%!
%-12345X@PJL JOB NAME="Microsoft Word - tr-00-13.doc"
@PJL SET RET=ON
@PJL SET DUPLEX=ON
@PJL SET BINDING=LONGEDGE
@PJL SET ECONOMODE=OFF
@PJL SET OUTBIN=UPPER
@PJL SET PAGEPROTECT=AUTO
@PJL SET PAPER=A4
@PJL SET RESOLUTION=600
@PJL SET BITSPERPIXEL=2
@PJL ENTER LANGUAGE=PCLXL
) HP-PCL XL;2;0;Comment Copyright Hewlett-Packard Company 1989-1998. Version 4.0.0.0
ÑXXø‰À ø†ÀøAÀ øˆÀø‚HÀ ø(Àø&Àø%CtÓd d ø*uÃ  ø)vÕ  €?  €?ø+wÀ øNpÁ øKzÀøjÀ ø	yÀøjÀ ø	cÀøTã  Î ˜—øBÀ øShÀüø,{…ÈÁ TimesNewRmn   Bdø¨Å  ÈBø¦ÁuøªoÓ|ŒøLkÈÁ% SOFTWARE VERIFICATION RESEARCH CENTREø«ÈÁ% :Q?FfKJFJFJ*?*JKE)QKJF:FJKJQJEKEKFø¯¨…ÓuøLkÈÁ  SCHOOL OF INFORMATION TECHNOLOGYø«ÈÁ  ;JPQPEQ?*K?QK`JF)QJEEKPKPEQPKø¯¨…Ó¿_øLkÈÁ THE UNIVERSITY OF QUEENSLANDø«ÈÁ EQEKJ*JFJ:)FKQ?QKEEJ;EKKKø¯¨…ÓÌ½øLkÈÁ Queensland 4072ø«ÈÁ P;/.;)4::4545ø¯¨…Óx0øLkÈÁ	 Australiaø«ÈÁ	 K:*$.55ø¯¨…Ó,ïøLkÈÁ TECHNICAL REPORTø«ÈÁ EFJQK)KJFKF?PKFø¯¨…ÓvøLkÈÁ	 No. 00-13ø«ÈÁ	 K545$45ø¯¨…Ó³øLkÈÁ1 A Comparison of MIL-STD 882C and MIL-STD 882D forø«ÈÁ1 HH3R82,'282"^'C!8CH222H288^'C!7CH222H"2,ø¯¨…Óí’øLkÈÁ Australian Defence Acquisitionø«ÈÁ H8'!,228H,",8,,H,88'!28ø¯¨…ÓiëøLkÈÁ Brenton Atchison, Peter Lindsayø«ÈÁ F/.;#5:K#/:*4:?/$/.E:;)55ø¯¨…ÓOÑøLkÈÁ April, 2000ø«ÈÁ K;.4545ø¯¨…Ó8õøLkÈÁ Phone: +61 7 3365 1003ø«ÈÁ ?;4;/$<45554544555ø¯¨…ÓphøLkÈÁ Fax: +61 7 3365 1533ø«ÈÁ ?55$<45554544545ø¯¨Á ø1DÀ ø(Àø%CÁ ø1DÀ ø(Àø%CtÓd d ø*uÃ  ø)vÕ  €?  €?ø+wÀ øNpÁ øKzÀøjÀ ø	yÀøjÀ ø	cÀøTã  Î ˜—øBÀ øShÀüø,{…ÈÁ TimesNewRmn     ø¨Å  ¦Bø¦ÁuøªoÓ’¨øLkÈÁG Produced under contract CA38809 with the Australian Defence Acquisitionø«ÈÁG /)*)%%*))*%%*)%%8;*****:))%<) %&)<&&)%%;%*)!*)ø¯¨…Ó’øLkÈÁ9 Organisation, Directorate of Software Acquisition Reform.ø«ÈÁ9 <)%) %*)=%%*%%*.*;%%;%*) +)7&*?ø¯¨…ÈÁ TimesNewRmn   Bdø¨Å  ¦Bø¦ÁuøªoÓ’møLkÈÁ Note: ø«ÈÁ <*%ø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¦Bø¦ÁuøªoÓjmøLkÈÁ- Most SVRC technical reports are available viaø«ÈÁ- J* .<77%&)*%%%** %%%)%%*%)%ø¯¨…Ó’ÍøLkÈÁ6 anonymous FTP, from svrc.it.uq.edu.au in the directoryø«ÈÁ6 %)**)@+) .4/*? )%)*%+)%)))%*%%*(ø¯¨…Ó’-øLkÈÁ
 /pub/SVRC/ø«ÈÁ
 *)*.<87ø¯¨…Ó--øLkÈÁ& techreports.  Abstracts and compressedø«ÈÁ& %&)%** ;* %% %)*%+?*%  %*ø¯¨…Ó’ŒøLkÈÁ< postscript files are available via http://svrc.it.uq.edu.au.ø«ÈÁ< **  %*% %%%)&%*%)%)* )%)*%*)%)ø¯¨Á ø1DÀ ø(Àø%CÁ ø1DÀ ø(Àø%CtÓd d ø*uÃ  ø)vÕ  €?  €?ø+wÀ øNpÁ øKzÀøjÀ ø	yÀøjÀ ø	cÀøTã  Î ˜—øBÀ øShÀüø,{…ÈÁ TimesNewRmn     ø¨Å  ¦Bø¦ÁuøªoÓÊöøLkÈÁ 1ø«ÈÁ *ø¯¨…ÈÁ TimesNewRmn     ø¨Å  úBø¦ÁuøªoÓî€øLkÈÁ< A Comparison of MIL-STD 882C and MIL-STD 882D for Australianø«ÈÁ< ZS@`?7*#1???*o*L*FLZ?>?S7??o*L*FLZ?>?Z*>*Z?1"*7##7?ø¯¨…ÈÁ TimesNewRmn     ø¨Å  êBø¦ÁuøªoÓá	øLkÈÁ Defence Acquisitionø«ÈÁ T4'4;44T3:; . ! :;ø¯¨…ÈÁ TimesNewRmn     ø¨Å  ØBø¦ÁuøªoÓž¨øLkÈÁ" Brenton Atchison, Peter A. Lindsayø«ÈÁ" H$0666N06*66<00$OB66*23ø¯¨…ÓF¡øLkÈÁ9 Software Verification Research Centre, School of Computerø«ÈÁ9 <6%N0$0N0$%0066H0*00%06H06%0<06766%H7S660%ø¯¨…ÓøLkÈÁ= Science and Electrical Engineering, University of Queensland,ø«ÈÁ= <00600066B00$00B66610$66O660$* 46%N6006*067ø¯¨…Ó›	šøLkÈÁ	 Australiaø«ÈÁ	 N6*$00ø¯¨…Ó‚	øLkÈÁ email: {brenton, pal}@ø«ÈÁ 0S146$0666605cø¯¨…Ó|	øLkÈÁ svrc.uq.edu.auø«ÈÁ *7$06607606ø¯¨…ÈÁ TimesNewRmn   Bdø¨Å  ÈBø¦ÁuøªoÓ~	–
øLkÈÁ Abstractø«ÈÁ H8'!,2,!ø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¦Bø¦ÁuøªoÓR/øLkÈÁQ This report compares the use of the system safety standard MIL-STD 882C with MIL-ø«ÈÁQ 4) %**$*?*%% )%* %*)% !) &@  &%)  &)*%* J2.4< ***7!:) J3ø¯¨…ÓR“øLkÈÁU STD 882D for the use of Australian Defence Acquisition. It summarises the differencesø«ÈÁU .4<*)*<*)%) %*<)!%%)<&&)%%;%*) *)!*A@% % )%*%&)%% ø¯¨…ÓR÷øLkÈÁR between the standards and examines the implications of the transition from MIL-STDø«ÈÁR *%:%&)#)%$ %)*%* #%)*#&)%@)& $)%$@*%%+) $*$)%$%* +)$+?$J3.4<ø¯¨…ÓR[øLkÈÁK 882C to MIL-STD 882D in the Australian Defence Acquisition environment. Theø«ÈÁK ***72*2J2.4<2***<2)2)%2<* %%)2<&&)%%3;%*) *)2&*)**@%*24)%ø¯¨…ÓR¿øLkÈÁT conclusion drawn is that the approach taken by MIL-STD-882D relies on an acquisitionø«ÈÁT %*)%* *)*&;) )%)%%***%%)%)&)+(J3.4<***<%% *)%)%%+) *)ø¯¨…ÓR#øLkÈÁ[ environment that may not transfer to Australian conditions and that additional controls areø«ÈÁ[ %))+*?&))%@&()*%)!%*;* %&)%*)*** %)*)%%***)%%*)* %%ø¯¨…ÓR‡øLkÈÁ+ required to apply MIL-STD 882D effectively.