Results 1 - 10 of 14
A Systems-Theoretic Approach to Safety in Software-Intensive Systems
- IEEE TRANS. DEPENDABLE AND SECURE COMPUTING, 2004
Cited by 13 (0 self)
Traditional accident models were devised to explain losses caused by failures of physical devices in relatively simple systems. They are less useful for explaining accidents in software-intensive systems and for non-technical aspects of safety such as organizational culture and human decision-making. This paper describes how systems theory can be used to form new accident models that better explain system accidents (accidents arising from the interactions among components rather than individual component failure), software-related accidents, and the role of human decision-making. Such models consider the social and technical aspects of systems as one integrated process and may be useful for other emergent system properties such as security. The loss of a Milstar satellite being launched by a Titan/Centaur launch vehicle is used as an illustration of the approach.
A Systems Theoretic Approach to Safety Engineering
- DEPT. OF AERONAUTICS AND ASTRONAUTICS, MASSACHUSETTS INST. OF TECHNOLOGY, 2003
System of Systems Hazard Analysis using Simulation and Machine Learning
- 2006
Cited by 7 (7 self)
In the operation of safety-critical systems, the sequences by which failures can lead to accidents can be many and complex. This is particularly true for the emerging class of systems known as systems of systems, as they are composed of many distributed, heterogeneous and autonomous components. Performing hazard analysis on such systems is challenging, in part because it is difficult to know in advance which of the many observable or measurable features of the system are important for maintaining system safety. Hence there is a need for effective techniques to find causal relationships within these systems. This paper explores the use of machine learning techniques to extract potential causal relationships from simulation models. This is illustrated with a case study of a military system of systems.
Using Agent-based Modelling Approaches to Support the Development of Safety Policy for Systems of Systems
- Proceedings of the 25th International Conference on Computer Safety, Reliability and Security (SAFECOMP ’06), 2006
Cited by 4 (4 self)
A safety policy defines the set of rules that governs the safe interaction of agents operating together as part of a system of systems (SoS). Agent autonomy can give rise to unpredictable, and potentially undesirable, emergent behaviour. Deriving rules of safety policy requires an understanding of the capabilities of an agent as well as how its actions affect the environment and consequently the actions of others. Methods for multi-agent system design can aid in this understanding. Such approaches mention organisational rules. However, there is little discussion about how they are derived. This paper proposes modelling systems according to three viewpoints: an agent viewpoint, a causal viewpoint and a domain viewpoint. The agent viewpoint captures system capabilities and inter-relationships. The causal viewpoint describes the effect an agent’s actions have on its environment as well as inter-agent influences. The domain viewpoint models assumed properties of the operating environment.
Beyond Normal Accidents and High Reliability Organizations: The Need for an Alternative Approach to Safety in Complex Systems
- ESD Symposium, 2004
Cited by 4 (0 self)
Organizational factors play a role in almost all accidents and are a critical part of understanding and preventing them. Two prominent sociological schools of thought have
Incident and Accident Investigation Techniques to Inform Model Based Design of Safety Critical Interactive Systems
- DESIGN, SPECIFICATION AND VERIFICATION OF INTERACTIVE SYSTEMS 2005, 2006
Cited by 3 (1 self)
The quality of the design of an interactive safety-critical system can be enhanced by embedding data and knowledge from past experiences. Traditionally, this involves applying scenarios, usability analysis, or the use of metrics for risk analysis. In this paper, we present an approach that uses the information from incident investigations to inform the development of safety-cases that can, in turn, be used to inform a formal system model, represented using Petri nets and the ICO formalism. The foundations of the approach are first detailed and then exemplified using a fatal mining accident case study.
Applying STAMP to Critical Infrastructure Protection
Cited by 2 (0 self)
risk-based or game theoretic security models rely on assumptions from reliability theory and rational expectations economics that are not applicable for security risks. Additionally, these models suffer from serious deficiencies when they are applied to software-intensive, complex engineering systems. Recent work in the area of system safety engineering has led to the development of a new accident model for system safety that acknowledges the dynamic complexity of accidents. System-Theoretic Accident Models and Processes (STAMP) applies principles from control theory to enforce constraints on hazards and thereby prevent accidents. Appreciating the similarities between safety and security while still acknowledging the differences, this paper introduces the use of STAMP to security problems. In particular, it is applied to identify and mitigate the threats that could emerge in critical infrastructure systems such as the air transportation network. Index Terms—Air transportation, Critical infrastructure,
ENSURING DEPENDABILITY IN SERVICE ORIENTED COMPUTING
Cited by 1 (0 self)
The next generation of energy systems, being dependent on Renewable Energy Resources (RES) and Distributed Generation (DG), will typically be based on flexible virtual cells of cells of balanced power consumption – generation rather than present day vertical hierarchical grid systems. Furthermore, new requirements on the supporting information infrastructure will pose new dependability challenges to the systems involved. Such challenges include management of non-linear dependencies, flexibility, and self*-attributes (e.g., organization, configuration, and repair). As a consequence, we have to decouple present day proprietary hierarchical SCADA systems into sets of services that allow for horizontal as well as vertical integration of services. That is, supporting and ensuring dependable operations and sustainable business models of future virtual utilities. In fact those virtual utilities are integrating two critical infrastructures: power grids and cyber networks. To allow for this flexibility and assure dependability, we argue that the underlying infrastructures will be built upon Service Oriented Architectures (SOA) as exemplified by present day web services and the ongoing developments on GRID computing. We propose in this paper a methodology towards ensuring quality of services in service-oriented critical infrastructures.
Modeling system safety requirements using input/output constraint meta-automata
- In: Proceedings of the 4th International Conference on Systems (ICONS’09), IEEE Computer Society, 2009
Cited by 1 (1 self)
Most recent software related accidents have been system accidents. To validate the absence of system hazards concerning dysfunctional interactions, industrials call for approaches of modeling system safety requirements and interaction constraints among components and with environments (e.g., between humans and machines). This paper proposes a framework based on input/output constraint meta-automata, which restricts system behavior at the meta level. This approach can formally model safe interactions between a system and its environment or among its components. This framework differs from the framework of the traditional model checking. It explicitly separates the tasks of product engineers and safety engineers, and provides a top-down technique for modeling a system with safety
Formalizing safety requirements using controlling automata
- In: Proceedings of the Second International Conference on Dependability (DEPEND’09), IEEE Computer Society, 2009
Cited by 1 (1 self)
Safety is an important element of dependability. It is defined as the absence of accidents. Most accidents involving software-intensive systems have been system accidents, which are caused by unsafe inter-system or inter-component interactions. To validate the absence of system hazards concerning dysfunctional interactions, industrials call for approaches of modeling system safety requirements and interaction constraints among components. This paper proposes such a formalism, namely interface control systems (or shortly C-Systems). An interface C-System is composed of an interface automaton and a controlling automaton, which formalizes safe interactions and restricts system behavior at the meta level. This framework differs from the framework of traditional model checking. It explicitly separates the tasks

