University of Oxford Logo University of OxfordSoftware Engineering - Home
On Facebook
Facebook
Follow us on twitter
Twitter
Linked in
Linked in
Google plus
Google plus
Digg
Digg
Pinterest
Pinterest
Stumble Upon
Stumble Upon
SCS

Safety Critical Systems

Software has become ubiquitous as the core functional component within systems on which human-life may depend: Automotive; Train control and signalling; Aerospace; Medical devices; Military command and control systems; Nuclear; Industrial control and Infrastructure. Errors and defects in Safety Critical Systems (SCS) may lead to death, serious injury and environmental damage. SCS represent the most critical of all software applications and demand the highest levels of process rigor and integrity in their development. This course will teach students how to design and implement SCS. The course employs the advanced, tools and techniques of modern SCS development: Systems modelling using sysML; verification using NuSMV and implementation using Rust. Additionally, students will learn how to approach management of safety programmes and how to assess, assure and audit SCS.

Course dates

8th June 2026Oxford University Department of Computer Science - Held in the Department15 places remaining.

Objectives

At the end of this course, students will understand the characteristics and properties of Safety Critical Systems; understand the end-to-end process for software development and assurance in this domain; have developed skills in the use of a modern suite of tools (sysML, Rust, NuSMV) and key process activities (Hazard analysis; Safety requirements; Failure analysis and structured, graphical safety argumentation) and recognise safety standards for SCS including IEC 61508, DO-178C/ED-12C, ISO 26262, IEC 62304, EN 50128, IEC 61511

Contents

The course has two main threads:

  1. Design and implementation for safety : The tools, techniques, methods and processes for analysis, designing and building software-based SCS;
  2. Safety assurance : The methods of review, analysis, inspection, testing and checking used to assure that a system is safe and that there is sufficient documented evidence to demonstrate this.

The course is structured around a core case study of a Safety Critical System development. During the course, attendees will analyse, design and implement the system from end-to-end. They will additionally conduct assurance activities for the system development, including the use of model-based, automated verification tools (NuSMV).

In detail, the course contents are as follows:

  • Introduction and course structure: Case studies of major technological disasters;
  • Hazards, accidents, 'safety' and Hazard Identification (HI). Bow-Tie analysis;
  • Workshop: sysML for Model Based Systems Engineering (MBSE);
  • Safety Management Process / Safety programmes;
  • Failure Modes and Effects Analysis (FMEA);
  • Characteristics of the Rust language and why it is suitable in this domain;
  • Workshop : from sysML to Rust: Implementing the case study system in Rust;
  • From safety risks to process: Safety Case; International standards; Concepts of safety and tolerability;
  • Organising teams for safety critical system development and assurance;
  • Generic safety architectures and Software safety techniques;
  • Modelling and verification using NuSMV – including workshop;
  • Markov Models for anomaly detection and availability modelling;
  • Types of Software safety analysis;
  • Critical review of Model Based Software Engineering;
  • Documenting design rationale using the 'Essential Logic Model';
  • Writing Excellent Requirements (Optional : This short session is also included within STE);
  • Threads analysis for complex, real-time systems;
  • Software testing (Introductory session for those who have not attended STE. Testing will also be covered as part of the Rust Workshop);
  • Quality inspection (Fagan Inspection);
  • Safety Critical Real-time Operating systems (Optional - time permitting); and,
  • Psychology of Safety : Why do Engineers make mistakes?

Requirements

Basic competency in one or more modern, high-level languages will be assumed. Prior competency in sysML, Rust and NuSMV is not expected. Some competency in using software development environments is expected (the course will employ Eclipse for sysML and vscode for Rust). Note: It is not an objective for this course to teach the Rust language in total. Neither is any experience of Rust programming a pre-requisite of this course. Nevertheless, a significant central component of the course will be an extended case study that will be executed by attendees in Rust. This will be delivered as a step-by-step tutorial that focusses on a specific SCS implementation rather than a comprehensive / exhaustive tutorial for the language.