ø«ÈÁ+ %*)%**%)*(J3.4<***<%%%)&(ø¯¨…ÈÁ TimesNewRmn   Bdø¨Å  ¦Bø¦ÁuøªoÓRJøLkÈÁ	 Keywords:ø«ÈÁ	 A%*<*%. ø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¦Bø¦ÁuøªoÓ×JøLkÈÁ  system safety engineering, ø«ÈÁ !( &@ &%)&)))%%))ø¯¨…Óv	JøLkÈÁ defence acquisitionø«ÈÁ *%&)%%%%*) +)ø¯¨…ÈÁ TimesNewRmn   Bdø¨Å  ÈBø¦ÁuøªoÓ‘!øLkÈÁ 1ø«ÈÁ 2ø¯¨…ÈÁ Arial         Bdø¨Å  ÈBø¦ÁuøªoÓÃ!øLkÈÁ  ø«ÈÁ ‚ø¯¨…ÈÁ TimesNewRmn   Bdø¨Å  ÈBø¦ÁuøªoÓE!øLkÈÁ Introductionø«ÈÁ '8!,288,!28ø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¸Bø¦ÁuøªoÓ‘ËøLkÈÁ# US military standard MIL-STD-882C [ø«ÈÁ# B3F)-#).-).R939C...= ø¯¨…ÓTËøLkÈÁ 2ø«ÈÁ .ø¯¨…Ó‚ËøLkÈÁ8 ] is currently the most commonly used safety standard inø«ÈÁ8  # ).)-- -) F.$ ).GF..- .$). $()- #).-)..ø¯¨…Ó‘6øLkÈÁB Australian Defence acquisition. A revised standard, MIL-STD-882D [ø«ÈÁB B.$)).B()-))()..$..B)-$).#)-.).R939C...Bø¯¨…ÓŸ6øLkÈÁ 3ø«ÈÁ .ø¯¨…ÓÍ6øLkÈÁ ], has recently been released.ø«ÈÁ -)$)))--.().)()$(.ø¯¨…Ó‘ŸøLkÈÁc The purpose of this report is to describe the differences between the two standards, and to discussø«ÈÁc 9.(....$)..$)..#..)#).).).()-))$-)B()..)B.$)..(.$)...-$(.$$ø¯¨…Ó‘øLkÈÁO the implications should MIL-STD-882D be used in Australian Defence acquisition.ø«ÈÁO .)F.)(-.$$-..-R939C...B.).$)..B.#)).B()-))()..$..ø¯¨…Ó‘«øLkÈÁB An overview of the content of MIL-STD-882D is provided in Section ø«ÈÁB B..-)-)B.-)).-)--R939B...B$..-.)..3)(..ø¯¨…Ó»«øLkÈÁ 2ø«ÈÁ .ø¯¨…Óé«øLkÈÁ  and a summary of the mainø«ÈÁ (..)$.FG)-..)F).ø¯¨…Ó‘øLkÈÁ= differences between the two standards is provided in Section ø«ÈÁ= .)).()$.(B)(.-)B.$(..(.$$-.-.)..3)(..ø¯¨…ÓcøLkÈÁ 3ø«ÈÁ .ø¯¨…Ó‘øLkÈÁ
 . Section ø«ÈÁ
 2)(.-ø¯¨…ÓêøLkÈÁ 4ø«ÈÁ .ø¯¨…ÓøLkÈÁ  considers the likely use ofø«ÈÁ ).-$-)$-)-)-.$)-ø¯¨…Ó‘øLkÈÁZ MIL-STD-882D in the United States and issues of acquisition of Non-Development Systems areø«ÈÁZ R939B...B".#.)#B.)-#3(($#).."#$.)$".#()..$..#-#B..B*-)..F).#3-$)F$#))ø¯¨…Ó‘èøLkÈÁ discussed in Section ø«ÈÁ .$)-$$(..2)(.-ø¯¨…Ó¢èøLkÈÁ 5ø«ÈÁ .ø¯¨…ÓÐèøLkÈÁE . Based on these considerations, recommendations are made in Section ø«ÈÁE =)$(....($)(..#.().-$().GF)..)..$()F).)-3)(-.ø¯¨…ÓLèøLkÈÁ 6ø«ÈÁ .ø¯¨…ÓzèøLkÈÁ  onø«ÈÁ ..ø¯¨…Ó‘RøLkÈÁ: the use of MIL-STD-882D in Australian Defence acquisition.ø«ÈÁ: .)-$)-R939C...B.B.$().B)).)()).-#..ø¯¨…Ó‘õøLkÈÁ1 This report was prepared under contract CA33809 [ø«ÈÁ1 9-$').-(B($(.).().(.-.(().-))(=B.-...(ø¯¨…Ór
õøLkÈÁ 1ø«ÈÁ .ø¯¨…Ó 
õøLkÈÁ) ] with the Australian Defence Acquisitionø«ÈÁ) (A.'.)(B-$((.(B)).)))B(..$-.ø¯¨…Ó‘_øLkÈÁ Organisation.ø«ÈÁ B-).$(.-ø¯¨…ÈÁ TimesNewRmn   Bdø¨Å  ÈBø¦ÁuøªoÓ‘OøLkÈÁ 2ø«ÈÁ 2ø¯¨…ÈÁ Arial         Bdø¨Å  ÈBø¦ÁuøªoÓÃOøLkÈÁ  ø«ÈÁ ‚ø¯¨…ÈÁ TimesNewRmn   Bdø¨Å  ÈBø¦ÁuøªoÓEOøLkÈÁ Content of MIL-STD-882Dø«ÈÁ H28!,8!2"^'C!8CH!222Hø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¸Bø¦ÁuøªoÓ‘úøLkÈÁ\ The stated purpose of MIL-STD-882D is to “ensure the identification and understanding of allø«ÈÁ\ 9.(($)).(.-..#)(.'R939C...B($(.()(.$-)(.)'.(.)(-.()..'...(#).-.-(.)(ø¯¨…Ó‘døLkÈÁc known hazards and their associated risks, and that mishap risk is eliminated or reduced to acceptedø«ÈÁc -..B..)().$)...()$#.))).$-$).--)F$.).$-$(F.().-)..().-))().).ø¯¨…Ó‘ÎøLkÈÁT levels.” To achieve this goal, a minimal set of requirements are defined as follows:ø«ÈÁT )-)$)9.().)-).$-.))F.F)#)-).-)F).$)).(-).)#-.A$ø¯¨…Ó'qøLkÈÁ 1.ø«ÈÁ .ø¯¨…ÈÁ Arial           ø¨Å  ¸Bø¦ÁuøªoÓlqøLkÈÁ  ø«ÈÁ Qø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¸Bø¦ÁuøªoÓ½qøLkÈÁQ Documentation of the system safety approach. Such documentation will describe theø«ÈÁQ B.).F).)..2-3-)3$-$)F3$))-3)...)).33.).3-.).F).(.-3B3-)$(-)3.(ø¯¨Á ø1DÀ ø(Àø%CtÓd d ø*uÃ  ø)vÕ  €?  €?ø+wÀ øNpÁ øKzÀøjÀ ø	yÀøjÀ ø	cÀøTã  Î ˜—øBÀ øShÀüø,{…ÈÁ TimesNewRmn     ø¨Å  ¦Bø¦ÁuøªoÓ¥öøLkÈÁ 2ø«ÈÁ *ø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¸Bø¦ÁuøªoÓÑøLkÈÁV implementation of MIL-STD-882D requirements, including how system safety is integratedø«ÈÁV F.)F).)-..R939C...B)..)F).$.(.-.-..B$-$)F$))-$-)-().ø¯¨…ÓÑvøLkÈÁV into the overall program and how hazards and risks are communicated to and accepted byø«ÈÁV ...(.-)(-.-)F)....B.)()-$)..$-$))(.GF..)))..)..))().)..-ø¯¨…ÓÑßøLkÈÁZ the appropriate authority. Guidance on issues to consider is provided in Appendix A of theø«ÈÁZ .)