Chris Johnson
  • MA, MSc, DPhil.
  • Professor at University of Glasgow

About

  • Publications: 254
  • Reads: 74,690
  • Citations: 3,296
Current institution
University of Glasgow
Current position
  • Professor
Additional affiliations
October 1994 - present
University of Glasgow
Position
  • Professor of Computing Science

Publications (254)
Article
Full-text available
This paper focuses on the perception of Branford's standardized AcciMap approach as a tool for accident analysis in healthcare. This study further builds on the previous work regarding National Health Service (NHSScotland) clinical safety practitioners' first-time experience in applying the standardized AcciMap approach and discusses its advantages...
Conference Paper
Full-text available
The utilization of Information Technology/software systems is considered a proactive measure for reducing medication errors, providing clinical efficiency and improving patient safety. However this has added a layer of risk that can potentially harm patients and compromise safety. A comparative study using specific accident models; the Human Factor...
Article
In the past, it was not possible to update the underlying software in many industrial control devices. Engineering teams had to “rip and replace” obsolete components. However, the ability to make firmware updates has provided significant benefits to companies who use Programmable Logic Controllers (PLCs), switches, gateways and bridges, as well as...
Conference Paper
Full-text available
Keywords: AcciMaps, Patient Safety, Systemic Models, Risk Management, Accident Models. Summative statement: The AcciMap method was utilized and evaluated by NHS participants based on the survey adapted from a previous study (Underwood et al, 2016). The results obtained indicate the need for further studies on improving the validity and reliability of...
Article
The Bhopal pesticide accident triggered a number of responses from the companies involved, from the Indian government, as well as reforms in the United States. These initiatives reached a range of different conclusions that arguably failed to provide a coherent framework for action around the globe. In other domains, organisations such as the Interna...
Article
Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) applications monitor and control a wide range of safety-related functions. These include energy generation, where failures could have significant, irreversible consequences. They also include the control systems that are used in the manufacture of safety-related p...
Article
Full-text available
Interventions to reduce risk often have an associated cost. In UK industries decisions about risk reduction are made and justified within a shared regulatory framework that requires that risk be reduced as low as reasonably practicable. In health care no such regulatory framework exists, and the practice of making decisions about risk reduction is...
Article
Security incidents can have negative impacts on healthcare organisations and the security of medical records has become a primary concern of the public. However, previous studies showed that organisations had not effectively learned lessons from security incidents. Incident learning as an essential activity in the “follow-up” phase of security inci...
Conference Paper
Full-text available
Weibull distributions can be used to accurately model failure behaviours of a wide range of critical systems such as on-orbit satellite subsystems. Markov chains have been used extensively to model reliability and performance of engineering systems or applications. However, the exponentially distributed sojourn time of Continuous-Time Markov Chains...
Conference Paper
Industrial Control Systems (ICS) and SCADA (Supervisory Control And Data Acquisition) applications monitor and control a wide range of safety-related functions. These include energy generation where failures could have significant, irreversible consequences. They also include the control systems that are used in the manufacture of safety-related pr...
Article
Full-text available
Healthcare organisations are often encouraged to learn from other industries in order to develop proactive and rigorous safety management practices. In the UK safety–critical industries safety cases have been used to provide justification that systems are acceptably safe. There has been growing interest in healthcare in the application of...
Conference Paper
Critical infrastructures must be better protected against challenges to their data communications in the face of increasing numbers of emerging challenges, complexity and society’s demand and intolerance of failures. In this paper, we present a set of challenges and their characteristics by reviewing reported incidents. Using domain specific attrib...
Article
Full-text available
Navigation satellites are a core component of navigation satellite based systems such as GPS, GLONASS and Galileo which provide location and timing information for a variety of uses. Such satellites are designed for operating on orbit to perform tasks and have lifetimes of 10 years or more. Reliability, availability and maintainability (RAM) analys...
Article
Full-text available
Safety is an essential requirement for railway transportation. There are many methods that have been developed to predict, prevent, and mitigate accidents in this context. All of these methods have their own purpose and limitations. This paper presents a new useful analysis technique: timed fault tree analysis. This method extends traditional fault...
