Thank You Sponsors, Exhibitors, & Partners! - System Safety Society


Thank You Sponsors, Exhibitors, & Partners!

                                              Advertisement Page   Booth Location
Corporate Sponsor
  Sikorsky Aircraft Corporation                        8                14
Gold Sponsors
  A-P-T Research, Inc                                  6                 4
  Boeing                                               4                10
  Lockheed Martin                                     20                11
  Lockheed Martin Aeronautics Company                  3                 3
Silver Sponsors
  Atlantic Software Technologies, Inc                 29                13
  Bastion Technologies, Inc                           33                 3
  Isograph, Inc                                       49                 2
  University of Maryland                              47                12
Exhibitors
  Advanced Logistics Development                      39                15
  Board of Certified Safety Professionals             24                 8
  Electric Power Research Institute                   44                 9
  International System Safety Society                 51                 7
  MathWorks, Inc                                      36                 5
Partner
  The Institute of Engineering and Technology
System Safety Society • P.O. Box 70, Unionville, VA 22567-0070 USA • www.system-safety.org
Cover images courtesy of Greater Boston Convention & Visitors Bureau. Designed and published by A-P-T Research, Inc. Publications.
Paper Presentations • Tutorials • Panel Discussions • Just In Time Sessions

Things to Do in Boston
Freedom Trail, Fenway Park, New England Aquarium, Museum of Science, Boston Common, Paul Revere House, Samuel Adams Brewery, Museum of Fine Arts, Boston Harbor Islands, Faneuil Hall Marketplace

ISSC 2013 Program
Hotel floor plan labels: Opening Ceremony/General Meeting/Lunches; Registration; Reception/Exhibitor Area; Atrium Area; Restaurant; Simmons; Boston Univ.; Ballroom Foyer
Contents
General Information ................ 2
Greetings .......................... 5
Speakers .......................... 10
Schedule .......................... 12
Tutorials ......................... 21
Panel Discussions/Forums .......... 26
Workshops ......................... 26
Paper Presentations ............... 30
Special Functions ................. 50
About the System Safety Society ... 52

Organizing Committee
Conference Chair: Pam Alte
Sponsor/Exhibitor Chair: Lindsey Eirich
International Chair: Bob Fletcher
Financial Chair: Cathy Carter
Off-Site Events: Alan Oliver

The following volunteers contributed to the success of the conference.

Pam Alte, 31st ISSC Chair
General Information

Registration Desk: All 31st ISSC attendees, including sponsors and exhibitors, must register at the registration desk located on the 4th Floor. Registered attendees will receive badges, which should be displayed while in any ISSC area (including luncheons). Once a badge is issued, it is the responsibility of the registrant to ensure that it is not lost. Sponsors may change the names on their badges as often as they want, but the old badge must be turned in to receive a new one.

Special Events: Spouses or exhibitors may purchase tickets for luncheons or the off-site event at the registration desk up to 24 hours prior to the event. Tickets for the Wednesday night off-site event at the Museum of Science are $90.00 for adults or $55.00 for children. Tickets to the luncheons on Tuesday, Wednesday, and Thursday are $45.00 per lunch for any attendee. Spouses and guests are welcome to attend the Tuesday evening Sponsor and Exhibitor social free of charge.

Internet: Internet access will not be provided in the conference rooms. However, should you require internet access during the conference, complimentary wireless is available in the lobby and other public areas. Internet options are also available to each guest in their room.

Transportation: The Marriott Copley Place is located 3.2 miles from the airport. The subway fare (one way) is $2.50, and the estimated taxi fare is $35.00. While rental cars are available, parking costs in Boston tend to be pricey. Alternative means of getting around include taxis, the subway, or walking.

Tutorial Program & CEUs: The conference includes several information-packed tutorials in addition to the papers being presented. Attending tutorials, along with other elements of the Technical Program at the 31st ISSC, meets the requirements for Continuance of Certification credit through the Board of Certified Safety Professionals (BCSP). Continuing Education Units (CEUs) will be issued for participation in the conference tutorials. You must be present for the entire tutorial in order to be granted the CEUs. Attendance will be taken at the start of the tutorial and after each break, and you must be present at the end to collect your certificate. CEUs are issued on the basis of 0.1 CEU per instructional contact hour.

Dress Code: We want you to feel comfortable while you are attending the 31st ISSC, so we advise ‘business casual’ attire. The awards ceremony, which is part of the Thursday luncheon, is a time when many attendees will dress in more formal business attire. The Tuesday night Sponsor and Exhibitor social and the Wednesday night off-site event are also business casual dress.

Daily News: The ISSC Daily News will be available at 7:30 each morning, both at the registration desk and in the Sponsor/Exhibitor area. It will announce any room changes, schedule changes, or other information pertinent to the proceedings of the conference.

Spousal Program: There are no tours provided by the ISSC for spouses this year. However, there is an information session to be held on Monday. Brochures will be made available, along with maps and ideas of attractions to visit. If a spouse is unable to attend this information session, the hotel concierges can answer questions about local attractions, how to use the subway, available tours, or dining suggestions.

Wednesday Night Off-Site Event: Bus transportation will leave the Marriott Copley Place starting at 6:00pm and bring attendees to the Museum of Science. The ISSC will have the Blue Wing reserved from 6:30pm to 10:30pm, with a private lightning demonstration in the Theater of Electricity, a buffet dinner, and a cash bar. Spousal/guest tickets can be bought at the registration desk up until 24 hours before the event; however, to ensure a smoothly-run event we encourage you to purchase extra tickets when you register. This is sure to be an event you won’t want to miss!
Program ISSC2013
Safety is paramount. That’s why at Lockheed Martin, safety is designed into everything we do. Our system safety engineers follow proven government and industry standards, plans, processes and lessons learned to build the world’s most safe, supportable and technologically advanced aircraft.
Lockheed Martin is proud to sponsor this year’s International System Safety Conference and applauds its mission to ensure system safety for the long run.
www.lockheedmartin.com
Greetings From the Society President

As the newly elected Society President, I want to welcome you to the 31st International System Safety Conference. I have been working in system safety since 1985 and I find this to be a rewarding and exciting career field. What I have liked most about the field is the fact that I find every new assignment involves working with new and varied types of systems. I love the challenge, and I appreciate that I am fortunate to have a job where my work makes a difference in the safety of our systems. We as System Safety Professionals have the unique privilege of impacting our society in such a positive way.
This year marks the Golden Anniversary of our society and we trust this year’s conference will live up to your expectations. We have come a long way since the early days of this society. Technology has transitioned from vacuum tubes to liquid crystal displays, launching unmanned satellites to commercial space flights, computers the size of a room to tablets with more and more capability daily. Some of our founding members will be in attendance at this conference and they will be participating in our opening session. I know I am looking forward to hearing from them and their unique challenges.
I am also looking forward to hearing about the unique challenges we face with the latest in technology in our society. The impact of new technology on society, and the motivation to trust more of our safety critical applications to the latest in today’s innovations, creates ever steeper challenges for us. This conference helps us to meet the challenge. We have outstanding technical sessions, world leading safety professionals in attendance, opportunities to network, and opportunities to find solutions to our everyday safety dilemmas.
Our Conference Chair, Pam Alte, and her team have done an outstanding job in putting together this conference. We have a number of interesting technical tracks at this conference. Our speakers include some of the biggest names in the field. Our sponsors are among the best in the industry and clearly we value their contributions to making our world a safer place.
So thank you for coming to this conference. I hope you are looking forward to the opportunities we have in the coming week as much as I am.
Robert A. Schmedake President, System Safety Society
System Safety Engineering & Analysis
Phone: 256.327.3373 Fax: 256.837.7786 www.apt-research.com
Founded in 1990, APT (Analysis, Planning, Test) is an employee-owned, small business located in Cummings Research Park near Redstone Arsenal in Huntsville, Alabama. Our corporate vision is to provide state-of-the-art expertise and ensure the highest levels of customer satisfaction.
Photo: Missile Defense Agency
Greetings From the Chapter President

