When the wheels are coming off: Safety critical design and GSN- Goal Structured Notation

This resulted in 98 deaths. While safety design considerations are necessary in electronics, vehicles, furniture, toys, medical devices, pharmaceuticals and appliances, it rarely became an engineering discipline itself. One of the primary challenges being building a language for quantifying and communicating “safety” among engineers and operators in the field. 

In 2017, multi million of units of chest drawers were recalled by a famous furniture giant as per the US CPSC, Consumer Protection Safety Commission's website. The reason was tip-over hazard and people especially kids were seriously injured.

ASTM International develops voluntary furniture safety standards, which the U.S. Consumer Product Safety Commission (CPSC) can adopt as mandatory regulations, such as ASTM F2057-23 for clothing storage units, to address hazards like tip-overs and ensure structural integrity, durability, and the minimization of injury risks in furniture design. These standards cover various furniture types, including children's furniture, and involve rigorous testing to assess stability, mechanical hazards, and overall safety performance. 

Everything has units of measure, but it is difficult to communicate how much safe a specific system is under given circumstances. What differentiates between a safe product and a product that can fail unpredictably? However companies and engineers often struggle to understand and quantify safety. It only becomes an afterthought after an incident from a product user. Most safety related aspects don't fall under quality control regime and escape the test and validation cycles. 

So safety becomes an implicit effort with well defined intentionality, that needs to be captured in the PRD, product requirement document itself. Thus safety is a requirement. We will quickly discuss different methods of quantification and then dive into this novel method called GSN, Goal structured notation. 

Quantifying safety means putting a number on how safe something is. It's like giving a "safety score" to a product, a workplace, or a process. There are two main ways to do this: predicting the future before something is used and tracking the past while it's in use. At Azle we are constantly learning and improving our application of ASEE process, born from systems thinking and systems engineering principles. 

The method of predicting the future is applicable to designing things such as hardware, software or a bridge. Engineers can access methods to figure out how safe something will be before it's ever built or sold! They try to calculate the odds of something bad happening by careful technical thinking. 

Quantifying safety involves using quantitative metrics and engineering analysis methods to assign a numerical value (like a probability, a rate, or a cost) to the level of risk or safety within a system, process, or operating environment. These methods fall into two main categories: Probabilistic Risk Assessment (used in engineering design e.g. a drone) and Performance Indicators (used in operational environments e.g. the operational airspace in which the drone is flying). 

These methods are used, especially in complex, safety-critical systems (like aerospace, nuclear, and automotive), to determine the likelihood of a dangerous event. Risk is quantified as:

Risk = Probability (or Frequency) of an Event × Magnitude of Consequence (Severity)

The key techniques used to calculate the "Probability" include:

A. Fault Tree Analysis (FTA) A top-down, deductive graphical method that starts with an undesired top event (e.g., "System failure resulting in explosion"). It then uses Boolean logic (AND/OR gates) to trace all possible combinations of component failures, human errors, and external events that could lead to that top event. Quantification happens by assigning a known or estimated failure probability to each basic component (often expressed as λ, the failure rate per unit time), the FTA mathematically calculates the overall probability of the top event occurring.

B. Event Tree Analysis (ETA) A bottom-up, inductive graphical method that starts with an initiating event (e.g., "Power loss to critical component"). It then models the sequence of subsequent system and safety feature responses, leading to a set of different possible final outcomes (e.g., "Safe shutdown," "Accident," "Catastrophic failure"). ETA uses the probabilities of successful or failed system responses to determine the overall probability of each final outcome.

C. Failure Mode, Effects, and Criticality Analysis (FMECA) This systematic method identifies all potential failure modes (how a component could fail, e.g., 'short circuit'), their effects on the system, and assigns a Severity, Occurrence, and Detection score. The quantification happens by the scores are multiplied to get the Risk Priority Number (RPN). The RPN provides a prioritized, quantified list of risks that need mitigation.

RPN = Severity × Occurrence × Detection

D. System Safety Metrics: These are common quantitative goals used in system design:

• Failure Rate (λ): The frequency with which an item fails (e.g., failures per million hours of operation).