Book
This book constitutes the refereed proceedings of the IFIP WG 13.2/13.5 Joint Working Conferences: 6th International Conference on Human-Centered Software Engineering, HCSE 2016, and 8th International Conference on Human Error, Safety, and System Development, HESSD 2016, held in Stockholm, Sweden, in August 2016. The 11 full papers and 14 short pa...
Article
Full-text available
This paper highlights a promising application of the analysis technique of probabilistic verification. We prove that it is able and suitable to analyse GNSS based positioning in aviation sectors for aircraft guidance. In particular, the focus is a widely used formal method called probabilistic model checking, and its generalisation to the analysis...
Conference Paper
Full-text available
The International Civil Aviation Organisation (ICAO) identify an Airprox to be a situation in which, in the opinion of a pilot or air traffic services personnel, the distance between aircraft as well as their relative positions and speed have been such that the safety of the aircraft involved may have been compromised. These are relatively rare eve...
Conference Paper
Many companies must report cyber-incidents to regulatory organisations, including the US Securities and Exchange Commission and the European Network and Information Security Agency. Unfortunately, these security systems have not been integrated with safety reporting schemes. This leads to confusion and inconsistency when, for example a cyber-attack...
Conference Paper
Intrusion detection systems (IDS) provide valuable tools to monitor for, and militate against, the impact of cyber-attacks. However, this paper identifies a range of theoretical and practical concerns when these software systems are integrated into safety-critical applications. Whitelist approaches enumerate the processes that can legitimately expl...
Conference Paper
This workshop focusses on the issues of bringing together several properties to interactive systems. While research in the field of HCI is mainly targeting Usability and user experience (UX), this workshop focusses on Resilience, Reliability and Safety. It is organized by the IFIP Working Group 13.5 on Resilience, Reliability, Safety and Human Er...
Article
Context. The recurrence of past breaches in healthcare showed that security lessons had not been effectively learned across different healthcare organisations. Recent studies have identified the need to improve incident learning and redistribute this knowledge to prevent future attacks. The Generic Security Template (GST) had been proposed to facil...
Article
Full-text available
The increasing use of Electronic Health Records has been mirrored by a similar rise in the number of security incidents where confidential information has inadvertently been disclosed to third parties. These problems have been compounded by an apparent inability to learn from previous violations; similar security incidents have been observed across...
Conference Paper
Full-text available
Cyber exercises are used to simulate cyber incident environments to assess the knowledge and skills of information security personnel. The use of the cyber exercise is extended to assess the readiness of a community against cyber crises and critical information infrastructure incidents. This collaborative cyber exercise involved people from various...
Chapter
Cyber-attacks can have a devastating impact on safety-critical systems. The increasing reliance on mass market Commercial Off-The Shelf (COTS) infrastructures, including Linux and the IP stack, have created vulnerabilities in applications ranging from Air Traffic Management through to Railway signalling and Maritime surveillance. Once a system has...
Conference Paper
Full-text available
This paper highlights an application of probabilistic model checking to satellite positioning systems for aircraft guidance. After introducing our formal approach based on using the PRISM model checker, we built a model of a global navigation satellite system (GNSS) based positioning system for a specific flight in the probabilistic π-calculus, a p...
Conference Paper
This paper illustrates how Situation Awareness measurement techniques can be transferred and adopted to a Cloud Computing network environment, specifically concerning the Intrusion Detection field. Bearing in mind the rise of Cloud Infrastructures and the importance of Cyber Security, this topic is critical. In this paper the relationship between S...
Article
Some states have knowledgeable and competent regulators. Others are less fortunate. The operation and management of safety industries depends upon individuals who are often poorly paid compared to their colleagues in the private sector. In consequence, some regulators lack the experience, motivation and insight needed to guide safety–critical indus...
Conference Paper
Full-text available
The increasing use of Electronic Health Records has been mirrored by a similar rise in the number of security incidents where confidential information has inadvertently been disclosed to third parties. These problems have been compounded by an apparent inability to learn from previous violations; similar security incidents have been observed across...
Conference Paper
Full-text available
Currently, the lessons learned from security incidents are documented by ad hoc means such as lengthy security reports, free-style textual newsletters, emails or informal meetings. This makes it difficult to effectively communicate security lessons among peers and organisations. The diagramming approach such as the Generic Security Template (G...