Hear ye, hear ye, welcome to Boston for the 31st International System Safety Conference! Boston is the largest city in New England and one of the oldest in the United States. No hiding in your hotel – get out and enjoy the city’s history where key events of the American Revolution took place, including the Boston Massacre and the Boston Tea Party. For fun and entertainment, visit the Samuel Adams brewery and Bull & Finch pub (from Cheers!). We are all Red Sox fans this week, so feel free to visit Fenway Park or view the city from atop the John Hancock or Prudential buildings. Boston has a red brick trail through the city that leads you past many of the historical locations – it’s called the Freedom Trail. Walking this path brings you from the Boston Common past locations including Granary Burying Ground, the Boston Massacre site, Faneuil Hall, Paul Revere’s house, Old North Church, and then across the Charles River to the Bunker Hill Monument and USS Constitution!
The Northeast Chapter and SSS Executive Committee (EC) have worked hard with this year’s Conference Chair, Pam Alte. If you run into Pam, make sure you stop and thank her for the volunteer hours and effort she has poured into this conference. The economy is providing challenges to pull together a successful conference, but Pam with the EC’s support has been more than up to the task.
“Safety For The Long Run” is such a poignant theme for this year’s Boston conference, with the Boston Marathon bombings bringing safety to the forefront. Other recent events, such as aviation, train and industrial accidents have sharpened the focus on how critical the safety discipline is in all our lives. For the conference, we are all challenged to learn something new. I ask that all attendees stay engaged with the conference papers and presentations, and to promote the system safety discipline.
Scott Beecher President Northeast Chapter System Safety Society
multiple missions. It’s dependable and durable, and I have complete confidence in its proven performance. Sikorsky not only sets the standard for rotorcraft excellence and safety, they exceed it. It’s evident in everything from the reliable performance of my BLACK HAWK to the way they support me in the field. There’s simply no better helicopter for any requirement, whether it’s utility, combat search and rescue, or firefighting. The way I see it, not every pilot gets to fly in a helicopter this good. But they should.
Sikorsky.
Greetings From the Conference Chair

On behalf of the entire ISSC planning committee, I would like to extend a warm welcome to you. We have worked hard to make this conference a world-class success. Whether this is your first visit to Boston, or you have been here before, I hope you get a chance to relax and enjoy our beautiful New England city. Boston has something for everyone, from historical sites, to exciting downtown locations, sports arenas, and fabulous shopping. Our off-site event will be held in the Museum of Science, complete with Wolfgang Puck catering, and our own private Lightning Show.
The System Safety Society is proud to host an annual conference that provides practitioners from different industries a chance to get together, network and learn from each other. Unfortunately, the US budget sequestration restricted travel for Government workers so our numbers are down this year. I would like to assure all attendees that although this year’s conference will be smaller than previous years, the standards to which we held our papers and tutorials were not lowered. You can expect top notch presentations.
The theme for this year’s conference, Safety for the Long Run, picks up on a number of parallels between the types of things one might do to prepare for a marathon race, and elements of an effective system safety program. These include the importance of proper training, having a well thought out plan, getting off to a good start, avoiding obstacles and distractions, and keeping enough in reserve for a successful sprint to the finish. I think you will agree that this year’s conference will help prepare you well.
One of our objectives was to try to attract more young people who could especially benefit from the knowledge and experience of many of the Society’s “grey beards.” We will have several student members in attendance, and I hope you will join me in making them feel welcome. I am also pleased to announce this year we will have a new track: lifecycle safety. These papers will discuss system safety as it moves past the development stage, which is where the majority of our previous discussions have stopped. In addition to our many papers and tutorials being offered, there is the potential for “Just in Time” sessions to be held. A board for suggesting topics you would like to have added to discussions will be located at the registration desk, or you can coordinate with Norm Gauthier, one of our Technical Co-Chairs.
We wish you an enjoyable and enlightening conference experience. Should there be anything you require to make your conference experience better, please don’t hesitate to reach out to me, Cliff Parizo, or any of the other Conference Committee volunteers.
Again, enjoy your visit and thank you for your support by being here. I would also like to send a big thank you to those who helped plan this conference, our sponsors & exhibitors, and especially to Sikorsky Aircraft for partnering with us to make this conference a reality.
Sincerely, Pam Alte 31st ISSC Conference Chair
Speakers

Rex B. Gordon, MPH, PE, CSP; Fellow Member Emeritus, Opening Ceremonies 50th Celebration Speaker

Rex Gordon is a 50 year Charter Member, and current Historian, of the System Safety Society. He is a past President and Editor of the Journal. He served as Chairman of the 2nd ISSC, and of both the Northeast and Southern California Chapters. He has represented the Society on the boards of the Reliability and Maintainability Symposium (RAMS) and Certified Safety Professionals (CSP). He is a Chapter Member and past Chairman of the Government Electronic Industries Association (GEIA) G-48 System Safety Committee. He has co-authored two text books and over 15 published papers. He has lectured at the George Washington University and USC. He has represented the Society at functions held in the White House, the Pentagon, in Germany, Holland, and Paris.
He is retired after 40 years of employment as a System Safety Engineering Specialist, Manager, and Consultant. He currently lives with his wife of 61 years in Fallbrook, CA.
James P. Keller, Jr., M.S., ECRI Institute, Keynote Speaker

As Vice President, Health Technology Evaluation and Safety, James Keller directs ECRI Institute’s internationally recognized Health Devices Evaluation Program that provides independent judgment and guidance to help hospitals and health systems select and manage medical devices. The program was referred to by the New York Times as the “country’s most respected laboratory for testing of medical products.” He serves as a member of ECRI Institute’s Executive Committee, which is responsible for overall governance of ECRI Institute operations.
Mr. Keller is also responsible for the Health Devices Alerts notification service for medical product hazards and recalls; Alerts Tracker, a web-based tool for managing hazards and recalls of medical products; Biomedical Benchmark, a resource to help hospitals manage their medical equipment service activities; an annual series of interactive webinars on health technology issues; and the International Medical Device Problem Reporting System.
Mr. Keller is a recognized expert and frequently invited speaker on a wide range of health technology-related topics including patient safety, equipment management, strategic planning and forecasting, device utilization, nomenclature and asset management, and the convergence of medical devices and information systems. He is a regular contributor to ECRI Institute’s Patient Safety Blog and is routinely sought out by the news media for his expertise on a variety of health technology concerns.
Mr. Keller is President of the board for the American College of Clinical Engineering and is a member of the board for the Health Technology Foundation. He joined ECRI Institute in 1984 after completing a Master of Science degree in biological engineering from the University of Connecticut and a Bachelor of Science degree in zoology from the University of Massachusetts.
Dr. Nancy Leveson, Massachusetts Institute of Technology, Sponsor & Exhibitor Luncheon Speaker
Dr. Leveson holds a Ph.D. from UCLA. She was a Computer Science professor at the University of California, then became Boeing Professor of Computer Science and Engineering at the University of Washington.
Professor Leveson’s research focuses on topics related to the design of complex systems containing software, hardware, and human components. Her goal is to stretch current limits of complexity and intellectual manageability of the systems we can build with reasonable resources and with confidence in their expected behavior, particularly safety. Current research topics include model-based system and software engineering, system and software safety, software requirements specification and analysis, human-computer interaction, reusable component-based system architectures, interactive visualization, human-centered system design, and comprehensive approaches to risk management that include the organizational, political, managerial, and social aspects of system construction and operation. New work is starting in security. Current applications include space, aircraft, autos, rail systems, nuclear power, medical devices, hospital safety, defense systems, and others.
Dr. John McDermid, The University of York, U.K., International Luncheon Speaker

Professor John A. McDermid has been Professor of Software Engineering at the University of York since 1987, where he runs the High Integrity Systems Engineering (HISE) research group. He was also Head of the Department of Computer Science from 2006 to 2012. The HISE research group studies a broad range of issues mainly in systems, software and safety engineering, and works closely with the UK aerospace industry, but has worked in a number of domains including automotive, medical and railways.
In 2010, he was appointed a Consulting Professor at Beijing Jiaotong University (BJTU), and now runs a collaborative research programme in railway safety with BJTU, known as the Railway Safety Technology Research Centre (RSTRC). He has extensive experience as a consultant, including advising the Ministry of Defence (MoD) on the development of DS 00-56 Issues 3 and 4. He is a member of the UK Defence Scientific Advisory Council. He is author or editor of six books, and has published approximately 360 papers.
Schedule: Monday, 12 August

4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers’ Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Rooms: Salons A-E, Berkley, Clarendon