(..-.)))-.--B..).()..$#.)$.)-.#.)$..-.(..B-.).-.B.-)ø¯¨…ÓÑHøLkÈÁ	 standard.ø«ÈÁ	 $).-)-ø¯¨…Ó;ëøLkÈÁ 2.ø«ÈÁ .ø¯¨…ÈÁ Arial           ø¨Å  ¸Bø¦ÁuøªoÓ€ëøLkÈÁ  ø«ÈÁ Qø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¸Bø¦ÁuøªoÓÑëøLkÈÁX Systematic identification of hazards, encompassing all hazard sources and system phases.ø«ÈÁX 3-$)F)) -).().. -!.)().$!(.).F.)$$.-!)!-)().!#..()$!(..!$-$)F!..)$)$ø¯¨…ÓÑVøLkÈÁA Hazard identification is a responsibility of all program members.ø«ÈÁA B)()..(.)(..$))$-..#.-.(-.-)FF*F.)$ø¯¨…Ó;øøLkÈÁ 3.ø«ÈÁ .ø¯¨…ÈÁ Arial           ø¨Å  ¸Bø¦ÁuøªoÓ€øøLkÈÁ  ø«ÈÁ Qø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¸Bø¦ÁuøªoÓÑøøLkÈÁ Assessment of mishap risk ø«ÈÁ B$$)$$F).+-+F$.).*$-+ø¯¨…ÓøøLkÈÁ: to determine the potential impact of hazards on personnel,ø«ÈÁ: -,.()F.)+.),.-)-)+F.)),-,.)().$,..+.)$...(ø¯¨…ÓÑcøLkÈÁ[ facilities, equipment, operations, the public, and the environment. A risk assessment modelø«ÈÁ[ )()$).-.F)...((-.$.).-.)(...)).-..F).B$-)$$($$F).F..)ø¯¨…ÓÑÌøLkÈÁ is ø«ÈÁ $(ø¯¨…Ó7ÌøLkÈÁS suggested  in Appendix A, including mishap severity and probability levels and riskø«ÈÁS $.--)$).'(.(B.-).-.(B(.)...-(F$.).(#)-)-()..(..-).-()-)#()..'$-ø¯¨…ÓÑ6øLkÈÁT acceptance levels. However, the project is free to define acceptable risk levels andø«ÈÁT ))))-)-))4)-)$5B.A)-)5-)6.-()5$5()6.6.(.(6)())-)-)6$-6)-)$6).-ø¯¨…ÓÑŸøLkÈÁ acceptance authorities.ø«ÈÁ ))))-)-))(..-)$ø¯¨…Ó;BøLkÈÁ 4.ø«ÈÁ .ø¯¨…ÈÁ Arial           ø¨Å  ¸Bø¦ÁuøªoÓ€BøLkÈÁ  ø«ÈÁ Qø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¸Bø¦ÁuøªoÓÑBøLkÈÁZ Identification of mishap risk mitigation measures. The order of precedence is to eliminateø«ÈÁZ .).()..-F$.).$-F-)..F))$.)$9-).-)--)().)-))$.(F.))ø¯¨…ÓÑ¬øLkÈÁ, through design, incorporate safety devices, ø«ÈÁ, ...-.B.($-.B-)...()A$))-B.)-)($Bø¯¨…Óå	¬øLkÈÁ$ provide warning devices then developø«ÈÁ$ ..-.)CB)-.-C.)-)($C-).C.)-(..ø¯¨…ÓÑ	øLkÈÁ procedures and training.ø«ÈÁ ..)(..)$)-.)..-ø¯¨…Ó;¸	øLkÈÁ 5.ø«ÈÁ .ø¯¨…ÈÁ Arial           ø¨Å  ¸Bø¦ÁuøªoÓ€¸	øLkÈÁ  ø«ÈÁ Qø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¸Bø¦ÁuøªoÓÑ¸	øLkÈÁV Reduction of mishap risk to an acceptable level. The risk mitigation approach is to beø«ÈÁV =)..)..(-(F$.).'$-(.)).)())(.(.)()-)(8.)($-)F-)..)).-.().($).).)ø¯¨…ÓÑ#
øLkÈÁA mutually agreed to by both the developer and the program manager.ø«ÈÁA F..)-)-))...-....).)-)..()-.-)..-)FF).)-)ø¯¨…Ó;Å
øLkÈÁ 6.ø«ÈÁ .ø¯¨…ÈÁ Arial           ø¨Å  ¸Bø¦ÁuøªoÓ€Å
øLkÈÁ  ø«ÈÁ Qø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¸Bø¦ÁuøªoÓÑÅ
øLkÈÁ[ Verification of mishap risk reduction through appropriate analysis, testing, or inspection.ø«ÈÁ[ C(()..-F$.).$-)..(-.-..-.).-..))).(-$$)#.-..#.)(-.ø¯¨…Ó;iøLkÈÁ 7.ø«ÈÁ .ø¯¨…ÈÁ Arial           ø¨Å  ¸Bø¦ÁuøªoÓ€iøLkÈÁ  ø«ÈÁ Qø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¸Bø¦ÁuøªoÓÑiøLkÈÁY Review of hazards and acceptance of residual mishap risk by an appropriate authority. Theø«ÈÁY =)-)B..)()-$)-.)())-).().($.-)F$.(.$-.-).)..-.)))-.--9.(ø¯¨…ÓÑÔøLkÈÁ= authority for risk acceptance should include the system user.ø«ÈÁ= )..--.$-))))-)-))$-..--).-).)$-$)F.$)ø¯¨…Ó;vøLkÈÁ 8.ø«ÈÁ .ø¯¨…ÈÁ Arial           ø¨Å  ¸Bø¦ÁuøªoÓ€vøLkÈÁ  ø«ÈÁ Qø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¸Bø¦ÁuøªoÓÑvøLkÈÁ[ Tracking of hazards and residual mishap risk. A tracking system for hazards, their closure,ø«ÈÁ[ 9))-.-..)().$(..)$..(F$.).$-B))-.-$-$)F..)().$.().#-)ø¯¨…ÓÑáøLkÈÁZ and residual mishap risk must be maintained throughout the system life cycle.  The programø«ÈÁZ )..)$..(F$.).$-F.$.)F).(.)--..-....)$-$)F))-))9.)-.-)Fø¯¨…ÓÑJøLkÈÁR manager must keep the system user apprised of the hazards and residual mishap riskø«ÈÁR F).)-)F.$-))..)$-$)F.$))..$(...(.)()-$)..)#.-)F$.)-$-ø¯¨…Ó¥íøLkÈÁa Appendix A contains additional guidance on safety activities. The guidance is indicative only andø«ÈÁa B..)..-B).-).$)-.-.)-.-).()..#)(-))-)$8.)-..(.))$.-)(-).--)..ø¯¨…Ó¥WøLkÈÁ- needs to be included in contracts explicitly.ø«ÈÁ- .)).$.-)-)-.)..)-.)($(..(-ø¯¨…ÈÁ TimesNewRmn   Bdø¨Å  ÈBø¦ÁuøªoÓ¥HøLkÈÁ 3ø«ÈÁ 2ø¯¨…ÈÁ Arial         Bdø¨Å  ÈBø¦ÁuøªoÓ×HøLkÈÁ  ø«ÈÁ ‚ø¯¨…ÈÁ TimesNewRmn   Bdø¨Å  ÈBø¦ÁuøªoÓYHøLkÈÁ1 Differences between MIL-STD-882C and MIL-STD-882Dø«ÈÁ1 H"",,,8,,'8,!I,,8^'C!8CH!222H288^'C!8CH!222Hø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¸Bø¦ÁuøªoÓ¥òøLkÈÁ The ø«ÈÁ 9.