Log In

Safety Hazard Management: The Role of Requirements in Safety-Critical Systems

Every safety-critical system depends on requirements that are traceable, verifiable, and complete. This guide covers how safety requirements are identified, specified, and verified — from hazard analysis through to safety case closure. Whether you are working in defence, rail, energy, automotive, or medical devices, the principles are the same.

In this guide

  1. What Are Safety Requirements?
  2. How Safety Requirements Fit Within Systems Engineering
  3. Safety Hazard Identification Methods
  4. The Safety Lifecycle
  5. Building a Safety Case
  6. Safety Requirements Verification and Acceptance
  7. Managing Safety Risk: Assumptions, Constraints, and Dependencies
  8. Safety Standards Across Industries
  9. The Hierarchy of Controls
  10. Why Requirements Management Is Foundational to Safety

1. What Are Safety Requirements?

Safety requirements are a specific category of system requirements whose purpose is to mitigate or eliminate identified hazards. They do not exist in isolation — every safety requirement traces back to a hazard that has been identified through structured analysis.

There are two distinct types of safety requirements:

  • Safety functional requirements define what the system must do to achieve or maintain a safe state. For example: "The braking system shall bring the vehicle to a complete stop within 50 metres from 100 km/h on a dry surface."
  • Safety integrity requirements define how reliably the safety function must perform. This is expressed as a Safety Integrity Level (SIL) in IEC 61508, an Automotive Safety Integrity Level (ASIL) in ISO 26262, or a Design Assurance Level (DAL) in DO-178C. The integrity level determines the rigour of the development and verification process.

The hierarchy of safety requirements typically follows this structure:

  1. Stakeholder needs and legislation — regulatory obligations, operational safety targets, and duty-of-care requirements.
  2. System safety requirements — derived from hazard analysis, specifying what the system must do (or must not do) to be acceptably safe.
  3. Allocated safety requirements — system safety requirements allocated to specific subsystems: hardware, software, or operational procedures.
  4. Detailed design requirements — implementation-level specifications that satisfy the allocated safety requirements.

Key principle: Safety requirements are always derived from hazard analysis. A safety requirement without a traceable link to an identified hazard has no justification. Conversely, a hazard without a corresponding safety requirement has no mitigation. Read more about what makes a requirement a safety requirement.

2. How Safety Requirements Fit Within Systems Engineering

Safety requirements sit within the broader systems engineering framework. They are not a separate activity — they are integrated into the requirements engineering process at every stage of the V-model.

The relationship follows a clear sequence:

  1. Concept of operations — defines how the system will be used, including the operating environment, user interactions, and foreseeable misuse scenarios.
  2. Hazard identification — structured analysis (HAZOP, FMEA, FTA, etc.) identifies what can go wrong and the potential consequences.
  3. Safety requirements specification — hazards are addressed through safety requirements that are added to the system requirements specification. The safety requirements specification (SRS) is a subset of the overall system requirements.
  4. Allocation — safety requirements are allocated to hardware, software, or operational procedures, depending on the system architecture.
  5. Design and implementation — the design team implements solutions that satisfy the allocated safety requirements.
  6. Verification — each safety requirement is verified through test, analysis, demonstration, or inspection.
  7. Safety case — the evidence is assembled into a structured argument demonstrating that the system is acceptably safe.

At every stage, traceability is mandatory. The thread from hazard through to verification evidence must be unbroken. This is what safety authorities and independent assessors examine during review.

Learn more: For the full requirements engineering framework including the V-model, decomposition, and verification methods, see our requirements engineering framework guide. For a broader view of systems engineering, read our systems engineering overview.

3. Safety Hazard Identification Methods

Hazard identification is the process of systematically discovering what can go wrong with a system and what the consequences would be. Each method produces outputs — hazard scenarios, failure modes, fault paths — that must be translated into traceable safety requirements.

No single method captures all hazards. Most safety-critical programmes use a combination of techniques at different stages of the lifecycle.

Preliminary Hazard Analysis (PHA)

Top-down | Concept stage | Defence, Rail, General

A first-pass identification of hazards, typically performed at concept or early design stage. Each hazard is rated for severity and likelihood using a risk matrix. Produces an initial hazard list that drives further analysis. Required by MIL-STD-882E (Tasks 201/202) for defence programmes.

