Safety Information Management is a complex and difficult task.
Developing a safety-critical system requires managing large quantities of information describing the system’s hazards, risks and safety features. “SafeML” is a new modeling language Geoffrey Biggs from AIST created to make it easier to manage safety information.
Geoffrey Biggs – Robot innovation researcher at AIST, Japan
His research straddles the related areas of software development tools, processes, and architectures, and development of safety-critical systems (specifically, service robots). See his profile, research, publications and more
So now I’m going onto part2 where I’m going to talk about SafeML specifically.
This slide shows a single diagram from very large sample model of a robot wheelchair.
So, the goal of this robot is to safely convey users around the town. This one diagram shows all the safety information related to one particular hazard present when using the robot wheelchair, and it includes also the function of safety features that protect against that hazard. This is sort of view of a model that a safety engineer might use when creating a safety model.
So on next slide, I have extracted just one part of that diagram to show the safety information relating directly to the hazard itself.
This shows that hazard in the top left and the harm that it may cause in bottom left. Connecting those is what we call “HarmContext” which is a special association class.
This harm context defines the hazardous situation where the hazardous event has to occur for the hazard to cause harm. This is because of SafeML, hazards are always present but harms are only caused under specific circumstances.
So now I am going to explain what I mean by all these terms which are: “Hazard, harms and contexts” in SafeML.
SafeML Concept – “1. Hazard”
First I am going to talk about Hazards. Hazard is a potential source of harm in a system.
So for example, if we have a moving car that includes hazards of high speed motion, hazards are always ever-present in the system. They often inherit for the systems function.
So if you look at a car, it has to move in order to be useful, that means motion hazard is always going to be present. We can’t get rid of it.
SafeML Concept – “2. Harm”
Harms are quiet easy to understand, that simply something happens to injure the person or environment.
For example, if you have a car crash and it injures the driver, that’s the harm that injuries to the driver. But how do we get from the hazards to harm?
This is where we use “context” or “harm context” in a case of SafeML.
SafeML Concept – “3. Harm Context”
Harm Context is the circumstances which cause people or property to be exposed to one or more hazards. And therefore, harm to be caused.
In our example case, the context is a car crashing into a tree. So context is very very important in SafeML. Without it, it is impossible for hazard to cause harm need to have some kind of context, some kind of hazardous situation that can allow the harm to occur.
So SafeML includes various elements dealing with Hazards, Harms and Harm Contexts.
Elements – “1. Hazard”
The first is the hazard element. So this is a simple element that represents a hazard in the system.
This element itself usually just carries a name but is related to various parts of the system that give rise to the hazard.
For example, it can be related to requirements that say, for example, require a car to move or could relate to using specific components in a system. For example if your system uses a hazardous chemical during its procedure, then the hazard chemical would lead to a hazard in the system. These hazardous sources are found during safety analysis and then modeled in SafeML and SysML.
Elements – “2. Harm”
The next element is the “harm”. This is also a simple element. Merely specifying the harm that may be caused. It is not issue related to any of the elements in the system model directly but only related to the harm the hazard that causes it.
Elements – “3. Harm Context”
Finally we have the association class called the “Harm Contexts”. This is a very important element in SafeML because this is what models the relationship between a hazard and a harm that allows harms to be caused.
Because it’s an association class, it directly describes the relationship between one hazard and one harm. And this is important because it is always a singular relationship in that we always have a specific hazardous situation causes specific harm from specific hazard.
So next time I am going to talk about safety features.
Safety features are features of our system that use to provide safety. They do this either by mitigating harm that may be caused when a hazardous situation arises or by preventing a hazardous situation from arising altogether.
Our safety features are assistive and they detect when hazardous situation arises and then activate other safety features to mitigate harm. The safety features that directly provide safety we called “defenses” and defenses are divided into two types. They are active defenses and passive defenses.
Active defenses are defenses that must be activated in order to be used. For example, the breaks of the car must be activated before they can provide safety. And passive defenses are defenses that are constantly providing safety just by existing. For example, the buffer zone at the front of a car provides safety from a collision for the driver and passengers just by existing in the car’s design. It does not require activating to be used. This distinction between activation and non-activation is important for whether you need to have detectors which are used to decide when to activate safety features.
SafeML represents defenses using active defense and passive defense elements. These elements represent a safety feature in the design that is used to provide safety. Defenses are related to the harm contexts because they’re tied to the hazard which is always present in a system. A defense targets a hazardous situation that allows harms to be caused either by trying to prevent that hazardous situation from occurring or to mitigate the harm that may be caused when the hazardous situation does occur.
We also have monitoring systems or detectors. We use these to determine when we should activate active defenses these are very important. Because if you don’t know when to activate your safety feature, it cannot provide the safety at the critical moment. And what these do is that they detect when hazardous situation is arising and activate the related active defenses in SafeML. These are represented by the context detector element which is related to harm context that it detects.
This indicates a feature that are used in the system to detect the status of the system and determine when it is in a hazardous situation.
So today that’s all I’m going to talk about and next time I am going to show you an example producing single diagrams for SafeML model and will talk a little bit about tools.