplinary team. Its focus is to develop a simulation environment that would support experimental investigations. This system provides a stable vehicle that could be used by many different research groups. This supports the replication of experimental conditions by avoiding the ad hoc development of many different pieces of software in each of the labs that are investigating this area.

David England, Phil Gray, Steve McGowan, Chris Johnson
Department of Computing Science, University of Glasgow.

Steve Draper and Paddy O'Donnel
Department of Psychology, University of Glasgow.

Exploiting Utility And Risk Assessments During The Design of Human-Machine Interfaces

UK EPSRC Grant No. GR/J07686

Operator error has been cited as a contributory factor in many recent accidents. It is, therefore, surprising that so little work has been done on the integration of human factors techniques within traditional systems engineering. This project is addressing this shortcoming. We are investigating ways in which the products of probabilistic risk assessments can be used to guide and inform the development of human-machine interfaces to safety-critical systems. In particular, we have developed formal specification techniques that can be used to represent and then simulate critical traces of interaction with complex application processes.

Chris Johnson
Department of Computing Science, University of Glasgow.

Michael Harrison and Andy Dearden
Department of Computing Science, University of York.

Using Formal Methods To Derive Requirements From Accident Analyses

EOLAS/British Council Grant No. 9284

Accident reports are intended to ensure that failures do not recur. They contain the analysis of many different experts, including human factors and systems engineers. The insights of these investigators are often separated into chapters that reflect the particular concerns and expertise of their authors. Such a separation often makes it difficult for readers to trace the ways in which human and system 'failures' combine to create the necessary conditions for an accident. This project is exploiting mathematically based modelling techniques to overcome this problem. It is hypothesised that the application of formal notations can be extended from the domain of systems engineering in order to represent the findings of human factors analyses. In particular, it is argued that Timed Petri Nets can be used to represent and reason about the concurrent behaviour of multiple operators and their systems. Tool support can be recruited to validate the resulting nets. The sequences of events leading to an accident can be simulated and shown to human factors and systems engineers. This, in turn, may elicit further observations about the causes of an accident. A near collision analysed by the U.K. Department of Transport's Air Accident Investigations Branch (AAIB) is being used in order to evaluate this approach.

Chris Johnson
Department of Computing Science, University of Glasgow.

Peter Wright
British Aerospace's Dependable Computing Systems Centre,
Department of Computing Science, University of York.

John McCarthy
Applied Psychology Unit, University College Cork, Ireland.

General Information

This page presents an overview of my recent research projects. Please let me know if you would like any additional information about this work.

Chris Johnson -