HAZOP (Hazard and Operability Study)

Guide-word | Detailed design | Process, Nuclear, Chemical

A systematic technique that examines deviations from design intent at each process node using guide words (no flow, more pressure, reverse, etc.). Each deviation is assessed for causes, consequences, and existing safeguards. Predominant in chemical, pharmaceutical, oil and gas, and nuclear industries. Generates specific safety requirements for controls and alarms.

FMEA (Failure Modes and Effects Analysis)

Bottom-up | Component level | Automotive, Aerospace, Medical

Starts at the component level, identifying each possible failure mode and its effect on the system. Each mode is rated for severity, occurrence, and detectability to produce a Risk Priority Number (RPN). Mandated by ISO 26262 as input to the Hazard Analysis and Risk Assessment (HARA). Directly produces requirements for design changes, redundancy, or monitoring.

FTA (Fault Tree Analysis)

Top-down | Quantitative | Aerospace, Nuclear, Defence

Starts with an undesired top event (e.g., "loss of braking") and traces causes downward through AND/OR logic gates. Quantitative — calculates the probability of the top event from component failure rates. Identifies single points of failure and common-cause failures. Produces requirements for redundancy, diversity, or independence.

HAZID (Hazard Identification)

Workshop-based | Early stage | Oil & Gas, Process

A structured brainstorming technique, typically facilitated in workshops with a multi-disciplinary team. Less formal than HAZOP but broader in scope — used to capture hazards across all project phases including construction, commissioning, operation, and decommissioning. Produces an initial hazard register for further analysis.

Bow-Tie Analysis

Visual | Communication | All industries

Combines fault tree analysis (threats on the left) with event tree analysis (consequences on the right). The central "knot" is the top event. Prevention barriers sit on the left; mitigation barriers on the right. Each barrier maps to one or more safety requirements. Excellent for communicating risk structure to non-specialists and for visualising defence-in-depth.

Key principle: Every output from hazard analysis — whether a HAZOP action, an FMEA recommended change, or an FTA cut-set — must be captured as a traceable requirement. If a hazard analysis finding does not result in a requirement, it has not been addressed. Learn about hazard logs and how they track these outputs.

4. The Safety Lifecycle

IEC 61508 established the concept of the safety lifecycle — a structured sequence of phases that governs the development, operation, and decommissioning of safety-related systems. The fundamental principle is that safety must be managed throughout the entire lifecycle, not added as an afterthought.

The safety lifecycle includes three interrelated sub-lifecycles:

  • Overall safety lifecycle — from concept through hazard analysis, requirements, design, installation, validation, operation, modification, and decommissioning.
  • E/E/PE system safety lifecycle — covers the development of electrical, electronic, and programmable electronic systems that implement safety functions.
  • Software safety lifecycle — covers the development of software within safety-related systems, with rigour determined by the Safety Integrity Level.
1 Concept & Scope
2 Hazard & Risk Analysis
3 Safety Requirements
4 Allocation
5 Design & Build
6 Verification
7 Validation
8 Operation & Maintenance

Safety Integrity Levels (SIL)

IEC 61508 defines four Safety Integrity Levels (SIL 1 through SIL 4), where SIL 4 represents the highest integrity and the most stringent development and verification requirements. The SIL determines:

  • The rigour of the requirements specification process
  • The verification methods required (e.g., formal methods may be mandatory at SIL 3-4)
  • The level of independence required for verification and validation
  • The degree of documentation and traceability evidence

IEC 61508 mandates bidirectional traceability throughout the safety lifecycle — backward traceability (every implementation decision justified by a requirement) and forward traceability (every requirement has corresponding verification evidence).

Learn more: For a detailed explanation of Safety Integrity Levels and how to determine the right SIL for a safety function, see our article on Safety Integrity Levels.

5. Building a Safety Case

A safety case is a structured argument, supported by evidence, that a system is acceptably safe for its intended use in its intended environment. It is the document that brings together hazard analysis, safety requirements, verification evidence, and risk acceptance decisions into a single coherent argument.

There are two broad approaches to constructing a safety case:

Prescriptive approach

Safety is demonstrated by showing compliance with a prescribed standard. The standard defines what must be done — the developer follows the rules and provides evidence of compliance. This approach is common in:

  • Aviation — DO-178C defines objectives that must be met at each Design Assurance Level. Compliance with the objectives constitutes the safety argument.
  • Automotive — ISO 26262 prescribes a safety lifecycle with specific work products and methods required at each ASIL.