(.ø¯¨…ÓbòøLkÈÁQ revision of MIL-STD-882C to MIL-STD-882D was largely driven by the tenets of U.S.ø«ÈÁQ )-#...-.R939B...=...R939B...B.B)$.)-)-..-)...-/.).)-)#/./B3ø¯¨…Ó¥]øLkÈÁ\ Defence Acquisition Reform and requirements of new Defence Standards. In particular, the aimø«ÈÁ\ B)).()$B).-#..$=(.F$)..%)..)F).$%-%-)B%B))-))%2).-)-$%.%.)).)$.(%)Fø¯¨…Ó¥ÆøLkÈÁ[ was to eliminate strict guidance, providing greater flexibility in the acquisition process.ø«ÈÁ[ B)$.)F.))$(-..(.))-.--.--))))-.-..)()..$....)($$ø¯¨…Ó¥iøLkÈÁK The major differences between MIL-STD-882D and MIL-STD-882C are as follows:ø«ÈÁK 9.(F)--)).)($.(B)).R939C...B)..R939C...=)))$..B#ø¯¨…Ó;øLkÈÁ 1.ø«ÈÁ .ø¯¨…ÈÁ Arial           ø¨Å  ¸Bø¦ÁuøªoÓ€øLkÈÁ  ø«ÈÁ Qø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¸Bø¦ÁuøªoÓÑøLkÈÁW No formal system safety plan is required. Instead, the system safety approach is agreedø«ÈÁW B.%.F)%$-$)F%$))-&.(.&#&(..).&.$)(.&-)&$-$)F&$))-&).-.)(.&#&)-)).ø¯¨…ÓÑwøLkÈÁ between Contractor and Project.ø«ÈÁ .)B)(.=..)(-)..2-)(ø¯¨…Ó;øLkÈÁ 2.ø«ÈÁ .ø¯¨…ÈÁ Arial           ø¨Å  ¸Bø¦ÁuøªoÓ€øLkÈÁ  ø«ÈÁ Qø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¸Bø¦ÁuøªoÓÑøLkÈÁJ All detailed tasks from MIL-STD-882C have been removed, including detailedø«ÈÁJ BL.(().L)$-$L.FLS939C...=L.)-)L.)).M)F.-).M.(.-.-M.)().ø¯¨…ÓÑ„øLkÈÁY requirements on safety management processes, hazard analyses and verification activities.ø«ÈÁY ).-)F).# .. #)(- F).)-*F). ..)($$($ .)()- ).(-$)$ (.. -)))..)),)$ø¯¨…ÓÑîøLkÈÁ  As a result, the standard is no ø«ÈÁ  B$)($..)#(..).$..ø¯¨…Ó8îøLkÈÁ< longer  tailorable and the minimal requirements provided areø«ÈÁ< ..-))-)-))-.-)F.F)).-)F).$..-.).()ø¯¨…ÓÑWøLkÈÁ
 mandatory.ø«ÈÁ
 F)..).-ø¯¨…Ó;úøLkÈÁ 3.ø«ÈÁ .ø¯¨…ÈÁ Arial           ø¨Å  ¸Bø¦ÁuøªoÓ€úøLkÈÁ  ø«ÈÁ Qø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¸Bø¦ÁuøªoÓÑúøLkÈÁY No formal safety program deliverables are mandated. Each project is free to determine theø«ÈÁY B..F)$((-..-)F.)-))-($))F)..))-8))-.-)($()..))F.).)ø¯¨…ÓÑdøLkÈÁ data that is required.ø«ÈÁ .)).($).-(.ø¯¨…Ó;øLkÈÁ 4.ø«ÈÁ .ø¯¨…ÈÁ Arial           ø¨Å  ¸Bø¦ÁuøªoÓ€øLkÈÁ  ø«ÈÁ Qø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¸Bø¦ÁuøªoÓÑøLkÈÁT There is an increased recognition of the system user’s role in safety management. Inø«ÈÁT 9.()-$-)...)))#)..)).-...-.-.)-$-$)F..$)$.-)-..#))-.F).)-*F)...ø¯¨…ÓÑqøLkÈÁY particular, the risk acceptance authority must include the system user in the mishap riskø«ÈÁY .))-($.)#$-$)())-).()$)-.--$F.$$.).-)$.)%$-$)F%.$)%-%-)%F$.).%$-ø¯¨…ÓÑÛøLkÈÁ review.ø«ÈÁ )-)Bø¯¨…Ó;}øLkÈÁ 5.ø«ÈÁ .ø¯¨…ÈÁ Arial           ø¨Å  ¸Bø¦ÁuøªoÓ€}øLkÈÁ  ø«ÈÁ Qø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¸Bø¦ÁuøªoÓÑ}øLkÈÁX The focus of risk assessment is on mishap risk, rather than hazard risk. This provides aø«ÈÁX 9.($-).$$-$$-$)$#)$$F).#$$..$F$.(.$$-%(.(%-).%.)().%$-%8.$$..-.($%)ø¯¨Á ø1DÀ ø(Àø%CtÓd d ø*uÃ  ø)vÕ  €?  €?ø+wÀ øNpÁ øKzÀøjÀ ø	yÀøjÀ ø	cÀøTã  Î ˜—øBÀ øShÀüø,{…ÈÁ TimesNewRmn     ø¨Å  ¦Bø¦ÁuøªoÓÊöøLkÈÁ 3ø«ÈÁ *ø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¸Bø¦ÁuøªoÓ½øLkÈÁO means for reducing risk by controlling mishaps after engineered system failure.ø«ÈÁO F)).$.)..(.-$-.-)..-.-F$.).$(().--))).$-$)F)-)ø¯¨…Ó‘¯øLkÈÁ` The impact of these changes is that there is much greater freedom to implement a suitable safetyø«ÈÁ` 9.( F.)) - .)#) ).(.-)$ $.(.)) $ F.). -))(!)(..F!.!F.)F).!)!$-).)!$((-ø¯¨…Ó‘øLkÈÁb program. As a result, greater responsibility is placed on Contractors to define appropriate systemø«ÈÁb ..-)F!B$!)!)$-!-))) )#...#.-!$"-()).".."<..)(.$".".(-)").-.-()!$-$)Fø¯¨…Ó‘ƒøLkÈÁ^ safety programs and on the Project Office to assess and monitor adequacy of the programs. Thisø«ÈÁ^ $)(-!..-)F$!)..!.. .)!2-)(!B()".!)$#)$$!).."F..-")-)..()-"."-)"..-)F$!9.$ø¯¨…Ó‘ìøLkÈÁ` increased responsibility may lead to greater thought being applied to safety program definition.ø«ÈÁ` .)))#).')$.-.$.-'F).')).'.'-()(&...-.'.(.-').-(.'.&$()-'..-)F'.)...ø¯¨…Ó‘VøLkÈÁc However, successful application clearly relies on suitable expertise and motivation of all parties.ø«ÈÁc B.B)-)$.)()$#.).-)(..)()-))#..$-).))