Abstract
Safety cases embody arguments that demonstrate how safety properties of a system are upheld. Such cases implicitly document the barriers that must exist between hazards and vulnerable components of a system. For safety certification, it is the analysis of these barriers that provide confidence in the safety of the system. The explicit representation of hazard barriers can provide additional insight for the design and evaluation of system safety. They can be identified in a hazard analysis to allow analysts to reflect on particular design choices. Barrier existence in a live system can be mapped to abstract barrier representations to provide both verification of barrier existence and a basis for quantitative measures between the predicted barrier behaviour and performance of the actual barrier. This paper explores the first stage of this process, the binding between explicit mitigation arguments in hazard analysis and the barrier concept. Examples from the domains of computer-assisted detection in mammography and free route airspace feasibility are examined and the implications for system certification are considered. © Springer-Verlag 2004.

Abstract
The paper describes the current regulatory situation in England with respect to medical devices and healthcare providers. Trusts already produce evidence to the Healthcare Commission that they operate in accordance with standards set out by the Department of Health and the NHS, The paper illustrates how the adoption of an explicit goal-based argument could facilitate the identification and assessment of secondary implications of proposed changes. The NHS is undergoing major changes in accordance with its 10-year modernisation plan. These changes cannot be confined to the Trust level, but will have NHS-wide implications. The paper explores the possibility of an organisational safety case, which could be a useful tool in the management of such fundamental changes. © Springer-Verlag Berlin Heidelberg 2006.

Abstract
Ubiquitous computing requires a multitude of devices to have access to the same services. Abstract specifications of user interfaces are designed to separate the definition of a user interface from that of the underlying service. This paper proposes the incorporation of interaction style into this type of specification. By selecting an appropriate interaction style, an interface can be better matched to the device being used. Specifications that are based upon three different styles have been developed, together with a prototype Style-Based Interaction System (SIS) that utilises these specifications to provide concrete user interfaces for a device. An example weather query service is described, including specifications of user interfaces for this service that use the three different styles as well as example concrete user interfaces that SIS can produce. © IFIP International Federation for Information Processing 2005.

Abstract
Formal methods have been used to develop a prototype interactive editing system, in which different edits are viewed through separate windows. Designing the prototype has involved the development of a simple window management system. The design of the window manager was achieved with the assistance of an initial description using an abstract model of interaction. We argue that abstract interaction models clarify certain design issues. We discuss more complex properties of windowing systems including separability, sharing and interference. We formulate some simple generative user-engineering principles to support these properties.

Abstract
User-centered design imposes constraints on the programmer-centered approach to program development. In this paper we describe a practical experiment using a three level design approach which incorporates at its top level an abstract model of interaction. The interaction model is used as the basis for proof that user-centred design principles hold for the system design. We also discuss refinement methods which achieve certain structural optimisations through the technique of 'interface drift'. A real system has been produced by these methods and is being used as a basis for test of alternative empirical evaluation techniques.

Abstract
This paper investigates the nature of hazard analysis reuse over two case studies. Initially reuse in an existing safety argument is described. Argument structures within the hazard analysis are identified and the amount of verbatim reuse examined. A second study is concerned with how reuse changes as a result of tool support. In contrast to the first case, the defined arguments are more diverse - reuse has occurred but is less verbatim in nature. Tool supported argument adaptation has aided the customisation of the reused arguments. © Springer-Verlag Berlin Heidelberg 2003.