Goal-based approach

The developer constructs their own argument for why the system is safe, rather than following a checklist. The argument is structured using techniques such as Goal Structuring Notation (GSN), which breaks the top-level safety claim into sub-goals, strategies, and evidence. This approach is common in:

  • UK rail — EN 50129 requires a safety case built around a structured argument, assessed by an Independent Safety Assessor (ISA).
  • UK nuclear — operators must present a safety case demonstrating acceptable risk, based on the ALARP (As Low As Reasonably Practicable) principle.
  • UK offshore oil and gas — the Safety Case Regulations (post-Piper Alpha disaster) require operators to construct a safety case for each installation.

Key principle: Regardless of approach, the safety case is only as strong as the traceability chain underneath it. If you cannot trace from a hazard to its safety requirements, through to design decisions, and on to verification evidence — the safety case has a gap. See our guide on requirements traceability.

6. Safety Requirements Verification and Acceptance

Every safety requirement must be verified — that is, proven through objective evidence to have been met. The four recognised verification methods (IADT) apply to safety requirements just as they do to all system requirements:

  • Inspection — visual examination of a work product. Used for physical characteristics, labelling, wiring, and documentation completeness.
  • Analysis — mathematical models, simulations, or analytical calculations. Used when physical testing is impractical (e.g., structural integrity under extreme loads, MTBF predictions).
  • Demonstration — operating the system to show it works as required, without detailed measurement. Used for functional capabilities visible to the observer.
  • Test — exercising the system under controlled conditions with measured results compared to acceptance criteria. The most rigorous method, used when quantitative evidence is required.

Independent verification

Safety-critical systems typically require independent verification — the verification must be performed or reviewed by a person or organisation independent of the development team. The level of independence depends on the Safety Integrity Level:

  • SIL 1-2: Verification may be performed by a different person within the same team.
  • SIL 3-4: Verification should be performed by an independent department or an external organisation.

Key roles in safety verification include the Independent Safety Assessor (ISA) in rail, the Designated Engineering Representative (DER) in aviation, and the Notified Body in medical devices under the EU MDR.

Acceptance criteria

Every safety requirement must have measurable, unambiguous acceptance criteria defined during requirements analysis — not left until the test phase. A requirement like "the system shall be safe" is not verifiable. A requirement like "the emergency stop shall halt all moving parts within 0.5 seconds of activation" has clear acceptance criteria that can be tested.

Learn more: For guidance on writing verifiable requirements with clear acceptance criteria, see our guide on how to write good requirements and the verification vs validation section.

7. Managing Safety Risk: Assumptions, Constraints, and Dependencies

Safety risk does not sit only in identified hazards. A significant portion of residual risk lives in the assumptions, constraints, and dependencies (ACDs) that underpin the safety argument. Open ACDs represent unresolved safety risk — and must be actively managed throughout the project lifecycle.

Assumptions

An assumption is a factor believed to be true but not yet confirmed. In a safety context, assumptions are particularly dangerous because safety requirements derived under a false assumption may be invalid.

Example: "The operating environment temperature will not exceed 50°C." If this assumption is later found to be false, every safety requirement derived under it must be reassessed. Material properties, cooling system capacity, and sensor accuracy may all be affected.

Constraints

A constraint is an imposed limitation on the design or implementation. In safety, constraints may prevent the use of preferred hazard controls, forcing reliance on lower-tier controls in the hierarchy.

Example: "Existing track geometry cannot be modified." This constraint may prevent elimination of a hazard through redesign, requiring engineering controls or operational procedures instead — a less effective mitigation that must be justified in the safety case.

Dependencies

A dependency is a reliance on another party, system, or condition. In safety, an unmet dependency means a safety function may not work as intended.

Example: "The signalling system depends on the telecommunications provider's network availability of 99.99%." If the dependency is not met, the safety function fails. Each dependency should generate a safety requirement on the interface — and should be tracked to closure.

Key principle: ACDs form part of the safety case and must be tracked, reported, and closed. An open assumption is an unvalidated basis for a safety claim. An unmet dependency is an unmitigated risk. Learn about ACD registers in requirements management.

8. Safety Standards Across Industries

Different industries have developed their own safety standards, but most are derived from or aligned with IEC 61508 as the foundational standard for functional safety. Each standard defines how safety requirements must be identified, specified, and verified — with varying levels of rigour depending on the safety classification.