-.)$)(..F.-)-..).()#ø¯¨…Ó‘øøLkÈÁP The MIL-STD-882D changes also place greater emphasis on managing safety through ø«ÈÁP 9.(R939C...B).).-)$)$.-)()-))))F..)$$.-F).)-.-$))-...-.ø¯¨…ÓHøøLkÈÁ cooperativeø«ÈÁ )...((-)ø¯¨…Ó‘cøLkÈÁ\ decision-making. Ideally, this will focus the safety program on active risk reduction tasks.ø«ÈÁ\ .))$..F*-.-7.))-6.$6A6.).$6.)6$()-7..-)F7..7)(-)7$-7)-.)..6)$-$ø¯¨…Ó‘ÌøLkÈÁb However, a danger is introduced that inadequate evidence of risk reduction is produced, leading toø«ÈÁb B.B)-)).).-)$...-))..(.).)-.)))-.(.)).$-)-.)..$-..-)).()..-.ø¯¨…Ó‘6øLkÈÁc difficulties in system certification, maintenance and modification, and possibly unsafe operationalø«ÈÁc .(.)$.$-$)F ))().. F)-).(.))).. F..)(-. ).- ..$#-- ..$)) ..((-.)ø¯¨…Ó‘ŸøLkÈÁ systems.ø«ÈÁ $-$)F$ø¯¨…ÈÁ TimesNewRmn   Bdø¨Å  ÈBø¦ÁuøªoÓ‘øLkÈÁ 4ø«ÈÁ 2ø¯¨…ÈÁ Arial         Bdø¨Å  ÈBø¦ÁuøªoÓÃøLkÈÁ  ø«ÈÁ ‚ø¯¨…ÈÁ TimesNewRmn   Bdø¨Å  ÈBø¦ÁuøªoÓEøLkÈÁ U.S. use of MIL-STD-882Dø«ÈÁ H88',2"^'C!8CH!222Hø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¸Bø¦ÁuøªoÓ‘:	øLkÈÁ^ The transition in the U.S. from MIL-STD-882C to MIL-STD-882D is part of an overall acquisitionø«ÈÁ^ 9.().#....)B3.FR939C...=.R83:C...B$.).)..-))().-#..ø¯¨…Ó‘¤	øLkÈÁ` reform program and must be seen in the context of the U.S. Defence acquisition environment. Someø«ÈÁ` )-F..-)F)..F.$.)$))...))..)...)B3A))-))().-$..).-..F).3.F)ø¯¨…Ó‘
øLkÈÁ1 of the factors to consider include the following:ø«ÈÁ1 .-))).$.)..#.(.(-.).)..B.-ø¯¨…ÈÁ Symbol          ø¨Å  ¸Bø¦ÁmøªoÓ'¸
øLkÈÁ ·ø«ÈÁ *ø¯¨…ÈÁ Arial           ø¨Å  ¸Bø¦ÁuøªoÓQ¸
øLkÈÁ  ø«ÈÁ lø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¸Bø¦ÁuøªoÓ½¸
øLkÈÁL MIL-STD-882D makes use of U.S. Civil Law, requiring that mishap risk must beø«ÈÁL R939B...B9F*-)$8.$)8.8B38=-87)B8(...-8-)8F$.)-8$-8F.$8.)ø¯¨…Ó½"øLkÈÁ\ identified, evaluated, and mitigated to a level acceptable (as defined by the system user orø«ÈÁ\ .)-).)-)-)(.).-F-))..()-)))().).()$.(.)..--)$-$)F.$).ø¯¨…Ó½‹øLkÈÁ[ customer) to the appropriate authority and compliant with federal laws. This requirement isø«ÈÁ[ ).$.F)..))....()(..--)..).F.).B.)-)()B$9-$).-)F).$ø¯¨…Ó½ôøLkÈÁV supported by mandatory procedures for acquisition programs, in DoD Regulation 5000.2-Rø«ÈÁV $....)-.-F)..).-..)(..)$.().-$..-.-)F$.B.B=)-.)...-...=ø¯¨…Ó½^øLkÈÁ [ø«ÈÁ ø¯¨…ÓÜ^øLkÈÁ 4ø«ÈÁ .ø¯¨…Ó
^øLkÈÁ] ]. It is assumed that the threat of legal liability will ensure that Projects and Contractorsø«ÈÁ] $)$$.F).-).).)(.)-)).-B).#.)-)2-)($)-.=..)(-$ø¯¨…Ó½ÇøLkÈÁ follow best practice.ø«ÈÁ ..B.($-)())ø¯¨…Ó½jøLkÈÁR The law is particularly applicable in Total System Responsibility contracts, whereø«ÈÁR 9.(<)B;$<-)).)-<)..))-);.<9-)=3-$)F==)$...#.-=)..)($=B-))ø¯¨…Ó½ÔøLkÈÁT developers assume total responsibility for the system, receiving limited engineeringø«ÈÁT .)-)..($:($$.F):.)9)$-..#.-:.:-):$-$)F;)()-.-;F)-;).-.)(.-ø¯¨…Ó½>øLkÈÁZ direction. In some cases, the developer may choose to limit liability by closely involvingø«ÈÁZ .()..!.!$.F)!))$)$ .) .)-).-)!F)-!)...$)!.!F!)--!.-").#)-".-.-.-ø¯¨…Ó½§øLkÈÁ/ the U.S. Government in the procurement process.ø«ÈÁ/ .)B3B.-).F)..-)..)-)F)..-))#$ø¯¨…ÈÁ Symbol          ø¨Å  ¸Bø¦ÁmøªoÓ'RøLkÈÁ ·ø«ÈÁ *ø¯¨…ÈÁ Arial           ø¨Å  ¸Bø¦ÁuøªoÓQRøLkÈÁ  ø«ÈÁ lø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¸Bø¦ÁuøªoÓ½RøLkÈÁP The system safety process developed around previous revisions of MIL-STD-882 areø«ÈÁP 9.(0$-$)F0$)(-0..()$$0-)-)..(.1)....1-)-..#1)-#.-$1.0R939C...1))ø¯¨…Ó½»øLkÈÁZ expected to be well known and accepted through industry, particularly Defence contractors.ø«ÈÁZ )..)()..-)B)-..B.)..())(.(.-..-..-.$--)).)-B)).)()..)).$ø¯¨…ÈÁ TimesNewRmn     ø¨Å  ÈBø¦ÁuøªoÓ½+øLkÈÁ Project Offices are also ø«ÈÁ 8!2,,%H!!-,'%,",%,'2%ø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¸Bø¦ÁuøªoÓ­+øLkÈÁ? expected to be familiar with safety programs. In fact, detailedø«ÈÁ? )..)))-#.".)$)F($B.$$((-$..-)F$$.$))$.()).ø¯¨…Ó½—øLkÈÁO tasks of MIL-STD-882C not included in MIL-STD 882D can now be found in modifiedø«ÈÁO )$-$#."R939C...=#..#-).-).#.#R939B#...B#)).#-.B#.)"....".#F..).ø¯¨…Ó½øLkÈÁ- form in the US Defense Acquisition Deskbook [ø«ÈÁ- .F.-)B3B)).$)A)..$-.B)$-...-ø¯¨…Ó§
øLkÈÁ 5ø«ÈÁ .ø¯¨…ÓÕ