8:00 - 8:50
  Hazard Analysis (Barondes): Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models (Wind, Schedl, Floetzer)
  Ground Transportation (Millin): Achieving Safety Confidence of a Large Scale System Product and its Applications (Shi)
9:00 - 9:50
  Identification of Safety Critical System, Hardware, and Software Requirements Using Fault Trees (Rainey)
  Failure Logic Automata for Future Oriented Safety Assessment of Train Control System (Zhou, Zhao)
10:30 - 11:20
  The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment (Jaradat, Graydon, Bate)
  Are We Ready for Driverless Cars? (West)
Lunch Break, Salons A-E
Opening Ceremonies / General Session
  Opening Ceremonies 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP; Fellow Member Emeritus
  Keynote Speaker: James P. Keller, Jr., M.S., ECRI Institute
2:30 - 3:20 and 4:00 - 4:50
  Tutorial: Hands-On System Safety Basics, Focused On FHA (Winkelbauer, Schedl; 3 hrs)
  Tutorial: Introduction to Fault Tree Analysis Using CAFTA Software (Roy; 3 hrs)
  Committee & Group Meetings
Schedule: Tuesday, 13 August

4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers’ Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Rooms: Arlington, Berkley, Clarendon, Dartmouth

8:00 - 8:50
  Tutorial: A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique (Leveson, Thomas; 6 hrs, continues after lunch)
  Hazard/Risk Management (Parizo)
  Workplace Safety (Kondreck): Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef’s Uniforms Against Thermal Hazards in the Kitchen (Zhang, Batcheller, McQueen)
  Open Forum (Fletcher)
9:00 - 9:50
  National Aerospace Standard 411 Update (Sheehan)
  A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources (Fischer, Yankaskas, Page)
10:30 - 11:20
  System Safety Design for Safe Operation of Radars (Bartos)
Sponsor & Exhibitor Luncheon, Salons A-E
  Guest Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology
  Menu: New England Clam Chowder; Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction; Key Lime Tart in a Hazelnut Crust, Blackberry Pate de Fruit
1:30 - 2:20
  Tutorial (continued)
  Dependability Techniques Applied to Space Software - A Research Project Report (Lahoz, Abdala)
  Aerospace Safety (Kraemer): Systems-Based Approach to Flight Safety Management in Airlines (Chi, Xu, Qi, Shao)
  Software Safety (Schmedake): Safety and/vs. Security: Towards a System Engineering Approach for Trust? (Schoitsch)
2:30 - 3:20
  The Principles of Software Safety Assurance (Hawkins, Habli, Kelly)
  Use of Master Minimum Equipment List (MMEL) To Ensure Safe Dispatch (Durmaz)
  Anatomy of a Safety Critical Software Function (Church)
4:00 - 4:50
  Formal Modelling in the Development of Dependable Systems (Troubitsyna)
  Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics (Campbell)
  Software Risk: The Third Rail of Safety Analysis (Hildreth, Elcock)
6:30 - 8:30
  Sponsor and Exhibitor social (see General Information)

Concurrent tutorials, workshops and meetings (3-hour blocks):
  Tutorial: Assurance Cases As Means of Evidence Based Development of Critical Systems (Despotou; 3 hrs)
  Tutorial: Practical Generation of Safety Cases With the Help of GSN (Gerstinger, Schedl; 3 hrs)
  Committee & Group Meetings
  Workshop: Application of System Safety Methods to Systems of Systems (Joyce, Debouk, Vergara; 3 hrs)
  Workshop: Advancing Safety By Reducing Errors: A Fresh Approach (Autrey; 3 hrs)
  Tutorial: Improving Safety Management by Using a Risk Management Policy in Your Daily Operations (Fitzgerald; 3 hrs)
  Committee & Group Meetings (continued)
Schedule: Wednesday, 14 August

4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers’ Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Rooms: Arlington, Berkley, Clarendon, Dartmouth

8:00 - 8:50
  Sessions: Human Factors (Robins); Public Safety (Fletcher); Lifecycle Safety (Swallom)
  The Study on the Accident Causation Rule of Macroscopic Accidents in China (Zeng, Luo, Tian)
  Exxon Valdez: Human Error, Plain and Simple (Barondes)
  Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity (Zheleznov)
  Development of a System Safety Case for Automotive Electric/Electronic Systems (Sundaram, Hartfelder)
9:00 - 9:50
  Research on Evaluation Index and Method of CRM Dynamic Training (Wang, Liu, Bai, Liu, Guo, Guo)
10:30 - 11:20
  Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems (Vernacchia, Green, Llaneras)
  Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation (Smirnov, Yurkov, Syagin, Koshina)
  Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes (Laabs, Allison, Russell)
  Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events (Garvey, Joglar, Collins)
International Luncheon, Salons A-E
  Guest Speaker: Dr. John McDermid, The University of York, UK
  Menu: Asian Inspired Salad; Teriyaki Chicken, Coconut Rice, Seared Bok Choy; Triple Chocolate Tower: White, Dark, and Milk Chocolate Mousse Towering atop Devil’s Food Cake, Ganache, and Berry Sauce
1:30 - 2:20
  Workshop
  Safety Topics (Gauthier): Introducing Safety Assurance Influenced Design of Health IT Systems (Despotou, Luckcuck, Kelly, Jones)
  Risk Assessment (Karedes): Quantitative Risk Assessment in Aviation Safety Risk Management (Hewitt, Pham)
  Tutorial: Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System (Behnke, Damstra, Villhauer; 2 hrs)
  Tutorial: Where Hard Meets SOFT: Human Factors Role In System Safety Engineering (Brisbois; 2 hrs)
  Workshop: Aircraft Fire & Explosion – How Safe are the Friendly Skies (Moussa)
  Tutorial: Using Risk Profiles for Safety Management of Large Scale Operations (Fitzgerald; 3 hrs)
  G-48 Meeting (continued)
2:30 - 3:20
  How Complex Systems Fail-I: Decomposition of the Failure Histogram (Zito)
4:00 - 4:50
6:00 - 10:00
  Wolfgang Puck Dinner and Lightning Show at the Museum of Science