Standard Industry Safety Classification Key Requirements Concept
IEC 61508 General / Industrial SIL 1–4 The foundational functional safety standard. Defines the safety lifecycle, mandates bidirectional traceability, and requires a safety requirements specification (SRS). All sector-specific standards below derive from or align with IEC 61508.
MIL-STD-882E Defence Severity (Catastrophic to Negligible) × Probability (Frequent to Improbable) Seven-step system safety process with a hazard tracking system. Defines a precedence of controls mirroring the hierarchy of controls. Requires hazard analysis throughout the system lifecycle.
EN 50126 / 50128 / 50129 Railway SIL 0–4 The CENELEC suite covers RAMS (Reliability, Availability, Maintainability, Safety). EN 50126 defines the RAMS lifecycle; EN 50128 covers software; EN 50129 requires a goal-based safety case with independent assessment. Read about RAMS and safety.
ISO 26262 Automotive ASIL A–D Defines a complete functional safety lifecycle for road vehicles. Requires Hazard Analysis and Risk Assessment (HARA), safety goals, a functional safety concept, and technical safety requirements allocated across hardware and software.
DO-178C Aviation DAL A–E Objectives-based standard for airborne software. Defines objectives for planning, development, and verification at each Design Assurance Level. Compliance with objectives constitutes the safety argument.
ISO 14971 Medical Devices Risk acceptability matrix Defines the risk management process for medical devices: risk analysis, risk evaluation, risk control, and residual risk assessment. Works alongside IEC 62304 (software lifecycle) and ISO 13485 (quality management).

Industry detail: For specific statistics and challenges across these industries — including defence, rail, energy, healthcare, automotive, and more — see our About page with industry-specific data.

9. The Hierarchy of Controls

The hierarchy of controls is a framework for selecting hazard mitigation measures in order of effectiveness. The most effective controls eliminate the hazard entirely; the least effective rely on human behaviour. MIL-STD-882E's "system safety design order of precedence" mirrors this hierarchy.

The key insight for requirements engineers: each control measure must be expressed as a verifiable safety requirement. The hierarchy tells you what kind of control to prefer; requirements engineering tells you how to specify and verify that control.

  • 1. Elimination — Remove the hazard entirely Example requirement: "The system shall not use mercury-based components in any assembly."
  • 2. Substitution — Replace with something less hazardous Example requirement: "The system shall use water-based coolant in place of glycol-based coolant in all operator-accessible circuits."
  • 3. Engineering Controls — Isolate people from the hazard Example requirement: "The system shall include a physical guard preventing operator access to moving parts during operation. The guard shall be interlocked such that the machine cannot operate when the guard is open."
  • 4. Administrative Controls — Change the way people work Example requirement: "The operating procedure shall require lockout/tagout before any maintenance activity on the drive system."
  • 5. PPE — Protect the individual (least effective) Example requirement: "The operator shall wear heat-resistant gloves rated to 250°C when performing manual valve operations on the steam circuit."

Key principle: If your safety case relies primarily on administrative controls or PPE, you must justify in the safety case why higher-level controls were not reasonably practicable. Auditors and safety assessors will challenge the choice. The requirement — and the justification — must be documented and traceable.

10. Why Requirements Management Is Foundational to Safety

Every concept covered in this guide — hazard identification, the safety lifecycle, safety cases, verification, ACDs, and the hierarchy of controls — depends on the same thing: traceable, verifiable, managed requirements.

  • Every hazard identification method produces outputs that must become traceable safety requirements.
  • The safety lifecycle mandates bidirectional traceability from hazard through to verification evidence.
  • The safety case is an argument built on evidence — and that evidence is structured around requirements and their verification.
  • Assumptions, constraints, and dependencies are risk items that attach to requirements and must be tracked to closure.
  • Regulatory audits and independent safety assessments depend on being able to follow the unbroken thread from hazard to requirement to evidence.

Reqi provides the requirements management infrastructure that supports this. It is not a safety tool — it is the foundational layer that makes safety requirements traceable, compliance visible, and risk items auditable across your supply chain. Learn how Reqi works across regulated industries.

See It in Action

Watch how safety hazards are identified and managed within a requirements management workflow.

Start Managing Safety Requirements

Create a free project and see how Reqi brings traceability and compliance visibility to safety-critical requirements across your supply chain.

Get Started Free