• Mean Time Between Failures (MTBF): The average time a system operates before a failure occurs. This is a measure of reliability.

• Probability of Failure on Demand (PFD): The likelihood that a safety system fails when it is needed (critical for systems that are dormant, like emergency brakes).

• Safety Integrity Level (SIL): A discrete level (1 to 4) of probability of failure for a safety function, used in standards like IEC 61508.

We have seen methods of quantifying safety and using those metrics in product design and field operations. But we have not dwelled into how these are communicated with different stakeholders. 

Goal Structuring Notation (GSN) is a graphical argumentation notation used to visualize and structure arguments, particularly in safety-critical systems. It provides a clear and concise way to show how evidence supports claims, and how those claims contribute to overall safety goals. GSN diagrams facilitate collaboration and review. They can be shared and discussed among stakeholders to ensure consensus on safety arguments. While GNS system is greatly useful in designing an eVTOL aircraft, the merits go beyond aerospace or medial applications. At Azle we deploy GSN themes even for smaller electronics. It is part of our ASEE process.

Goal Structured Notation (GSN) is a way to clearly and formally show that a system is safe or meets some other important requirement. Think of it as a specialized, rigorous argument map for safety-critical systems. It was developed primarily in the UK by researchers at the University of York's High Integrity Systems Engineering group. GSN provides a graphical way to structure and present the arguments, goals, and evidence needed to make a safety case, which is essentially a structured body of evidence that proves a system is safe for use under defined conditions.

Imagine trying to convince a skeptical boss (or a regulator) that a new autonomous car is safe. You wouldn't just say, "Trust me." You'd need to show how you know it's safe. GSN helps you map out that entire convincing process so anyone can follow your logic.

GSN makes the safety argument:

• Explicit: It leaves no doubt about what you are trying to prove.

• Clear: The graphical symbols make the structure easy to follow.

• Complete: It forces you to identify all the evidence you need and all the steps in your reasoning.

• Reviewable: It makes it easy for others to audit and find any potential weak spots.

GSN uses specific shapes (like a flowchart) to represent the different parts of the argument. The main elements are: Goals, Strategies, Solutions or Evidence, Contexts, Assumptions, Justifications. Further these elements are linked using two types of relationships: SupportedBy and InContextOf.

The entire GSN diagram works like a hierarchy:

1. Start with the Top Goal (e.g., "The airplane is safe to fly").

2. Use a Strategy to break that Goal down into smaller, simpler Sub-Goals (e.g., "Prove the wings are safe" AND "Prove the engine is safe" AND "Prove the flight control software is safe").

3. Continue this breakdown until you reach a Sub-Goal that can be directly supported by Evidence (a Solution).

When you look at a GSN diagram, you are tracing the argument from the evidence up to the top claim. If all the evidence is valid, the entire system is proven.

Let's use a very simple example to see GSN in action: proving a new smart toaster is safe.

Top Goal

• G1: The Smart Toaster is safe for domestic use.

Strategy (Breakdown)

• S1: Argue by dividing safety into electrical safety and fire safety.

Sub-Goals

• G2: The toaster presents no electrical shock hazard.

  • Context: C2: Based on the IEC 60335 standard for household appliances.

• G3: The toaster does not pose an undue fire risk.

Supporting Evidence (Solutions)

To support G2 (Electrical Safety), you might link directly to evidence:

• E2: Compliance Certificate from UL Testing Lab.

To support G3 (Fire Risk), you might need another strategy:

• S2: Show that the heating element is thermally regulated and the casing is non-flammable.

This leads to final evidence:

• E3: Thermal Cut-Off Test Report.

• E4: Casing Material Flammability Data Sheet.

In a full GSN diagram, all these boxes would be connected by lines showing the logical relationships (e.g., G1 is supported by S1, S1 decomposes G1 into G2 and G3, etc.). By following every path down to a circle (the evidence), you can be confident that the entire argument holds together. GSN simply provides the map for that confident conclusion.