Concurrent morning sessions:
  Tutorial: Why You Should Care About the “-Ilities”! (Southwick; 3 hrs)
  G-48 Meeting
sCheDUle thUrSday, 15 aUGUSt 4th Floor: 8:00 - 5:00 Registration Simmons Room: 6:30 - 8:00 Speakers’ Breakfast Regis Room: 8:00 - 5:00 Presenter Prep
Rooms: Berkeley, Clarendon, Dartmouth
8:00 - 8:50
Berkeley: Space Systems (Durmaz)
Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy Dang, Moran, Jackson
Clarendon: Weapons Safety (Southwick)
Security Critical Software — the Necessary Frontline Defense of System Safety in Today’s Dangerous Nuclear Age Alborzi
Dartmouth: Hazard Identification (Oliver)
9:00 - 9:50
Tailoring of MIL-STD-882E for Space Systems Acquisitions McDougall, Jackson
Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics Adams, Tomasello
Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods Myklebust
10:30 - 11:20
Cryogenic Safety for Space Launch Vehicles During Ground Operations Iyengar
A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects Pham, Sivapragasam
Design With Safety Eye Erdem, Aydin
Awards Luncheon, Salons A-E. Menu: Caesar Salad, Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato Pesto, Butter Sauce, White Chocolate and Blood Orange Torte
1:30 - 2:20
Berkeley: Aerospace Software (Beecher)
Making the Implicit Explicit: Towards an Assurance Case for DO-178C Holloway
Clarendon: Public Safety II (Laabs)
Dartmouth: Hazard/Risk Management II (Kniess)
Towards Automatic Verification of Safety Properties in AADL System Models Björnander, Graydon, Land
2:30 - 3:20
Uncertainty and Confidence in Safety Logic Graydon
Safety in Deepwater Well Containment Operations Robins
Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events Allison, Jerdak
4:00 - 4:50
Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System Yang, Xie, Yousefi
A Taxonomic Analysis On Chinese Special Equipments “Yinhuan” in Supervision Fan, Luo, Lu
Leading Indicators in Aviation Operations Fletcher, Dokas
Program ISSC2013
Tutorial
Conceive of Modeling On Operation Mechanism of Public Safety Standardization Luo, Huang (6 hrs)
Panel
Committee & Group Meetings
2:30 - 3:20
4:00 - 4:50
Friday. Rooms: Clarendon, Dartmouth, Regis
8:00 - 8:50
Workshop: Process Safety Culture Best Practices Pearlman (2 hrs)
Best Paper 1
Lessons Learned & ISSC Staff Turn-over Meeting
8:50 - 9:30
Best Paper 2
10:00 - 10:40
10:50 - 11:30
3, 2, 1 SAFETY
System safety is paramount. It impacts our products, employees, technicians, and maintenance personnel. And safety is no accident – it is designed into everything we do. We are proud to sponsor this year’s International System Safety Conference and their mission to think outside the box when it comes to the best processes, methods, and techniques. We’re committed to delivering innovative ideas and solutions that help connect, protect, and explore our universe.
www.lockheedmartin.com/ssc
Tutorials
The conference organizers have an information-packed tutorial program planned in conjunction with the 31st ISSC. Attending tutorials, as well as other elements of the Technical Program at the 31st ISSC, meets the requirements for Continuance of Certification credit through the Board of Certified Safety Professionals (BCSP). The University of Cincinnati will issue Continuing Education Units (CEUs) for participation in the conference tutorials. CEUs are issued on the basis of 0.1 CEU per instructional contact hour. You must be present for at least 90% of the tutorial to receive CEUs and a tutorial completion certificate. Your attendance is verified via the process outlined below:
• At the start of the tutorial, you’ll clearly print your name in the attendance form exactly as you want it to appear on the certificate.
• After returning from each break during the tutorial (morning, lunch, and/or afternoon), you’ll initial the attendance form.
• You must be present at the end of the tutorial to receive your certificate and the CEUs.
If there are misspellings on the CEU certificates, please mark the corrections and give the certificate back to the instructor or leave it at the registration desk.
Monday // 08·12·13 // 8:00-11:30 // Exeter // Tutorial 0.3 CEU
Hands-On System Safety Basics, Focused on FHA
Instructors: Werner Winkelbauer; Gabriele Schedl; Safety Management Department, Frequentis AG, Vienna 1100, Austria
An overview of a generic safety process, best suited for small to medium sized projects, in relation to the project lifecycle, is given. For each major project phase the respective safety process phase, safety objectives, and necessary inputs and outputs are detailed. Some state-of-the-art analysis techniques are explained. Special emphasis is placed on the Functional Hazard Assessment, where practical guidance for a Functional Failure Modes and Effects Analysis is presented.
The content of this tutorial is based on experience from an internationally operating company.
Objective: Basic understanding of a safety process and the practical implementation of a Functional Failure Modes and Effects Analysis.
Monday // 08·12·13 // 8:00-11:30 // Fairfield // Tutorial 0.3 CEU
Introduction to Fault Tree Analysis Using CAFTA Software
Instructors: Jean Francois Roy, Nuclear Division/Risk & Safety Management Group, Electric Power Research Institute, Palo Alto, CA, USA
This tutorial will introduce Fault Tree Analysis using CAFTA Software. Attendees will first review fault tree methodology and terminology. Construction of a fault tree model in CAFTA will then follow a brief review of CAFTA’s components and symbol types. In constructing the Fault Tree model, topics covered will include projects, navigation, editing, shortcuts and how to add probabilities. An overview of basic event probability formulas, type codes and variables will be included, as well as printing and quantification processes.
Tuesday // 08·13·13 // 8:00-5:00 // Arlington // Tutorial 0.6 CEU
A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique
Instructors: Nancy G. Leveson, PhD; John Thomas, PhD; Aeronautics and Astronautics, MIT (Massachusetts Institute of Technology), Cambridge, MA, USA
STAMP is a new accident causality model that expands on the old models in order to handle the increased complexity, software, and changing human roles in today’s systems. Using STAMP as a foundation, new tools have been built for hazard analysis (STPA), accident analysis (CAST), organizational risk analysis and risk management, etc. This tutorial will concentrate on STPA. The tutorial will start with a brief introduction to STAMP and the systems approach to safety engineering. The rest of the time will be devoted to learning STPA and doing exercises. Students are encouraged to bring problems from their own research domains so that they can try this analysis method on something very relevant to their work.
STPA is being used successfully in nearly every industry. Several groups have evaluated STPA empirically by comparing its results with those of standard hazard analysis techniques. In all cases, STPA found all the hazard scenarios found by the other methods, but also found additional ones involving software, human errors, and unsafe interactions among system components. In a couple of cases where STPA and the other methods were applied to a design in which an accident had occurred (without telling the analysts), STPA was the only method that found the real accident scenario.
By the end of the tutorial, attendees will be able to apply STPA to a system in their field of expertise.
Tuesday // 08·13·13 // 8:00-11:30 // Fairfield // Tutorial 0.3 CEU
Assurance Cases as a Means of Evidence-Based Development of Critical Systems
Instructors: George Despotou, BEng, MSc, PhD, CEng, Department of Computer Science, University of York, York, United Kingdom
Often developers have the onus to defend a position (i.e. make a case) about the safety of their system. This usually involves an explanation of how the available information for a system supports the claim that risks in the system have been acceptably managed.
Safety cases have been used in the safety domain for a number of years, mostly in the defence, aerospace and energy domains. Their usefulness as a tool for improving safety has been appreciated by many practitioners, and development of a safety case is a requirement in many standards. This has resulted in the core concepts of safety cases being transferred to other domains (e.g. automotive), and being focused on other system attributes (e.g. security cases). Recently the term assurance case has been introduced, which encompasses not only safety but other relevant critical aspects of a system, such as security.
A case exists to communicate an argument. It is used to demonstrate how someone can reasonably conclude that a system is acceptably safe from the evidence available. A case is a device for communicating ideas and information, usually to a third party (e.g. a regulator). In order to do this convincingly, it must be as clear as possible. The definition of a safety case may differ between domains, but all definitions converge on a common set of characteristics.
Development of a (safety) case is a requirement in many standards. Beyond that, the usefulness of the safety case has been appreciated in industry and it is used by many organisations as good practice. The reason for this is that explicitly capturing all reasoning and information about the supported position, such as assumptions and evidence, facilitates assessing the fitness of the design to meet its (safety) objectives. A manufacturer will design a system aiming to achieve the required operational attributes. However, what is intended is often not what is achieved. Once the reasoning of the developers is explicitly documented as claims and arguments supported by evidence, the gap between what was intended and what was achieved becomes more apparent.
Explicitly documenting a case contributes towards a factual representation of the system, revealing which claims can be supported by evidence and which remain intentions (for example, because there is insufficient evidence to support them). This does not necessarily imply that the latter claims have not been implemented, but that we are unaware of their achievement because they are not sufficiently supported. There can be three reasons why a claim is not sufficiently supported: a) there is insufficient evidence to warrant the claim, b) although there is evidence, there is inadequate explanation (a problematic argument structure) of how the evidence supports the claim, and c) the claim was phrased in a way that is unsupportable.
The tutorial will describe the basic concepts of assurance and safety cases (including recent OMG standards), explain the main challenges in developing an assurance case and their relationship to safety standards (safety cases and standards serve different purposes and should be seen as complementary), and present best practice (and misconceptions) regarding assurance cases.
Tuesday // 08·13·13 // 8:00-11:30 // Suffolk // Tutorial 0.3 CEU
Practical Generation of Safety Cases with the Help of GSN