øLkÈÁ ].ø«ÈÁ ø¯¨…ÈÁ Symbol          ø¨Å  ¸Bø¦ÁmøªoÓ'«øLkÈÁ ·ø«ÈÁ *ø¯¨…ÈÁ Arial           ø¨Å  ¸Bø¦ÁuøªoÓQ«øLkÈÁ  ø«ÈÁ lø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¸Bø¦ÁuøªoÓ½«øLkÈÁW The U.S. Department of Defence has an extensive safety regulatory process and technicalø«ÈÁW 9.(B3B).(F).-B)).)).)$).)-)-$-)$((-)-.).-..()$$)..))-.))ø¯¨…Ó½øLkÈÁY review boards, and provides a valuable source of guidance for determining suitable systemø«ÈÁY )-)B..(.$)..-.-.)#)-).(.)$.-))--..)-))..))F..-$-(.)$-#)Fø¯¨…Ó½~øLkÈÁ safety programs.ø«ÈÁ $)(-..-)F$ø¯¨…Óª!øLkÈÁY Due to these factors, the short-term use of MIL-STD-882D is not expected to change the USø«ÈÁY B.)(.'.)#)()).#(-))$.-)F).$)).(R939C...B)$)..()..()).)-)).(.-)).))B3ø¯¨…Óª‹øLkÈÁ^ Defence acquisition process significantly. However, changes in the long term are expected whenø«ÈÁ^ B)).() )(..$.- .-))$# #-.))-- B.B)-) ).(.-)$ . .) ..-!(F!))!).-)().!B.(.ø¯¨…ÓªôøLkÈÁ5 safety programs begin to vary from accepted practice.ø«ÈÁ5 $)(-..-)F$.)-..-)-.F)))).)..)(()ø¯¨…ÈÁ TimesNewRmn   Bdø¨Å  ÈBø¦ÁuøªoÓ‘åøLkÈÁ 5ø«ÈÁ 2ø¯¨…ÈÁ Arial         Bdø¨Å  ÈBø¦ÁuøªoÓÃåøLkÈÁ  ø«ÈÁ ‚ø¯¨…ÈÁ TimesNewRmn   Bdø¨Å  ÈBø¦ÁuøªoÓEåøLkÈÁ& Acquisition of Non-Development Systemsø«ÈÁ& H,88'!281"H28!H,2,28S,8!82'!-R'ø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¸Bø¦ÁuøªoÓ‘øLkÈÁY The introduction of MIL-STD-882D also has implications for Australian acquisition of Non-ø«ÈÁY 9.(0--..(.-0./R939C...B0)$.0.($0F.()..$/-1B.$().1)(..$.-1.1B-.ø¯¨…Ó‘úøLkÈÁe Development systems, particularly U.S. systems. In this instance, the close level of interaction withø«ÈÁe B)-)..F).$-$)F$.)(.(-B3$-$)F$..$.$).)(-)(.$))-)..)()..A.ø¯¨…Ó‘cøLkÈÁ[ Contractors expected by MIL-STD-882D cannot be relied upon, particularly for acquisition ofø«ÈÁ[ =..()-$*)..()(.+.-+R939C...B+))...+.)*((.,..-.,.()-)-,.+)).-#..,-ø¯¨…Ó‘ÍøLkÈÁ_ existing systems. Given the greater freedom in the safety approach, DAO also cannot assume thatø«ÈÁ_ ).#.-$-$)F$B-)..)-)()))..F..)#)(-)..-)).BBB($.))..-($$.F).(ø¯¨…Ó‘6øLkÈÁa use of the standard has produced a suitably rigorous safety program. Instead, assurance of safetyø«ÈÁa .$)!-!-)!#)..(.!-)$!-..-)).")!$.)--"-..-$"$((-"..-)F#.$))."($$-).))!."$()-ø¯¨…Ó‘ øLkÈÁa will need to be assessed through documentation. Significant effort may be required to review suchø«ÈÁa B.))..-))#$)#$)..-.-...).F).(..3-.().).F)-.))..)..)-)B$-).ø¯¨Á ø1DÀ ø(Àø%CtÓd d ø*uÃ  ø)vÕ  €?  €?ø+wÀ øNpÁ øKzÀøjÀ ø	yÀøjÀ ø	cÀøTã  Î ˜—øBÀ øShÀüø,{…ÈÁ TimesNewRmn     ø¨Å  ¦Bø¦ÁuøªoÓ¥öøLkÈÁ 4ø«ÈÁ *ø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¸Bø¦ÁuøªoÓ¥øLkÈÁC documentation or produce it in instances where it is not available.ø«ÈÁC ..).F).)..--...().-$).)($B.()$.-)-))-)ø¯¨…Ó¥¯øLkÈÁf In some cases, it may be possible to liase with other certification agents where pre-certified systemsø«ÈÁf .$/F)))$)$F)-.)..$$.(.)$)A-.-))))(..)-).$B.)(.)))(.$-$)F$ø¯¨…Ó¥øLkÈÁY are acquired with limited modifications. However, care should be taken to ensure that anyø«ÈÁY ))4().-(.4B.4F).4F..)(..$5B.B)-)4)))5$-...4.)4)-).5.4).$-)4.(5).-ø¯¨…Ó¥ƒøLkÈÁ' assumptions on the operational use and ø«ÈÁ' )$$.F..-$...)-.))..(.#))-.ø¯¨…Ó[ƒøLkÈÁ environment are not violated.ø«ÈÁ ).--.F).))-.--().ø¯¨…ÈÁ TimesNewRmn   Bdø¨Å  ÈBø¦ÁuøªoÓ¥søLkÈÁ 6ø«ÈÁ 2ø¯¨…ÈÁ Arial         Bdø¨Å  ÈBø¦ÁuøªoÓ×søLkÈÁ  ø«ÈÁ ‚ø¯¨…ÈÁ TimesNewRmn   Bdø¨Å  ÈBø¦ÁuøªoÓYsøLkÈÁ Conclusions and Recommendationsø«ÈÁ H28,8'28'278H,,2RS-882!28'ø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¸Bø¦ÁuøªoÓ¥øLkÈÁS The revision of MIL-STD-882C to MIL-STD-882D applies the principles of U.S. Defenceø«ÈÁS 9.(7)-#..7-7R939B...=8.8R939B...B8)..)$7.(8..(.)$8-8B38B)).()ø¯¨…Ó¥ˆøLkÈÁ[ acquisition reform to system safety programs by reducing standard requirements to a minimalø«ÈÁ[ ))..$..+)-F+.+$-$)F+$)(-+..-)F$+.-,)..).-,$)..(.,).-)F).#,.,(,F.F)ø¯¨…Ó¥òøLkÈÁ` number. This presents much greater freedom to the Contractor and Project Office to implement theø«ÈÁ` ..F.)9-$-)#)-$F.).-))(()..F..)<..)(.)..2-)(B().F.)F)..(ø¯¨…Ó¥[øLkÈÁ0 safety program in accordance with project needs.ø«ÈÁ0 $)(-..-)F.))(.-).))A..-)(-)).$ø¯¨…Ó¥þøLkÈÁ[ However, the freedom offered by MIL-STD-882D is accompanied by a greater responsibility forø«ÈÁ[ B.B)-)!.)!))..F".().!.-"R939C...B"$"))(.F.).).".-")"-)((")$..