Conference Paper
Full-text available
Critical infrastructures are organisations that deliver vital services like telecommunication, energy and water suppliers to the community. Today, threats on critical infrastructure vary from natural disasters, technical failures, man-made and cyber-attacks. Any disruption to critical infrastructures could create catastrophic damage. Prot...
Conference Paper
Full-text available
Adverse incidents in the privacy of patients’ medical records can result in multiple negative impacts. Effective mechanisms are needed to communicate the lessons from the incidents into the Information Security Management Systems (ISMS) so as to prevent similar incidents. The Generic Security Template (G.S.T.) has been developed to enhance current...
Article
Full-text available
We sketch a series of studies and experiments designed to provide empirical evidence about the truth or falsity of claims that non-prescriptive approaches to standards demand greater competence from regulators than prescriptive approaches require.
Conference Paper
Full-text available
The number of security incidents is still increasing. The re-occurrence of past breaches shows that lessons have not been effectively learned across different organisations. This illustrates important weaknesses within information security management systems (ISMS). The sharing of recommendations between public and private organisations has, arguab...
Technical Report
Full-text available
Satellites now form a core component for space based systems such as GPS and GLONASS which provide location and timing information for a variety of uses. Such satellites are designed for operating on orbit to perform tasks and have lifetimes of 10 years or more. Reliability, availability and maintainability (RAM) analysis of systems has been indisp...
Conference Paper
Full-text available
Satellites now form a core component for space based systems such as GPS and GLONASS which provide location and timing information for a variety of uses. Such satellites are designed to operate in-orbit and have lifetimes of 10 years or more. Reliability, availability and maintainability (RAM) analysis of these systems has been indispensable in the...
Conference Paper
Social media provides a new and potentially rich source of information for emergency management services. However, extracting the relevant information from such streams poses a number of difficult challenges. In this short paper, we survey emergency management professionals to ascertain how social media is used when responding to incidents, the sea...
Conference Paper
There has been much UbiComp research into motivating people to live a more active and healthy lifestyle with sports. The idea behind these approaches is centered on social and peer effects in enhancing exercise adherence. While research of this kind has been prolific, there has been very little work done to identify factors that embody comfortable an...
Article
We identify four roles that social networking plays in the 'attribution problem', which obscures whether or not cyber-attacks were state-sponsored. First, social networks motivate individuals to participate in Distributed Denial of Service attacks by providing malware and identifying potential targets. Second, attackers use an individual's social n...
Article
Communications and information technologies play an increasingly important role both within and between national critical infrastructures. From the food that we eat to the water that we drink, to the energy that we use across all modes of transportation to the systems that protect us when we travel in those systems; we rely on information infrastru...
Chapter
A range of common software components are gradually being integrated into the infrastructures that support safety critical systems. These include network management tools, operating systems especially Linux, Voice Over IP (VOIP) communications technologies, and satellite based augmentation systems for navigation/timing data etc. The increasing use...
Conference Paper
Full-text available
Accident reports play a key role in the safety of complex systems. These reports present the recommendations that are intended to help avoid any recurrence of past failures. However, the value of these findings depends upon the causal analysis that helps to identify the reasons why an accident occurred. Various techniques have been developed to hel...
Conference Paper
Full-text available
Numerous data breach incidents have been reported in recent years and there is a continuing requirement to protect patient and clinician confidentiality. However, the diversity of security products, tools and techniques in the market place make it very hard for management to ensure that they have implemented coherent countermeasures to meet organis...
Article
Full-text available
This article aims to demonstrate computational synthesis of Web-based experiments in undertaking experimentation on relationships among the participants' design preference, rationale, and cognitive test performance. The exemplified experiments were computationally synthesised, including the websites as materials, experiment protocols as methods, an...
Conference Paper
Systematic network monitoring can be the cornerstone for the dependable operation of safety-critical distributed systems. In this paper, we present our vision for informed anomaly detection through network monitoring and resilience measurements to increase the operators' visibility of ATM communication networks. We raise the question of how to dete...