Instructors: Andreas Gerstinger; Gabriele Schedl; Safety Management Department, Frequentis AG, Vienna 1100, Austria
This tutorial will introduce you to the concept of safety cases. Safety cases are structured arguments that support the claim that a system is safe to be used for a given application in a given environment. Several standards require the production of such safety cases as a prerequisite for approval. The tutorial will highlight good and bad practices when developing safety cases and will introduce you to a notation specifically developed for the generation of safety cases, the Goal Structuring Notation (GSN). There will be practical examples which need to be solved by the attendees, so that hands-on practice and experience is gained.
Detailed outline of the tutorial:
Introduction (1h): The tutorial will start with a survey of current safety standards (IEC 61508, ISO 26262, EN 50128, DO-178C, ...) and analyse their views and requirements regarding safety cases. We will then delve into the nature of safety cases, briefly touch on their historical origins, and consider clearly what can and what can’t be expected from a safety case. Based on our practical experience we will also highlight some typical bad practices when constructing safety cases. This helps in reading them correctly and critically, and is also a helpful guideline for reviewing other safety documentation. This part of the tutorial is largely a presentation.
Goal Structuring Notation (45min): We will then introduce the main elements of the Goal Structuring Notation (GSN), which is a helpful tool for documenting safety cases. The presentation of the notation will be interleaved with brief examples, exercises and questions, so that attendees have the chance to fully understand the meaning and purpose of the various symbols. A structured method for how to proceed when drafting safety cases will also be presented. Hence, this part of the tutorial is much more interactive, requiring active participation of attendees.
Case Study (45min): A realistic case study will then be handed out. It is expected to be solved as group work (groups of 3-5 people are expected). The task of the groups will be to draft and present a sound safety argument for a given claim that the system in the case study is acceptably safe for a specific application in a given environment. GSN shall be used as the notation for this purpose. At the end, the groups present their solutions, and the advantages/disadvantages of the presented solutions are discussed. This part of the tutorial is group work.
Concluding Remarks (30min): Finally, we will offer some concluding remarks, consisting of hints on how to avoid common errors and fallacies in safety cases, show some examples of real-world safety cases, and finish with a personal conclusion.
Tuesday // 08·13·13 // 1:30-5:00 // Suffolk // Tutorial 0.3 CEU
Improving Safety Management by Using a Risk Management Policy in Your Daily Operations
Instructors: Ronald E. Fitzgerald, D.P.A., P.E., C.S.P., Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA
The focus of the tutorial is the use of risk assessment and risk management in the (non-technical) occupational safety and health profession. Domain of Interest: Hazard/Risk Management or Workplace Safety.
First hour: Review the basics of the various components of risk and the types of risk assessments. Stress that the safety and health professional needs to understand that risk is more than a simple subjective measure of severity and frequency.
Second hour: Demonstrate how to make risk assessment into a powerful management tool by customizing the assessment of risk for use in a company/ industry. Also, provide insights on how to “sell” a risk management policy/program within a company.
Third hour: A discussion of how to use risk management as a tool to aid you in your daily office or program management responsibilities: the planning, organizing, staffing, leading, and controlling of a safety program. Embedded in the discussion is how risk can provide a measure of the success of an occupational safety and health program.
Wednesday // 08·14·13 // 8:00-11:30 // Fairfield // Tutorial 0.3 CEU
Why You Should Care About the “-Ilities”!
Instructors: Alan E. Southwick, BSEE, MME, MBA, CSP, CQE, CRE, Whole Life Engineering Directorate, Raytheon Company, Integrated Defense Systems, Portsmouth, RI, USA
The topic addresses the interrelationships developed from Quality, Quality Control, and Quality Engineering, pursuing Specialty Engineering roles and relationships, including Reliability, Maintainability, Supportability, Human Factors, Safety, and Security (Information Assurance) from an overview perspective. The tutorial is designed to be somewhat interactive, presenting examples and questions to the audience related to the various topics discussed, thereby engaging participants and providing them with insights into the various disciplines and how they relate within “Specialty Engineering.”
Wednesday // 08·14·13 // 1:30-3:30 // Dartmouth // Tutorial 0.2 CEU
Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System
Instructors: Tim R. Behnke, BSEE; John Damstra, BS, Mathematical Sciences; and Eric D. Villhauer, BS, Aerospace Eng, BA, Economics; Specialty Engineering, General Atomics Aeronautical, Poway, CA, USA
The presenters share their implementation of a hazard analysis that integrates the civil aviation approach to safety analysis, per SAE ARP 4761, and the defense approach to safety analysis, per MIL-STD-882E, along with their implementation of the associated hazard tracking system in DOORS.
• Introductions - Behnke - 5 mins
• Need for System - Behnke - 5 mins
• Groundwork (historical) - Behnke - 10 mins
• Development - Damstra - 30 mins
  i. Modules
  ii. Attributes
  iii. DXLs
  iv. Views
  v. Exports
• Usage - Villhauer - 30 mins
• Questions - All - 10 mins
Wednesday // 08·14·13 // 1:30-3:30 // Exeter // Tutorial 0.2 CEU
Where Hard Meets SOFT: Human Factors Role in System Safety Engineering
Instructors: Fred W. Brisbois, CHCM, Safety, Sikorsky Aircraft, International Helicopter Safety Team, Guilford, CT, USA
The gap that allows accidents to happen is sometimes where System Safety Engineering and Human Factors don’t overlap. System Safety Engineering processes defined in MIL-STD-882 and ARP 4761 provide a structured approach to applying engineering practices to ensure safety is designed into products. These practices, coupled with robust product safety surveillance and management during the aircraft’s service life, offer opportunities to continuously raise the standards for future designs. However, to maximize the benefits of safety engineering, it is important to master the ‘art’ of how and when to integrate human factor interventions into the system design. This session will cover a generic overview of system safety engineering, aircraft fleet safety management and lessons learned from ‘human’ malfunctions that led to aircraft system design changes.
Wednesday // 08·14·13 // 1:30-5:00 // Wellesley // Tutorial 0.3 CEU
Using Risk Profiles for Safety Management of Large Scale Operations
Instructors: Ronald E. Fitzgerald, D.P.A., P.E., C.S.P., Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA
This tutorial provides safety and health professionals who work with large scale or multiple operations with a methodology to evaluate and compare these operations. The tutorial begins with a review of four types of risk which need to be assessed (People, Product, Production, and Planet). This is followed by a brief discussion of normalizing the risk components of severity and probability. The heart of the tutorial is the description of how to measure the total risk of various operations, processes, and facilities and present the resulting risk profiles to management. The tutorial will conclude with a brief discussion on the validity of the methodology used. Note: This is not a discussion on how to determine true total risk, but a simplified method using a minimum of math. The tutorial is designed for safety and health professionals working within a company that has multiple processes or facilities that compete for funding to ameliorate hazards.
Thursday // 08·15·13 // 8:00-5:00 // Exeter // Tutorial 0.6 CEU
Conceive of Modeling On Operation Mechanism of Public Safety Standardization
Instructors: Yun Luo and Yuecheng Huang, M.E., School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
On the basis of the theories and methods of system science and strategy-system, this paper revealed the operating laws of work safety standardization and the relations between all of its elements, combined with the background and current situation of public safety standardization in China. It also built the frame of the macroscopic operating mechanism and the “456” model of the work safety standardization system operation mechanism, which borrowed ideas from the execution and achievements of work safety standardization in our country. Besides, it also designed six other mechanism models, in order to carry out systematic analysis and present optimized countermeasures, such as comprehensive management by government, categorized supervision by department, implementation of responsibility by organization, technological service by agency, wide participation by society, self-disciplined prodding by all personnel and so on. The research provides some theoretical directions as well as approaches for the construction of public safety standardization and for improving its operating quality.
Panel Discussions/Forums
Tuesday // 08·13·13 // 8:00-11:30 // Dartmouth // Open Forum
Developing Global System Safety Perspectives
Moderator: Robert Ward Fletcher P.Eng.; M.Sc., PMP; PCIP, Consultant, President, Robert Fletcher System Safety, Inc.; Ottawa, Ontario, Canada
This will be a free form discussion moderated by Bob Fletcher, SSS Director of International Development. It is a continuation of the discussion started during the 30th ISSC.
Robert is a system safety engineer with many years of experience. He has performed system safety consultancy services for several clients around the world. He has performed system safety engineering and safety management systems training, auditing and analysis for air traffic control and flight service system applications. Robert has received an M.Sc. from the United States Navy Post Graduate School, a diploma from the Aerospace Systems School, Winnipeg, Manitoba, and a Bachelor of Science degree from the Royal Military College. He is a registered professional engineer, a member of the Project Management Institute, and a member of the Critical Infrastructure Institute.
Thursday // 08·15·13 // 8:00-11:30 // Suffolk // Panel
G-48 Workshop - Pressing Issues Facing System Safety
Moderator: David B. West, CSP, P.E., CHMM, Systems, Software, and Solutions Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
A panel of speakers (TBD) will give a series of presentations on the most pressing issues facing the System Safety community today.
Workshops
Tuesday // 08·13·13 // 8:00-11:30 // Exeter // Workshop
ISO 26262-Style Risk Assessment