-$--"-ø¯¨…Ó¥høLkÈÁ` each project to define and execute a suitable safety program. It is not sufficient to invoke theø«ÈÁ` ))).)--)()-).).())..().)(.)())$-).))$((-)..-)F*)$)..)$.)).(.(.-.-)*.)ø¯¨…Ó¥ÒøLkÈÁ^ standard and assume that an adequate safety program will be followed. Instead, the Project andø«ÈÁ^ $).-)-%)..$)$$.F)%.(%)-%).(..()%#)(-%..-)F%B%-)%-.B).&.$)).%.(&3-)(&)-.ø¯¨…Ó¥;	øLkÈÁ` Contractor must take an active role to define an approach to safety engineering and ensure it isø«ÈÁ` =..()-$F.$$)-)$).$)(-)#.)$.#.).)#).$)-.-)).$.%$((-%).-.)).-%)..%(.$-)%$$ø¯¨…Ó¥¤	øLkÈÁ\ implemented. Defining a suitable safety program is a significant challenge since recommendedø«ÈÁ\ F.)F).).)B)..-)))$.)-))#))-)..-)F)$)))#-.)(.().((.-)*$.()*)).GF)..).ø¯¨…Ó¥
øLkÈÁ practice for safety programs ø«ÈÁ .)()).$))-..-)F$ø¯¨…Ó×
øLkÈÁH varies substantially, particularly for software-intensive systems. To beø«ÈÁH -))$$..#)-)-.))-(--$-A)).)-$-)$-$)F$9..(ø¯¨…Ó¥w
øLkÈÁ? successful, access to specialist skills and knowledge is vital.ø«ÈÁ? $.))($#.))()$$.#.)()#$-#)..-..B(.-)$-)ø¯¨…Ó¥øLkÈÁZ The approach taken by MIL-STD-882D relies on an associated Defence acquisition environmentø«ÈÁZ 9.(").-.)(.#)-).#.-#R939C...B#))$#-.#).")$$-))(.#B)).))")).-#..#(.-..F).ø¯¨…Ó¥„øLkÈÁi that may not transfer to Australian conditions. In particular, it assumes that acquisition is carried outø«ÈÁi .(F)-..)-$(.B.#().)-..-.$..))-(($$.F)$.(().-$..$)()...ø¯¨…Ó¥îøLkÈÁ` with threat of litigation under U.S. Civil Law and that best practice will be maintained throughø«ÈÁ` B.$.))$.$-)..%-..(%B3%=-%7)B%)..$.(%.($%-()))%A&.)&F)-)-).%.-.-.ø¯¨…Ó¥WøLkÈÁ] industry and government culture and regulatory oversight. Without such a suitable acquisitionø«ÈÁ] ...#-,)..,-.-).F).,)--),(..,)-.)--,.-)$-.+W...-$-).-),$.)-)-().-$..ø¯¨…Ó¥ÁøLkÈÁb environment, the use of MIL-STD-882D increases the risk that a deficient or over-protective safetyø«ÈÁb ).-..F)..).#).R939C...B.)()$($-)$-.().)()-..-)..)(-)$((-ø¯¨…Ó¥*øLkÈÁ] program will be implemented. Furthermore, the lack of detailed guidance may lead to increasedø«ÈÁ] ..-)F$B$.($F.)F).).$3--)F.)#.)#))-$.$-))).$-..(.))$F)-%)).%.%-)))#).ø¯¨…Ó¥“øLkÈÁX costs when implementing the program, disputes with Commonwealth or certification delays.ø«ÈÁX ).$$B.).F.)F)..-.)-.-)F.$.-)$A.=.FF..B)).-)()(...()-$ø¯¨…Ó¥6øLkÈÁ\ Accordingly, we do not recommend the use of MIL-STD-882D unless adequate controls are put inø«ÈÁ\ B)).-.--B)....().GF)...).#).R939C...B..)$$).)-.))).-.#)).-.ø¯¨…Ó¥¡øLkÈÁ9 place. Such controls would include at least the followingø«ÈÁ9 .)()3.)-).--$B.-..(..)))($.(-.A.-ø¯¨…ÓÅ	¡øLkÈÁ ::ø«ÈÁ ø¯¨…Ó;CøLkÈÁ 1.ø«ÈÁ .ø¯¨…ÈÁ Arial           ø¨Å  ¸Bø¦ÁuøªoÓ€CøLkÈÁ  ø«ÈÁ Qø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¸Bø¦ÁuøªoÓÑCøLkÈÁP For development systems the approach should be documented and agreed in a Systemø«ÈÁP 3.*.)-)-.F).*$-$)F$*.)*(..-)).)$..-.*.))..).F).).))..))-)).*.+)+3-$)Fø¯¨…ÓÑ®øLkÈÁQ Safety Management Plan (SSMP) prior to contract. Comparison with other approachesø«ÈÁQ 3)(-+R).)-)F).+3)-+33Q3+--+.+).-)(+=.F.)$-.+B.,..)+).-.))-)$ø¯¨…ÓÑøLkÈÁV recommended by other international standards may be useful in determining the adequacyø«ÈÁV )).FF)..)..-..).).(..(#).-)-$F)-.).$)..-))F..-.)).)-.))-ø¯¨…ÓÑøLkÈÁR of defined processes. Where development of SSMP is a significant undertaking, pre-ø«ÈÁR .0.(-).0-.)($$($0W-)(0.)-)..F).0-033R30$0)1#-.))-1..-))-.-1.)ø¯¨…ÓÑêøLkÈÁ contract funding to preferred ø«ÈÁ )..)(....-..(().ø¯¨…Ó	êøLkÈÁ tenderer(s) may be required.ø«ÈÁ )..((#F)-.))..).ø¯¨…Ó;øLkÈÁ 2.ø«ÈÁ .ø¯¨…ÈÁ Arial           ø¨Å  ¸Bø¦ÁuøªoÓ€øLkÈÁ  ø«ÈÁ Qø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¸Bø¦ÁuøªoÓÑøLkÈÁR For development systems, the Commonwealth should take an active role in the safetyø«ÈÁR 3.+.)-)-.F).+$-$)F$+.)+=.FF..B)).,$..-.+)-),).+))-),-)+.,-),#))-ø¯¨…ÓÑ÷øLkÈÁQ management process, as recommended by MIL-STD-882D. Where necessary, training andø«ÈÁQ F).)-*F)...))#$($().GF)..)..-R939B...BW.)).())#$)-(..-)..ø¯¨…ÓÑaøLkÈÁ? support services should be sought to obtain suitable expertise.ø«ÈÁ? $....#)-)($$-....)#..-....).$.)-))..($)ø¯¨…Ó;øLkÈÁ 3.ø«ÈÁ .ø¯¨…ÈÁ Arial           ø¨Å  ¸Bø¦ÁuøªoÓ€øLkÈÁ  ø«ÈÁ Qø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¸Bø¦ÁuøªoÓÑøLkÈÁW For development systems, the results of the system safety program should be documented.