Article
Space missions require significant investments to develop and sustain the underlying engineering infrastructures. Assuring mission success (Return-On-Investment) also depends upon investments in the training that supports closer integration between flight crews and ground teams. However, economic and fiscal pressures are forcing many governments t...
Article
Space-based systems play an important role within national critical infrastructures. They are being integrated into advanced air-traffic management applications, rail signalling systems, energy distribution software etc. Unfortunately, the end users of communications, location sensing and timing applications often fail to understand that these infr...
Conference Paper
Full-text available
The Crisees demonstrator is a service that aggregates and collects social media streams to support Crisis Management.
Conference Paper
Effective crisis communications play a vital role in increasing the resilience of communities against natural or man-made disasters. Warning and informing affected citizens is a crucial safety-critical process with the aim to raise public awareness prior to an event, or when one is imminent. This process has traditionally been facilitated through b...
Conference Paper
Malware poses a growing threat to a host of safety-critical systems that depend on common software components, including the Linux operating system and the Internet Protocol (IP). Threats include 'mass market' malware that is not deliberately aimed at safety-related systems. They also include more sophisticated techniques exploited by W32.Stuxnet,...
Article
Public and private organisations are investing increasing amounts into the development of healthcare software. These applications are perceived to offer numerous benefits. Software systems can improve the exchange of information between healthcare facilities. They support standardized procedures that can help to increase consistency between differe...
Article
Satellite-based location and timing systems support a wide range of mass market applications, typically using the GPS infrastructure. Until recently, these applications could not be used within safety-critical interfaces. Limits to the accuracy, availability, integrity and continuity of the space-based signals prevented regulatory agencies from cer...
Conference Paper
Full-text available
The increasing complexity of safety-critical applications has led to the introduction of decision support tools in the transportation and process industries. Automation has also been introduced to support operator intervention in safety-critical applications. These innovations help reduce overall operator workload, and filter application data to ma...
Conference Paper
Full-text available
In previous papers, we asserted that software system safety is primarily concerned with epistemic questions, that is, questions concerning knowledge and the degree of confidence that can be placed in that knowledge. We also enumerated a set of 21 foundational epistemic questions, discussed some of the difficulties that exist in answering these ques...
Conference Paper
Concerns over accuracy, availability, integrity, and continuity have limited the integration of Global Positioning System (GPS) and Global Navigation Satellite System (GLONASS) for safety-critical applications. More recent augmentation systems, such as the European Geostationary Navigation Overlay Service (EGNOS) and the North American Wide Area Au...
Conference Paper
Full-text available
In an ideal world, conversations about whether a particular system is safe, or whether a particular method or tool enhances safety, would be emotion-free discussions concentrating on the level of safety required, available evidence, and coherent logical, mathematical, or scientific arguments based on that evidence. In the real world, discussions ab...
Conference Paper
Governments across Europe and North America have recently reviewed the ways in which they provide both the public and their own departments with access to electronic data. Information service architectures have been proposed as one important component of the new e-Governance visions. These web-based technologies offer huge benefits by defining comm...
Conference Paper
Unmanned Airborne Systems (UAS) offer significant benefits for long duration missions. They can also be used in situations where it is inappropriate to expose aircrew to increased levels of risk. Partly in consequence, they continue to experience accident rates that are significantly higher than those for most conventional aircraft. It can also be...
Chapter
Full-text available
This paper analyzes a range of incidents involving team-based interaction with safety-critical programmable systems. The incidents were submitted to NASA’s Aviation Safety Reporting System (ASRS) and to the UK Marine Accident Investigation Branch (MAIB) between December 2001 and February 2003. Our results show that incidents, which complicated the...
Conference Paper
President Obama has recently announced an additional $50 billion to support the development of healthcare informatics and electronic patient records systems. Public attention has, therefore, focused on ensuring that such investments do not suffer from the failures that have jeopardised patient safety in previous large-scale software procurements. T...
Conference Paper
Full-text available
For any software system upon which lives depend, the most important question one can ask about it is, ‘How do we know the system is safe?’ Despite the critical importance of this question, no widely accepted, generally applicable answer exists. Instead, debate continues to rage over the question, with theorists and practitioners quarrelling with ea...