Presenter: Jeff J. Joyce, PhD, Critical Systems Labs, Inc., Vancouver, BC, Canada
ISO 26262 is a functional safety standard for electronic control systems in road vehicles which includes a novel approach to risk assessment that overcomes the widely recognized difficulty of evaluating the likelihood of failure in the case of software-intensive systems. Although it was devised for use in the automotive domain, this approach to risk assessment has been used successfully in other technical domains that also rely on safety-critical software. Following a brief introduction to ISO 26262, participants will engage in a series of problem-solving, small-group exercises based on examples taken from a variety of technical domains including automotive, medical devices, energy and defense. The workshop will include opportunities for discussion and comparison of sample solutions. The workshop will also include a brief comparison of the ISO 26262 approach to risk assessment with the notion of software criticality in MIL-STD-882E. While this workshop will be of particular interest to system safety engineers in the automotive industry, it is intended to be relevant to system safety engineers across all technical domains with an interest in the assessment of safety risk associated with complex software-intensive systems.
Tuesday // 08·13·13 // 1:30-5:00 // Exeter // Workshop
Application of System Safety Methods to Systems of Systems
Presenters: Jeff J. Joyce, PhD, Critical Systems Labs, Inc., Vancouver, BC, Canada; Rami Debouk, Electrical and Controls Integration Lab, General Motors, Warren, MI, USA; Antonio Vergara, ITER Organization, St. Paul-lez-Durance, France
This workshop will facilitate an exchange of knowledge among participants about the application of system safety methods to Systems of Systems (SoS) – that is, systems whose components are themselves complex systems, such that the combined behavior of these components cannot be easily understood or explained in terms of the behaviors of the individual components. Examples of such systems are increasingly common across a variety of technological domains including aerospace, defense, automotive and energy generation/distribution. Traditional methods of system safety focused on component failure as a source of safety risk have limited value in understanding and managing the safety risks associated with a SoS. For example, an unforeseen interaction between two “correct” behaviors implemented by different components of a SoS may result in an unsafe behavior even in the absence of a component failure. The first part of the workshop will be a series of short presentations on SoS examples from a diverse variety of technical domains - namely, advanced road vehicles, high energy physics and aerospace/defense. The second part of the workshop will be an opportunity for all participants to address specific questions about the application of system safety methods to SoS through dialogue and impromptu mini-presentations.
Tuesday // 08·13·13 // 1:30-5:00 // Fairfield // Workshop
Advancing Safety By Reducing Errors: A Fresh Approach
Presenter: Tim Autrey, B.Sc, Error Reduction and Human Performance Enhancement, Practicing Perfection Institute, Inc., Swanzey, NH, USA
Potential hazards workers face while working in the refining and petrochemical industry can vary from minor leakage to major blasts, release of chemical vapors, spills leading to exposure to harmful gaseous chemicals, fires and explosions and smoke build-up causing shelter-in-place, impacting the local community, and personal injuries, fatalities and plant damage resulting in shutdowns. Considering time pressures, the dangerous nature of the job, weather conditions, lack of communication, poor/inadequate documentation, and remote working locations, planners, locators and refiners often face combined challenges that generate very error-likely conditions.
While unexpected releases of toxic substances do occur, the industry is subject to vulnerabilities caused by others (such as processes involving highly hazardous chemicals leading to the release of flammable liquids and gases and worker stress and fatigue) and investigations reveal that many of the major accidents that do occur could have been prevented through greater diligence on behalf of the respective personnel involved.
This workshop is designed to provide the participants with the awareness that, as humans, we are fallible (even the best people make mistakes). However, this being said, as humans we also possess the incredible power of choice. What we must do is choose to learn from our mistakes and take action to prevent their recurrence.
Bird and Germain (1996) rightly said, “What is the sense of measuring, if the loss must occur, before you can act? That is reaction, not control.” What we need is a fresh approach to enhance safe work practices. This session will instill a strong understanding of “The Gap” in processing information and how to RESPOND rather than REACT when posed with a stressful or threatening situation. The participants will come to recognize the value inherent in worker contribution to solving problems and improving safety and efficiency.
The Practicing Perfection® approach has taken the best-of-the-best tactics and tools from the US commercial nuclear power and airline industries, simplified them, and combined them with the underlying triggers and influencers of behavioral psychology to transform worker behaviors pertaining to personal and process safety in different sectors.
Using this innovative Practicing Perfection® approach, safe work practices will be discussed in depth using the four human error barrier/defense categories and how these work together to prevent or allow an event to occur. The participants will be introduced to the Error Elimination Tools™ handbook, which offers simple tools for minimizing the potential for error at points of team interaction and individual execution.
Wednesday // 08·14·13 // 1:30-3:30 // Arlington // Workshop
The Evolution of the UK Defence Safety Standards
Presenter: John McDermid, Professor of Software Engineering at the University of York, UK
Issue 5 of DS 00-56 is being developed and is likely to be in force before the end of the year. The UK’s primary defence safety standard, DS 00-56, has been in existence since mid-1990 and has undergone a number of changes, becoming more goal oriented at issue 4 (the current standard). When issue 4 was produced, DS 00-55, the MoD software safety standard, was discontinued. Since the publication of DS 00-56 Issue 4 in 2007, there has been feedback on some of the requirements, including the challenges of applying the ALARP principle; defence contracting has changed with a move towards the greater procurement of services and/or outsourcing management of facilities; and there is increasing use of Systems of Systems (SoS). Issue 5 of DS 00-56 is being developed to address these issues. At the same time, there have been increasing concerns regarding software safety and it has been decided to re-introduce DS 00-55 at the same time, albeit in a goal-based style consistent with DS 00-56, and also covering complex electronics. The tutorial will present an explanation of the motivation for the changes to the standards, the significant conceptual changes, and outline the rest of the development process. Time will be allowed for discussion, e.g. the relationship between DS 00-56 and other standards, both civil and military.
Wednesday // 08·14·13 // 1:30-3:30 // Fairfield // Workshop
Aircraft Fire & Explosion – How Safe Are the Friendly Skies
Presenter: Albert Moussa, PhD, P.E.
While commercial air travel is an extremely safe mode of transportation, aircraft fires and explosions can occasionally occur with catastrophic consequences. Using examples of recent accidents and full-scale testing, Dr. Albert Moussa will provide an overview of the main types of fires, such as those involving aircraft engine, fuel tank, cabin and cargo areas. He will show how major accidents lead to safety recommendations by the NTSB, stricter requirements by the FAA and improved practices by the industry. This process takes many years, leading eventually to safer skies. Examples of safety improvements include the use of a fire blocking layer in seats, improved acoustic insulation, fire detection and suppression systems in cargo bays and fuel tank inerting. The implications of replacing aluminum with composite materials will also be discussed. The talk is an overview of a unique professional course that he teaches annually on the design of aircraft systems for protection against fire and explosion. The talk is a multi-media presentation illustrated with colorful slides and short video clips of real accidents and computer model outputs.
Dr. Albert Moussa has spent over forty years developing a fundamental understanding of fire and explosion, particularly for the aerospace/defense industry. His work has led to the development of a number of practical solutions and quantitative models and to the investigation of several major national and international aircraft fire accidents. His forewarning about the vulnerability of aircraft fuel systems before the occurrence of the TWA800 and Concorde disasters has gained him prominence in the general media, in both the US and Europe. He has consulted for the Air Force, Navy and major firms such as Boeing, GE, Northrop Grumman and Parker Hannifin, and has served on national advisory committees and on the Editorial Board of an ASME Journal. He teaches a unique professional design course on how to protect aircraft systems against fire and explosion. He received his B.S. from Stanford University and his M.S. and Sc.D. from MIT. He has published widely, including one book. He has received several honors, including the William Littlewood Memorial Lecture Award by SAE/AIAA, Engineer of the Year by AIAA NE Section, best papers by SAE and ASEI, AIAA Distinguished Lecturer and several ASME citations. He is the Founder and Technical Director of BlazeTech Corp., an engineering firm that specializes in technology and software development in the area of energy, environment and safety.
Friday // 08·16·13 // 8:00-10:00 // Clarendon // Workshop
Process Safety Culture Best Practices
Presenter: Laurence Pearlman, MA, Corven, Inc. and University of Illinois at Urbana Champaign, Naperville, IL, USA
The workshop explores how process safety is more than a technical solution and involves cultural change. To make a successful and sustainable culture change, multiple elements need to be combined that address people, rewards, learning and leadership. This workshop will explore best practices and give practical advice on how to build a process safety culture. The workshop is aimed at Oil, Chemical and other process related work.
• Introduction
• Change as a Journey: Overview of Change Management
• Building a Business Case: Defining a Burning Platform
• Speaking of Process Safety: Creating a Common Language for Process Safety
• Leadership Matters: Defining the Role of Your Leadership Teams
• Effective Learning: Segmenting Your Audiences and Delivering Relevant Learning Activities