ø«ÈÁW 3..)-)-.F).$-$)F$.))#.$--)$-$)F$))-..-)F$.....).-).F).).ø¯¨…ÓÑnøLkÈÁW Program results should be assessed by a Third Party suitably qualified to determine theø«ÈÁW 3.-)F%)$.$%#....%.)%)$#)$$(.&.-&)%9..&3(-&$-(.-&..))-&.&-))F.)&.)ø¯¨…ÓÑ×øLkÈÁ[ adequacy of the safety program and validity of results. If possible, the assessor should beø«ÈÁ[ ).)..()-.-)$((-..-)F)..-).-.)$-$  ..$$-).( )$#)$#. #..-. .)ø¯¨…ÓÑAøLkÈÁF engaged throughout the project to provide feedback in a timely manner.ø«ÈÁF ).-)-)....-....(..((...-.))).-))-.)F)-F)..)ø¯¨…ÓÑãøLkÈÁT For non-development systems, documentation justifying acceptable risk should also beø«ÈÁT 3.,....)-)..F).,$-$)F$,..).F).)..+.#-.--))))-)-),$--$...--)$.-.)ø¯¨…ÓÑNøLkÈÁW made available and assessed prior to system acquisition. The assessment should validateø«ÈÁW F).)$)-)).)$).-$)$#)$#).$--$.$$-$)F$)).-$..#9.($)$#)$$F).#$..-.%-)-))ø¯¨…ÓÑ·øLkÈÁQ that any assumptions made in the operational use or environment of the system areø«ÈÁQ .(1).-2)$$.F...$2F).)2.1.(2..().-)2-$)2-2).-..F).2.1.)1$-$)F2))ø¯¨…ÓÑ øLkÈÁ$ maintained in the target conditions.ø«ÈÁ$ F).)-).--)(-)(.....$ø¯¨Á ø1DÀ ø(Àø%CtÓd d ø*uÃ  ø)vÕ  €?  €?ø+wÀ øNpÁ øKzÀøjÀ ø	yÀøjÀ ø	cÀøTã  Î ˜—øBÀ øShÀüø,{…ÈÁ TimesNewRmn     ø¨Å  ¦Bø¦ÁuøªoÓÊöøLkÈÁ 5ø«ÈÁ *ø¯¨…ÈÁ TimesNewRmn   Bdø¨Å  ÈBø¦ÁuøªoÓ‘øLkÈÁ 7ø«ÈÁ 2ø¯¨…ÈÁ Arial         Bdø¨Å  ÈBø¦ÁuøªoÓÃøLkÈÁ  ø«ÈÁ ‚ø¯¨…ÈÁ TimesNewRmn   Bdø¨Å  ÈBø¦ÁuøªoÓEøLkÈÁ Acknowledgementsø«ÈÁ H,882I,82,R,8!'ø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¸Bø¦ÁuøªoÓ‘ øLkÈÁ` The authors gratefully acknowledge the Australian Department of Defence, Directorate of Softwareø«ÈÁ` 9.()-..$-))--))-..B).-).)B.#)).B(.)F)..B()-))B().()-3.B))ø¯¨…Ó‘
øLkÈÁ6 Acquisition Reform for sponsorship of this report and ø«ÈÁ6 B)..#..=(-F.$..-$.$.-..$)..(..ø¯¨…ÓŽ

øLkÈÁ' Axel Wabenhorst, Chris Edwards and Tonyø«ÈÁ' B.(W(.)..-#=.$7.B)-$)..8..-ø¯¨…Ó‘søLkÈÁ7 Cant for comments on previous revisions of this report.ø«ÈÁ7 =)..(.GF).$...)-..$)-#..$-.$(..ø¯¨…ÈÁ TimesNewRmn   Bdø¨Å  ÈBø¦ÁuøªoÓ‘KøLkÈÁ 8ø«ÈÁ 2ø¯¨…ÈÁ Arial         Bdø¨Å  ÈBø¦ÁuøªoÓÃKøLkÈÁ  ø«ÈÁ ‚ø¯¨…ÈÁ TimesNewRmn   Bdø¨Å  ÈBø¦ÁuøªoÓEKøLkÈÁ
 Referencesø«ÈÁ
 H,",,,8,,'ø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¸Bø¦ÁuøªoÓ}ÕøLkÈÁ 1ø«ÈÁ ,ø¯¨…ÈÁ Arial           ø¨Å  ¸Bø¦ÁuøªoÓ©ÕøLkÈÁ  ø«ÈÁ †ø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¸Bø¦ÁuøªoÓ/ÕøLkÈÁB Australian Department of Defence Contract CA38809, Specifying and ø«ÈÁB B.$)).B)-)F)..B()-))=.-))=B.-...3-))-.-)..ø¯¨…Ó\ÕøLkÈÁ Acquiring Safety-ø«ÈÁ B).-.-3)(.ø¯¨…Ó/?øLkÈÁ( Critical Software Systems, January 1999.ø«ÈÁ( =()3-B()3-$)F$%(..(-....ø¯¨…Ó}øLkÈÁ 2ø«ÈÁ ,ø¯¨…ÈÁ Arial           ø¨Å  ¸Bø¦ÁuøªoÓ©øLkÈÁ  ø«ÈÁ †ø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¸Bø¦ÁuøªoÓ/øLkÈÁ Uø«ÈÁ @ø¯¨…ÓoøLkÈÁ .ø«ÈÁ ø¯¨…Ó„øLkÈÁ Sø«ÈÁ 1ø¯¨…ÓµøLkÈÁ .ø«ÈÁ ø¯¨…ÓÊøLkÈÁ  Department of Defense. ø«ÈÁ @',&D',+@&'+"'ø¯¨…Ó5øLkÈÁ MIL-STD-882C, ø«ÈÁ P617@,,,;ø¯¨…Ó
øLkÈÁ# System Safety Program Requirements,ø«ÈÁ# 1+"'D1''+0,+'D;',,'D',"ø¯¨…Ó/uøLkÈÁ January 1996.ø«ÈÁ "',+'+,,+,ø¯¨…Ó}CøLkÈÁ 3ø«ÈÁ ,ø¯¨…ÈÁ Arial           ø¨Å  ¸Bø¦ÁuøªoÓ©CøLkÈÁ  ø«ÈÁ †ø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¸Bø¦ÁuøªoÓ/CøLkÈÁ Uø«ÈÁ @ø¯¨…ÓoCøLkÈÁ .ø«ÈÁ ø¯¨…Ó„CøLkÈÁ Sø«ÈÁ 1ø¯¨…ÓµCøLkÈÁ .ø«ÈÁ ø¯¨…ÓÊCøLkÈÁ  Department of Defense. ø«ÈÁ @',&D',+@&'+"'ø¯¨…Ó5CøLkÈÁ Draft MIL-STD-882D, ø«ÈÁ ?&P717@,,,@ø¯¨…ÓnCøLkÈÁ System Safety, ø«ÈÁ 1+"'D1'&+ø¯¨…ÓŒCøLkÈÁ April 1999.ø«ÈÁ @,+,,,ø¯¨…Ó}	øLkÈÁ 4ø«ÈÁ ,ø¯¨…ÈÁ Arial           ø¨Å  ¸Bø¦ÁuøªoÓ©	øLkÈÁ  ø«ÈÁ †ø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¸Bø¦ÁuøªoÓ/	øLkÈÁP U.S. Department of Defense. DoD 5000.2-R, Mandatory Procedures for Major Defenseø«ÈÁP @1@',&D',+@&'+"'@,@,,,+,;P',+'++1+''+,'",O&+@&&,"&ø¯¨…Ó/z	øLkÈÁ= Acquisition Programs and Major Automated Information Systems.ø«ÈÁ= @',,",,0,+'D"'+,P&+@+,D'&,,,D',,1+"'D"ø¯¨…Ó}G
øLkÈÁ 5ø«ÈÁ ,ø¯¨…ÈÁ Arial           ø¨Å  ¸Bø¦ÁuøªoÓ©G
øLkÈÁ  ø«ÈÁ †ø¯¨…ÈÁ TimesNewRmn     ø¨Å  ¸Bø¦ÁuøªoÓ/G
øLkÈÁ9 U.S. Department of Defense. Defense Acquisition Deskbook.ø«ÈÁ9 @1@',&D',+@&'+"'?'',!'@'+,",,@&"+,,,+ø¯¨Á ø1DIB%-12345X@PJL EOJ NAME="Microsoft Word - tr-00-13.doc"
%-12345X