Article
Full-text available
This paper argues that a 'systemic' approach can help to address the threat to public safety from Improvised Explosive Devices (IEDs). Rather than focusing narrowly on electronic counter-measures or on the detection of disaffected groups before an incident, we have argued that security agencies should look across all stages of the IED traject...
Article
The pioneering work of Rasmussen, Reason and their colleagues has greatly improved our understanding of the longer term causes of adverse events in safety-critical systems. Far less attention has been paid to the organisational decision making that characterises the response to accidents and incidents. Therefore, this paper examines the interventio...
Article
Full-text available
This paper presents the initial results from a study into the interaction between safety culture and degraded modes of operation in European Air Traffic Management (ATM). Degraded modes occur when operators struggle to maintain levels of service even though key elements of their infrastructure have failed. Safety culture can be simply described as...
Article
Full-text available
Software simulations have been widely used to model evacuations from fire but very few have been used to analyse a wider range of hazards, including terrorist attacks. The following pages describe how one group of evacuation simulations has been extended to support the risk assessments that drive counter terrorism. Two key areas are discussed; ch...
Article
The World Health Organization (WHO) estimate that road traffic accidents represent the third leading cause of ‘death and disease’ worldwide. Many countries have, therefore, launched safety campaigns that are intended to reduce road traffic accidents by increasing public awareness. In almost every case, however, a reduction in the total number of f...
Conference Paper
Terrorist attacks, for example in Madrid and London, have increased concern over the threat that Improvised Explosive Devices (IEDs) pose to public safety. Insurgent groups in Iraq and Afghanistan have developed relatively sophisticated tactics, including the use of synchronised attacks with multiple devices that have not yet been witnessed in Euro...
Conference Paper
Unmanned airborne vehicles (UAVs) provide significant operational benefits to many military organisations. At present, however, most systems lack the reliability of conventional air support. This imposes considerable demands on the teams that must operate and maintain UAVs. It also creates considerable risks for the units that must retrieve these v...
Conference Paper
Risk assessment has been advocated as a principal means of improving military safety. For instance, the US Army's Composite Risk Management urges personnel to assess the likelihood and consequences of potential hazards before making strategic, tactical and operational decisions. The British army advocates risk assessment to guide both tactical plan...
Conference Paper
Full-text available
This paper describes five loss of control accidents involving commercial aircraft, and derives from those accidents three principles to consider when developing a potential safety case for an advanced flight control system for commercial aircraft. One, among the foundational evidence needed to support a safety case is the availability to the contro...
Conference Paper
Full-text available
Previous terrorist attacks, system failures and natural disasters have revealed the problems that many States face in preparing for national civil contingencies. The diversity of critical infrastructures and the interconnections between different systems makes it difficult for planners to 'think of everything'. For example, the loss of power distri...
Conference Paper
Full-text available
Previous terrorist attacks, infrastructure failures and natural disasters have revealed the problems that states face in preparing for civil contingencies. One aspect of this is that the agencies which typically coordinate the protection of critical infrastructures have a national responsibility. However, the impact of particular failures is often...
Article
Full-text available
Incident reporting systems can be used to detect problems before they result in an accident. They can also be used to strengthen the defences that lead to the detection and resolution of potential problems. There are also significant limitations. For instance, it is difficult to support long-term participation from all elements of a workforce. In s...
Article
Recent rail accidents in the UK have focussed public attention on the role that companies play in the causes of incidents and accidents. Partly in response, the Westminster parliament has published proposals to change the legislation on corporate manslaughter. Previous incidents have had a similar impact in other countries. For example, the 2006 mi...
Article
In July 2005, London was awarded the right to host the 2012 olympic and paralympic games. The decision of the International Olympic Committee triggered considerable public enthusiasm across the UK. At the same time, it also created a host of logistical and technical challenges. Amongst these the first concern is to ensure the safety and security of...
Article
Full-text available
There has been a rapid increase in the complexity and integration of many safety-critical systems. In consequence, it is becoming increasingly difficult to identify the causes of incidents and accidents back through the complex interactions that lead to an adverse event. At the same time, there is a growing appreciation of the need to consider a br...