• Looking at Behaviors and Desired Outcomes: How To Define & Drive Behaviors
• The Employee Lens: Know My Barriers & Know My Role in Keeping Them Healthy
• Measurement of Culture: What Works and What Doesn’t
• Wrapping it Up: Change as a System
You have a lot on the line. Our adaptive Safety Management and FAA Compliance solutions won't let you down.
Adaptive SMS — The comprehensive solution for the most efficient implementation
• Easily guides users to confidentially report useful safety events
• Responsiveness shows users they made a difference
Adaptive Systems Safety Analysis — Safety-oriented system design analysis
Don't miss the Sikorsky Aircraft and AST Aerospace presentation, "Linear Integrated Safety Analysis (LISA)"
A DIVISION OF ATLANTIC SOFTWARE TECHNOLOGIES
1-732-230-2590
[email protected]
www.astaerospace.com
Paper Presentations Monday // 08·12·13 AM // Berkeley // Hazard Analysis // Chair: Barondes
Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models Lucas Wind; Dr. Gabriele Schedl; Juergen Floetzer; Safety Management Department, Frequentis AG, 1100 Vienna, Austria Multiple failures of components due to shared causes, also known as Common Cause Failures (CCF), comprise an important class of failure types. These have to be taken into account in any serious assessment of safety critical systems deploying any redundancy concept. Whereas a qualitative assessment of CCF can be regarded as common practice, the exact numerical impact of CCF is usually less widely understood. Explicit representation of CCF is quite cumbersome and usually involves complex graphical representations within Fault Trees and RBDs. Focusing on a correct derivation of RAM data rather than on a comprehensive common cause analysis, an implicit representation of CCF is therefore often preferred, but it requires in-depth knowledge of the underlying mathematical models. This paper aims to enable safety experts to make a fast, simple but effective RAM analysis including CCF. Popular CCF models are reviewed together with their advantages and disadvantages, based on the long-term experience of a supplier in the context of a large European ATM project. The single-parameter beta-factor model is explained in detail and demonstrated to be most effective for typical ATM applications. Based on this model, results are given in terms of representative figures depicting the influence of CCF on various typical real-world availability requirements.
Identification of Safety Critical System, Hardware, and Software Requirements Using Fault Trees Wes Rainey, MSEE, Life Cycle Engineering, General Dynamics Electric Boat, Groton, CT, USA Fault Trees prove to be an effective tool for identifying safety critical system, hardware, and software requirements during the Safety Requirements Hazard Analysis (SRHA) process. This safety analysis methodology offers significant benefits when performing the SRHA. Fault Trees effectively communicate the safety assessment of a safety hazard to other safety engineers, systems engineers, the customer, and other impacted engineering disciplines in a manner that each discipline can readily understand and evaluate for completeness and correctness. Fault Trees also enhance the safety engineer's ability to assess the implications of safety mishaps and events on safety hazards, improving visibility into the relationship between related mishaps and events, and allowing common events to be identified and shared between hazards. Fault Trees can then be structured to correspond to the system, hardware and software requirements analysis, thus providing the ability to identify hazard-mitigating safety critical requirements, design features, and procedures early in the development process for continued tracking and management. This paper describes significant benefits of Fault Tree analysis when applied to an SRHA, with an example based upon a hazard caused by significant equipment damage to a pump.
The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment Omar T. Jaradat, PhD Student1; Patrick J. Graydon, Postdoctoral Research Fellow1; Iain Bate2; (1) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden; (2) Department of Computer Science, University of York, York, United Kingdom Typical safety standards require software engineers to show that a plan of safety activities—chosen from recommended options or alternatives—meets a set of objectives. For example, the automotive safety standard ISO 26262 recommends formally verifying software architectures to show that they comply with safety requirements. In this paper, we show how an existing approach to architectural model checking could be used to conform to ISO 26262.
The Architecture-Based Verification Technique for AADL Specifications verifies some completeness and consistency properties of Architectural Analysis and Design Language (AADL) models. An engineer transforms the AADL architecture into a UPPAAL model, generates a set of UPPAAL queries, and uses UPPAAL to check the queries. Using the resulting evidence, we have created a partial ISO 26262 safety case for an existing system that warns drivers of heavy vehicles before low fuel causes loss of power and vehicle control.
In this paper, we demonstrate how this model-checking evidence contributes to an ISO 26262 safety case. We then critically analyze the resulting argument, recommend means of achieving complete coverage of ISO 26262 objectives, and discuss the costs and benefits of architectural model checking in comparison to those of the other techniques recommended by ISO 26262.
Monday // 08·12·13 AM // Clarendon // Ground Transportation // Chair: Millin
Achieving Confidence of a Safety Critical System Product and Its Applications Fenggang Shi, PhD, RAMS Department, Thales Canada Transportation Solutions, Toronto, ON, Canada A safety critical system product can be developed for multiple project applications, such as a Communication Based Train Control (CBTC) product for modern railway signaling systems. It is natural that different safety critical systems in the same domain can have different characteristics due to variances of devices and operation environment. Such a product must be developed based on the generic attributes of systems in the domain, and can be parameterized and tailored to a specific system with the characteristics expected by the customer. The key issues in development of such a product are defining common functions in the application domain, categorizing and generalizing devices, and designing a configurable system architecture. Thus, devices and functions can be parameterized and tailored for a specific system of a project. Safety engineering for such a safety critical system product and its applications faces complexity in safety case development for demonstrating systematic hazard analyses and management. This paper discusses Thales' experience and practice of resolving the key issues in designs and managing the complexity of safety engineering on its CBTC product and applications. Safety confidence of CBTC systems is achieved through four layers of safety engineering: vital computer, controller platform, generic application, and specific application.
Failure Logic Automata for Future Oriented Safety Assessment of Train Control System Guo Zhou, PhD Student; Huibing Zhao, Professor; School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China In the development process of a train control system, safety analysis possibly deviates from system design. System engineers and safety engineers always carry out their ideas in entirely different ways, so that when system engineers assert their designs are completed and feasible, the safety engineers may disappointedly declare that the safety requirements are not met. On the contrary, when safety engineers expose their manual analysis reports, FTA and FMECA etc., system engineers may pop up and point out the inconsistency. Intuitively, there seems to be a "gap" between system engineering and safety engineering. In this paper some comparisons amongst classic safety assessment methods are performed first. Then a future oriented safety assessment method is introduced to safety engineering to automatically realize safety requirements verification with the soaring complexity of system design. The hierarchical and modularized methodology of failure logic modeling is illustrated for minimal cut set synthesis and dangerous failure rate calculation, which can be referred to in order to prompt the safety. The mathematical model is constructed to manifest the correctness of the method. An instance analysis of an on-board train protection system is also performed.
Are We Ready for Driverless Cars? David B. West, CSP, P.E., CHMM, AMCOM/AMRDEC Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA For decades, technological advancements have continually improved the automobile, making it easier to drive. As we integrate features like adaptive cruise control, GPS navigation, lane keeping, and so on, and make them interoperable, we move ever closer to having cars that will drive themselves to the destinations we enter into their programs. Some experts have even predicted that in less than a generation, it will be illegal to steer our cars ourselves! Though it may seem that serious safety challenges constrain our movement down this path, it may actually be the safety benefits offered by driverless cars that propel us in this direction. Several high-profile competitions have fostered the development of driverless car technology. Some jurisdictions are already passing legislation to pave the way for driverless cars on public roads. With driverless cars will come major changes in legal processes involving accidents. In many ways, the development of driverless cars that will operate on public roadways parallels the development of unpiloted aircraft that will fly in the national airspace. Design standards for hardware and software in civil aircraft (e.g., RTCA DO-254/DO-178) may serve as models for similar qualification of driverless car hardware and software.
Tuesday // 08·13·13 AM // Berkeley // Hazard/Risk Management // Chair: Parizo
Safety is not an Option Clifford A. Parizo, B.S., M.S., Aviation & Product Safety, Sikorsky Aircraft Corporation, Stratford, CT, USA; R. Brandon Daugherty, B.S., M.S., Aviation & Product Safety, Sikorsky Aircraft Corporation, Huntsville, AL, USA This paper presents a method for evaluating and classifying rotorcraft safety enhancing equipment in terms of impact on safety and various equipment implementation factors. Guidance from certifying agency policy and system safety standard practice were considered, resulting in a classification tool that can be used to determine if equipment should be marketed and sold as either mandatory or optional. The methodology developed may have applications for other products and industries.
