System safety: Where next?

System safety is a widely practised discipline that is built on the familiar everyday notions of risk and hazard. There are a number of well-known standards covering the safety of defence systems, railway systems, automotives and aircraft. Central to system safety is the idea of a safety case: a reasoned argument for safety of a system that is based on evidence. However, the concepts on which system safety is built, i.e. risk and hazard, can sometimes be confusing, are often poorly understood and are frequently misapplied in the context of safety engineering for software-intensive systems. In this paper we discuss these matters, and speculate on where system safety might be heading. We describe some common issues with - and desirable attributes of - safety standards and safety cases. We present the idea of a structured document as a means of understanding these issues. We discuss first how the notion of structured document was used in a lightweight way in the Australian Defence standard DEF(AUST)5679, and how the HiVe tool, currently under development at DSTO, offers a more powerful means of building structured documents. We conclude with brief comments on how the notion of hazard could be replaced by that of a safety protocol.