Conference Paper
Many research teams have developed mobile computing architectures to support the emergency and rescue services in a range of civil contingencies. These proposals are based on innovative technologies and show considerable creativity in the design of their user interfaces. In contrast, this paper presents lessons learned from the 2007 UK floods. Mob...
Article
Full-text available
The Global Positioning System (GPS) uses a network of orbiting and geostationary satellites to calculate the position of a receiver over time. This technology has revolutionised a wide range of safety-critical industries and leisure applications ranging from commercial fisheries through to mountain running. These systems provide diverse benefits; s...
Article
Full-text available
In April 2006, an Unmanned Aerial Vehicle crashed near Nogales, Arizona. This incident is of interest because it triggered one of the most sustained studies into the causes of failure involving such a vehicle. The National Transportation Safety Board together with the US Customs and Border Protection agency under the Department of Homeland Security...
Article
Full-text available
Unmanned Airborne Vehicles (UAVs) provide significant operational benefits to many different military organisations. At present, however, most systems lack the reliability of conventional air support. This imposes considerable demands on the teams that must operate and maintain UAVs. It also creates considerable risks for the units that must retrie...
Conference Paper
This paper uses recent accidents and incidents to identify the systemic causes of fatigue in military operations. At a strategic and tactical level, it is argued that inadequate risk assessments and a lack of 'joined up' planning often leave soldiers in situations where they are likely to make errors of commission and omission. At an operational le...
Conference Paper
Full-text available
Degraded modes of operation occur when technological systems fail to meet the levels of service that are expected by staff and managers. Over time, operators develop 'work arounds' that help them to cope with these degraded modes. This has led to a culture of 'making do' where co-workers try their best to maintain service provision in spite of syst...
Conference Paper
Full-text available
On 1 August 2005, a Boeing Company 777-200 aircraft, operating on an international passenger flight from Australia to Malaysia, was involved in a significant upset event while flying on autopilot. The Australian Transport Safety Bureau's investigation into the event discovered that "an anomaly existed in the component software hierarchy that allowe...
Conference Paper
Full-text available
In the early years of powered flight, the National Advisory Committee on Aeronautics in the United States produced three reports describing a "method of analysis of aircraft accidents". The first report was published in 1928; the second, which was a revision of the first, was published in 1930; and the third, which was a revision and update of the...
Article
Failures in national and international infrastructures have causes that stretch well beyond the specific events that trigger an accident or incident. The following pages argue that these latent causes can be traced back through the decisions of local management teams to higher-levels of public policy. For example, the 2003 blackout of areas in Cana...
Conference Paper
While a significant effort is currently being undertaken by the CHI community in order to apply and extend current usability evaluation techniques to new kinds of interaction techniques very little has been done to improve the reliability of software offering these kinds of interaction techniques. As these new interaction techniques are currently m...
Chapter
Full-text available
Accident reports provide important insights into the causes and contributory factors leading to particular adverse events. In contrast, this paper provides an analysis that extends across the findings presented over ten years investigations into maritime accidents by both the US National Transportation Safety Board (NTSB) and Canadian Transportatio...
Article
On the 14th August 2003, a complex combination of immediate events and longer term vulnerabilities led to a domino-effect in which 50 million people had their power supplies interrupted. Consequent losses were between $5-10 billion. It is, therefore, one of the most serious disruptions to a national power distribution network. The causes of this in...
Article
Full-text available
This paper charts the role that 'degraded modes of operation' have played in a number of recent accidents and incidents in European Air Traffic Management. A central aim of this analysis is to identify and begin to understand why teams of co-workers continue to operate safety critical systems even when key elements of their technological infrastruc...
Article
Full-text available
There has been a rapid increase in the complexity and integration of many safety-critical systems. In consequence, it is becoming increasingly difficult to identify the causes of incidents and accidents back through the complex interactions that lead up to an adverse event. At the same time, there is a growing appreciation of the need to consider a...
Article
Full-text available
On the 28th September 2003, a blackout affected more than 56 million people across Italy and areas of Switzerland. Estimates vary for the number of fatalities that were directly related to the loss of power. 30,000 people were trapped on trains. Several hundred passengers were stranded on underground transit systems. There were significant knock-o...