National Aerospace Standard 411 Update Timothy Sheehan, CIH, CSP, PE, Raytheon Global Substances Program, Raytheon, Portsmouth, RI, USA This paper describes the effort to review and update National Aerospace Standard 411 ("NAS 411"), commonly used within defense as a framework to conduct Hazardous Material Management Programs (HMMP) intended to reduce hazardous material risks in the government procurement of military systems. The scope of the effort includes both a review of the standard and the introduction of several key changes, including the expansion of the scope to non-military procurements and service contracts. Included in the effort is the task of developing a standardized military Hazardous Materials Target List (HMTL) that can be used as a starting point for military HMMP hazardous material (HAZMAT) target lists. The development of the common HMTL addresses the need to increase standardization of HMMP lists across defense programs that use NAS 411 and/or MIL-STD 882E Task 108 to conduct their HMMPs. There is currently no standard approach for developing these lists; as a result there are numerous different materials identified for restrictions and reporting requirements. The current situation often does not support (or reflect) the hazmat risk management goals of the DoD, the military services or the contractors.
Linear Integrated Safety Analyses (LISA) Michael T. Grant, Aviation & Product Safety, Sikorsky Aircraft Corp., Stratford, CT, USA; Samad Muhammad, Atlantic Software Technologies, Inc., New York, NY, USA This paper describes the Linear Integrated Safety Analyses (LISA) process developed by the Sikorsky Aircraft Corporation (Sikorsky). The LISA architecture is designed to encompass all aspects of safety risk management for aircraft development programs. It is linear in that each assessment is repeated at the aircraft, system and subsystem levels in sequence and it is integrated such that all analyses are connected and fully traceable to requirements. Sikorsky has partnered with Atlantic Software Technologies (AST) to develop a web-based LISA application. The end product will be a fully integrated system safety process that is comprehensive, repeatable and traceable.
Tuesday // 08·13·13 AM // Clarendon // Workspace Safety // Chair: Kondreck
Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen Han Zhang, M.Sc. Candidate; Rachel McQueen, M.S., PhD; Jane Batcheller, PhD, Human Ecology, University of Alberta, Edmonton, Alberta, Canada Burn injuries in kitchens are prevalent, and chefs are also exposed to high heat and humidity. Limited research has been performed on safety issues related to chef's uniforms regarding thermal protective performance against common kitchen thermal hazards (i.e., flames, hot liquids, steam and hot surfaces) and thermal comfort within commercial kitchens. The purpose of this research was to characterize the thermal protective performance properties of textiles used in chef's uniforms in order to understand how protective they are against all these thermal hazards in such environments. Selected thermal performance tests (i.e., flammability and ease of ignition, hot water and oil splash and steam testing under low pressure, and hot surface contact tests) were applied to predict the time to second-degree burn. Different fabric layer combinations (e.g., impermeable/semipermeable apron and two or more layers of cotton fabrics) were applied to determine the most effective way to wear chef's uniforms. In addition, thermal and water vapour resistance were compared among different fabric systems in terms of thermal comfort. Based on the data obtained from bench scale tests, recommendations were made to improve the thermal protection and thermal comfort of fabrics used in chef's uniforms and the safety within commercial kitchens.
A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources Ray Fischer1; Kurt Yankaskas, BS2; Chris Page1; (1) Noise Control Engineering, Inc., Billerica, MA, USA; (2) Warfighter Performance Department, Office of Naval Research, Arlington, VA, USA Noise remains the most prevalent occupational hazard associated with defense systems and operations critical to their sustainment. Concurrently, acquisition programs have been inconsistent in the application of control measures, and many new systems are noisier than their legacy predecessors. Common impediments to improved control include a relative lack of emphasis on risk management of noise; lack of widespread technical knowledge regarding the feasibility of noise control; and misunderstanding of the potential return on investment from noise controls. The Defense Safety Oversight Council's Acquisition and Technology Task Force sponsored a project to identify common noise sources affecting multiple defense systems that were amenable to control measures that could be implemented using existing technologies at an affordable cost. A system engineering risk management process was applied to review key noise sources in DOD; identify nine of the more common sources amenable to control technologies; and describe common control measures for these processes. An affordable containment (acoustic enclosure) technology was also evaluated and described. Estimates were made of exposed populations, the range of their occupational exposures, and the potential risk and fiscal cost of hearing loss. Cost-benefit analyses were applied to evaluate the return on investment from available control measures.
System Safety Design for Safe Operation of Radars Ronald J. Bartos, PE, CSP, Whole Life Engineering, Raytheon, Sudbury, MA, USA Safe operation and maintenance of radars depends upon effective system safety and software safety analyses of radar designs. These analyses include identification of the hazards involved in operating and maintaining radars, and the safety requirements that are necessary to mitigate these hazards. This paper familiarizes the reader with the system safety design requirements that are implemented in the controls of these systems in order to manage the potential safety risks inherent in radars. The safety features are contrasted among different types of radars. The differences in the types of safety features among these systems are highlighted and factors for these differences are presented. The radar’s mission, location, system architecture, conceptual design, and requirements allocation between hardware and software need to be understood in order to implement an effective safety program.
Tuesday // 08·13·13 PM // Berkeley // Software Engineering // Chair: Mikula
Dependability Techniques Applied to Space Software - A Research Project Report Carlos Henrique Netto Lahoz, Dr. Eng., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos (SP), Brazil; Martha Adriana Dias Abdala, M.S., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos, Brazil This work reports some results of a research project performed at the Institute of Aeronautics and Space (IAE/Brazil) using dependability techniques applied to space computer systems. Hazard analysis techniques such as Software FTA and Software FMECA were used in an integrated manner, and more recently the System-Theoretic Process Analysis (STPA) has been studied. This research is part of the Verification and Validation (V&V) efforts to increase software dependability capability in software projects at IAE.
The feasibility of such an approach was evaluated on a system software specification and applied to a case study based on the Brazilian Launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to the inclusion of new functional and non-functional system software.
The techniques are adjusted and used in combination to identify common causes of software failures, their criticality, performance problems, temporal misleading and hazards arising mainly from dysfunctional interactions between components. The SFTA analysis produced 82 basic events and the SFMECA 34 analyses from the sequence of flight and control events. The STPA is being applied to one of the case study scenarios in order to evaluate possible additional information about how the behavioural safety constraints can be violated.
The Principles of Software Safety Assurance Richard Hawkins, PhD; Ibrahim Habli, PhD; Tim Kelly, PhD; Department of Computer Science, University of York, York, United Kingdom We present common principles of software safety assurance that can be observed from software safety standards and best practice. These principles are constant across domains and across projects, and can be regarded as the immutable core of any software safety justification. The principles also help maintain understanding of the ‘big picture’ of software safety issues whilst examining and negotiating the detail of individual standards, and provide a reference model for cross-sector certification.
Formal Modelling in the Development of Dependable Systems Elena Troubitsyna, PhD, IT, Åbo Akademi University, Turku, Finland Nowadays we tend to place increasing reliance on computer-based systems and the software they run. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, the analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.
It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing of software to the required degree of dependability infeasible, and hence the emphasis should be put on the development process, which is aimed at producing fault-free software. Moreover, the system environment has a direct impact on its dependability, and hence a systems approach should be applied.
In the paper we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.
Tuesday // 08·13·13 PM // Clarendon // Aerospace Safety // Chair: Kraemer
Systems-Based Approach to Flight Safety Management in Airlines Hong Chi, PhD; Baoguang Xu, PhD; Mingliang Qi, PhD; Xueyan Shao, PhD; Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of SMS. Since 2006, we have worked with one of China's 3 big airlines, taking part in its construction of SMS. We find that safety risks have their own features in different airline departments, and divide safety risks into two categories: one is caused by factors such as the quality of pilots and the reliability of airplanes, and the other is caused by misprocessing within operational processes; for example, a misprocessing in data entry during dispatching may lead to insufficient fuel, and then to serious outcomes. A reasonable risk assessment can be obtained only by systematic mechanism analysis, and other analytical approaches need to be studied besides the risk matrix. Based on this, effective risk mitigation can be implemented in airlines. We develop a closed loop to support airlines' flight safety management, named "Describing-Assessing-Diagnosing-Improving-Tracking". Specific details will be discussed in this paper.
Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch Burak Durmaz, M.Sc., Eng., Product Assurance Department, Space Systems Group, Turkish Aerospace Industries, Inc. (TAI), Ankara, Turkey Even if new generation aircraft have rugged designs that maximize reliability, exposure to failures during operation is still unavoidable. With a pure safety approach, one can arrive at the classical result: "the safest aircraft is the one in the hangar". Vice versa, allowing dispatch without ensuring a certain level of safety can lead to catastr