Thank You Sponsors, Exhibitors, & Partners!

Sponsor / Exhibitor                              Advertisement Page   Booth Location
Corporate Sponsor
  Sikorsky Aircraft Corporation                           8                 14
Gold Sponsors
  A-P-T Research, Inc.                                    6                  4
  Boeing                                                  4                 10
  Lockheed Martin                                        20                 11
  Lockheed Martin Aeronautics Company                     3                  3
Silver Sponsors
  Atlantic Software Technologies, Inc.                   29                 13
  Bastion Technologies, Inc.                             33                  3
  Isograph, Inc.                                         49                  2
  University of Maryland                                 47                 12
Exhibitors
  Advanced Logistics Development                         39                 15
  Board of Certified Safety Professionals                24                  8
  Electric Power Research Institute                      44                  9
  International System Safety Society                    51                  7
  MathWorks, Inc.                                        36                  5
Partner
  The Institute of Engineering and Technology

[Exhibit floor plan: booths 1-15 arranged around the Arlington, Berkeley, Clarendon, Dartmouth, Exeter, Fairfield and Gloucester rooms, with the entrance, exits, service areas, rest rooms and utility areas marked.]

System Safety Society • P.O. Box 70, Unionville, VA 22567-0070 USA • www.system-safety.org
Cover images courtesy of Greater Boston Convention & Visitors Bureau. Designed and published by A-P-T Research, Inc. Publications.


Going the Distance, Reducing Risks

Paper Presentations • Tutorials • Panel Discussions • Just In Time Sessions

Things to Do in Boston: Freedom Trail, Fenway Park, New England Aquarium, Museum of Science, Boston Common, Paul Revere House, Samuel Adams Brewery, Museum of Fine Arts, Boston Harbor Islands, Faneuil Hall Marketplace

Program, ISSC 2013
31st International System Safety Conference
Boston, Massachusetts · August 12-16, 2013
Safety for the Long Run
Boston Marriott Copley Place

[Hotel floor plans, third and fourth floors. Legend: Presenter Prep; Lessons Learned; ISSC Staff Turn-Over Meeting; Speaker's Breakfast; ISSC Tracks; Tutorials; Opening Ceremony; General Meeting; Lunches; Registration; Reception; Exhibitor Area. Third floor rooms shown: Fairfield, Gloucester, Exeter, Dartmouth, Clarendon, Berkeley, Arlington, Back Bay Conference and Exhibition Center, Northeastern, Simmons, Boston Univ., Brandeis, Wellesley, Suffolk, Tufts, Regis, Harvard, MIT, Office A, Office B, Atrium Foyer, Atrium Lounge, Restaurant. Fourth floor rooms shown: Nantucket, Provincetown, Hyannis, Yarmouth, Vineyard, Falmouth, Orleans, Salons A-K, Ballroom Foyer, Registration.]

Contents
  General Information 2
  Greetings 5
  Speakers 10
  Schedule 12
  Tutorials 21
  Panel Discussions/Forums 26
  Workshops 26
  Paper Presentations 30
  Special Functions 50
  About the System Safety Society 52

Organizing Committee

The following volunteers contributed to the success of the conference:
  Conference Chair: Pam Alte
  Co-Chair: Cliff Parizo
  Technical Program Co-Chairs: Gary Braman, Norman Gauthier
  Sponsor/Exhibitor Chair: Lindsey Eirich
  International Chair: Bob Fletcher
  Financial Chair: Cathy Carter
  Off-Site Events: Alan Oliver
  Webmaster: Don Swallom
  Logistics/Equipment: Richard Anderson
  Publishing: Heather French
  CEU Credit: Rod Simmons
  32nd ISSC Liaison: Pam Kniess

Pam Alte, 31st ISSC Chair

General Information

Registration Desk: All 31st ISSC attendees, including sponsors and exhibitors, must register at the registration desk located on the 4th Floor. Registered attendees will receive badges, which should be displayed while in any ISSC area (including luncheons). Once a badge is issued, it is the responsibility of the registrant to ensure that it is not lost. Sponsors may change the names on their badges as often as they want, but the old one must be turned in to receive a new name.

Special Events: Spouses or exhibitors may purchase tickets for luncheons or the off-site event at the registration desk up to 24 hrs prior to the event. Tickets for the Wednesday night off-site event at the Museum of Science will be $90.00 for adults or $55.00 for children. Tickets to the luncheons on Tuesday, Wednesday and Thursday are $45.00/lunch for any attendee. Spouses and guests are welcome to attend the Tuesday evening Sponsors and Exhibitor social free of charge.

Internet: Internet will not be provided in the conference locations. However, should you require internet access during the conference, there is complimentary wireless available in the lobby and other public areas. There are also internet options available to each guest in their room.

Transportation: The Marriott Copley Place is located 3.2 miles away from the airport. The subway cost (one way) is $2.50 and the estimated taxi cost is $35.00. While rental cars are available, parking costs in Boston tend to be pricey. Alternative means of getting around include taxis, the subway or walking.

Tutorial Program & CEUs: The conference includes several information-packed tutorials in addition to the papers being presented. Attending tutorials, along with other elements of the Technical Program at the 31st ISSC, meets the requirements for Continuance of Certification credit through the Board of Certified Safety Professionals (BCSP). Continuing Education Units (CEUs) will be issued for participation in the Conference tutorials. You must be present for the entire tutorial in order to be granted the CEUs. Attendance will be taken at the start of the tutorial, after each break, and you must be present at the end to collect your certificate. CEUs are issued on the basis of 0.1 CEU per instructional contact hour.

Dress Code: We want you to feel comfortable while you are attending the 31st ISSC, so we advise 'business casual' attire. The awards ceremony, which is a part of the Thursday luncheon, is a time when many attendees will dress in more formal business attire. The Tuesday night Sponsor and Exhibitor social and the Wednesday night off-site event are also business casual dress.

Daily News: The ISSC Daily News will be available at 7:30 each morning, both at the registration desk and in the Sponsor/Exhibitor area. This will announce any room changes, schedule changes or other information pertinent to the proceedings of the conference.

Spousal Program: There are no tours provided by the ISSC for spouses this year. However, there is an information session to be held on Monday. Brochures will be made available along with maps and ideas of attractions to visit. If a spouse is unable to make this information session, the hotel concierges can answer questions about local attractions, how to use the subway, available tours or dining suggestions.

Wednesday Night Off-site Event: Bus transportation will leave the Marriott Copley Place starting at 6:00 pm and bring attendees to the Museum of Science. The ISSC will have the Blue Wing reserved from 6:30 pm to 10:30 pm and will receive a private lightning demonstration in the Theater of Electricity, buffet dinner and a cash bar. Spousal/guest tickets can be bought at the registration desk up until 24 hours before; however, to ensure a smoothly-run event, we encourage you to purchase extra tickets when you register. This is sure to be an event you won't want to miss.


Safety is paramount. That's why at Lockheed Martin, safety is designed into everything we do. Our system safety engineers follow proven government and industry standards, plans, processes and lessons learned to build the world's most safe, supportable and technologically advanced aircraft.

Lockheed Martin is proud to sponsor this year's International System Safety Conference and applaud their mission to ensure system safety for the long run.

www.lockheedmartin.com

ENSURING SAFETY FOR THE LONG RUN

© 2013 Lockheed Martin Corporation


Greetings from the Society President

As the newly elected Society President, I want to welcome you to the 31st International System Safety Conference. I have been working in system safety since 1985, and I find this to be a rewarding and exciting career field. What I have liked most about the field is the fact that I find every new assignment involves working with new and varied types of systems. I love the challenge, and I appreciate that I am fortunate to have a job where my work makes a difference in the safety of our systems. We as System Safety Professionals have the unique privilege of impacting our society in such a positive way.

This year marks the Golden Anniversary of our society, and we trust this year's conference will live up to your expectations. We have come a long way since the early days of this society. Technology has transitioned from vacuum tubes to liquid crystal displays, launching unmanned satellites to commercial space flights, computers the size of a room to tablets with more and more capability daily. Some of our founding members will be in attendance at this conference, and they will be participating in our opening session. I know I am looking forward to hearing from them and their unique challenges.

I am also looking forward to hearing about the unique challenges we face with the latest in technology in our society. The impact of new technology on society and the motivation to trust more of our safety critical applications to the latest in today's innovations creates ever steeper challenges for us. This conference helps us to meet the challenge. We have outstanding technical sessions, world leading safety professionals in attendance, opportunities to network and opportunities to find solutions to our everyday safety dilemmas.

Our Conference Chair, Pam Alte, and her team have done an outstanding job in putting together this conference. We have a number of interesting technical tracks at this conference. Our speakers include some of the biggest names in the field. Our sponsors are among the best in the industry, and clearly we value their contributions to making our world a safer place.

So thank you for coming to this conference. I hope you are looking forward to the opportunities we have in the coming week as much as I am.

Robert A. Schmedake, President, System Safety Society


Protecting your most valuable assets

System Safety Engineering & Analysis
Mission Assurance
Range Safety
Test Planning
Explosives Safety
Software System Safety
Industrial Engineering
Quality Engineering
Reliability Engineering
Software Development & Modeling
Independent Risk Assessments
Standards Development
Training

Founded in 1990, APT (Analysis, Planning, Test) is an employee-owned small business located in Cummings Research Park near Redstone Arsenal in Huntsville, Alabama. Our corporate vision is to provide state-of-the-art expertise and ensure the highest levels of customer satisfaction.

A-P-T Research, Inc., 4950 Research Drive, Huntsville, Alabama 35805
Phone: (256) 327-3373 • Fax: (256) 837-7786 • www.apt-research.com

Photo: Missile Defense Agency


Greetings from the Chapter President

Hear ye, hear ye! Welcome to Boston for the 31st International System Safety Conference. Boston is the largest city in New England and one of the oldest in the United States. No hiding in your hotel; get out and enjoy the city's history, where key events of the American Revolution took place, including the Boston Massacre and the Boston Tea Party. For fun and entertainment, visit the Samuel Adams brewery and Bull & Finch pub (from Cheers). We are all Red Sox fans this week, so feel free to visit Fenway Park or view the city from atop the John Hancock or Prudential buildings. Boston has a red brick trail through the city that leads you past many of the historical locations; it's called the Freedom Trail. Walking this path brings you from the Boston Common past locations including Granary Burying Ground, Boston Massacre site, Faneuil Hall, Paul Revere's house, Old North Church, and then across the Charles River to the Bunker Hill Monument and USS Constitution.

The Northeast Chapter and SSS Executive Committee (EC) have worked hard with this year's Conference Chair, Pam Alte. If you run into Pam, make sure you stop and thank her for the volunteer hours and effort she has poured into this conference. The economy is providing challenges to pull together a successful conference, but Pam, with the EC's support, has been more than up to the task.

"Safety For The Long Run" is such a poignant theme for this year's Boston conference, with the Boston Marathon bombings bringing safety to the forefront. Other recent events such as aviation, train and industrial accidents have sharpened the focus on how critical the safety discipline is in all our lives. For the conference we are all challenged to learn something new. I ask that all attendees stay engaged with the conference papers and presentations and to promote the system safety discipline.

Scott Beecher, President, Northeast Chapter, System Safety Society


I fly Sikorsky. Because the mission is never the same.

I fly a Sikorsky BLACK HAWK helicopter for multiple missions. It's dependable and durable, and I have complete confidence in its proven performance. Sikorsky not only sets the standard for rotorcraft excellence and safety, they exceed it. It's evident in everything from the reliable performance of my BLACK HAWK to the way they support me in the field. There's simply no better helicopter for any requirement, whether it's utility, combat search and rescue or firefighting. The way I see it, not every pilot gets to fly in a helicopter this good. But they should.

Sikorsky


Greetings from the Conference Chair

On behalf of the entire ISSC planning committee, I would like to extend a warm welcome to you. We have worked hard to make this conference a world-class success. Whether this is your first visit to Boston or you have been here before, I hope you get a chance to relax and enjoy our beautiful New England city. Boston has something for everyone, from historical sites to exciting downtown locations, sports arenas and fabulous shopping. Our off-site event will be held in the Museum of Science, complete with Wolfgang Puck catering and our own private Lightning Show.

The System Safety Society is proud to host an annual conference that provides practitioners from different industries a chance to get together, network and learn from each other. Unfortunately, the US budget sequestration restricted travel for Government workers, so our numbers are down this year. I would like to assure all attendees that although this year's conference will be smaller than previous years, the standards to which we held our papers and tutorials were not lowered. You can expect top notch presentations.

The theme for this year's conference, Safety for the Long Run, picks up on a number of parallels between the types of things one might do to prepare for a marathon race and elements of an effective system safety program. These include the importance of proper training, having a well thought out plan, getting off to a good start, avoiding obstacles and distractions, and keeping enough in reserve for a successful sprint to the finish. I think you will agree that this year's conference will help prepare you well.

One of our objectives was to try to attract more young people who could especially benefit from the knowledge and experience of many of the Society's "grey beards". We will have several student members in attendance, and I hope you will join me in making them feel welcome. I am also pleased to announce this year we will have a new track, lifecycle safety. These papers will discuss system safety as it moves past the development stage, which is where the majority of our previous discussions have stopped. In addition to our many papers and tutorials being offered, there is the potential for "Just in Time" sessions to be held. A board for suggesting topics you would like to have added to discussions will be located at the registration desk, or you can coordinate with Norm Gauthier, one of our Technical Co-Chairs.

We wish you an enjoyable and enlightening conference experience. Should there be anything you require to make your conference experience better, please don't hesitate to reach out to me, Cliff Parizo or any of the other Conference Committee volunteers.

Again, enjoy your visit and thank you for your support by being here. I would also like to send a big thank you to those who helped plan this conference, our sponsors & exhibitors, and especially to Sikorsky Aircraft for partnering with us to make this conference a reality.

Sincerely, Pam Alte, 31st ISSC Conference Chair


Speakers

Rex B. Gordon, MPH, PE, CSP, Fellow Member Emeritus: Opening Ceremonies 50th Celebration Speaker

Rex Gordon is a 50 year Charter Member and current Historian of the System Safety Society. He is a past President and Editor of the Journal. He served as Chairman of the 2nd ISSC and both the Northeast and Southern California Chapters. He has represented the Society on the boards of the Reliability and Maintainability Symposium (RAMS) and Certified Safety Professionals (CSP). He is a Chapter Member and past Chairman of the Government Electronic Industries Association (GEIA) G-48 System Safety Committee. He has co-authored two text books and over 15 published papers. He has lectured at the George Washington University and USC. He has represented the Society at functions held in the White House, the Pentagon, in Germany, Holland and Paris.

He is retired after 40 years of employment as a System Safety Engineering Specialist, Manager and Consultant. He currently lives with his wife of 61 years in Fallbrook, CA.

James P. Keller, Jr., MS, ECRI Institute: Keynote Speaker

As Vice President, Health Technology Evaluation and Safety, James Keller directs ECRI Institute's internationally recognized Health Devices Evaluation Program, which provides independent judgment and guidance to help hospitals and health systems select and manage medical devices. The program was referred to by the New York Times as the "country's most respected laboratory for testing of medical products". He serves as a member of ECRI Institute's Executive Committee, which is responsible for overall governance of ECRI Institute operations.

Mr. Keller is also responsible for the Health Devices Alerts notification service for medical product hazards and recalls; Alerts Tracker, a web-based tool for managing hazards and recalls of medical products; Biomedical Benchmark, a resource to help hospitals manage their medical equipment service activities; an annual series of interactive webinars on health technology issues; and the International Medical Device Problem Reporting System.

Mr. Keller is a recognized expert and frequently invited speaker on a wide range of health technology-related topics, including patient safety, equipment management, strategic planning and forecasting, device utilization, nomenclature and asset management, and the convergence of medical devices and information systems. He is a regular contributor to ECRI Institute's Patient Safety Blog and is routinely sought out by the news media for his expertise on a variety of health technology concerns.

Mr. Keller is President of the board for the American College of Clinical Engineering and is a member of the board for the Health Technology Foundation. He joined ECRI Institute in 1984 after completing a Master of Science degree in biological engineering from the University of Connecticut and a Bachelor of Science degree in zoology from the University of Massachusetts.


Dr. Nancy Leveson, Massachusetts Institute of Technology: Sponsor & Exhibitor Luncheon Speaker

Dr. Leveson holds a PhD from UCLA. She was a Computer Science professor at the University of California, then became Boeing Professor of Computer Science and Engineering at the University of Washington.

Professor Leveson's research focuses on topics related to the design of complex systems containing software, hardware and human components. Her goal is to stretch current limits of complexity and intellectual manageability of the systems we can build with reasonable resources and with confidence in their expected behavior, particularly safety. Current research topics include model-based system and software engineering, system and software safety, software requirements specification and analysis, human-computer interaction, reusable component-based system architectures, interactive visualization, human-centered system design, and comprehensive approaches to risk management that include the organizational, political, managerial and social aspects of system construction and operation. New work is starting in security. Current applications include space, aircraft, autos, rail systems, nuclear power, medical devices, hospital safety, defense systems and others.

Dr. John McDermid, The University of York, UK: International Luncheon Speaker

Professor John A. McDermid has been Professor of Software Engineering at the University of York since 1987, where he runs the High Integrity Systems Engineering (HISE) research group. Also, he was Head of the Department of Computer Science from 2006 to 2012. The HISE research group studies a broad range of issues, mainly in systems, software and safety engineering, and works closely with the UK aerospace industry but has worked in a number of domains, including automotive, medical and railways.

In 2010 he was appointed a Consulting Professor at Beijing Jiaotong University (BJTU) and now runs a collaborative research programme in railway safety with BJTU, known as the Railway Safety Technology Research Centre (RSTRC). He has extensive experience as a consultant, including advising the Ministry of Defence (MoD) on the development of DS 00-56 Issues 3 and 4. He is a member of the UK Defence Scientific Advisory Council. He is author or editor of six books and has published approximately 360 papers.


Schedule

Monday, 12 August

4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Rooms: Salons A-E, Berkley, Clarendon

Hazard Analysis (Barondes)
  8:00 - 8:50    Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models (Wind, Schedl, Floetzer)
  9:00 - 9:50    Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees (Rainey)
  10:30 - 11:20  The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment (Jaradat, Graydon, Bate)

Ground Transportation (Millin)
  8:00 - 8:50    Achieving Safety Confidence of a Large Scale System Product and its Applications (Shi)
  9:00 - 9:50    Failure Logic Automata for Future Oriented Safety Assessment of Train Control System (Zhou, Zhao)
  10:30 - 11:20  Are We Ready for Driverless Cars? (West)

Lunch Break, Salons A-E

Afternoon slots (1:30 - 2:20, 2:30 - 3:20, 4:00 - 4:50): Opening Ceremonies / General Session, Salons A-E
  Opening Ceremonies 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow Member Emeritus
  Keynote Speaker: James P. Keller, Jr., MS, ECRI Institute


Monday, 12 August (continued)

Rooms: Exeter, Fairfield, Wellesley
Time slots: 8:00 - 8:50, 9:00 - 9:50, 10:30 - 11:20, 1:30 - 2:20, 2:30 - 3:20, 4:00 - 4:50

Starting 8:00 - 8:50
  Tutorial: Hands-On System Safety Basics Focused On FHA (Winkelbauer, Schedl; 3 hrs)
  Tutorial: Introduction to Fault Tree Analysis Using CAFTA Software (Roy; 3 hrs)
  Committee & Group Meetings


Tuesday, 13 August

4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Rooms: Arlington, Berkley, Clarendon, Dartmouth

Tutorial, starting 8:00 - 8:50
  A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique (Leveson, Thomas; 6 hrs)

Hazard/Risk Management (Parizo)
  8:00 - 8:50    Safety is not an Option (Parizo, Daugherty)
  9:00 - 9:50    National Aerospace Standard 411 Update (Sheehan)
  10:30 - 11:20  Linear Integrated Safety Analyses (LISA) (Grant, Muhammad)

Workplace Safety (Kondreck)
  8:00 - 8:50    Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen (Zhang, Batcheller, McQueen)
  9:00 - 9:50    A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources (Fischer, Yankaskas, Page)
  10:30 - 11:20  System Safety Design for Safe Operation of Radars (Bartos)

Open Forum (Fletcher)
  8:00 - 8:50    Developing Global System Safety Perspectives

Sponsor & Exhibitor Luncheon, Salons A-E
  Guest Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology
  Menu: New England Clam Chowder; Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction; Key Lime Tart in a Hazelnut Crust, Blackberry Pate de Fruit

Tutorial (continued), starting 1:30 - 2:20

Software Engineering (Mikula)
  1:30 - 2:20    Dependability Techniques Applied to Space Software - A Research Project Report (Lahoz, Abdala)
  2:30 - 3:20    The Principles of Software Safety Assurance (Hawkins, Habli, Kelly)
  4:00 - 4:50    Formal Modelling in the Development of Dependable Systems (Troubitsyna)

Aerospace Safety (Kraemer)
  1:30 - 2:20    Systems-Based Approach to Flight Safety Management in Airlines (Chi, Xu, Qi, Shao)
  2:30 - 3:20    Use of Master Minimum Equipment List (MMEL) To Ensure Safe Dispatch (Durmaz)
  4:00 - 4:50    Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics (Campbell)

Software Safety (Schmedake)
  1:30 - 2:20    Safety and/vs Security: Towards a System Engineering Approach for Trust (Schoitsch)
  2:30 - 3:20    Anatomy of a Safety Critical Software Function (Church)
  4:00 - 4:50    Software Risk: The Third Rail of Safety Analysis (Hildreth, Elcock)

6:30 - 8:30: Sponsor & Exhibitor Reception, Gloucester Room


Tuesday, 13 August (continued)

Rooms: Exeter, Fairfield, Suffolk, Wellesley

Morning (8:00 - 8:50, 9:00 - 9:50, 10:30 - 11:20)
  Workshop: ISO 26262-Style Risk Assessment (Joyce; 3 hrs)
  Tutorial: Assurance Cases As Means of Evidence Based Development of Critical Systems (Despotou; 3 hrs)
  Tutorial: Practical Generation of Safety Cases With the Help of GSN (Gerstinger, Schedl; 3 hrs)
  Committee & Group Meetings

Afternoon (1:30 - 2:20, 2:30 - 3:20, 4:00 - 4:50)
  Workshop: Application of System Safety Methods to Systems of Systems (Joyce, Debouk, Vergara; 3 hrs)
  Workshop: Advancing Safety By Reducing Errors: A Fresh Approach (Autrey; 3 hrs)
  Tutorial: Improving Safety Management by Using a Risk Management Policy in Your Daily Operations (Fitzgerald; 3 hrs)
  Committee & Group Meetings (continued)


Wednesday, 14 August

4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Rooms: Arlington, Berkley, Clarendon, Dartmouth

Human Factors (Robins)
  8:00 - 8:50    ASL - Affective Safety Leadership (Ramsing)
  9:00 - 9:50    Exxon Valdez: Human Error Plain and Simple (Barondes)
  10:30 - 11:20  Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems (Vernacchia, Green, Llaneras)

Public Safety (Fletcher)
  8:00 - 8:50    The Study on the Accident Causation Rule of Macroscopic Accidents in China (Zeng, Luo, Tian)
  9:00 - 9:50    Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity (Zheleznov)
  10:30 - 11:20  Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation (Smirnov, Yurkov, Syagin, Koshina)

Lifecycle Safety (Swallom)
  8:00 - 8:50    Maintenance Hazard Analysis (Tan)
  9:00 - 9:50    Development of a System Safety Case for Automotive Electric/Electronic Systems (Sundaram, Hartfelder)
  10:30 - 11:20  Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes (Laabs, Allison, Russell)

International Luncheon, Salons A-E
  Guest Speaker: Dr. John McDermid, The University of York, UK
  Menu: Asian Inspired Salad; Teriyaki Chicken, Coconut Rice, Seared Bok Choy; Triple Chocolate Tower (White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce)

Afternoon (1:30 - 2:20, 2:30 - 3:20, 4:00 - 4:50)
  Workshop: The Evolution of the UK Defence Safety Standards (McDermid)
  Safety Topics (Gauthier), 1:30 - 2:20: Introducing Safety Assurance Influenced Design of Health IT Systems (Despotou, Luckcuck, Kelly, Jones)
  Risk Assessment (Karedes), 1:30 - 2:20: Quantitative Risk Assessment in Aviation Safety Risk Management (Hewitt, Pham)
  Tutorial: Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System (Behnke, Damstra, Villhauer; 2 hrs)
  2:30 - 3:20: How Complex Systems Fail-I: Decomposition of the Failure Histogram (Zito)

6:00 - 10:00: Wolfgang Puck Dinner and Lightning Show at the Museum of Science


Wednesday, 14 August (continued)

Rooms: Exeter, Fairfield, Suffolk, Wellesley

Human Factors II (Flint)
  8:00 - 8:50    Development of Education Program Integrating Flight Safety and Psychological Stress (Liu, Wang, Liu, Bai, Guo)
  9:00 - 9:50    Research on Evaluation Index and Method of CRM Dynamic Training (Wang, Liu, Bai, Liu, Guo, Guo)
  10:30 - 11:20  Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events (Garvey, Joglar, Collins)

Morning (8:00 - 8:50, 9:00 - 9:50, 10:30 - 11:20)
  Tutorial: Why You Should Care About the "-Ilities" (Southwick; 3 hrs)
  G-48 Meeting (West; 6 hrs)
  Committee & Group Meetings

Afternoon (1:30 - 2:20, 2:30 - 3:20, 4:00 - 4:50)
  Tutorial: Where Hard Meets SOFT: Human Factors Role In System Safety Engineering (Brisbois; 2 hrs)
  Workshop: Aircraft Fire & Explosion - How Safe are the Friendly Skies? (Moussa)
  G-48 Meeting (continued)
  Tutorial: Using Risk Profiles for Safety Management of Large Scale Operations (Fitzgerald; 3 hrs)


Thursday, 15 August

4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Rooms: Berkley, Clarendon, Dartmouth

Space Systems (Durmaz)
  8:00 - 8:50    Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy (Dang, Moran, Jackson)
  9:00 - 9:50    Tailoring of MIL-STD-882E for Space Systems Acquisitions (McDougall, Jackson)
  10:30 - 11:20  Cryogenic Safety for Space Launch Vehicles During Ground Operations (Iyengar)

Weapons Safety (Southwick)
  8:00 - 8:50    Security Critical Software - the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age (Alborzi)
  9:00 - 9:50    Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics (Adams, Tomasello)
  10:30 - 11:20  A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects (Pham, Sivapragasam)

Hazard Identification (Oliver)
  8:00 - 8:50    Closing the Gaps in System Safety Coverage (Siow)
  9:00 - 9:50    Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods (Myklebust)
  10:30 - 11:20  Design With Safety Eye (Erdem, Aydin)

Awards Luncheon, Salons A-E
  Menu: Caesar Salad; Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato Pesto Butter Sauce; White Chocolate and Blood Orange Torte

Aerospace Software (Beecher)
  1:30 - 2:20    Making the Implicit Explicit: Towards an Assurance Case for DO-178C (Holloway)
  2:30 - 3:20    Uncertainty and Confidence in Safety Logic (Graydon)
  4:00 - 4:50    Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System (Yang, Xie, Yousefi)

Public Safety II (Laabs)
  1:30 - 2:20    Integrating System Safety and Emergency Management (Hardy)
  2:30 - 3:20    Safety in Deepwater Well Containment Operations (Robins)
  4:00 - 4:50    A Taxonomic Analysis On Chinese Special Equipments "Yinhuan" in Supervision (Fan, Luo, Lu)

Hazard/Risk Management II (Kniess)
  1:30 - 2:20    Towards Automatic Verification of Safety Properties in AADL System Models (Björnander, Graydon, Land)
  2:30 - 3:20    Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events (Allison, Jerdak)
  4:00 - 4:50    Leading Indicators in Aviation Operations (Fletcher, Dokas)

Program ISSC 2013

Rooms: Exeter, Fairfield, Suffolk, Wellesley

8:00 - 8:50
• Exeter, Tutorial: Conceive of Modeling On Operation Mechanism of Public Safety Standardization (Luo, Huang; 6 hrs)
• Suffolk, Panel: G-48 Pressing Issues Facing System Safety (West; 3 hrs)
• Committee & Group Meetings

9:00 - 9:50 and 10:30 - 11:20: the sessions above continue

1:30 - 2:20
• Tutorial (continued)
• Committee & Group Meetings (continued)

2:30 - 3:20 and 4:00 - 4:50: the sessions above continue

FRIDAY 16 AUGUST
Simmons Room, 6:30 - 8:00: Speakers' Breakfast

Rooms: Clarendon, Dartmouth, Regis

8:00 - 8:50
• Clarendon, Workshop: Process Safety Culture Best Practices (Pearlman; 2 hrs)
• Dartmouth: Best Paper 1
• Regis: Lessons Learned & ISSC Staff Turn-over Meeting

8:50 - 9:30
• Dartmouth: Best Paper 2

10:00 - 10:40

10:50 - 11:30


3 2 1 SAFETY

System safety is paramount. It impacts our products, employees, technicians and maintenance personnel. And safety is no accident: it is designed into everything we do. We are proud to sponsor this year's International System Safety Conference and their mission to think outside the box when it comes to the best processes, methods and techniques. We're committed to delivering innovative ideas and solutions that help connect, protect and explore our universe.

www.lockheedmartin.com/ssc

© 2012 Lockheed Martin Corporation



TUTORIALS

The conference organizers have an information-packed tutorial program planned in conjunction with the 31st ISSC. Attending tutorials, as well as other elements of the Technical Program at the 31st ISSC, meets the requirements for Continuance of Certification credit through the Board of Certified Safety Professionals (BCSP). The University of Cincinnati will issue Continuing Education Units (CEUs) for participation in the conference tutorials. CEUs are issued on the basis of 0.1 CEU per instructional contact hour. You must be present for at least 90% of the tutorial to receive CEUs and a tutorial completion certificate. Your attendance is verified via the process outlined below.

• At the start of the tutorial, you'll clearly print your name in the attendance form exactly as you want it to appear on the certificate.
• After returning from each break during the tutorial (morning, lunch and/or afternoon), you'll initial the attendance form.
• You must be present at the end of the tutorial to receive your certificate and the CEUs.

If there are misspellings on the CEU certificates, please mark the corrections and give the certificate back to the instructor or leave it at the registration desk.

Monday 08·12·13, 8:00-11:30, Exeter, Tutorial, 0.3 CEU

Hands-On System Safety Basics Focused on FHA
Instructors: Werner Winkelbauer, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria
An overview of a generic safety process best suited for small to medium sized projects, in relation to the project lifecycle, is given. For each major project phase, the respective safety process phase, safety objectives and necessary inputs and outputs are detailed. Some state-of-the-art analysis techniques are explained. Special emphasis is placed on the Functional Hazard Assessment, where practical guidance for a Functional Failure Modes and Effects Analysis is presented.

The content of this tutorial is based on the experience of an internationally operating company.

Objective: Basic understanding of a safety process and the practical implementation of a Functional Failure Modes and Effects Analysis.

Monday 08·12·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Introduction to Fault Tree Analysis Using CAFTA Software
Instructor: Jean Francois Roy, Nuclear Division / Risk & Safety Management Group, Electric Power Research Institute, Palo Alto, CA, USA
This tutorial will introduce Fault Tree Analysis using CAFTA software. Attendees will first review fault tree methodology and terminology. Construction of a fault tree model in CAFTA will then follow a brief review of CAFTA's components and symbol types. In constructing the fault tree model, topics covered will include projects, navigation, editing shortcuts and how to add probabilities. An overview of basic event probability formulas, type codes and variables will be included, as well as printing and quantification processes.

Tuesday 08·13·13, 8:00-5:00, Arlington, Tutorial, 0.6 CEU

A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique
Instructors: Nancy G. Leveson, PhD, John Thomas, PhD, Aeronautics and Astronautics, MIT (Massachusetts Institute of Technology), Cambridge, MA, USA
STAMP is a new accident causality model that expands on the old models in order to handle the increased complexity, software and changing human roles in today's systems. Using STAMP as a foundation, new tools have been built for hazard analysis (STPA), accident analysis (CAST), organizational risk analysis and risk management, etc. This tutorial will concentrate on STPA. The tutorial will start with a brief introduction to STAMP and the systems approach to safety engineering. The rest of the time will be devoted to learning STPA and doing exercises. Students are encouraged to bring problems from their own research domains so that they can try this analysis method on something very relevant to their work.

STPA is being used successfully in almost every industry. Several groups have evaluated STPA empirically by comparing the results with standard hazard analysis techniques. In all cases, STPA found all the hazard scenarios found by the other methods but also found additional ones involving software, human errors and unsafe interactions among system components. In a couple of cases where STPA and the other methods were applied to a design in which an accident had occurred (without telling the analysts), STPA was the only method that found the real accident scenario.

By the end of the tutorial, attendees will be able to apply STPA to a system in their field of expertise.

Tuesday 08·13·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Assurance Cases as Means of Evidence-Based Development of Critical Systems
Instructor: George Despotou, BEng, MSc, PhD, CEng, Department of Computer Science, University of York, York, United Kingdom
Often developers have the onus to defend a position (i.e. make a case) about the safety of their system. This usually involves an explanation of how the available information for a system supports the claim that risks in a system have been acceptably managed.

Safety cases have been used in the safety domain for a number of years, mostly in the defence, aerospace and energy domains. Their usefulness as a tool for improving safety has been appreciated by many practitioners, and development of a safety case is a requirement in many standards. This has resulted in the core concepts of safety cases being transferred to other domains (e.g. automotive) and focused on other system attributes (e.g. security cases). Recently the term assurance case has been introduced, which encompasses not only safety but other relevant critical aspects of a system, such as security.

A case exists to communicate an argument. It is used to demonstrate how someone can reasonably conclude that a system is acceptably safe from the evidence available. A case is a device for communicating ideas and information, usually to a third party (e.g. a regulator). In order to do this convincingly, it must be as clear as possible. Safety case definitions may differ between domains, but all definitions converge on a set of characteristics.

Development of a (safety) case is a requirement in many standards. However, the usefulness of the safety case has been appreciated in industry, and it is used by many organisations as good practice. The reason for this is that explicitly capturing all reasoning and information about the supported position, such as assumptions and evidence, facilitates assessing the fitness of the design to meet its (safety) objectives. A manufacturer will design a system aiming to achieve the required operational attributes. However, what is intended is often not what is achieved. Once the reasoning of the developers is explicitly documented as claims and arguments supported by evidence, the gap between what was intended and what was achieved becomes more apparent.

Explicitly documenting a case will contribute towards a factual representation of the system, revealing which claims can be supported by evidence and which remain intention (for example because there is not sufficient evidence to support them). This may not necessarily imply that the latter claims have not been implemented, but that we are unaware of their achievement as they are not sufficiently supported. There can be three reasons why a claim is not sufficiently supported: a) there is not sufficient evidence to warrant the claim; b) although there is evidence, there is inadequate explanation (a problematic argument structure) as to how the evidence supports the claim; and c) the claim was phrased in a way that is unsupportable.

The tutorial describes the basic concepts of assurance and safety cases (including recent OMG standards), will explain the main challenges in developing an assurance case and their relationship to safety standards (safety cases and standards serve different purposes and should be seen as complementary), and will present best practice (and misconceptions) regarding assurance cases.

Tuesday 08·13·13, 8:00-11:30, Suffolk, Tutorial, 0.3 CEU

Practical Generation of Safety Cases with the Help of GSN
Instructors: Andreas Gerstinger, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria
This tutorial will introduce you to the concept of safety cases. Safety cases are structured arguments that support the claim that a system is safe to be used for a given application in a given environment. Several standards require the production of such safety cases as a prerequisite for approval. The tutorial will highlight good and bad practices when developing safety cases and will introduce you to a notation specifically developed for the generation of safety cases: the Goal Structuring Notation (GSN). There will be practical examples which need to be solved by the attendees, so that hands-on practice and experience is gained.

Detailed outline of the tutorial:

Introduction (1 h): The tutorial will start with a survey of current safety standards (IEC 61508, ISO 26262, EN 50128, DO-178C) and analyse their views and requirements regarding safety cases. We will then delve into the nature of safety cases, briefly touch on their historical origins and clearly consider what can and what can't be expected from a safety case. Based on our practical experience, we will also highlight some typical bad practices when constructing safety cases. This helps to correctly and critically read them and is also a helpful guideline for reviewing other safety documentation. This part of the tutorial is largely a presentation.

Goal Structuring Notation (45 min): We will now introduce the main elements of the Goal Structuring Notation (GSN), which is a helpful tool to document safety cases. The presentation of the notation will be interleaved with brief examples, exercises and questions, so that attendees have the chance to fully understand the meaning and purpose of the various symbols. A structured method for how to proceed when drafting safety cases will also be presented. Hence this part of the tutorial is much more interactive, requiring active participation of attendees.

Case Study (45 min): A realistic case study will then be handed out. It is expected to be solved as group work (groups of 3-5 people are expected). The task of the groups will be to draft and present a sound safety argument for a given claim that the system in the case study is acceptably safe for a specific application in a given environment. GSN shall be used as the notation for this purpose. At the end, the groups present their solutions, and the advantages/disadvantages of the presented solutions are discussed. This part of the tutorial is group work.

Concluding Remarks (30 min): Finally, we will offer some concluding remarks consisting of hints on how to avoid common errors and fallacies in safety cases, show some examples of real-world safety cases, and finish with a personal conclusion.
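The structural rules that GSN imposes on a safety argument, as an added example that is not part of either safety-case tutorial above: a small Python model of a GSN argument with its two relationships (SupportedBy and InContextOf), a well-formedness check, and a pass that reports which goals are not grounded in evidence. The last of these is the situation the assurance-case description calls a claim that "remains intention" (reason a): the claim is stated, but nothing beneath it warrants it. The system, hazards and document names in the sample argument are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Kind(Enum):
    GOAL = "Goal"
    STRATEGY = "Strategy"
    SOLUTION = "Solution"            # evidence: test report, analysis, review record
    CONTEXT = "Context"
    ASSUMPTION = "Assumption"
    JUSTIFICATION = "Justification"


# GSN relationship rules: SupportedBy may only target Goal/Strategy/Solution,
# InContextOf may only target Context/Assumption/Justification.
SUPPORT_TARGETS = {Kind.GOAL, Kind.STRATEGY, Kind.SOLUTION}
CONTEXT_TARGETS = {Kind.CONTEXT, Kind.ASSUMPTION, Kind.JUSTIFICATION}


@dataclass
class Node:
    id: str
    kind: Kind
    text: str
    undeveloped: bool = False        # GSN "undeveloped" marker: knowingly left open


@dataclass
class GsnArgument:
    nodes: dict = field(default_factory=dict)
    supported_by: dict = field(default_factory=dict)     # parent id -> [child ids]
    in_context_of: dict = field(default_factory=dict)    # parent id -> [child ids]

    def add(self, node):
        self.nodes[node.id] = node
        self.supported_by.setdefault(node.id, [])
        self.in_context_of.setdefault(node.id, [])

    def support(self, parent, child):
        self.supported_by[parent].append(child)

    def context(self, parent, child):
        self.in_context_of[parent].append(child)


def check(arg):
    """Well-formedness check: returns [(node_id, problem)], empty when the structure is sound."""
    problems = []
    for nid, node in arg.nodes.items():
        kids = [arg.nodes[c] for c in arg.supported_by[nid]]
        ctx = [arg.nodes[c] for c in arg.in_context_of[nid]]
        if node.kind in (Kind.GOAL, Kind.STRATEGY):
            for k in kids:
                if k.kind not in SUPPORT_TARGETS:
                    problems.append((nid, f"SupportedBy cannot target {k.kind.value} {k.id}"))
            for c in ctx:
                if c.kind not in CONTEXT_TARGETS:
                    problems.append((nid, f"InContextOf cannot target {c.kind.value} {c.id}"))
            if node.kind is Kind.STRATEGY and any(k.kind is Kind.SOLUTION for k in kids):
                problems.append((nid, "a Strategy must be supported by Goals, not directly by a Solution"))
            if not kids and not node.undeveloped:
                problems.append((nid, "no supporting argument or evidence, and not marked undeveloped"))
        elif kids or ctx:
            problems.append((nid, f"{node.kind.value} must be a leaf"))
    return problems


def evidence_gaps(arg):
    """Goals with nothing beneath them: the points where a claim still remains intention."""
    return sorted(n for n, node in arg.nodes.items()
                  if node.kind is Kind.GOAL and not arg.supported_by[n])


def unsupported_claims(arg):
    """Every Goal not grounded in evidence on all branches. Decomposition is conjunctive,
    so one open sub-goal leaves each ancestor claim unsupported as well."""
    memo = {}

    def grounded(nid):
        if nid in memo:
            return memo[nid]
        memo[nid] = False                 # provisional value also breaks accidental cycles
        if arg.nodes[nid].kind is Kind.SOLUTION:
            memo[nid] = True
        else:
            kids = arg.supported_by[nid]
            memo[nid] = bool(kids) and all(grounded(k) for k in kids)
        return memo[nid]

    return sorted(n for n, node in arg.nodes.items()
                  if node.kind is Kind.GOAL and not grounded(n))


def build_example():
    """Constructed sample argument; the system, hazards and document names are hypothetical."""
    a = GsnArgument()
    a.add(Node("G1", Kind.GOAL, "Collision-warning function is acceptably safe in its operating environment"))
    a.add(Node("C1", Kind.CONTEXT, "Operating environment and hazard log HAZ-LOG-01 (hypothetical)"))
    a.add(Node("S1", Kind.STRATEGY, "Argue over each hazard in the hazard log"))
    a.add(Node("G2", Kind.GOAL, "Hazard H1 (late warning) mitigated to a tolerable level"))
    a.add(Node("G3", Kind.GOAL, "Hazard H2 (spurious warning) mitigated to a tolerable level"))
    a.add(Node("G4", Kind.GOAL, "Warning software meets its DO-178C objectives", undeveloped=True))
    a.add(Node("Sn1", Kind.SOLUTION, "Timing test report TR-07 (hypothetical)"))
    a.context("G1", "C1")
    a.support("G1", "S1")
    a.support("S1", "G2")
    a.support("S1", "G3")          # G3 has no support and is not marked undeveloped: an error
    a.support("G2", "Sn1")
    a.support("G2", "G4")
    return a
```

Running check(build_example()) flags only G3; evidence_gaps() lists G3 and the deliberately undeveloped G4; unsupported_claims() lists all four goals, because the open sub-goals propagate up to the top claim. That propagation is the point of making the argument explicit: the top-level claim is exactly as strong as its weakest leaf.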

Tuesday 08·13·13, 1:30-5:00, Suffolk, Tutorial, 0.3 CEU

Improving Safety Management by Using a Risk Management Policy in Your Daily Operations
Instructor: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA
The focus of the tutorial is the use of risk assessment and risk management in the (non-technical) occupational safety and health profession. Domain of Interest: Hazard/Risk Management or Workplace Safety.

First hour: Review the basics of the various components of risk and types of risk assessments. Stress that the safety and health professional needs to understand that risk is more than a simple subjective measure of severity and frequency.

Second hour: Demonstrate how to make risk assessment into a powerful management tool by customizing the assessment of risk for use in a company or industry. Also provide insights on how to "sell" a risk management policy/program within a company.

Third hour: A discussion of how to use risk management as a tool to aid you in your daily office or program management responsibilities: the planning, organizing, staffing, leading and controlling of a safety program. Embedded in the discussion is how risk can provide a measure of the success of an occupational safety and health program.

Wednesday 08·14·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Why You Should Care About the "-Ilities"
Instructor: Alan E. Southwick, BSEE, MME, MBA, CSP, CQE, CRE, Whole Life Engineering Directorate, Raytheon Company Integrated Defense Systems, Portsmouth, RI, USA
The topic addresses the interrelationships developed from Quality, Quality Control and Quality Engineering, pursuing Specialty Engineering roles and relationships, including Reliability, Maintainability, Supportability, Human Factors, Safety and Security (Information Assurance), from an overview perspective. The tutorial is designed to be somewhat interactive, presenting examples and questions to the audience related to the various topics discussed, thereby engaging and providing participants with insights into the various disciplines and how they relate within "Specialty Engineering".

Wednesday 08·14·13, 1:30-3:30, Dartmouth, Tutorial, 0.2 CEU

Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System
Instructors: Tim R. Behnke, BSEE; John Damstra, BS Mathematical Sciences; Eric D. Villhauer, BS Aerospace Eng., BA Economics; Specialty Engineering, General Atomics Aeronautical, Poway, CA, USA
The presenters share their implementation of a hazard analysis that integrates the civil aviation approach to safety analysis per SAE ARP 4761 and the defense approach to safety analysis per MIL-STD-882E, along with their implementation of the associated hazard tracking system in DOORS.

• Introductions - Behnke - 5 mins
• Need for System - Behnke - 5 mins
• Groundwork (historical) - Behnke - 10 mins
• Development - Damstra - 30 mins
  i. Modules
  ii. Attributes
  iii. DXLs
  iv. Views
  v. Exports
• Usage - Villhauer - 30 mins
• Questions - All - 10 mins


Wednesday 08·14·13, 1:30-3:30, Exeter, Tutorial, 0.2 CEU

Where Hard Meets SOFT: Human Factors' Role in System Safety Engineering
Instructor: Fred W. Brisbois, CHCM, Safety, Sikorsky Aircraft / International Helicopter Safety Team, Guilford, CT, USA
The gap that allows accidents to happen is sometimes where System Safety Engineering and Human Factors don't overlap. System Safety Engineering processes defined in MIL-STD-882 and ARP 4761 provide a structured approach to applying engineering practices to ensure safety is designed into products. These practices, coupled with robust product safety surveillance and management during the aircraft's service life, offer opportunities to continuously raise the standards for future designs. However, to maximize the benefits of safety engineering, it is important to master the 'art' of how and when to integrate human factors interventions into the system design. This session will cover a generic overview of system safety engineering, aircraft fleet safety management and lessons learned from 'human' malfunctions that led to aircraft system design changes.

Wednesday 08·14·13, 1:30-5:00, Wellesley, Tutorial, 0.3 CEU

Using Risk Profiles for Safety Management of Large Scale Operations
Instructor: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA
This tutorial provides safety and health professionals who work with large scale or multiple operations with a methodology to evaluate and compare these operations. The tutorial begins with a review of four types of risk which need to be assessed (People, Product, Production and Planet). This is followed by a brief discussion of normalizing the risk components of severity and probability. The heart of the tutorial is the description of how to measure the total risk of various operations, processes and facilities and present the resulting risk profiles to management. The tutorial will conclude with a brief discussion on the validity of the methodology used. Note: this is not a discussion on how to determine true total risk, but a simplified method using a minimum of math. The tutorial is designed for safety and health professionals working within a company that has multiple processes or facilities that compete for funding to ameliorate hazards.

Thursday 08·15·13, 8:00-5:00, Exeter, Tutorial, 0.6 CEU

Conceive of Modeling On Operation Mechanism of Public Safety Standardization
Instructors: Yun Luo and Yuecheng Huang, ME, School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
On the basis of theories and methods of system science and strategy systems, this paper reveals the operating law of standardization of safety production and the relations between all its elements, combined with the background and current situation of public safety standardization in China. It also builds the frame of the macroscopic operating mechanism and the "456" model of the work safety standardization system operating mechanism, which borrows from the execution and achievements of work safety standardization in our country. It also designs six other mechanism models in order to perform systematic analysis and present optimized countermeasures, such as comprehensive management by government, categorized supervision by department, implementation of responsibility by organization, technological service by agency, wide participation by society, self-disciplined prodding by all personnel, and so on. The research provides some theoretical directions as well as approaches for the construction and improvement of the operating quality of public safety standardization.


PANEL DISCUSSIONS / FORUMS

Tuesday 08·13·13, 8:00-11:30, Dartmouth, Open Forum

Developing Global System Safety Perspectives
Moderator: Robert Ward Fletcher, PEng, MSc, PMP, PCIP, Consultant, President, Robert Fletcher System Safety Inc., Ottawa, Ontario, Canada
This will be a free-form discussion moderated by Bob Fletcher, SSS Director of International Development. It is a continuation of the discussion started during the 30th ISSC.

Robert is a system safety engineer with many years of experience. He has performed system safety consultancy work for several clients around the world. He has performed system safety engineering and safety management systems training, auditing and analysis for air traffic control and flight service system applications. Robert received an MSc from the United States Navy Post Graduate School, a diploma from the Aerospace Systems School, Winnipeg, Manitoba, and a Bachelor of Science degree from the Royal Military College. He is a registered professional engineer and a member of the Project Management Institute and the Critical Infrastructure Institute.

Thursday 08·15·13, 8:00-11:30, Suffolk, Panel

G-48 Workshop: Pressing Issues Facing System Safety
Moderator: David B. West, CSP, PE, CHMM, Systems Software and Solutions Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
A panel of speakers (TBD) will give a series of presentations on the most pressing issues facing the System Safety community today.

WORKSHOPS

Tuesday 08·13·13, 8:00-11:30, Exeter, Workshop

ISO 26262-Style Risk Assessment
Presenter: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada
ISO 26262 is a functional safety standard for electronic control systems in road vehicles which includes a novel approach to risk assessment that overcomes the widely recognized difficulty of evaluating the likelihood of failure in the case of software-intensive systems. Although it was devised for use in the automotive domain, this approach to risk assessment has been used successfully in other technical domains that also rely on safety-critical software. Following a brief introduction to ISO 26262, participants will engage in a series of problem-solving small-group exercises based on examples taken from a variety of technical domains, including automotive, medical devices, energy and defense. The workshop will include opportunities for discussion and comparison of sample solutions. The workshop will also include a brief comparison of the ISO 26262 approach to risk assessment with the notion of software criticality in MIL-STD-882E. While this workshop will be of particular interest to system safety engineers in the automotive industry, it is intended to be relevant to system safety engineers across all technical domains with an interest in the assessment of safety risk associated with complex software-intensive systems.
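The approach the workshop refers to is the classification of each hazardous event by Severity (S), Exposure (E) and Controllability (C) into an Automotive Safety Integrity Level: exposure to the driving situation stands in for the failure likelihood that cannot be estimated for software. The following Python is an added example, not workshop material, implementing that determination. The mapping is the table in ISO 26262-3 (any class of 0 means no ASIL is required; otherwise the table is exactly additive, with S+E+C of 7, 8, 9 and 10 giving ASIL A, B, C and D), and the rule that a safety goal takes the highest ASIL of the hazardous events it addresses is also from the standard. The hazardous events for the braking function are constructed for illustration.

```python
from itertools import product

# Class descriptions paraphrased from ISO 26262-3; class 0 exists in every dimension.
SEVERITY = {0: "no injuries", 1: "light and moderate injuries",
            2: "severe injuries, survival probable", 3: "life-threatening or fatal injuries"}
EXPOSURE = {0: "incredible", 1: "very low probability", 2: "low probability",
            3: "medium probability", 4: "high probability"}
CONTROLLABILITY = {0: "controllable in general", 1: "simply controllable",
                   2: "normally controllable", 3: "difficult to control or uncontrollable"}

ASIL_ORDER = ["QM", "A", "B", "C", "D"]          # ascending rigour


def asil(s, e, c):
    """ASIL for one hazardous event from its S, E and C classes.
    A class of 0 in any dimension means no ASIL is required (returned as QM).
    Otherwise the standard's table is additive: S+E+C of 7 -> A, 8 -> B, 9 -> C, 10 -> D."""
    if s not in SEVERITY or e not in EXPOSURE or c not in CONTROLLABILITY:
        raise ValueError(f"invalid class S{s} E{e} C{c}")
    if 0 in (s, e, c):
        return "QM"
    return {7: "A", 8: "B", 9: "C", 10: "D"}.get(s + e + c, "QM")


def asil_table():
    """All 36 cells for S1-S3, E1-E4, C1-C3, keyed by (s, e, c)."""
    return {(s, e, c): asil(s, e, c)
            for s, e, c in product(range(1, 4), range(1, 5), range(1, 4))}


def classify(hazardous_events):
    """hazardous_events: iterable of (name, s, e, c). Returns [(name, asil)], highest ASIL first."""
    rows = [(name, asil(s, e, c)) for name, s, e, c in hazardous_events]
    return sorted(rows, key=lambda r: -ASIL_ORDER.index(r[1]))


def safety_goal_asil(hazardous_events):
    """A safety goal inherits the highest ASIL among the hazardous events it addresses."""
    return max((asil(s, e, c) for _, s, e, c in hazardous_events),
               key=ASIL_ORDER.index, default="QM")


# Constructed sample: hazardous events for a hypothetical automated emergency-braking function.
SAMPLE_EVENTS = [
    ("unintended full braking at highway speed with following traffic close", 3, 4, 2),
    ("unintended full braking while parking at walking pace", 1, 3, 1),
    ("loss of braking assist in city traffic, driver still has the pedal", 2, 4, 1),
    ("braking request ignored when approaching a stopped vehicle at highway speed", 3, 2, 3),
]
```

For the sample events classify() returns C, B, A and QM in that order, so the safety goal covering the function is ASIL C; the single ASIL D cell is S3/E4/C3, and the table holds 18 QM, 8 A, 6 B, 3 C and 1 D cells, which is a quick way to confirm an implementation against a printed copy of the standard.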


Tuesday 08·13·13, 1:30-5:00, Exeter, Workshop

Application of System Safety Methods to Systems of Systems
Presenters: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada; Rami Debouk, Electrical and Controls Integration Lab, General Motors, Warren, MI, USA; Antonio Vergara, ITER Organization, St Paul-lez-Durance, France
This workshop will facilitate an exchange of knowledge among participants about the application of system safety methods to Systems of Systems (SoS), that is, systems whose components are themselves complex systems, such that the combined behavior of these components cannot be easily understood or explained in terms of the behaviors of the individual components. Examples of such systems are increasingly common across a variety of technological domains, including aerospace, defense, automotive and energy generation/distribution. Traditional methods of system safety, focused on component failure as a source of safety risk, have limited value in understanding and managing the safety risks associated with a SoS. For example, an unforeseen interaction between two "correct" behaviors implemented by different components of a SoS may result in an unsafe behavior even in the absence of a component failure. The first part of the workshop will be a series of short presentations on SoS examples from a diverse variety of technical domains, namely advanced road vehicles, high energy physics and aerospace/defense. The second part of the workshop will be an opportunity for all participants to address specific questions about the application of system safety methods to SoS through dialogue and impromptu mini-presentations.

Tuesday 08·13·13, 1:30-5:00, Fairfield, Workshop

Advancing Safety By Reducing Errors: A Fresh Approach
Presenter: Tim Autrey, BSc, Error Reduction and Human Performance Enhancement, Practicing Perfection Institute Inc., Swanzey, NH, USA
Potential hazards workers face while working in the refining and petrochemical industry can vary from minor leakage to major blasts, release of chemical vapors, spills leading to exposure to harmful gaseous chemicals, fires and explosions, and smoke build-up causing shelter-in-place, impacting the local community, personal injuries, fatalities and plant damage resulting in shutdowns. Considering time pressures, the dangerous nature of the job, weather conditions, lack of communication, poor/inadequate documentation and remote working locations, planners, locators and refiners often face combined challenges that generate very error-likely conditions.

While unexpected releases of toxic substances do occur, the industry is subject to vulnerabilities caused by others (such as processes involving highly hazardous chemicals leading to the release of flammable liquids and gases, and worker stress and fatigue), and investigations reveal that many of the major accidents that do occur could have been prevented through greater diligence on behalf of the respective personnel involved.

This workshop is designed to provide the participants with the awareness that, as humans, we are fallible (even the best people make mistakes). However, this being said, as humans we also possess the incredible power of choice. What we must do is choose to learn from our mistakes and take actions to prevent their recurrence.

Bird and Germain (1996) rightly said: "What is the sense of measuring if the loss must occur before you can act? That is reaction, not control." What we need is a fresh approach to enhance safe work practices. This session will instill a strong understanding of "The Gap" in processing information and how to RESPOND rather than REACT when posed with a stressful or threatening situation. The participants will come to recognize the value inherent in worker contribution to solving problems and improving safety and efficiency.

The Practicing Perfection® approach has taken the best-of-the-best tactics and tools from the US commercial nuclear power and airline industries, simplified them and combined them with underlying triggers and influencers of behavioral psychology to transform worker behaviors pertaining to personal and process safety in different sectors.


Using this innovative approach of Practicing Perfection®, safe work practices will be discussed in depth using the four human error barrier/defense categories and how these work together to prevent/allow an event to occur. The participants will be introduced to the Error Elimination Tools™ handbook, which offers simple tools for minimizing the potential for error at points of team interaction and individual execution.

Wednesday 08·14·13, 1:30-3:30, Arlington, Workshop

The Evolution of the UK Defence Safety Standards
Presenter: John McDermid, Professor of Software Engineering at the University of York, UK
Issue 5 of DS 00-56 is being developed and is likely to be in force before the end of the year. The UK's primary defence safety standard, DS 00-56, has been in existence since mid-1990 and has undergone a number of changes, becoming more goal-oriented at Issue 4 (the current standard). When Issue 4 was produced, DS 00-55, the MoD software safety standard, was discontinued. Since the publication of DS 00-56 Issue 4 in 2007 there has been feedback on some of the requirements, including the challenges of applying the ALARP principle; defence contracting has changed, with a move towards greater procurement of services and/or outsourcing the management of facilities; and there is increasing use of Systems of Systems (SoS). Issue 5 of DS 00-56 is being developed to address these issues. At the same time there have been increasing concerns regarding software safety, and it has been decided to re-introduce DS 00-55 at the same time, albeit in a goal-based style consistent with DS 00-56 and also covering complex electronics. The tutorial will present an explanation of the motivation for the changes to the standards and the significant conceptual changes, and outline the rest of the development process. Time will be allowed for discussion, e.g. the relationship between DS 00-56 and other standards, both civil and military.

Wednesday 08·14·13, 1:30-3:30, Fairfield, Workshop

Aircraft Fire & Explosion: How Safe Are the Friendly Skies?
Presenter: Albert Moussa, PhD, PE
While commercial air travel is an extremely safe mode of transportation, aircraft fires and explosions can occasionally occur with catastrophic consequences. Using examples of recent accidents and full-scale testing, Dr. Albert Moussa will provide an overview of the main types of fires, such as those involving the aircraft engine, fuel tank, cabin and cargo areas. He will show how major accidents lead to safety recommendations by the NTSB, stricter requirements by the FAA and improved practices by the industry. This process takes many years, leading eventually to safer skies. Examples of safety improvements include the use of a fire-blocking layer in seats, improved acoustic insulation, fire detection and suppression systems in cargo bays, and fuel tank inerting. The implications of replacing aluminum with composite materials will also be discussed. The talk is an overview of a unique professional course that he teaches annually on the design of aircraft systems for protection against fire and explosion. The talk is a multimedia presentation illustrated with colorful slides and short video clips of real accidents and computer model outputs.

Dr. Albert Moussa has spent over forty years developing a fundamental understanding of fire and explosion, particularly for the aerospace/defense industry. His work has led to the development of a number of practical solutions and quantitative models and to the investigation of several major national and international aircraft fire accidents. His forewarning about the vulnerability of aircraft fuel systems before the occurrence of the TWA 800 and Concorde disasters has gained him prominence in the general media in both the US and Europe. He has consulted for the Air Force, Navy and major firms such as Boeing, GE, Northrop Grumman and Parker Hannifin, and has served on national advisory committees and on the Editorial Board of an ASME journal. He teaches a unique professional design course on how to protect aircraft systems against fire and explosion. He received his BS from Stanford University and his MS and ScD from MIT. He has published widely, including one book. He has received several honors, including the William Littlewood Memorial Lecture Award by SAE/AIAA, Engineer of the Year by the AIAA NE Section, best papers by SAE and ASEI, AIAA Distinguished Lecturer, and several ASME citations. He is the Founder and Technical Director of BlazeTech Corp., an engineering firm that specializes in technology and software development in the areas of energy, environment and safety.

Friday 08·16·13, 8:00-10:00, Clarendon, Workshop

Process Safety Culture Best Practices
Presenter: Laurence Pearlman, MA, Corven Inc. and University of Illinois at Urbana-Champaign, Naperville, IL, USA
The workshop explores how process safety is more than a technical solution and involves cultural change. To make a successful and sustainable culture change, multiple elements need to be combined that address people, rewards, learning and leadership. This workshop will explore best practices and give practical advice on how to build a process safety culture. The workshop is aimed at oil, chemical and other process-related work.

• Introduction
• Change as a Journey: Overview of Change Management
• Building a Business Case: Defining a Burning Platform
• Speaking of Process Safety: Creating a Common Language for Process Safety
• Leadership Matters: Defining the Role of Your Leadership Teams
• Effective Learning: Segmenting Your Audiences and Delivering Relevant Learning Activities
• Looking at Behaviors and Desired Outcomes: How To Define & Drive Behaviors
• The Employee Lens: Know My Barriers & Know My Role in Keeping Them Healthy
• Measurement of Culture: What Works and What Doesn't
• Wrapping it Up: Change as a System

You have a lot on the line. Our adaptive Safety Management and FAA Compliance solutions won't let you down.

Adaptive SMS — The comprehensive solution for the most efficient implementation
• Extends a culture of safety beyond safety teams
• Easily guides users to confidentially report useful safety events
• Responsiveness shows users they made a difference

Adaptive Systems Safety Analysis — Safety oriented system design analysis

Don't miss the Sikorsky Aircraft and AST Aerospace presentation "Linear Integrated Safety Analysis (LISA)"

A DIVISION OF ATLANTIC SOFTWARE TECHNOLOGIES
1-732-230-2590
sales@astaerospace.com
www.astaerospace.com


Paper Presentations

Monday 08·12·13 AM, Berkeley: Hazard Analysis, Chair Barondes

Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models
Lucas Wind, Dr. Gabriele Schedl, Juergen Floetzer, Safety Management Department, Frequentis AG, 1100 Vienna, Austria
Multiple failures of components due to shared causes, also known as Common Cause Failures (CCF), comprise an important class of failure types. These have to be taken into account in any serious assessment of safety critical systems deploying any redundancy concept. Whereas a qualitative assessment of CCF can be regarded as common practice, the exact numerical impact of CCF is usually less widely understood. Explicit representation of CCF is quite cumbersome and usually involves complex graphical representations within Fault Trees and RBDs. Focusing on a correct derivation of RAM-data rather than on a comprehensive common cause analysis, an implicit representation of CCF is therefore often preferred, but involves in-depth knowledge of underlying mathematical models. This paper aims to enable safety experts to make a fast, simple but effective RAM-analysis including CCF. Popular CCF-models are reviewed together with their advantages and disadvantages, based on the long-term experience of a supplier in the context of a large European ATM-project. The single parameter beta-factor model is explained in detail and demonstrated to be most effective for typical ATM-applications. Based on this model, results are given in terms of representative figures depicting the influence of CCF on various typical real world availability requirements.

Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees
Wes Rainey, MSEE, Life Cycle Engineering, General Dynamics Electric Boat, Groton, CT, USA
Fault Trees prove to be an effective tool for identifying safety critical system hardware and software requirements during the Safety Requirements Hazard Analysis (SRHA) process. This safety analysis methodology offers significant benefits when performing the SRHA. Fault Trees effectively communicate the safety assessment of a safety hazard to other safety engineers, systems engineers, the customer and other impacted engineering disciplines in a manner that each discipline can readily understand and evaluate for completeness and correctness. Fault Trees also enhance the safety engineer's ability to assess the implications of safety mishaps and events on safety hazards, improving visibility into the relationship between related mishaps and events and allowing for common events to be identified and shared between hazards. Fault Trees can then be structured to correspond to the system hardware and software requirements analysis, thus providing the ability to identify hazard mitigating safety critical requirements, design features and procedures early in the development process for continued tracking and management. This paper describes significant benefits of Fault Tree analysis when applied to an SRHA, with an example based upon a hazard caused by significant equipment damage to a pump.

The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment
Omar T. Jaradat, PhD Student (1), Patrick J. Graydon, Postdoctoral Research Fellow (1), Iain Bate (2); (1) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden; (2) Department of Computer Science, University of York, York, United Kingdom
Typical safety standards require software engineers to show that a plan of safety activities—chosen from recommended options or alternatives—meets a set of objectives. For example, the automotive safety standard ISO 26262 recommends formally verifying software architectures to show that they comply with safety requirements. In this paper, we show how an existing approach to architectural model checking could be used to conform to ISO 26262.

The Architecture-Based Verification Technique for AADL Specifications verifies some completeness and consistency properties of Architectural Analysis and Design Language (AADL) models. An engineer transforms the AADL architecture into an UPPAAL model, generates a set of UPPAAL queries, and uses UPPAAL to check the queries. Using the resulting evidence, we have created a partial ISO 26262 safety case for an existing system that warns drivers of heavy vehicles before low fuel causes loss of power and vehicle control.

In this paper, we demonstrate how this model-checking evidence contributes to an ISO 26262 safety case. We then critically analyze the resulting argument, recommend means of achieving complete coverage of ISO 26262 objectives, and discuss the costs and benefits of architectural model checking in comparison to those of the other techniques recommended by ISO 26262.

Monday 08·12·13 AM, Clarendon: Ground Transportation, Chair Millin

Achieving Confidence of a Safety Critical System Product and Its Applications
Fenggang Shi, PhD, RAMS Department, Thales Canada Transportation Solutions, Toronto, ON, Canada
A safety critical system product can be developed for multiple project applications, such as a Communication Based Train Control (CBTC) product for modern railway signaling systems. It is natural that different safety critical systems in the same domain can have different characteristics due to variances of devices and operation environment. Such a product must be developed based on the generic attributes of systems in the domain, and can be parameterized and tailored to a specific system with the characteristics expected by the customer. The key issues in development of such a product are defining common functions in the application domain, categorizing and generalizing devices, and designing a configurable system architecture. Thus devices and functions can be parameterized and tailored for a specific system of a project. Safety engineering for such a safety critical system product and its applications faces complexity in safety case development for demonstrating systematic hazard analyses and management. This paper discusses Thales experience and practice of resolving the key issues in designs and managing complexity of safety engineering on its CBTC product and applications. Safety confidence of CBTC systems is achieved through four layers of safety engineering: vital computer controller platform, generic application, and specific application.

Failure Logic Automata for Future Oriented Safety Assessment of Train Control System
Guo Zhou, PhD Student, Huibing Zhao, Professor, School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China
In the development progress of train control systems, safety analysis possibly deviates from system design. System engineers and safety engineers always carry out their ideas in entirely different ways, so that when system engineers assert their designs are completed and feasible, the safety engineers may disappointedly declare that the safety requirements are not met. On the contrary, when safety engineers expose their manual analysis reports (FTA and FMECA etc.), system engineers may pop up and point out the inconsistency. Intuitively, there seems to be a "gap" between system engineering and safety engineering. In this paper, some comparisons amongst classic safety assessment methods are performed first. Then a future oriented safety assessment method is introduced to safety engineering to automatically realize safety requirements verification with the soaring complexity of system design. The hierarchical and modularized methodology of failure logic modeling is illustrated for minimal cut sets synthesis and dangerous failure rate calculation, which can be referred to prompt the safety. The mathematic model is constructed to manifest the correctness of the method. An instance analysis of an on-board train protection system is performed also.

Are We Ready for Driverless Cars?
David B. West, CSP, PE, CHMM, AMCOM/AMRDEC Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
For decades, technological advancements have continually improved the automobile, making it easier to drive. As we integrate features like adaptive cruise control, GPS navigation, lane keeping, and so on, and make them interoperable, we move ever closer to having cars that will drive themselves to the destinations we enter into their programs. Some experts have even predicted that in less than a generation it will be illegal to steer our cars ourselves. Though it may seem that serious safety challenges constrain our movement down this path, it may actually be the safety benefits offered by driverless cars that propel us in this direction. Several high-profile competitions have fostered the development of driverless car technology. Some jurisdictions are already passing legislation to pave the way for driverless cars on public roads. With driverless cars will come major changes in legal processes involving accidents. In many ways, the development of driverless cars that will operate on public roadways parallels the development of unpiloted aircraft that will fly in the national airspace. Design standards for hardware and software in civil aircraft (e.g., RTCA DO-254/DO-178) may serve as models for similar qualification of driverless car hardware and software.

Tuesday 08·13·13 AM, Berkeley: Hazard/Risk Management, Chair Parizo

Safety is not an Option
Clifford A. Parizo, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Stratford, CT, USA; R. Brandon Daugherty, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Huntsville, AL, USA
This paper presents a method for evaluating and classifying rotorcraft safety enhancing equipment in terms of impact on safety and various equipment implementation factors. Guidance from certifying agency policy and system safety standard practice were considered, resulting in a classification tool that can be used to determine if equipment should be marketed and sold as either mandatory or optional. The methodology developed may have applications for other products and industries.

National Aerospace Standard 411 Update
Timothy Sheehan, CIH, CSP, PE, Raytheon Global Substances Program, Raytheon, Portsmouth, RI, USA
This paper describes the effort to review and update National Aerospace Standard 411 ("NAS 411"), commonly used within defense as a framework to conduct Hazardous Material Management Programs (HMMP) intended to reduce hazardous material risks in the government procurement of military systems. The scope of the effort includes both a review of the standard and the introduction of several key changes, including the expansion of the scope to non-military procurements and service contracts. Included in the effort is the task of developing a standardized military Hazardous Materials Target List (HMTL) that can be used as a starting point for military HMMP hazardous material (HAZMAT) target lists. The development of the common HMTL addresses the need to increase standardization of HMMP lists across defense programs that use NAS 411 and/or MIL-STD 882E Task 108 to conduct their HMMPs. There is no current standard approach now for developing these lists; as a result, there are numerous different materials identified for restrictions and reporting requirements. The current situation often does not support (or reflect) the hazmat risk management goals of the DoD, the military services, or the contractors.

Linear Integrated Safety Analyses (LISA)
Michael T. Grant, Aviation & Product Safety, Sikorsky Aircraft Corp., Stratford, CT, USA; Samad Muhammad, Atlantic Software Technologies Inc., New York, NY, USA
This paper describes the Linear Integrated Safety Analyses (LISA) process developed by the Sikorsky Aircraft Corporation (Sikorsky). The LISA architecture is designed to encompass all aspects of safety risk management for aircraft development programs. It is linear in that each assessment is repeated at the aircraft, system and subsystem levels in sequence, and it is integrated such that all analyses are connected and fully traceable to requirements. Sikorsky has partnered with Atlantic Software Technologies (AST) to develop a web-based LISA application. The end product will be a fully integrated system safety process that is comprehensive, repeatable and traceable.

Tuesday 08·13·13 AM, Clarendon: Workspace Safety, Chair Kondreck

Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen
Han Zhang, MSc Candidate, Rachel McQueen, MS, PhD, Jane Batcheller, PhD, Human Ecology, University of Alberta, Edmonton, Alberta, Canada
Burn injuries in kitchens are prevalent; as well, chefs are exposed to high heat and humidity. Limited research has been performed on safety issues related to chef's uniforms regarding thermal protective performance towards common kitchen thermal hazards (i.e., flames, hot liquids, steam and hot surfaces) and the thermal comfort within commercial kitchens. The purpose of this research was to characterize the thermal protective performance properties of textiles used in chef's uniforms in order to understand how protective they are against all these thermal hazards in such an environment. Selected thermal performance tests (i.e., flammability and ease of ignition, hot water and oil splash, steam testing under low pressure, and hot surface contact tests) were applied to predict the time to second-degree burn. Different fabric layer combinations (e.g., impermeable/semipermeable apron and two or more layers of cotton fabrics) were applied to determine the most effective way to wear chef's uniforms. In addition, thermal and water vapour resistance were compared among different fabric systems in terms of thermal comfort. Based on the data obtained from bench scale tests, recommendations were made to improve the thermal protection and thermal comfort of fabrics used in chef's uniforms and the safety within commercial kitchens.

A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources
Ray Fischer (1), Kurt Yankaskas, BS (2), Chris Page (1); (1) Noise Control Engineering Inc., Billerica, MA, USA; (2) Warfighter Performance Department, Office of Naval Research, Arlington, VA, USA
Noise remains the most prevalent occupational hazard associated with defense systems and operations critical to their sustainment. Concurrently, acquisition programs have been inconsistent in application of control measures, and many new systems are noisier than their legacy predecessors. Common impediments to improved control include relative lack of emphasis on risk management of noise, lack of widespread technical knowledge regarding the feasibility of noise control, and misunderstanding of potential return on investment from noise controls. The Defense Safety Oversight Council's Acquisition and Technology Task Force sponsored a project to identify common noise sources affecting multiple defense systems that were amenable to control measures that could be implemented using existing technologies at an affordable cost. A system engineering risk management process was applied to review key noise sources in DOD, identify nine of the more common sources amenable to control technologies, and describe common control measures for these processes. An affordable containment (acoustic enclosure) technology was also evaluated and described. Estimates were made of exposed populations, the range of their occupational exposures, and potential risk and fiscal cost of hearing loss. Cost-benefit analyses were applied to evaluate the return on investment from available control measures.

System Safety Design for Safe Operation of Radars
Ronald J. Bartos, PE, CSP, Whole Life Engineering, Raytheon, Sudbury, MA, USA
Safe operation and maintenance of radars depends upon effective system safety and software safety analyses of radar designs. These analyses include identification of the hazards involved in operating and maintaining radars and the safety requirements that are necessary to mitigate these hazards. This paper familiarizes the reader with the system safety design requirements that are implemented in the controls of these systems in order to manage the potential safety risks inherent in radars. The safety features are contrasted among different types of radars. The differences in the types of safety features among these systems are highlighted, and factors for these differences are presented. The radar's mission, location, system architecture, conceptual design, and requirements allocation between hardware and software need to be understood in order to implement an effective safety program.

Tuesday 08·13·13 PM, Berkeley: Software Engineering, Chair Mikula

Dependability Techniques Applied to Space Software - A Research Project Report
Carlos Henrique Netto Lahoz, Dr. Eng., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos (SP), Brazil; Martha Adriana Dias Abdala, MS, Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos, Brazil
This work reports some results of a research project performed at the Institute of Aeronautics and Space (IAE/Brazil) using dependability techniques applied to a space computer system. Hazard analysis techniques such as Software FTA and Software FMECA were used in an integrated manner, and more recently the System-Theoretic Process Analysis (STPA) has been studied. This research is part of the Verification and Validation (V&V) efforts to increase software dependability capability in software projects at IAE.

The feasibility of such an approach was conducted on system software specification and applied to a case study based on the Brazilian Launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to inclusion of new functional and non-functional system software.

The techniques are adjusted and used in combination to identify common causes of software failures, its criticality, performance problems, temporal misleading, and hazards arising mainly from dysfunctional interactions between components. The SFTA analysis produced 82 basic events and the SFMECA 34 analyses from the sequence of flight and control events. The STPA is being applied to one of the case study scenarios in order to evaluate possible additional information about how the behavioural safety constraints can be violated.

The Principles of Software Safety Assurance
Richard Hawkins, PhD, Ibrahim Habli, PhD, Tim Kelly, PhD, Department of Computer Science, University of York, York, United Kingdom
We present common principles of software safety assurance that can be observed from software safety standards and best practice. These principles are constant across domains and across projects, and can be regarded as the immutable core of any software safety justification. The principles also help maintain understanding of the 'big picture' of software safety issues whilst examining and negotiating the detail of individual standards, and provide a reference model for cross-sector certification.

Formal Modelling in the Development of Dependable Systems
Elena Troubitsyna, PhD, IT, Åbo Akademi University, Turku, Finland
Nowadays we tend to place increasing reliance on computer-based systems and the software which they are running. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, the analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.

It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing of software to the required degree of dependability infeasible, and hence the emphasis should be put on the development process, which is aimed at producing fault free software. Moreover, the system environment has a direct impact on its dependability, and hence a systems approach should be applied.

In the paper we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.

Tuesday 08·13·13 PM, Clarendon: Aerospace Safety, Chair Kraemer

Systems-Based Approach to Flight Safety Management in Airlines
Hong Chi, PhD, Baoguang Xu, PhD, Mingliang Qi, PhD, Xueyan Shao, PhD, Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China
Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of SMS. From 2006 we work with one of China's 3 big airlines, taking part in its construction of SMS. We find that safety risks have their own features in different airline's departments, and divide safety risks into two categories: one is caused by factors such as quality of pilots and reliability of airplanes, and the other is caused by misprocessing through operational processes; for example, a misprocessing in data entry during dispatching may lead to insufficient fuel and then serious outcomes. A reasonable risk assessment can be obtained only by systematic mechanism analysis, and other analytical approaches need to be studied besides the risk matrix. Based on this, effective risk mitigation can be implemented in airlines. We develop a closed loop to support airline's flight safety management, named "Describing-Assessing-Diagnosing-Improving-Tracking". Specific details will be discussed in this paper.

Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch
Burak Durmaz, MSc Eng., Product Assurance Department, Space Systems Group, Turkish Aerospace Industries Inc. (TAI), Ankara, Turkey
Even if the new generation aircraft have rugged designs which are maximizing reliability, exposure to failures during operation is still indispensable. With a pure safety approach, one can lead to the classical result "the safest aircraft is the one in the hangar". Vice versa, allowing dispatch without ensuring a certain level of safety can lead to catastrophic results and is totally not acceptable. MMEL has been answering this dilemma for many years. Each MMEL item is analyzed taking into account the effects of item inoperability on safe flight and landing, crew workload, functional capabilities of the systems, design margins, and the impacts due to the next critical failure. MMEL is proposing dispatch criteria for any inoperative MMEL item by taking credit from a redundant unit which is capable to accomplish the same function, the backup data provided by alternative sources or equipment, dictating acceptable limitations and/or requiring operational or maintenance procedures.

This study is aiming to answer questions such as why MMEL is required and how an MMEL is developed. Also, brief information about the MMEL regulations, the importance of MMEL to ensure safe dispatch with inoperative item(s), and some simple examples regarding MMEL applications are going to be provided.


Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics
Stuart Campbell Sr., MAS, CFII, ATP, Aeronautical Science, Embry-Riddle Aeronautical University, Daytona Beach, FL, USA
The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilot Association, 2010). The absence of a positive safety culture in general aviation, to include training organizations, affects pilot judgment and decision making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture during the learning process and training, is of importance and currently under study using the Frasca Mentor Advance Aviation Training Device.

Tuesday 08·13·13 PM, Dartmouth: Software Safety, Chair Schmedake

Safety and/vs. Security: Towards a System Engineering Approach for Trust
Erwin Schoitsch, Dipl.-Ing., Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria
Safety has a long tradition in many engineering disciplines, evolving long before computers arrived on the scene. Security in engineering disciplines has a shorter history, becoming increasingly important with the rising complexity of networked systems. In complex cyber-physical systems and systems-of-systems, both worlds, having ignored each other for a long time (independent communities, different targets, standards, techniques and measures), have now to share their concerns to achieve the real goal of users and stakeholders: trustworthy systems.

The paper will compare the different approaches of the major safety and security standards, particularly with respect to setting goals, considering techniques and measures, and qualification/certification. Holistic system aspects as covered by the notion of Dependability and Resilience as umbrella terms, and system engineering aspects taking into account dichotomic properties of complex embedded systems (commonalities and trade-offs), are looked at to try to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from concept phase, hazard and risk analysis to decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC-FP7 Integrated Project OpenCoss, in IEC/ISO standardization groups, and other work.

Anatomy of a Safety Critical Software Function
Richard Church, Raytheon Company, Tewksbury, Massachusetts, USA
This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides clear and concise determination of how a safety critical function may be defined at the system level to include hardware, software, human interactions and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose SLSCF computing level functions and detail what constitutes a Safety Critical Computing Software Function (SCCSF), and how to identify those behavioral attributes that designate that function as safety critical. This paper provides a methodology to identify, decompose and categorize application and operating environment SCCSFs. For the purpose of this paper, SCCSFs are categorized into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety critical software functions that control and monitor safety critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies, and fail-safe designs found in successful high consequence safety critical systems.

Software Risk: The Third Rail of Safety Analysis
Holly S. Hildreth, PhD, Consultant; Charles Greg Elcock, USN-R Aviator, Consultant, San Diego, CA, USA
"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Due to our inability to assess probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called "throwing the baby out with the bath water". Meanwhile, the recent industry trend to assess software risk based solely on implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss shortcomings of this trend and describe alternative techniques that have not been openly documented, but that have been used "under the radar" by software safety professionals for many years.

Wednesday 08·14·13 AM, Berkeley: Human Factors, Chair Robins

ASL – Affective Safety Leadership
Ulrik Ramsing, Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark
Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how", demanding the CoRep to engage with all parties in a safe, professional and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged with CfL Centre for Leadership to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, of which the satisfactory completion is now a requirement for employment in DONG E&P Offshore Operation as Company Representative.

The CoRep Program satisfies its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors, and ILO-driven offshore coaching.

Exxon Valdez: Human Error, Plain and Simple
Arthur D. Barondes, BS (Mil Engr), MS (Aero), MBA, PhD (ABD) (Business), Analytics International Corporation (AIC), Alexandria, VA, USA
Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989—and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors—there were no mechanical or electrical failures that fateful night—the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots, and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors—onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company—as solely responsible for the disaster.

Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A. Vernacchia, MS, PE, Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A. Green, PhD, Active Safety Systems, General Motors, Warren, MI, USA; Robert E. Llaneras, PhD, Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA
Today's electric propulsion system designs (e.g., Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, some failure modes may result in the failure effect on output torque being realized significantly faster than traditional ICE failure modes. These may present differences in how output torque responses impact potential "Driver Startle" events.

This paper compares electric propulsion systems' fault response characteristics and subsequent detection and mitigation capabilities to those of ICE systems. The effects of the electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle level hazard metrics related to Driver Startle, are presented.

Wednesday 08/14/13 AM, Clarendon: Public Safety (Chair: Fletcher)

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD; Yun Luo; Shuo Tian, MS; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

To make scientific precaution and effective control of accidents is important for the national production of China. The famous Heinrich Rule reveals that the statistical law of the severity and frequency of accidents is essential to control accidents, but the accidental source and causation, as well as the essence of systematic safety factors, haven’t been stated deeply. With the data analysis from various accident statistics over recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. And then a proportion rule of the accident pyramid is further figured out, namely “Major Accident-Fatal Accidents-General Accidents-Hidden Dangers-Hazards” (1-52-240-4700-∞). The result accords with the traditional Heinrich Rule, which provides the theoretical basis for accident prevention and indicates the way and direction of realizing essential safety.

Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity
Ilya M. Zheleznov, PhD, VNIIA, Moscow, Russia

The paper presents a review and results of analysis of different technical and economic aspects of industrial safety at a large enterprise with distributed sites, combining R&D works with pilot and batch production of high-tech products and located in a megacity – Moscow.

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to the optimization, considering minimization of transportation of dangerous substances, localization of treatment facilities (waste effluents, gas purification) and storehouses of waste, localization of systems of working-conditions maintenance (heating, air-conditioning, air cleaning, water supply, etc.), possible harm to the population, and a number of other factors, both from technical and economic points of view, are considered.

The features connected with the location of the enterprise in a megacity, including the limitation of the areas for treatment facilities, a high saturation of the area with various communications, small distances to residential buildings and objects of city infrastructure, transport problems, high pollution of the air environment, etc., are identified.

Program ISSC 2013

Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr. Professor G. A. Smirnov, Dr. D. I. Yurkov, D. V. Syagin, T. V. Kozhina, All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia

The paper reviews the questions related to vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including those of a terrorist orientation, as well as to emergency situations of natural and anthropogenic character.

Main provisions of the Russian Government-approved complex program of safety of the population on transport are presented. Approaches to the organization of examination of physical persons, passengers, vehicles, cargoes, luggage and personal things at objects of the transport infrastructure of the undergrounds of Russia are formulated. Some types of neutron and x-ray equipment for detection of explosives, nuclear materials and drugs, designed and produced by VNIIA named after N. L. Dukhov, are presented.

Wednesday 08/14/13 AM, Dartmouth: Lifecycle Safety (Chair: Swallom)

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore, Singapore

System Safety analyses assess the systems’ hazards throughout all phases of the system life cycle. Quite often, details of maintenance tasks on systems were not clearly thought out and assessed. Hence, while in the midst of carrying out system maintenance tasks, hazards could arise and pose safety implications to users. Improper maintenance could also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance, and sometimes total replacement of the components at regular intervals, are required. Therefore, it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel’s awareness of safety-critical or safety-related parts is also crucial in ensuring that the systems remain safe for operation after conducting maintenance.

This paper attempts to classify the different types of maintenance and the focuses of their respective hazard analysis, in order to better address their potential hazards. Generally there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance and Reliability-Centered Maintenance. The authors will discuss, with examples, the hazard analysis for each of these types of maintenance.

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram, David Hartfelder, Electronic Controls and Software, General Motors Company, Milford, MI, USA

System safety engineering is the application of special technical methods and managerial processes in a systematic manner to identify, evaluate and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned with eliminating or minimizing the impact of system hazard(s) to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementary critical safety analyses, tests and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that they are able to influence the design of the system. This paper will define a system safety case and provide an overview of its development within the GM system safety engineering process as it applies to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA

Error Prevention Event Collection (EPEC) Documents have been beneficial to the ULA Organization in many ways, by providing multiple methods to augment current ULA Error Prevention Processes and share Lessons Learned throughout the ULA Organization. EPEC Documents are stand-alone documents that provide ULA Personnel with categorized sets of Event information that can be used to augment Preventive Analysis, Reactive Analysis and Collective Analysis processes. Events included in the EPEC Documents have been “closed” through the ULA Error Prevention Process. This means that they have completed the Causal Analysis, Corrective Action Board and Error Prevention Council processes. Upon Event closure, the “All Items” Database is populated with Event information and the applicable Event EPEC Categories. Then the “All Items” Database automatically sorts Event entries into “Category” Databases. There is one “Category” Database for each EPEC Category. Each “Category” Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each “Category” Database that provides users with instructions for use, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications and benefits will continue to be explored as they relate to the EPEC Documents.

Wednesday 08/14/13 AM, Exeter: Human Factors II (Chair: Flint)

Development of Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy; Yanyan Wang, DE; Xin Liu; Wei Bai; Xinsheng Guo; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China

Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress has a disadvantage for flight safety. Life events are a routine item of aircraft accident investigation in many countries. A lot of pilots involved in accidents suffer from life events. In order to acquire the ideal effect, flight safety education must be incorporated with psychology. An education program combining flight safety and psychological stress was developed by summarizing relative psychological factors of aviation risk perception. The program includes three sections: psychological measurement relative to safety and results feedback, education on representative risk scenes in aviation, and occupational stress management. The Aviation Safety Locus of Control scale and the Hazardous Aviation Attitude questionnaire were used to evaluate risk pattern. The results were fed back to pilots to improve their self-knowledge. Representative risk scenes were based on the five hazardous attitudes theory. Fifteen cases were developed and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach the pilots stress management skills. The program can be applied to improve flight safety and the mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD; Xin Liu; Wei Bai; Xinsheng Guo; Qingfeng Liu, MPsy; Xiaochao Guo, DPsy; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China

The capabilities of crew resource management (CRM) directly relate to flight safety and run through the whole process of flight tasks, but there are currently no indicators and methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and pilots’ behavior characteristics of dynamic CRM were developed, based on AC-121-FS-2011-41 crew resource management training and by analyzing the influential factors; thus, eventually, the dynamic assessment training indicators and methods of crew resource management were formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis of assessment of CRM during flight training, which is helpful to improve the CRM capabilities of the double drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD; Erin Collins; Hughes Associates, Inc., Baltimore, MD, USA

The fire protection response in selected facilities is characterized by “manual” activities. That is, facility personnel are trained to immediately react after fire detection, not only to announce the fire event throughout the facility using the communication systems, but to also suppress the fire as quickly as possible. Contrary to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e., hardware) reliability and availability techniques, “manual” detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper involves an integration of an event tree analysis and HRA, which includes treatment of the following detection and suppression activities: Prompt detection and suppression, Rapid detection and suppression, and Fire brigade suppression.

Wednesday 08/14/13 PM, Berkeley: Safety Topics (Chair: Gauthier)

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou, BEng, MSc, PhD, CEng; Matthew Luckcuck; Tim Kelly, PhD; Richard W. Jones, PhD; Department of Computer Science, University of York, York, United Kingdom

There has been an increasing use of IT in healthcare, aiming to improve the quality of healthcare as well as the safety delivered to patients. IT can contribute to improvement in meeting the performance targets of hospitals by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent in medical devices (e.g., pacemakers), for which there are organised efforts for international standards. Recently there have been attempts to systematise and standardise the safety analysis of health IT systems, with examples such as the UK National Health Service standards asking for a safety case that any IT systems are safe.

The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety and data-intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these (tactics) can be used to provide assurance to the final safety case of the system.

How Complex Systems Fail—I: Decomposition of the Failure Histogram
Richard R. Zito, PhD, Richard R. Zito Research LLC, Tucson, AZ, USA

Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that in general the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the “tails” (large values of time) are higher than those predicted by the Rayleigh model. And the failure histograms (failure rate vs. time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report will take the Peterson/Arellano analysis one step further. A unified theory of failure rates will be presented that removes the paradoxes of the simple Rayleigh model. It will be shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function law.

Wednesday 08/14/13 PM, Clarendon: Risk Assessment (Chair: Karedes)

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt; Joan Pham, PhD; Sikorsky Aircraft Corporation, Stratford, Connecticut, USA

The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday 08/15/13 AM, Berkeley: Space Systems (Chair: Durmaz)

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X. Dang, BSCE (1); Myles P. Moran, BSME (2); Tyrone Jackson, BSEE (1); (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA

A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. An example: one satellite contractor’s orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 AFSPCSUP1, 91-217 and 63-101. AF program offices are required to comply with AFI policies. AFIs don’t generally apply to the contractor except as implemented through the contract. Often, program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that by having two sets of requirements, AFIs for program offices and MIL-STD-882-Tailored for contractors, full compliance with AF Orbital Safety policy should be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor’s System Safety Program to comply with AFI policy. These risk areas should be identified in the program office’s SSMP and addressed in the contractor’s SSPP. This paper answers the question “How should the SSMP be tailored to aid the program office’s enforcement of AF Orbital Safety policy?”

Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G. McDougall, BS Physics, Naval Post-Graduate School (NPS) Master System Engineering, System Safety Center SMC/SE, El Segundo, CA, USA; Tyrone Jackson, BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA

Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommission and disposal of systems, subsystems, end items and services during the entire space system lifecycle, to support Operational Safety, Suitability and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements that are applicable to the acquisition of space systems or space system of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems, and user equipment systems. SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP_I and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process of evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing tasks and activities required to execute a viable system safety program, which include risk acceptance package development, hazard tracking, mishap risk disposition, and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch, CO, USA

United Launch Alliance launches Atlas V and Delta IV from Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles. Large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle and prelaunch operations, until liftoff. Range Safety regulations provide safety requirements for hardware, software and operations to ensure safety throughout the ground processing. This paper will examine each stage of the ground processing for space launch and the applicable safety requirements, and discuss how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after the personnel are cleared, using safety-critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday 08/15/13 AM, Clarendon: Weapons Safety (Chair: Southwick)

Security Critical Software — the Necessary Frontline Defense of System Safety in Today’s Dangerous Nuclear Age
Showkat S. Alborzi, PhD, Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA

Today’s political landscape, the arbitrary abandonment of non-proliferation of nuclear weapons by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us—the safety engineers—to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense of system safety. This paper intends to explore this integration and unveil some of the security critical software that can serve as the first line of defense for preserving the safety critical features of our weapons systems.

Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams, BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello, BSChE, Navy NOSSA, Indian Head, MD, USA

The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance provided in the associated AOP-7 and AOP-39 for implementing policy. Questions are often raised during program development and reviews as to the origin and applicability of tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, will only address Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE; Gunendran Sivapragasam, MBA SE; Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA

A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among those characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday 08/15/13 AM, Dartmouth: Hazard Identification (Chair: Oliver)

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore

We often asked ourselves why accidents or mishaps happened even when the system safety methodology and assessments were in place. Accidents happened due to many possible causes. There could be lapses in the safety integrity of the system, or a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns, in that a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations that were faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist, and explores ways to minimize these gaps, thus improving the practices in system safety. There are 4 areas of concern highlighted in the paper: Interfaces, Prototype Tests & Trials, Maintenance & Disposal, and Human Error. By identifying the gaps in these 4 areas, the author explores and proposes mitigation measures that could possibly close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr. Cand. scient., System Safety, SINTEF, Trondheim, Norway

Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body for certification according to IEC 61508, a Notified Body for certification according to relevant EU directives, and a Manufacturer.

Experience has shown that, to deliver the product in time and to be cost-effective, it is very important that the Manufacturer and the Certification and Notified Body agree about basic principles concerning the plans, contents, traceability and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Body as evidence.

This paper presents the CoVeR method that has been developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, that costs are minimized, that time to market is reduced, that the certification process is complete and well documented, and that updates of the certificates require less work. The certification experiences to date show that many of the problems with conventional methods are improved.

Design with Safety Eye
Barış Berk Erdem, MS; Pinar Aydin, MS; Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey

Deriving safety requirements in the early stages of the design is one of the most important key factors in conducting a successful development process for any project. As well-defined, correct, consistent and complete safety requirements improve and guide the design to perfect levels with minimum effort, defective, inconsistent and incorrect safety requirements may lead to unsuccessful, overweight and over-cost designs. In this paper, ways and advantages of deriving qualified safety requirements in early stages of the design will be discussed via examples. Safety requirements are derived using the results of the safety assessments based on the consequences of functional failures. But the quality of safety assessments is based on the maturity of the design, and also, as the design matures, it is hard to change and implement the changes, thus causing a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated and familiar with similar projects provides great contributions. Also, a safety perspective throughout the design team makes it easy to derive valuable safety requirements and bring these requirements into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is the cooperation of the whole design team with a safety perspective.

Thursday 08/15/13 PM, Berkeley: Aerospace Software (Chair: Beecher)

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway, NASA Langley Research Center, Hampton, VA, USA

For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance “for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements.” Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments contained in or implied by the DO-178C guidance that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore, developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper, we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels, and Baconian probability. We define use cases for confidence in safety cases: prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases, we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for reuse of safety elements.

Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System
Eric Yang, PhD; Richard Y. Xie, PhD; Arash Yousefi, PhD; Metron Aviation, Inc., Dulles, VA, USA

As demand for military, civilian and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety that is set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper we adapt a previously developed safety modeling framework, the Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and to evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS, incompatibility of the sense-and-avoid systems of UAS with the Tactical Collision Avoidance Systems (TCAS) of manned aircraft, loss-link procedures in the UAS, and the UAS loss of communication with air traffic control. The findings of this study provide insight into potential risks of UAS integration and may support development of a concept of operation, establishing minimum performance standards, and developing required safety nets.

Thursday, 08/15/13, PM, Clarendon: Public Safety II (Chair: Laabs)

Integrating System Safety and Emergency Management
Terry L. Hardy, Great Circle Analytics, LLC, Denver, CO, USA

System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations, or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience, and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS, HSE, Marine Well Containment Company, Houston, TX, USA

Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess and Statoil. In February 2011, MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS and Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach for working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.

WHAT ARE YOUR STRENGTHS AS AN ENGINEER?

"thinking system-wide" • "providing in-depth analysis of the latest technologies" • "solving real-life problems"

ONLINE MASTER'S DEGREES

• Reliability Engineering
• Project Management
• Nuclear Engineering
• Sustainable Energy
• Energetic Concepts
• Fire Protection Engineering

LEARN MORE: www.advancedengineering.edu/issc


A Taxonomic Analysis on Chinese Special Equipments "Yinhuan" in Supervision
Yunxiao Fan, Dr., Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety in the worksite. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices and automobiles. In recent years, the rapid increase in the numbers and types of special equipment has placed increasing stress on BSES's regulation of it. As a government supervision organization, BSES tries to make the inspection tasks of the different supervision levels explicit and efficient, and to improve safety management performance from a risk-based point of view. This research is the first task in a project that aims to identify yinhuans (hidden dangers) in special equipment supervision through a taxonomic approach, for further ranking of them through risk assessment. Based on nonconformity and the four elements of the accident causation model, this research defined the yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. The research identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans across 8 types of special equipment.

Thursday, 08/15/13, PM, Dartmouth: Hazard/Risk Management II (Chair: Kniess)

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1); Patrick J. Graydon, PhD (2); Rikard Land, PhD (1). (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework including analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach, the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence, it can ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA

United Launch Alliance (ULA) believes error reporting is the cornerstone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012, ULA experienced an elevated number of transportation-related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if the associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates processes were "in control" during the period of this study.


Isograph Software: World Leading Reliability, Availability and Maintenance Software

Reliability Workbench: Reliability Allocation, Prediction, FMECA, Fault Tree Analysis, Event Tree Analysis, Markov

Availability Workbench: Reduce Labor & Spares Costs; Increase uptime and output; Seamless integration with SAP and Maximo

www.isograph-software.com

Even though statistical analysis tools demonstrated ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, PEng, MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece

Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how STAMP-Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents and incidents. The objective is to show the feasibility of establishing in airports system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems and airports to assess and predict changing levels of risk.


Special Functions

Saturday: SSS Executive Council Meeting, 12:00 - 5:00pm, Tremont Room

Sunday: SSS Executive Council Meeting, 8:00am - 5:00pm, Tremont Room

Monday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Opening Ceremonies / General Session, 1:30 - 3:30am, Salons A-E. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow Member Emeritus

Keynote Speaker: James P. Keller, Jr., MS, ECRI Institute

Tuesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Sponsor/Exhibitor Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology

Sponsor & Exhibitor Reception, 6:30 - 8:30pm, Gloucester Room

Wednesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

International Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK

Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00pm. Be in the hotel lobby at 6:00pm.

Thursday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Awards Luncheon, 11:30 - 1:20pm, Salons A-E

Friday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Best Papers Presentations, 8:00 - 11:20am, Dartmouth Room


32nd International System Safety Conference, 4-8 August 2014 · St. Louis, MO

St. Louis Union Station Marriott Hotel

32ND INTERNATIONAL SYSTEM SAFETY CONFERENCE, ST. LOUIS, MISSOURI · AUGUST 4-8, 2014. Gateway to Safety

Local attractions:
• Gateway Arch Riverfront
• Missouri History Museum
• Museum of Transportation
• St. Louis Cardinals
• St. Louis Symphony
• St. Louis Union Station
• St. Louis Science Center
• The Contemporary Art Museum St. Louis
• Bissell Mansion Restaurant and Dinner Theater
• Missouri Botanical Gardens
• Laumeier Sculpture Park
• Anheuser-Busch Brewery
• Kemp Auto Museum
• Schlafly Bottleworks
• Fox Theater
• Purina Farms
• Meramec Caverns
• Laclede's Landing
• City Museum
• Magic House
• Grant's Farm
• St. Louis Zoo
• Delmar Loop
• Forrest Park
• Harrah's
• Six Flags


About the System Safety Society

The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program or activity at the planning phase and continues through the design, production, testing, use and disposal phases.

The Society's Objectives:
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070. www.system-safety.org; email: systemsafety@system-safety.org

Points of Contact

Officers:
Robert Schmedake, President, robertaschmedake@boeing.com
Dr. Rod Simmons, Executive Vice President, rodsimmons@me.com
Dr. Matt Johnson, Executive Secretary, mjohnson@staudertech.com
Pam Kniess, Treasurer, pamkniess@gmail.com
Gary Braman, Immediate Past President, gbraman@sikorsky.com

Directors:
Gerry Einarsson, Chapter Services, einargk@rogers.com
Lynece Pfledderer, Conferences, Lynecepfledderer@lmco.com
Dr. Chuck Muniak, Education & Professional Development, cmuniak@stevens.edu
Debbie Hale, Gov. & Intersociety, Hale0324@hotmail.com
Robert Fletcher, International Development, rwfletcher@sympatico.ca
Melissa Emery, Member Services, memery@apt-research.com
Steve Mattern, Mentoring/R&D, smattern@bastiontechnologies.com
Saralyn Dwyer, Publicity & Media, sdwyer@apt-research.com


Chapters

Tennessee Valley Chapter (AL): Don Swallom, swallom@isss-tvc.org
Saguaro Chapter (AZ): Amanda Boysun, 520-794-5487, AmandaBoysun@raytheon.com
Bay Area Chapter (CA): Graham Murray, 408-756-2674, grahamtmurray@lmco.com
Central California Chapter (CA): Kathleen Brenna, KathleenBrenna1@us.af.mil
Sierra High Desert Chapter (CA): Jerry Banister, 760-377-4690, safetycitadel@earthlink.net
Southern California Chapter (CA): Francis McDougall, 310-653-1309, francismcdougall@us.af.mil
Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppe@comcast.net
Georgia Chapter: Terry Gooch, 770-494-3527, terryjgooch@gmail.com
Winners Circle Chapter (KY/IN): Marc Bever, 812-854-1351, Marcbever@navy.mil
Twin Cities Chapter (MN): Bill Blake, 763-744-5086, billblake@atk.com
New England Chapter: Alan E. Southwick, 401-842-2067, Alan_E_Southwick@raytheon.com
Northeast Chapter: Scott Beecher, scottbeecher@PW.utc.com
New Mexico Chapter (NM): William (Bill) Harwood, williamharwood@mda.mil
Houston Chapter (TX): Derek Robins, 281-335-2011, derekrobbins@mwcc-usa.com
North Texas Chapter (TX): Frank Rinaldo, 817-762-3075, frankrrinaldo@lmco.com
Washington DC Chapter: Sean Peters, seanpeters@urs.com
Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerber@baesystems.com

International Chapters

Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbecht@rgbassurance.com.au
Canada Chapter: Maury Hill, 613-220-0533, Mauryhill@rogers.com
Israel Chapter: Haim Kuper, 972-4-8315044, haimkuper@elbitsystems.com
Singapore Chapter: Ten Lin Mei, tlinmei@dso.org.sg


Notes


31st ISSC Luncheon Menu

Tuesday, August 13
New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14
Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15
Caesar Salad
Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato Pesto Butter Sauce
White Chocolate and Blood Orange Torte


Going the Distance, Reducing Risks

Paper Presentations • Tutorials • Panel Discussions • Just In Time Sessions

Things to Do in Boston

• Freedom Trail
• Fenway Park
• New England Aquarium
• Museum of Science
• Boston Common
• Paul Revere House
• Samuel Adams Brewery
• Museum of Fine Arts
• Boston Harbor Islands
• Faneuil Hall Marketplace

Program, ISSC 2013

31ST INTERNATIONAL SYSTEM SAFETY CONFERENCE, BOSTON, MASSACHUSETTS · AUGUST 12-16, 2013. Safety for the Long Run

Boston Marriott Copley Place

[Floor plans of the Boston Marriott Copley Place, third and fourth floors. Legend: Presenter Prep; Lessons Learned; ISSC Staff Turn-Over Meeting; Speaker's Breakfast; ISSC Tracks; Tutorials; Opening Ceremony; General Meeting; Lunches; Registration; Reception; Exhibitor Area. Third floor: Fairfield, Gloucester, Exeter, Dartmouth, Clarendon, Berkeley, Arlington, Back Bay Conference and Exhibition Center, Northeastern, Simmons, Boston Univ., Brandeis, Wellesley, Suffolk, Tufts, Regis, Harvard, MIT, Office A, Office B, Atrium Foyer, Atrium Lounge, Restaurant. Fourth floor: Nantucket, Provincetown, Hyannis, Yarmouth, Vineyard, Falmouth, Orleans, Salons A-K, Ballroom Foyer, Registration.]


Contents

General Information 2
Greetings 5
Speakers 10
Schedule 12
Tutorials 21
Panel Discussions/Forums 26
Workshops 26
Paper Presentations 30
Special Functions 50
About the System Safety Society 52

Organizing Committee

Conference Chair: Pam Alte
Co-Chair: Cliff Parizo
Technical Program Co-Chairs: Gary Braman, Norman Gauthier
Sponsor/Exhibitor Chair: Lindsey Eirich
International Chair: Bob Fletcher
Financial Chair: Cathy Carter
Off-Site Events: Alan Oliver
Webmaster: Don Swallom
Logistics/Equipment: Richard Anderson
Publishing: Heather French
CEU Credit: Rod Simmons
32nd ISSC Liaison: Pam Kniess

The following volunteers contributed to the success of the conference.

Pam Alte, 31st ISSC Chair


General Information

Registration Desk: All 31st ISSC attendees, including sponsors and exhibitors, must register at the registration desk located on the 4th Floor. Registered attendees will receive badges, which should be displayed while in any ISSC area (including luncheons). Once a badge is issued, it is the responsibility of the registrant to ensure that it is not lost. Sponsors may change the names on their badges as often as they want, but the old one must be turned in to receive a new name.

Special Events: Spouses or exhibitors may purchase tickets for luncheons or the off-site event at the registration desk up to 24 hours prior to the event. Tickets for the Wednesday night off-site event at the Museum of Science will be $90.00 for adults or $55.00 for children. Tickets to the luncheons on Tuesday, Wednesday and Thursday are $45.00/lunch for any attendee. Spouses and guests are welcome to attend the Tuesday evening Sponsors and Exhibitor social free of charge.

Internet: Internet will not be provided in the conference locations. However, should you require internet access during the conference, there is complimentary wireless available in the lobby and other public areas. There are also internet options available to each guest in their room.

Transportation: The Marriott Copley Place is located 3.2 miles away from the airport. The subway cost (one way) is $2.50 and the estimated taxi cost is $35.00. While rental cars are available, parking costs in Boston tend to be pricey. Alternative means of getting around include taxis, the subway or walking.

Tutorial Program & CEUs: The conference includes several information-packed tutorials in addition to the papers being presented. Attending tutorials, along with other elements of the Technical Program at the 31st ISSC, meets the requirements for Continuance of Certification credit through the Board of Certified Safety Professionals (BCSP). Continuing Education Units (CEUs) will be issued for participation in the Conference tutorials. You must be present for the entire tutorial in order to be granted the CEUs. Attendance will be taken at the start of the tutorial and after each break, and you must be present at the end to collect your certificate. CEUs are issued on the basis of 0.1 CEU per instructional contact hour.

Dress Code: We want you to feel comfortable while you are attending the 31st ISSC, so we advise 'business casual' attire. The awards ceremony, which is a part of the Thursday luncheon, is a time when many attendees will dress in more formal business attire. The Tuesday night Sponsor and Exhibitor social and the Wednesday night off-site event are also business casual dress.

Daily News: The ISSC Daily News will be available at 7:30 each morning, both at the registration desk and in the Sponsor/Exhibitor area. This will announce any room changes, schedule changes or other information pertinent to the proceedings of the conference.

Spousal Program: There are no tours provided by the ISSC for spouses this year. However, there is an information session to be held on Monday. Brochures will be made available along with maps and ideas of attractions to visit. If a spouse is unable to make this information session, the hotel concierges can answer questions about local attractions, how to use the subway, available tours or dining suggestions.

Wednesday Night Off-Site Event: Bus transportation will leave the Marriott Copley Place starting at 6:00pm and bring attendees to the Museum of Science. The ISSC will have the Blue Wing reserved from 6:30pm to 10:30pm and will receive a private lightning demonstration in the Theater of Electricity, buffet dinner and a cash bar. Spousal/guest tickets can be bought at the registration desk up until 24 hours before; however, to ensure a smoothly-run event, we encourage you to purchase extra tickets when you register. This is sure to be an event you won't want to miss.


Safety is paramount. That's why at Lockheed Martin safety is designed into everything we do. Our system safety engineers follow proven government and industry standards, plans, processes and lessons learned to build the world's most safe, supportable and technologically advanced aircraft.

Lockheed Martin is proud to sponsor this year's International System Safety Conference and applauds their mission to ensure system safety for the long run.

www.lockheedmartin.com

ENSURING SAFETY FOR THE LONG RUN

© 2013 Lockheed Martin Corporation


Greetings from the Society President

As the newly elected Society President, I want to welcome you to the 31st International System Safety Conference. I have been working in system safety since 1985, and I find this to be a rewarding and exciting career field. What I have liked most about the field is the fact that I find every new assignment involves working with new and varied types of systems. I love the challenge, and I appreciate that I am fortunate to have a job where my work makes a difference in the safety of our systems. We as System Safety Professionals have the unique privilege of impacting our society in such a positive way.

This year marks the Golden Anniversary of our society, and we trust this year's conference will live up to your expectations. We have come a long way since the early days of this society. Technology has transitioned from vacuum tubes to liquid crystal displays, launching unmanned satellites to commercial space flights, computers the size of a room to tablets with more and more capability daily. Some of our founding members will be in attendance at this conference, and they will be participating in our opening session. I know I am looking forward to hearing from them and their unique challenges.

I am also looking forward to hearing about the unique challenges we face with the latest in technology in our society. The impact of new technology on society, and the motivation to trust more of our safety critical applications to the latest in today's innovations, creates ever steeper challenges for us. This conference helps us to meet the challenge. We have outstanding technical sessions, world leading safety professionals in attendance, opportunities to network, and opportunities to find solutions to our everyday safety dilemmas.

Our Conference Chair, Pam Alte, and her team have done an outstanding job in putting together this conference. We have a number of interesting technical tracks at this conference. Our speakers include some of the biggest names in the field. Our sponsors are among the best in the industry, and clearly we value their contributions to making our world a safer place.

So thank you for coming to this conference. I hope you are looking forward to the opportunities we have in the coming week as much as I am.

Robert A. Schmedake, President, System Safety Society


Protecting your most valuable assets

• System Safety Engineering & Analysis
• Mission Assurance
• Range Safety
• Test Planning
• Explosives Safety
• Software System Safety
• Industrial Engineering
• Quality Engineering
• Reliability Engineering
• Software Development & Modeling
• Independent Risk Assessments
• Standards Development
• Training

www.apt-research.com

A-P-T Research, Inc., 4950 Research Drive, Huntsville, Alabama 35805
Phone: 256-327-3373; Fax: 256-837-7786; www.apt-research.com

Founded in 1990, APT (Analysis, Planning, Test) is an employee-owned small business located in Cummings Research Park near Redstone Arsenal in Huntsville, Alabama. Our corporate vision is to provide state-of-the-art expertise and ensure the highest levels of customer satisfaction.

Photo: Missile Defense Agency


Greetings from the Chapter President

Hear ye, hear ye, welcome to Boston for the 31st International System Safety Conference. Boston is the largest city in New England and one of the oldest in the United States. No hiding in your hotel: get out and enjoy the city's history, where key events of the American Revolution took place, including the Boston Massacre and the Boston Tea Party. For fun and entertainment, visit the Samuel Adams brewery and Bull & Finch pub (from Cheers). We are all Red Sox fans this week, so feel free to visit Fenway Park or view the city from atop the John Hancock or Prudential buildings. Boston has a red brick trail through the city that leads you past many of the historical locations; it's called the Freedom Trail. Walking this path brings you from the Boston Common past locations including Granary Burying Ground, Boston Massacre site, Faneuil Hall, Paul Revere's house, Old North Church, and then across the Charles River to the Bunker Hill Monument and USS Constitution.

The Northeast Chapter and SSS Executive Committee (EC) have worked hard with this year's Conference Chair, Pam Alte. If you run into Pam, make sure you stop and thank her for the volunteer hours and effort she has poured into this conference. The economy is providing challenges to pull together a successful conference, but Pam, with the EC's support, has been more than up to the task.

"Safety For The Long Run" is such a poignant theme for this year's Boston conference, with the Boston Marathon bombings bringing safety to the forefront. Other recent events such as aviation, train and industrial accidents have sharpened the focus on how critical the safety discipline is in all our lives. For the conference we are all challenged to learn something new. I ask that all attendees stay engaged with the conference papers and presentations and promote the system safety discipline.

Scott Beecher, President, Northeast Chapter, System Safety Society


I fly Sikorsky. Because the mission is never the same.

I fly a Sikorsky BLACK HAWK helicopter for multiple missions. It's dependable and durable, and I have complete confidence in its proven performance. Sikorsky not only sets the standard for rotorcraft excellence and safety, they exceed it. It's evident in everything from the reliable performance of my BLACK HAWK to the way they support me in the field. There's simply no better helicopter for any requirement, whether it's utility, combat search and rescue or firefighting. The way I see it, not every pilot gets to fly in a helicopter this good. But they should.

Sikorsky

5626 July 2013


Greetings from the Conference Chair

On behalf of the entire ISSC planning committee, I would like to extend a warm welcome to you. We have worked hard to make this conference a world-class success. Whether this is your first visit to Boston or you have been here before, I hope you get a chance to relax and enjoy our beautiful New England city. Boston has something for everyone, from historical sites to exciting downtown locations, sports arenas and fabulous shopping. Our off-site event will be held in the Museum of Science, complete with Wolfgang Puck catering and our own private Lightning Show.

The System Safety Society is proud to host an annual conference that provides practitioners from different industries a chance to get together, network and learn from each other. Unfortunately, the US budget sequestration restricted travel for Government workers, so our numbers are down this year. I would like to assure all attendees that although this year's conference will be smaller than previous years, the standards to which we held our papers and tutorials were not lowered. You can expect top notch presentations.

The theme for this year's conference, Safety for the Long Run, picks up on a number of parallels between the types of things one might do to prepare for a marathon race and elements of an effective system safety program. These include the importance of proper training, having a well thought out plan, getting off to a good start, avoiding obstacles and distractions, and keeping enough in reserve for a successful sprint to the finish. I think you will agree that this year's conference will help prepare you well.

One of our objectives was to try to attract more young people who could especially benefit from the knowledge and experience of many of the Society's "grey beards". We will have several student members in attendance, and I hope you will join me in making them feel welcome. I am also pleased to announce this year we will have a new track, lifecycle safety. These papers will discuss system safety as it moves past the development stage, which is where the majority of our previous discussions have stopped. In addition to our many papers and tutorials being offered, there is the potential for "Just in Time" sessions to be held. A board for suggesting topics you would like to have added to discussions will be located at the registration desk, or you can coordinate with Norm Gauthier, one of our Technical Co-Chairs.

We wish you an enjoyable and enlightening conference experience. Should there be anything you require to make your conference experience better, please don't hesitate to reach out to me, Cliff Parizo or any of the other Conference Committee volunteers.

Again, enjoy your visit, and thank you for your support by being here. I would also like to send a big thank you to those who helped plan this conference, our sponsors & exhibitors, and especially to Sikorsky Aircraft for partnering with us to make this conference a reality.

Sincerely, Pam Alte, 31st ISSC Conference Chair


SPEAKERS

Rex B. Gordon, MPH, PE, CSP, Fellow Member Emeritus: Opening Ceremonies 50th Celebration Speaker

Rex Gordon is a 50-year Charter Member and current Historian of the System Safety Society. He is a past President and Editor of the Journal. He served as Chairman of the 2nd ISSC and of both the Northeast and Southern California Chapters. He has represented the Society on the boards of the Reliability and Maintainability Symposium (RAMS) and Certified Safety Professionals (CSP). He is a Chapter Member and past Chairman of the Government Electronic Industries Association (GEIA) G-48 System Safety Committee. He has co-authored two textbooks and over 15 published papers. He has lectured at the George Washington University and USC. He has represented the Society at functions held in the White House, the Pentagon, and in Germany, Holland and Paris.

He is retired after 40 years of employment as a System Safety Engineering Specialist, Manager and Consultant. He currently lives with his wife of 61 years in Fallbrook, CA.

James P. Keller, Jr., MS, ECRI Institute: Keynote Speaker

As Vice President, Health Technology Evaluation and Safety, James Keller directs ECRI Institute's internationally recognized Health Devices Evaluation Program, which provides independent judgment and guidance to help hospitals and health systems select and manage medical devices. The program was referred to by the New York Times as the "country's most respected laboratory for testing of medical products". He serves as a member of ECRI Institute's Executive Committee, which is responsible for overall governance of ECRI Institute operations.

Mr. Keller is also responsible for the Health Devices Alerts notification service for medical product hazards and recalls; Alerts Tracker, a web-based tool for managing hazards and recalls of medical products; Biomedical Benchmark, a resource to help hospitals manage their medical equipment service activities; an annual series of interactive webinars on health technology issues; and the International Medical Device Problem Reporting System.

Mr. Keller is a recognized expert and frequently invited speaker on a wide range of health technology-related topics, including patient safety, equipment management, strategic planning and forecasting, device utilization, nomenclature and asset management, and the convergence of medical devices and information systems. He is a regular contributor to ECRI Institute's Patient Safety Blog and is routinely sought out by the news media for his expertise on a variety of health technology concerns.

Mr. Keller is President of the board for the American College of Clinical Engineering and is a member of the board for the Health Technology Foundation. He joined ECRI Institute in 1984 after completing a Master of Science degree in biological engineering from the University of Connecticut and a Bachelor of Science degree in zoology from the University of Massachusetts.

ProgramISSC2013


Dr. Nancy Leveson, Massachusetts Institute of Technology: Sponsor & Exhibitor Luncheon Speaker

Dr. Leveson holds a PhD from UCLA. She was a Computer Science professor at the University of California, then became Boeing Professor of Computer Science and Engineering at the University of Washington.

Professor Leveson's research focuses on topics related to the design of complex systems containing software, hardware and human components. Her goal is to stretch the current limits of complexity and intellectual manageability of the systems we can build with reasonable resources and with confidence in their expected behavior, particularly safety. Current research topics include model-based system and software engineering, system and software safety, software requirements specification and analysis, human-computer interaction, reusable component-based system architectures, interactive visualization, human-centered system design, and comprehensive approaches to risk management that include the organizational, political, managerial and social aspects of system construction and operation. New work is starting in security. Current applications include space, aircraft, autos, rail systems, nuclear power, medical devices, hospital safety, defense systems and others.

Dr. John McDermid, The University of York, UK: International Luncheon Speaker

Professor John A. McDermid has been Professor of Software Engineering at the University of York since 1987, where he runs the High Integrity Systems Engineering (HISE) research group. He was also Head of the Department of Computer Science from 2006 to 2012. The HISE research group studies a broad range of issues, mainly in systems, software and safety engineering, and works closely with the UK aerospace industry, but has worked in a number of domains including automotive, medical and railways.

In 2010 he was appointed a Consulting Professor at Beijing Jiaotong University (BJTU) and now runs a collaborative research programme in railway safety with BJTU, known as the Railway Safety Technology Research Centre (RSTRC). He has extensive experience as a consultant, including advising the Ministry of Defence (MoD) on the development of DS 00-56 Issues 3 and 4. He is a member of the UK Defence Scientific Advisory Council. He is author or editor of six books and has published approximately 360 papers.


SCHEDULE: MONDAY, 12 AUGUST

4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Rooms: Salons A-E, Berkley, Clarendon

8:00 - 8:50
• Hazard Analysis (Barondes): Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models (Wind, Schedl, Floetzer)
• Ground Transportation (Millin): Achieving Safety Confidence of a Large Scale System Product and its Applications (Shi)

9:00 - 9:50
• Hazard Analysis: Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees (Rainey)
• Ground Transportation: Failure Logic Automata for Future Oriented Safety Assessment of Train Control System (Zhou, Zhao)

10:30 - 11:20
• Hazard Analysis: The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment (Jaradat, Graydon, Bate)
• Ground Transportation: Are We Ready for Driverless Cars? (West)

Lunch Break, Salons A-E

1:30 - 2:20
• Opening Ceremonies, General Session: 50th Celebration Speaker Rex B. Gordon, MPH, PE, CSP, Fellow Member Emeritus; Keynote Speaker James P. Keller, Jr., MS, ECRI Institute

Rooms: Exeter, Fairfield, Wellesley

8:00 - 8:50
• Tutorial: Hands-On System Safety Basics Focused On FHA, Winkelbauer, Schedl (3 hrs)
• Tutorial: Introduction to Fault Tree Analysis Using CAFTA Software, Roy (3 hrs)
• Committee & Group Meetings

SCHEDULE: TUESDAY, 13 AUGUST

4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Rooms: Arlington, Berkley, Clarendon, Dartmouth

8:00 - 8:50
• Tutorial: A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique, Leveson, Thomas (6 hrs)
• Hazard/Risk Management (Parizo): Safety is not an Option (Parizo, Daugherty)
• Workplace Safety (Kondreck): Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen (Zhang, Batcheller, McQueen)
• Open Forum (Fletcher): Developing Global System Safety Perspectives

9:00 - 9:50
• Hazard/Risk Management: National Aerospace Standard 411 Update (Sheehan)
• Workplace Safety: A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources (Fischer, Yankaskas, Page)

10:30 - 11:20
• Hazard/Risk Management: Linear Integrated Safety Analyses (LISA) (Grant, Muhammad)
• Workplace Safety: System Safety Design for Safe Operation of Radars (Bartos)

Sponsor & Exhibitor Luncheon, Salons A-E. Guest Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology.
Menu: New England Clam Chowder; Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction; Key Lime Tart in a Hazelnut Crust, Blackberry Pate de Fruit.

1:30 - 2:20
• Tutorial (continued)
• Software Engineering (Mikula): Dependability Techniques Applied to Space Software: A Research Project Report (Lahoz, Abdala)
• Aerospace Safety (Kraemer): Systems-Based Approach to Flight Safety Management in Airlines (Chi, Xu, Qi, Shao)
• Software Safety (Schmedake): Safety and/vs Security: Towards a System Engineering Approach for Trust (Schoitsch)

2:30 - 3:20
• Software Engineering: The Principles of Software Safety Assurance (Hawkins, Habli, Kelly)
• Aerospace Safety: Use of Master Minimum Equipment List (MMEL) To Ensure Safe Dispatch (Durmaz)
• Software Safety: Anatomy of a Safety Critical Software Function (Church)

4:00 - 4:50
• Software Engineering: Formal Modelling in the Development of Dependable Systems (Troubitsyna)
• Aerospace Safety: Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics (Campbell)
• Software Safety: Software Risk: The Third Rail of Safety Analysis (Hildreth, Elcock)

6:30 - 8:30: Sponsor & Exhibitor Reception, Gloucester Room

Rooms: Exeter, Fairfield, Suffolk, Wellesley

8:00 - 8:50
• Workshop: ISO 26262-Style Risk Assessment, Joyce (3 hrs)
• Tutorial: Assurance Cases As Means of Evidence Based Development of Critical Systems, Despotou (3 hrs)
• Tutorial: Practical Generation of Safety Cases With the Help of GSN, Gerstinger, Schedl (3 hrs)
• Committee & Group Meetings

1:30 - 2:20
• Workshop: Application of System Safety Methods to Systems of Systems, Joyce, Debouk, Vergara (3 hrs)
• Workshop: Advancing Safety By Reducing Errors: A Fresh Approach, Autrey (3 hrs)
• Tutorial: Improving Safety Management by Using a Risk Management Policy in Your Daily Operations, Fitzgerald (3 hrs)
• Committee & Group Meetings (continued)

SCHEDULE: WEDNESDAY, 14 AUGUST

4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Rooms: Arlington, Berkley, Clarendon, Dartmouth

8:00 - 8:50
• Human Factors (Robins): ASL: Affective Safety Leadership (Ramsing)
• Public Safety (Fletcher): The Study on the Accident Causation Rule of Macroscopic Accidents in China (Zeng, Luo, Tian)
• Lifecycle Safety (Swallom): Maintenance Hazard Analysis (Tan)

9:00 - 9:50
• Human Factors: Exxon Valdez: Human Error, Plain and Simple (Barondes)
• Public Safety: Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity (Zheleznov)
• Lifecycle Safety: Development of a System Safety Case for Automotive Electric/Electronic Systems (Sundaram, Hartfelder)

10:30 - 11:20
• Human Factors: Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems (Vernacchia, Green, Llaneras)
• Public Safety: Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation (Smirnov, Yurkov, Syagin, Koshina)
• Lifecycle Safety: Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes (Laabs, Allison, Russell)

International Luncheon, Salons A-E. Guest Speaker: Dr. John McDermid, The University of York, UK.
Menu: Asian Inspired Salad; Teriyaki Chicken, Coconut Rice, Seared Bok Choy; Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce.

1:30 - 2:20
• Workshop: The Evolution of the UK Defence Safety Standards (McDermid)
• Safety Topics (Gauthier): Introducing Safety Assurance Influenced Design of Health IT Systems (Despotou, Luckcuck, Kelly, Jones)
• Risk Assessment (Karedes): Quantitative Risk Assessment in Aviation Safety Risk Management (Hewitt, Pham)
• Tutorial: Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System, Behnke, Damstra, Villhauer (2 hrs)

2:30 - 3:20
• How Complex Systems Fail-I: Decomposition of the Failure Histogram (Zito)

6:00 - 10:00: Wolfgang Puck Dinner and Lightning Show at the Museum of Science

Rooms: Exeter, Fairfield, Suffolk, Wellesley

8:00 - 8:50
• Human Factors II (Flint): Development of Education Program Integrating Flight Safety and Psychological Stress (Liu, Wang, Liu, Bai, Guo)
• Tutorial: Why You Should Care About the "-Ilities", Southwick (3 hrs)
• G-48 Meeting: West (6 hrs)
• Committee & Group Meetings

9:00 - 9:50
• Human Factors II: Research on Evaluation Index and Method of CRM Dynamic Training (Wang, Liu, Bai, Liu, Guo, Guo)

10:30 - 11:20
• Human Factors II: Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events (Garvey, Joglar, Collins)

1:30 - 2:20
• Tutorial: Where Hard Meets SOFT: Human Factors Role In System Safety Engineering, Brisbois (2 hrs)
• Workshop: Aircraft Fire & Explosion: How Safe are the Friendly Skies? (Moussa)
• G-48 Meeting (continued)
• Tutorial: Using Risk Profiles for Safety Management of Large Scale Operations, Fitzgerald (3 hrs)

SCHEDULE: THURSDAY, 15 AUGUST

4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Rooms: Berkley, Clarendon, Dartmouth

8:00 - 8:50
• Space Systems (Durmaz): Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy (Dang, Moran, Jackson)
• Weapons Safety (Southwick): Security Critical Software: the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age (Alborzi)
• Hazard Identification (Oliver): Closing the Gaps in System Safety Coverage (Siow)

9:00 - 9:50
• Space Systems: Tailoring of MIL-STD-882E for Space Systems Acquisitions (McDougall, Jackson)
• Weapons Safety: Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics (Adams, Tomasello)
• Hazard Identification: Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods (Myklebust)

10:30 - 11:20
• Space Systems: Cryogenic Safety for Space Launch Vehicles During Ground Operations (Iyengar)
• Weapons Safety: A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects (Pham, Sivapragasam)
• Hazard Identification: Design With Safety Eye (Erdem, Aydin)

Awards Luncheon, Salons A-E.
Menu: Caesar Salad; Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce; White Chocolate and Blood Orange Torte.

1:30 - 2:20
• Aerospace Software (Beecher): Making the Implicit Explicit: Towards an Assurance Case for DO-178C (Holloway)
• Public Safety II (Laabs): Integrating System Safety and Emergency Management (Hardy)
• Hazard/Risk Management II (Kniess): Towards Automatic Verification of Safety Properties in AADL System Models (Björnander, Graydon, Land)

2:30 - 3:20
• Aerospace Software: Uncertainty and Confidence in Safety Logic (Graydon)
• Public Safety II: Safety in Deepwater Well Containment Operations (Robins)
• Hazard/Risk Management II: Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events (Allison, Jerdak)

4:00 - 4:50
• Aerospace Software: Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System (Yang, Xie, Yousefi)
• Public Safety II: A Taxonomic Analysis On Chinese Special Equipments "Yinhuan" in Supervision (Fan, Luo, Lu)
• Hazard/Risk Management II: Leading Indicators in Aviation Operations (Fletcher, Dokas)

Rooms: Exeter, Fairfield, Suffolk, Wellesley

8:00 - 8:50
• Tutorial: Conceive of Modeling On Operation Mechanism of Public Safety Standardization, Luo, Huang (6 hrs)
• Panel: G-48 Pressing Issues Facing System Safety, West (3 hrs)
• Committee & Group Meetings

1:30 - 2:20
• Tutorial (continued)
• Committee & Group Meetings (continued)

FRIDAY, 16 AUGUST

Simmons Room, 6:30 - 8:00: Speakers' Breakfast

Rooms: Clarendon, Dartmouth, Regis

8:00 - 8:50
• Workshop: Process Safety Culture Best Practices (Pearlman) (2 hrs)
• Best Paper 1
• Lessons Learned & ISSC Staff Turn-over Meeting

8:50 - 9:30
• Best Paper 2

3, 2, 1: SAFETY

System safety is paramount. It impacts our products, employees, technicians and maintenance personnel. And safety is no accident: it is designed into everything we do. We are proud to sponsor this year's International System Safety Conference and their mission to think outside the box when it comes to the best processes, methods and techniques. We're committed to delivering innovative ideas and solutions that help connect, protect and explore our universe.

www.lockheedmartin.com/ssc

© 2012 Lockheed Martin Corporation


TUTORIALS

The conference organizers have an information-packed tutorial program planned in conjunction with the 31st ISSC. Attending tutorials, as well as other elements of the Technical Program at the 31st ISSC, meets the requirements for Continuance of Certification credit through the Board of Certified Safety Professionals (BCSP). The University of Cincinnati will issue Continuing Education Units (CEUs) for participation in the conference tutorials. CEUs are issued on the basis of 0.1 CEU per instructional contact hour. You must be present for at least 90% of the tutorial to receive CEUs and a tutorial completion certificate. Your attendance is verified via the process outlined below.

• At the start of the tutorial, you'll clearly print your name in the attendance form exactly as you want it to appear on the certificate.
• After returning from each break during the tutorial (morning, lunch and/or afternoon), you'll initial the attendance form.
• You must be present at the end of the tutorial to receive your certificate and the CEUs.

If there are misspellings on the CEU certificates, please mark the corrections and give them back to the instructor or leave them at the registration desk.

Monday, 08·12·13, 8:00-11:30, Exeter, Tutorial, 0.3 CEU

Hands-On System Safety Basics Focused on FHA
Instructors: Werner Winkelbauer, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria

An overview of a generic safety process best suited for small to medium sized projects, in relation to the project lifecycle, is given. For each major project phase, the respective safety process phase, safety objectives, and necessary inputs and outputs are detailed. Some state-of-the-art analysis techniques are explained. Special emphasis is placed on the Functional Hazard Assessment, where practical guidance for a Functional Failure Modes and Effects Analysis is presented.

The content of this tutorial is based on experience from a company working internationally.

Objective: Basic understanding of a safety process and the practical implementation of a Functional Failure Modes and Effects Analysis.

Monday, 08·12·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Introduction to Fault Tree Analysis Using CAFTA Software
Instructor: Jean Francois Roy, Nuclear Division / Risk & Safety Management Group, Electric Power Research Institute, Palo Alto, CA, USA

This tutorial will introduce Fault Tree Analysis using CAFTA software. Attendees will first review fault tree methodology and terminology. Construction of a fault tree model in CAFTA will then follow a brief review of CAFTA's components and symbol types. In constructing the fault tree model, topics covered will include projects, navigation, editing shortcuts, and how to add probabilities. An overview of basic event probability formulas, type codes and variables will be included, as well as printing and quantification processes.

Tuesday, 08·13·13, 8:00-5:00, Arlington, Tutorial, 0.6 CEU

A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique
Instructors: Nancy G. Leveson, PhD, John Thomas, PhD, Aeronautics and Astronautics, MIT (Massachusetts Institute of Technology), Cambridge, MA, USA

STAMP is a new accident causality model that expands on the old models in order to handle the increased complexity, software, and changing human roles in today's systems. Using STAMP as a foundation, new tools have been built for hazard analysis (STPA), accident analysis (CAST), organizational risk analysis and risk management, etc. This tutorial will concentrate on STPA. The tutorial will start with a brief introduction to STAMP and the systems approach to safety engineering. The rest of the time will be devoted to learning STPA and doing exercises. Students are encouraged to bring problems from their own research domains so that they can try this analysis method on something very relevant to their work.

STPA is being used successfully in most every industry. Several groups have evaluated STPA empirically by comparing the results with standard hazard analysis techniques. In all cases STPA found all the hazard scenarios found by the other methods, but also found additional ones involving software, human errors and unsafe interactions among system components. In a couple of cases where STPA and the other methods were applied to a design in which an accident had occurred (without telling the analysts), STPA was the only method that found the real accident scenario.

By the end of the tutorial, attendees will be able to apply STPA to a system in their field of expertise.

Tuesday, 08·13·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Assurance Cases as Means of Evidence Based Development of Critical Systems
Instructor: George Despotou, BEng, MSc, PhD, CEng, Department of Computer Science, University of York, York, United Kingdom

Often developers have the onus to defend a position (i.e., make a case) about the safety of their system. This usually involves an explanation of how the available information for a system supports the claim that risks in the system have been acceptably managed.

Safety cases have been used in the safety domain for a number of years, mostly in the defence, aerospace and energy domains. Their usefulness as a tool for improving safety has been appreciated by many practitioners, and development of a safety case is a requirement in many standards. This has resulted in the core concepts of safety cases being transferred to other domains (e.g., automotive) and their focus being extended to other system attributes (e.g., security cases). Recently the term assurance case has been introduced, which encompasses not only safety but other relevant critical aspects of a system, such as security.

A case exists to communicate an argument. It is used to demonstrate how someone can reasonably conclude that a system is acceptably safe from the evidence available. A case is a device for communicating ideas and information, usually to a third party (e.g., a regulator). In order to do this convincingly, it must be as clear as possible. Safety case definitions may differ between domains, but all definitions converge on a set of characteristics.

Development of a (safety) case is a requirement in many standards. Beyond that, the usefulness of the safety case has been appreciated in industry, and it is used by many organisations as good practice. The reason for this is that explicitly capturing all reasoning and information (about the supported position), such as assumptions and evidence, facilitates assessing the fitness of the design to meet its (safety) objectives. A manufacturer will design a system aiming to achieve the required operational attributes. However, what is intended is often not what is achieved. Once the reasoning of the developers is explicitly documented as claim and argument supported by evidence, the gap between what was intended and what was achieved becomes more apparent.

Explicitly documenting a case will contribute towards a factual representation of the system, revealing which claims can be supported by evidence and which remain intention (for example, because there is not sufficient evidence to support them). This does not necessarily imply that the latter claims have not been implemented, but that we are unaware of their achievement, as they are not sufficiently supported. There can be three reasons why a claim is not sufficiently supported: a) there is not sufficient evidence to warrant the claim; b) although there is evidence, there is inadequate explanation (a problematic argument structure) as to how the evidence supports the claim; and c) the claim was phrased in a way that is unsupportable.

The tutorial describes the basic concepts of assurance and safety cases (including recent OMG standards), explains the main challenges in developing an assurance case and their relationship to safety standards (safety cases and standards serve different purposes and should be seen as complementary), and presents best practice (and misconceptions) regarding assurance cases.
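The three reasons a claim can remain unsupported, listed in the abstract above, lend themselves to a mechanical check on the first two. The block below is an added example written for this page; it is not code from the tutorial, from the University of York, or from the GSN standard, and the node kinds (goal, strategy, solution), the field names and the sample case are assumptions chosen for the illustration. It walks a small goal-strategy-solution tree and reports every goal that never reaches evidence, distinguishing a claim with nothing beneath it (reason a) from one whose argument is broken, such as a strategy with no sub-goals (reason b); reason (c), a claim phrased so that it cannot be supported, is left to a human reviewer.

```python
# Added example: a minimal checker for a GSN-style assurance case.
# Illustrative code written for this page, not material from the tutorial or
# from the University of York; node kinds, field names and the sample case
# below are assumptions chosen for the illustration.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List


@dataclass
class Node:
    kind: str                     # "goal" (claim), "strategy" (argument) or "solution" (evidence)
    text: str
    children: List[str] = field(default_factory=list)   # ids of the nodes supporting this one


def check_case(nodes: Dict[str, Node], root: str) -> Dict[str, str]:
    """Walk the case from `root` and return {goal id: reason} for every unsupported goal.

    A goal counts as supported only if every node beneath it is supported,
    bottoming out in a solution (evidence). The reason recorded separates the
    first two causes named in the abstract:
      "no evidence"         - the claim has nothing beneath it at all (a)
      "argument incomplete" - something is beneath it, but the argument never
                              reaches evidence, e.g. a strategy with no sub-goals (b)
    Reason (c), a claim phrased so that it cannot be supported, needs a human
    reviewer and is not detected here.
    """
    findings: Dict[str, str] = {}

    def supported(node_id: str, path: FrozenSet[str]) -> bool:
        node = nodes[node_id]
        if node.kind == "solution":
            return True                      # evidence is a leaf; it supports by definition
        if node_id in path:
            return False                     # circular argument: a claim used to support itself
        path = path | {node_id}
        if not node.children:
            if node.kind == "goal":
                findings[node_id] = "no evidence"
            return False                     # a dangling strategy supports nothing
        # evaluate every child so that all unsupported sub-goals are reported,
        # not only the first one found
        results = [supported(child, path) for child in node.children]
        ok = all(results)
        if node.kind == "goal" and not ok:
            findings[node_id] = "argument incomplete"
        return ok

    supported(root, frozenset())
    return findings


# Constructed sample case (not taken from any real system)
SAMPLE_CASE: Dict[str, Node] = {
    "G1": Node("goal", "The system is acceptably safe in its intended environment", ["S1"]),
    "S1": Node("strategy", "Argument over each identified hazard", ["G2", "G3", "G4"]),
    "G2": Node("goal", "Hazard H1 is mitigated", ["Sn1"]),
    "Sn1": Node("solution", "FTA report for the H1 mitigation"),
    "G3": Node("goal", "Hazard H2 is mitigated"),              # nothing beneath it: reason (a)
    "G4": Node("goal", "Hazard H3 is mitigated", ["S2"]),
    "S2": Node("strategy", "Argument over H3 mitigations"),    # strategy with no sub-goals: reason (b)
}


def report(nodes: Dict[str, Node], root: str) -> List[str]:
    """One human-readable line per unsupported goal, in id order."""
    findings = check_case(nodes, root)
    return [f"{gid}: {findings[gid]} ({nodes[gid].text})" for gid in sorted(findings)]


if __name__ == "__main__":
    for line in report(SAMPLE_CASE, "G1"):
        print(line)
```

Run as a script it lists the unsupported goals of the constructed case (G1, G3 and G4; G2 is fully supported). check_case() is the function to call on a case of your own, keyed by node id; because a goal is only as good as its weakest child, an unsupported leaf claim propagates upward to the top-level safety claim, which is exactly the gap between intention and achievement the abstract describes.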

Tuesday, 08·13·13, 8:00-11:30, Suffolk, Tutorial, 0.3 CEU

Practical Generation of Safety Cases with the Help of GSN
Instructors: Andreas Gerstinger, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria

This tutorial will introduce you to the concept of safety cases. Safety cases are structured arguments that support the claim that a system is safe to be used for a given application in a given environment. Several standards require the production of such safety cases as a prerequisite for approval. The tutorial will highlight good and bad practices when developing safety cases and will introduce you to a notation specifically developed for the generation of safety cases, the Goal Structuring Notation (GSN). There will be practical examples which need to be solved by the attendees, so that hands-on practice and experience is gained.

Detailed outline of the tutorial:

Introduction (1h): The tutorial will start with a survey of current safety standards (IEC 61508, ISO 26262, EN 50128, DO-178C) and analyse their views and requirements regarding safety cases. We will then delve into the nature of safety cases, briefly touch on their historical origins, and clearly consider what can and what can't be expected from a safety case. Based on our practical experience, we will also highlight some typical bad practices when constructing safety cases. This helps to correctly and critically read them, and is also a helpful guideline for reviewing other safety documentation. This part of the tutorial is largely a presentation.

Goal Structuring Notation (45 min): We will now introduce the main elements of the Goal Structuring Notation (GSN), which is a helpful tool to document safety cases. The presentation of the notation will be interleaved with brief examples, exercises and questions, so that attendees have the chance to fully understand the meaning and purpose of the various symbols. A structured method for how to proceed when drafting safety cases will also be presented. Hence this part of the tutorial is much more interactive, requiring active participation of attendees.

Case Study (45 min): A realistic case study will then be handed out. It is expected to be solved as group work (groups of 3-5 people are expected). The task of the groups will be to draft and present a sound safety argument for a given claim that the system in the case study is acceptably safe for a specific application in a given environment. GSN shall be used as the notation for this purpose. At the end, the groups present their solutions and the advantages and disadvantages of the presented solutions are discussed. This part of the tutorial is group work.

Concluding Remarks (30 min): Finally we will offer some concluding remarks, consisting of hints on how to avoid common errors and fallacies in safety cases, show some examples of real-world safety cases, and finish with a personal conclusion.

Tuesday, 08·13·13, 1:30-5:00, Suffolk, Tutorial, 0.3 CEU

Improving Safety Management by Using a Risk Management Policy in Your Daily Operations
Instructor: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA

The focus of the tutorial is the use of risk assessment and risk management in the (non-technical) occupational safety and health profession. Domain of Interest: Hazard/Risk Management or Workplace Safety.

First hour: Review the basics of the various components of risk and types of risk assessments. Stress that the safety and health professional needs to understand that risk is more than a simple subjective measure of severity and frequency.

Second hour: Demonstrate how to make risk assessment into a powerful management tool by customizing the assessment of risk for use in a company or industry. Also provide insights on how to "sell" a risk management policy/program within a company.

Third hour: A discussion of how to use risk management as a tool to aid you in your daily office or program management responsibilities: the planning, organizing, staffing, leading and controlling of a safety program. Embedded in the discussion is how risk can provide a measure of the success of an occupational safety and health program.

Wednesday, 08·14·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Why You Should Care About the "-Ilities"
Instructor: Alan E. Southwick, BSEE, MME, MBA, CSP, CQE, CRE, Whole Life Engineering Directorate, Raytheon Company Integrated Defense Systems, Portsmouth, RI, USA

The topic addresses the interrelationships developed from Quality, Quality Control and Quality Engineering, pursuing Specialty Engineering roles and relationships, including Reliability, Maintainability, Supportability, Human Factors, Safety and Security (Information Assurance), from an overview perspective. The tutorial is designed to be somewhat interactive, presenting examples and questions to the audience related to the various topics discussed, thereby engaging participants and providing them with insights into the various disciplines and how they relate within "Specialty Engineering".

Wednesday, 08·14·13, 1:30-3:30, Dartmouth, Tutorial, 0.2 CEU

Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System
Instructors: Tim R. Behnke, BSEE; John Damstra, BS Mathematical Sciences; and Eric D. Villhauer, BS Aerospace Eng., BA Economics; Specialty Engineering, General Atomics Aeronautical, Poway, CA, USA

The presenters share their implementation of a hazard analysis that integrates the civil aviation approach to safety analysis per SAE ARP 4761 and the defense approach to safety analysis per MIL-STD-882E, along with their implementation of the associated hazard tracking system in DOORS.

• Introductions - Behnke - 5 mins
• Need for System - Behnke - 5 mins
• Groundwork (historical) - Behnke - 10 mins
• Development - Damstra - 30 mins: i. Modules, ii. Attributes, iii. DXLs, iv. Views, v. Exports
• Usage - Villhauer - 30 mins
• Questions - All - 10 mins

Wednesday, 08·14·13, 1:30-3:30, Exeter, Tutorial, 0.2 CEU

Where Hard Meets SOFT: Human Factors Role in System Safety Engineering
Instructor: Fred W. Brisbois, CHCM, Safety, Sikorsky Aircraft, International Helicopter Safety Team, Guilford, CT, USA

The gap that allows accidents to happen is sometimes where System Safety Engineering and Human Factors don't overlap. System Safety Engineering processes defined in MIL-STD-882 and ARP 4761 provide a structured approach of applying engineering practices to ensure safety is designed into products. These practices, coupled with robust product safety surveillance and management during the aircraft's service life, offer opportunities to continuously raise the standards for future designs. However, to maximize the benefits of safety engineering, it is important to master the 'art' of how and when to integrate human factor interventions into the system design. This session will cover a generic overview of system safety engineering, aircraft fleet safety management, and lessons learned from 'human' malfunctions that led to aircraft system design changes.

Wednesday, 08·14·13, 1:30-5:00, Wellesley, Tutorial, 0.3 CEU

Using Risk Profiles for Safety Management of Large Scale Operations
Instructor: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA

This tutorial provides safety and health professionals who work with large scale or multiple operations with a methodology to evaluate and compare these operations. The tutorial begins with a review of four types of risk which need to be assessed (People, Product, Production and Planet). This is followed by a brief discussion of normalizing the risk components of severity and probability. The heart of the tutorial is the description of how to measure the total risk of various operations, processes and facilities, and present the resulting risk profiles to management. The tutorial will conclude with a brief discussion on the validity of the methodology used. Note: This is not a discussion on how to determine true total risk, but a simplified method using a minimum of math. The tutorial is designed for safety and health professionals working within a company that has multiple processes or facilities that compete for funding to ameliorate hazards.

Thursday 08·15·13 8:00-5:00 Exeter Tutorial 0.6 CEU

Conceive of Modeling on Operation Mechanism of Public Safety Standardization
Instructors: Yun Luo and Yuecheng Huang, ME, School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
On the basis of theories and methods of system science and strategy-system, this paper revealed the operation law of standardization of safety production and the relations between all the elements, combined with the background and current situation of public safety standardization in China. It also built the frame of macroscopic operating mechanism and the "456" model of work safety standardization system operation mechanism, which borrowed the idea from the execution and achievement of work safety standardization in our country. Besides, it also designed six other mechanism models in order to do systematic analysis and present optimized countermeasures, such as comprehensive management by government, categorized supervision by department, implementing responsibility by organization, technological service by agency, wide participation by society, self-disciplined prodding by entire personnel, and so on. The research provided some theoretical directions as well as approaches for the construction and improving the operation quality of public safety standardization.


Panel Discussions / Forums
Tuesday 08·13·13 8:00-11:30 Dartmouth Open Forum

Developing Global System Safety Perspectives
Moderator: Robert Ward Fletcher, PEng, MSc, PMP, PCIP, Consultant, President, Robert Fletcher System Safety Inc., Ottawa, Ontario, Canada
This will be a free form discussion moderated by Bob Fletcher, SSS Director of International Development. It is a continuation of the discussion started during the 30th ISSC.

Robert is a system safety engineer with many years of experience. He has performed system safety consultancy services work for several clients around the world. He performed system safety engineering and safety management systems training, auditing and analysis for air traffic control and flight service system applications. Robert has received an MSc from the United States Navy Post Graduate School, a diploma from the Aerospace Systems School, Winnipeg, Manitoba, and a Bachelor of Science degree from the Royal Military College. He is a registered professional engineer, a member of the Project Management Institute and the Critical Infrastructure Institute.

Thursday 08·15·13 8:00-11:30 Suffolk Panel

G-48 Workshop - Pressing Issues Facing System Safety
Moderator: David B. West, CSP, PE, CHMM, Systems Software and Solutions Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
A panel of speakers (TBD) will give a series of presentations on the most pressing issues facing the System Safety community today.

Workshops
Tuesday 08·13·13 8:00-11:30 Exeter Workshop

ISO 26262-Style Risk Assessment
Presenter: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada
ISO 26262 is a functional safety standard for electronic control systems in road vehicles which includes a novel approach to risk assessment that overcomes the widely recognized difficulty of evaluating the likelihood of failure in the case of software-intensive systems. Although it was devised for use in the automotive domain, this approach to risk assessment has been used successfully in other technical domains that also rely on safety-critical software. Following a brief introduction to ISO 26262, participants will engage in a series of problem-solving small-group exercises based on examples taken from a variety of technical domains, including automotive, medical devices, energy and defense. The workshop will include opportunities for discussion and comparison of sample solutions. The workshop will also include a brief comparison of the ISO 26262 approach to risk assessment with the notion of software criticality in MIL STD 882E. While this workshop will be of particular interest to system safety engineers in the automotive industry, it is intended to be relevant to system safety engineers across all technical domains with an interest in the assessment of safety risk associated with complex software-intensive systems.

Program ISSC 2013


Tuesday 08·13·13 1:30-5:00 Exeter Workshop

Application of System Safety Methods to Systems of Systems
Presenters: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada; Rami Debouk, Electrical and Controls Integration Lab, General Motors, Warren, MI, USA; Antonio Vergara, ITER Organization, St Paul-lez-Durance, France
This workshop will facilitate an exchange of knowledge among participants about the application of system safety methods to Systems of Systems (SoS) – that is, systems whose components are themselves complex systems, such that the combined behavior of these components cannot be easily understood or explained in terms of the behaviors of the individual components. Examples of such systems are increasingly common across a variety of technological domains, including aerospace, defense, automotive and energy generation/distribution. Traditional methods of system safety, focused on component failure as a source of safety risk, have limited value in understanding and managing the safety risks associated with a SoS. For example, an unforeseen interaction between two "correct" behaviors implemented by different components of a SoS may result in an unsafe behavior even in the absence of a component failure. The first part of the workshop will be a series of short presentations on SoS examples from a diverse variety of technical domains - namely advanced road vehicles, high energy physics and aerospace/defense. The second part of the workshop will be an opportunity for all participants to address specific questions about the application of system safety methods to SoS through dialogue and impromptu mini-presentations.

Tuesday 08·13·13 1:30-5:00 Fairfield Workshop

Advancing Safety By Reducing Errors: A Fresh Approach
Presenter: Tim Autrey, BSc, Error Reduction and Human Performance Enhancement, Practicing Perfection Institute Inc., Swanzey, NH, USA
Potential hazards workers face while working in the refining and petrochemical industry can vary from minor leakage to major blasts: release of chemical vapors, spills leading to exposure to harmful gaseous chemicals, fires and explosions, and smoke build-up causing shelter-in-place impacting the local community, personal injuries, fatalities and plant damage resulting in shutdowns. Considering time pressures, the dangerous nature of the job, weather conditions, lack of communication, poor/inadequate documentation and remote working locations, planners, locators and refiners often face combined challenges that generate very error-likely conditions.

While unexpected releases of toxic substances do occur, the industry is subject to vulnerabilities caused by others (such as processes involving highly hazardous chemicals leading to the release of flammable liquids and gases, and worker stress and fatigue), and investigations reveal that many of the major accidents that do occur could have been prevented through greater diligence on behalf of the respective personnel involved.

This workshop is designed to provide the participants the awareness that, as humans, we are fallible (even the best people make mistakes). However, this being said, as humans we also possess the incredible power of choice. What we must do is choose to learn from our mistakes and take actions to prevent their recurrence.

Bird and Germain (1996) rightly said, "What is the sense of measuring if the loss must occur before you can act? That is reaction, not control." What we need is a fresh approach to enhance safe work practices. This session will instill a strong understanding of "The Gap" in processing information and how to RESPOND rather than REACT when posed with a stressful or threatening situation. The participants will come to recognize the value inherent in worker contribution to solving problems and improving safety and efficiency.

The Practicing Perfection® approach has taken the best-of-the-best tactics and tools from the US commercial nuclear power and airline industries, simplified them, and combined them with underlying triggers and influencers of behavioral psychology to transform worker behaviors pertaining to personal and process safety in different sectors.


Using this innovative approach of Practicing Perfection®, safe work practices will be discussed in-depth using the four human error barrier/defense categories and how these work together to prevent/allow an event to occur. The participants will be introduced to the Error Elimination Tools™ handbook, which offers simple tools for minimizing the potential for error at points of team interaction and individual execution.

Wednesday 08·14·13 1:30-3:30 Arlington Workshop

The Evolution of the UK Defence Safety Standards
John McDermid, Professor of Software Engineering at the University of York, UK
Issue 5 of DS 00-56 is being developed and is likely to be in force before the end of the year. The UK's primary defence safety standard, DS 00-56, has been in existence since mid-1990 and has undergone a number of changes, becoming more goal oriented at Issue 4 (the current standard). When Issue 4 was produced, DS 00-55, the MoD software safety standard, was discontinued. Since the publication of DS 00-56 Issue 4 in 2007 there has been feedback on some of the requirements, including the challenges of applying the ALARP principle; defence contracting has changed, with a move towards the greater procurement of services and/or outsourcing management of facilities, and increasing use of Systems of Systems (SoS). Issue 5 of DS 00-56 is being developed to address these issues. At the same time there have been increasing concerns regarding software safety, and it has been decided to re-introduce DS 00-55 at the same time, albeit in a goal-based style consistent with DS 00-56 and also covering complex electronics. The tutorial will present an explanation of the motivation for the changes to the standards, the significant conceptual changes, and outline the rest of the development process. Time will be allowed for discussion, e.g. the relationship between DS 00-56 and other standards, both civil and military.

Wednesday 08·14·13 1:30-3:30 Fairfield Workshop

Aircraft Fire & Explosion – How Safe Are the Friendly Skies?
Albert Moussa, PhD, PE
While commercial air travel is an extremely safe mode of transportation, aircraft fires and explosions can occasionally occur with catastrophic consequences. Using examples of recent accidents and full-scale testing, Dr. Albert Moussa will provide an overview of the main types of fires, such as those involving aircraft engine, fuel tank, cabin and cargo areas. He will show how major accidents lead to safety recommendations by the NTSB, stricter requirements by the FAA and improved practices by the industry. This process takes many years, leading eventually to safer skies. Examples of safety improvements include the use of a fire blocking layer in seats, improved acoustic insulation, fire detection and suppression systems in cargo bays, and fuel tank inerting. The implications of replacing aluminum with composite materials will also be discussed. The talk is an overview of a unique professional course that he teaches annually on the design of aircraft systems for protection against fire and explosion. The talk is a multi-media presentation illustrated with colorful slides and short video clips of real accidents and computer model outputs.

Dr. Albert Moussa has spent over forty years developing a fundamental understanding of fire and explosion, particularly for the aerospace/defense industry. His work has led to the development of a number of practical solutions and quantitative models and to the investigation of several major national and international aircraft fire accidents. His forewarning about the vulnerability of aircraft fuel systems before the occurrence of the TWA800 and Concorde disasters has gained him prominence in the general media in both the US and Europe. He has consulted for the Air Force, Navy and major firms such as Boeing, GE, Northrop Grumman and Parker Hannifin, and has served on national advisory committees and on the Editorial Board of an ASME Journal. He teaches a unique professional design course on how to protect aircraft systems against fire and explosion. He received his BS from Stanford University and his MS and ScD from MIT. He has published widely, including one book. He has received several honors, including the William Littlewood Memorial Lecture Award by SAE/AIAA, Engineer of the Year by AIAA NE Section, best papers by SAE and ASEI, AIAA Distinguished Lecturer and several ASME citations. He is the Founder and Technical Director of BlazeTech Corp., an engineering firm that specializes in technology and software development in the area of energy, environment and safety.

Friday 08·16·13 8:00-10:00 Clarendon Workshop

Process Safety Culture Best Practices
Presenter: Laurence Pearlman, MA, Corven Inc. and University of Illinois at Urbana-Champaign, Naperville, IL, USA
The workshop explores how process safety is more than a technical solution and involves cultural change. To make a successful and sustainable culture change, multiple elements need to be combined that address people, rewards, learning and leadership. This workshop will explore best practices and give practical advice on how to build a process safety culture. The workshop is aimed at Oil, Chemical and other process related work.

Introduction
• Change as a Journey: Overview of Change Management
• Building a Business Case: Defining a Burning Platform
• Speaking of Process Safety: Creating a Common Language for Process Safety
• Leadership Matters: Defining the Role of Your Leadership Teams
• Effective Learning: Segmenting Your Audiences and Delivering Relevant Learning Activities
• Looking at Behaviors and Desired Outcomes: How To Define & Drive Behaviors
• The Employee Lens: Know My Barriers & Know My Role in Keeping Them Healthy
• Measurement of Culture: What Works and What Doesn't
• Wrapping it Up: Change as a System

Advertisement: AST Aerospace, A Division of Atlantic Software Technologies
You have a lot on the line. Our adaptive Safety Management and FAA Compliance solutions won't let you down.
Adaptive SMS: The comprehensive solution for the most efficient implementation
• Extends a culture of safety beyond safety teams
• Easily guides users to confidentially report useful safety events
• Responsiveness shows users they made a difference
Adaptive Systems Safety Analysis: Safety oriented system design analysis
Don't miss the Sikorsky Aircraft and AST Aerospace presentation "Linear Integrated Safety Analysis (LISA)"
1-732-230-2590 • sales@astaerospace.com • www.astaerospace.com


Paper Presentations
Monday 08·12·13 AM Berkley Hazard Analysis Chair: Barondes

Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models
Lucas Wind, Dr. Gabriele Schedl, Juergen Floetzer, Safety Management Department, Frequentis AG, 1100 Vienna, Austria
Multiple failures of components due to shared causes, also known as Common Cause Failures (CCF), comprise an important class of failure types. These have to be taken into account in any serious assessment of safety critical systems deploying any redundancy concept. Whereas a qualitative assessment of CCF can be regarded as common practice, the exact numerical impact of CCF is usually less widely understood. Explicit representation of CCF is quite cumbersome and usually involves complex graphical representations within Fault Trees and RBDs. Focusing on a correct derivation of RAM-data rather than on a comprehensive common cause analysis, an implicit representation of CCF therefore is often preferred, but involves in-depth knowledge of underlying mathematical models. This paper aims to enable safety experts to make a fast, simple but effective RAM-analysis including CCF. Popular CCF-models are reviewed together with their advantages and disadvantages, based on the long-term experience of a supplier in the context of a large European ATM-project. The single parameter beta-factor model is explained in detail and demonstrated to be most effective for typical ATM-applications. Based on this model, results are given in terms of representative figures depicting the influence of CCF on various typical real world availability requirements.

Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees
Wes Rainey, MSEE, Life Cycle Engineering, General Dynamics Electric Boat, Groton, CT, USA
Fault Trees prove to be an effective tool for identifying safety critical system hardware and software requirements during the Safety Requirements Hazard Analysis (SRHA) process. This safety analysis methodology offers significant benefits when performing the SRHA. Fault Trees effectively communicate the safety assessment of a safety hazard to other safety engineers, systems engineers, the customer and other impacted engineering disciplines in a manner that each discipline can readily understand and evaluate for completeness and correctness. Fault Trees also enhance the safety engineer's ability to assess the implications of safety mishaps and events on safety hazards, improving visibility into the relationship between related mishaps and events and allowing for common events to be identified and shared between hazards. Fault Trees can then be structured to correspond to the system hardware and software requirements analysis, thus providing the ability to identify hazard mitigating safety critical requirements, design features and procedures early in the development process for continued tracking and management. This paper describes significant benefits of Fault Tree analysis when applied to an SRHA, with an example based upon a hazard caused by significant equipment damage to a pump.

The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment
Omar T. Jaradat, PhD Student (1); Patrick J. Graydon, Postdoctoral Research Fellow (1); Iain Bate (2). (1) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden; (2) Department of Computer Science, University of York, York, United Kingdom
Typical safety standards require software engineers to show that a plan of safety activities, chosen from recommended options or alternatives, meets a set of objectives. For example, the automotive safety standard ISO 26262 recommends formally verifying software architectures to show that they comply with safety requirements. In this paper, we show how an existing approach to architectural model checking could be used to conform to ISO 26262.

The Architecture-Based Verification Technique for AADL Specifications verifies some completeness and consistency properties of Architectural Analysis and Design Language (AADL) models. An engineer transforms the AADL architecture into an UPPAAL model, generates a set of UPPAAL queries, and uses UPPAAL to check the queries. Using the resulting evidence, we have created a partial ISO 26262 safety case for an existing system that warns drivers of heavy vehicles before low fuel causes loss of power and vehicle control.

In this paper, we demonstrate how this model-checking evidence contributes to an ISO 26262 safety case. We then critically analyze the resulting argument, recommend means of achieving complete coverage of ISO 26262 objectives, and discuss the costs and benefits of architectural model checking in comparison to those of the other techniques recommended by ISO 26262.

Monday 08·12·13 AM Clarendon Ground Transportation Chair: Millin

Achieving Confidence of a Safety Critical System Product and Its Applications
Fenggang Shi, PhD, RAMS Department, Thales Canada Transportation Solutions, Toronto, ON, Canada
A safety critical system product can be developed for multiple project applications, such as a Communication Based Train Control (CBTC) product for modern railway signaling systems. It is natural that different safety critical systems in the same domain can have different characteristics due to variances of devices and operation environment. Such a product must be developed based on the generic attributes of systems in the domain and can be parameterized and tailored to a specific system with the characteristics expected by the customer. The key issues in development of such a product are defining common functions in the application domain, categorizing and generalizing devices, and designing configurable system architecture. Thus devices and functions can be parameterized and tailored for a specific system of a project. Safety engineering for such a safety critical system product and its applications faces complexity in safety case development for demonstrating systematic hazard analyses and management. This paper discusses Thales experience and practice of resolving the key issues in designs and managing complexity of safety engineering on its CBTC product and applications. Safety confidence of CBTC systems is achieved through four layers of safety engineering: vital computer controller platform, generic application and specific application.

Failure Logic Automata for Future Oriented Safety Assessment of Train Control System
Guo Zhou, PhD Student; Huibing Zhao, Professor; School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China
In the development progress of a train control system, safety analysis possibly deviates from system design. System engineers and safety engineers always carry out their ideas in entirely different ways, so that when system engineers assert their designs are completed and feasible, the safety engineers may disappointedly declare that the safety requirements are not met. On the contrary, when safety engineers expose their manual analysis reports (FTA and FMECA, etc.), system engineers may pop up and point out the inconsistency. Intuitively, there seems to be a "gap" between system engineering and safety engineering. In this paper, some comparisons amongst classic safety assessment methods are performed first. Then a future oriented safety assessment method is introduced to safety engineering to automatically realize safety requirements verification with the soaring complexity of system design. The hierarchical and modularized methodology of failure logic modeling is illustrated for minimal cut sets synthesis and dangerous failure rate calculation, which can be referred to prompt the safety. The mathematical model is constructed to manifest the correctness of the method. An instance analysis of an on-board train protection system is also performed.

Are We Ready for Driverless Cars?
David B. West, CSP, PE, CHMM, AMCOM/AMRDEC Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
For decades, technological advancements have continually improved the automobile, making it easier to drive. As we integrate features like adaptive cruise control, GPS navigation, lane keeping and so on, and make them interoperable, we move ever closer to having cars that will drive themselves to the destinations we enter into their programs. Some experts have even predicted that in less than a generation it will be illegal to steer our cars ourselves. Though it may seem that serious safety challenges constrain our movement down this path, it may actually be the safety benefits offered by driverless cars that propel us in this direction. Several high-profile competitions have fostered the development of driverless car technology. Some jurisdictions are already passing legislation to pave the way for driverless cars on public roads. With driverless cars will come major changes in legal processes involving accidents. In many ways, the development of driverless cars that will operate on public roadways parallels the development of unpiloted aircraft that will fly in the national airspace. Design standards for hardware and software in civil aircraft (e.g. RTCA DO-254/DO-178) may serve as models for similar qualification of driverless car hardware and software.

Tuesday 08·13·13 AM Berkley Hazard/Risk Management Chair: Parizo

Safety is not an Option
Clifford A. Parizo, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Stratford, CT, USA; R. Brandon Daugherty, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Huntsville, AL, USA
This paper presents a method for evaluating and classifying rotorcraft safety enhancing equipment in terms of impact on safety and various equipment implementation factors. Guidance from certifying agency policy and system safety standard practice were considered, resulting in a classification tool that can be used to determine if equipment should be marketed and sold as either mandatory or optional. The methodology developed may have applications for other products and industries.

National Aerospace Standard 411 Update
Timothy Sheehan, CIH, CSP, PE, Raytheon Global Substances Program, Raytheon, Portsmouth, RI, USA
This paper describes the effort to review and update National Aerospace Standard 411 ("NAS 411"), commonly used within defense as a framework to conduct Hazardous Material Management Programs (HMMP) intended to reduce hazardous material risks in the government procurement of military systems. The scope of the effort includes both a review of the standard and the introduction of several key changes, including the expansion of the scope to non-military procurements and service contracts. Included in the effort is the task of developing a standardized military Hazardous Materials Target List (HMTL) that can be used as a starting point for military HMMP hazardous material (HAZMAT) target lists. The development of the common HMTL addresses the need to increase standardization of HMMP lists across defense programs that use NAS 411 and/or MIL-STD 882E Task 108 to conduct their HMMPs. There is no current standard approach for developing these lists; as a result, there are numerous different materials identified for restrictions and reporting requirements. The current situation often does not support (or reflect) the hazmat risk management goals of the DoD, the military services or the contractors.

Linear Integrated Safety Analyses (LISA)
Michael T. Grant, Aviation & Product Safety, Sikorsky Aircraft Corp., Stratford, CT, USA; Samad Muhammad, Atlantic Software Technologies Inc., New York, NY, USA
This paper describes the Linear Integrated Safety Analyses (LISA) process developed by the Sikorsky Aircraft Corporation (Sikorsky). The LISA architecture is designed to encompass all aspects of safety risk management for aircraft development programs. It is linear in that each assessment is repeated at the aircraft, system and subsystem levels in sequence, and it is integrated such that all analyses are connected and fully traceable to requirements. Sikorsky has partnered with Atlantic Software Technologies (AST) to develop a web-based LISA application. The end product will be a fully integrated system safety process that is comprehensive, repeatable and traceable.

Tuesday 08·13·13 AM Clarendon Workspace Safety Chair: Kondreck

Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen
Han Zhang, MSc Candidate; Rachel McQueen, MS, PhD; Jane Batcheller, PhD; Human Ecology, University of Alberta, Edmonton, Alberta, Canada
Burn injuries in kitchens are prevalent; as well, chefs are exposed to high heat and humidity. Limited research has been performed on safety issues related to chef's uniforms regarding thermal protective performance towards common kitchen thermal hazards (i.e. flames, hot liquids, steam and hot surfaces) and the thermal comfort within commercial kitchens. The purpose of this research was to characterize the thermal protective performance properties of textiles used in chef's uniforms in order to understand how protective they are against all these thermal hazards in such an environment. Selected thermal performance tests (i.e. flammability and ease of ignition, hot water and oil splash, steam testing under low pressure, and hot surface contact tests) were applied to predict the time to second-degree burn. Different fabric layer combinations (e.g. impermeable/semipermeable apron and two or more layers of cotton fabrics) were applied to determine the most effective way to wear chef's uniforms. In addition, thermal and water vapour resistance were compared among different fabric systems in terms of thermal comfort. Based on the data obtained from bench scale tests, recommendations were made to improve the thermal protection and thermal comfort of fabrics used in chef's uniforms and the safety within commercial kitchens.

A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources
Ray Fischer (1); Kurt Yankaskas, BS (2); Chris Page (1). (1) Noise Control Engineering Inc., Billerica, MA, USA; (2) Warfighter Performance Department, Office of Naval Research, Arlington, VA, USA
Noise remains the most prevalent occupational hazard associated with defense systems and operations critical to their sustainment. Concurrently, acquisition programs have been inconsistent in application of control measures, and many new systems are noisier than their legacy predecessors. Common impediments to improved control include relative lack of emphasis on risk management of noise, lack of widespread technical knowledge regarding the feasibility of noise control, and misunderstanding of potential return on investment from noise controls. The Defense Safety Oversight Council's Acquisition and Technology Task Force sponsored a project to identify common noise sources affecting multiple defense systems that were amenable to control measures that could be implemented using existing technologies at an affordable cost. A system engineering risk management process was applied to review key noise sources in DOD, identify nine of the more common sources amenable to control technologies, and describe common control measures for these processes. An affordable containment (acoustic enclosure) technology was also evaluated and described. Estimates were made of exposed populations, the range of their occupational exposures, and potential risk and fiscal cost of hearing loss. Cost-benefit analyses were applied to evaluate the return on investment from available control measures.

System Safety Design for Safe Operation of Radars
Ronald J. Bartos, PE, CSP, Whole Life Engineering, Raytheon, Sudbury, MA, USA
Safe operation and maintenance of radars depends upon effective system safety and software safety analyses of radar designs. These analyses include identification of the hazards involved in operating and maintaining radars and the safety requirements that are necessary to mitigate these hazards. This paper familiarizes the reader with the system safety design requirements that are implemented in the controls of these systems in order to manage the potential safety risks inherent in radars. The safety features are contrasted among different types of radars. The differences in the types of safety features among these systems are highlighted and factors for these differences are presented. The radar's mission, location, system architecture, conceptual design and requirements allocation between hardware and software need to be understood in order to implement an effective safety program.

Tuesday 08·13·13 PM Berkley Software Engineering Chair: Mikula

Dependability Techniques Applied to Space Software - A Research Project Report
Carlos Henrique Netto Lahoz, Dr. Eng., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos (SP), Brazil; Martha Adriana Dias Abdala, MS, Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos, Brazil
This work reports some results of a research project performed at the Institute of Aeronautics and Space (IAE/Brazil) using dependability techniques applied to a space computer system. Hazard analysis techniques such as Software FTA and Software FMECA were used in an integrated manner, and more recently the System-Theoretic Process Analysis (STPA) has been studied. This research is part of the Verification and Validation (V&V) efforts to increase software dependability capability in software projects at IAE.

The feasibility of such an approach was evaluated on a system software specification and applied to a case study based on the Brazilian Launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to the inclusion of new functional and non-functional system software.

The techniques are adjusted and used in combination to identify common causes of software failures, their criticality, performance problems, temporal misleading, and hazards arising mainly from dysfunctional interactions between components. The SFTA analysis produced 82 basic events and the SFMECA 34 analyses from the sequence of flight and control events. The STPA is being applied to one of the case study scenarios in order to evaluate possible additional information about how the behavioural safety constraints can be violated.

The Principles of Software Safety Assurance
Richard Hawkins, PhD; Ibrahim Habli, PhD; Tim Kelly, PhD; Department of Computer Science, University of York, York, United Kingdom

We present common principles of software safety assurance that can be observed from software safety standards and best practice. These principles are constant across domains and across projects and can be regarded as the immutable core of any software safety justification. The principles also help maintain understanding of the "big picture" of software safety issues whilst examining and negotiating the detail of individual standards, and provide a reference model for cross-sector certification.

Program ISSC 2013


Formal Modelling in the Development of Dependable Systems
Elena Troubitsyna, PhD, IT, Åbo Akademi University, Turku, Finland

Nowadays we tend to place increasing reliance on computer-based systems and the software which they are running. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, the analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.

It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing of software to the required degree of dependability infeasible, and hence the emphasis should be put on a development process which is aimed at producing fault-free software. Moreover, the system environment has a direct impact on its dependability, and hence a systems approach should be applied.

In the paper we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.

Tuesday, 08/13/13, PM. Clarendon: Aerospace Safety. Chair: Kraemer

Systems-Based Approach to Flight Safety Management in Airlines
Hong Chi, PhD; Baoguang Xu, PhD; Mingliang Qi, PhD; Xueyan Shao, PhD; Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China

Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of SMS. Since 2006 we have worked with one of China's 3 big airlines, taking part in its construction of SMS. We find that safety risks have their own features in different airline departments, and divide safety risks into two categories: one is caused by factors such as the quality of pilots and the reliability of airplanes, and the other is caused by misprocessing through operational processes; for example, a misprocessing in data entry during dispatching may lead to insufficient fuel and then serious outcomes. A reasonable risk assessment can be obtained only by systematic mechanism analysis, and other analytical approaches need to be studied besides the risk matrix. Based on this, effective risk mitigation can be implemented in airlines. We develop a closed loop to support airline flight safety management named "Describing-Assessing-Diagnosing-Improving-Tracking". Specific details will be discussed in this paper.

Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch
Burak Durmaz, MSc Eng, Product Assurance Department, Space Systems Group, Turkish Aerospace Industries Inc. (TAI), Ankara, Turkey

Even if new generation aircraft have rugged designs which maximize reliability, exposure to failures during operation is still unavoidable. With a pure safety approach one can arrive at the classical result "the safest aircraft is the one in the hangar". Vice versa, allowing dispatch without ensuring a certain level of safety can lead to catastrophic results and is totally not acceptable. MMEL has been answering this dilemma for many years. Each MMEL item is analyzed taking into account the effects of item inoperability on safe flight and landing, crew workload, functional capabilities of the systems, design margins, and the impacts due to the next critical failure. MMEL proposes dispatch criteria for any inoperative MMEL item by taking credit from a redundant unit which is capable of accomplishing the same function, the backup data provided by alternative sources, or equipment dictating acceptable limitations and/or requiring operational or maintenance procedures.

This study aims to answer questions such as why MMEL is required and how an MMEL is developed. Also, brief information about the MMEL regulations, the importance of MMEL to ensure safe dispatch with inoperative item(s), and some simple examples regarding MMEL applications are going to be provided.


Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics
Stuart Campbell Sr., MAS, CFII, ATP, Aeronautical Science, Embry-Riddle Aeronautical University, Daytona Beach, FL, USA

The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilots Association, 2010). The absence of a positive safety culture in general aviation, to include training organizations, affects pilot judgment and decision making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture during the learning process and training, is of importance and currently under study using the Frasca Mentor Advanced Aviation Training Device.

Tuesday, 08/13/13, PM. Dartmouth: Software Safety. Chair: Schmedake

Safety and/vs. Security: Towards a System Engineering Approach for Trust
Erwin Schoitsch, Dipl.-Ing., Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria

Safety has a long tradition in many engineering disciplines, evolving long before computers arrived on the scene. Security in engineering disciplines has a shorter history, becoming increasingly important with the rising complexity of networked systems. In complex cyber-physical systems and systems-of-systems, both worlds, having ignored each other for a long time (independent communities, different targets, standards, techniques and measures), now have to share their concerns to achieve the real goal of users and stakeholders: trustworthy systems.

The paper will compare the different approaches of the major safety and security standards, particularly with respect to setting goals, considering techniques and measures, and qualification/certification. Holistic system aspects as covered by the notions of Dependability and Resilience as umbrella terms, and system engineering aspects taking into account dichotomic properties of complex embedded systems (commonalities and trade-offs), are looked at to try to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from the concept phase, hazard and risk analysis, to decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC-FP7 Integrated Project OpenCoss, work in IEC/ISO standardization groups, and other work.

Anatomy of a Safety Critical Software Function
Richard Church, Raytheon Company, Tewksbury, Massachusetts, USA

This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides a clear and concise determination of how a safety critical function may be defined at the system level to include hardware, software, human interactions, and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose SLSCF computing level functions and details what constitutes a Safety Critical Computing Software Function (SCCSF), and how to identify those behavioral attributes that designate that function as safety critical. This paper provides a methodology to identify, decompose, and categorize application and operating environment SCCSFs. For the purpose of this paper, SCCSFs are categorized into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety critical software functions that control and monitor safety critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies, and fail-safe designs found in successful high consequence safety critical systems.

Software Risk: The Third Rail of Safety Analysis
Holly S. Hildreth, PhD, Consultant; Charles Greg Elcock, USN-R Aviator, Consultant; San Diego, CA, USA

"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Due to our inability to assess the probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called "throwing the baby out with the bath water". Meanwhile, the recent industry trend to assess software risk based solely on implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss shortcomings of this trend and describe alternative techniques that have not been openly documented but that have been used "under the radar" by software safety professionals for many years.

Wednesday, 08/14/13, AM. Berkeley: Human Factors. Chair: Robins

ASL: Affective Safety Leadership
Ulrik Ramsing, Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark

Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how", demanding that the CoRep engage with all parties in a safe, professional and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged with CfL, Centre for Leadership, to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, the satisfactory completion of which is now a requirement for employment in DONG E&P Offshore Operation as Company Representative.

The CoRep Program satisfies its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors, and ILO-driven offshore coaching.

Exxon Valdez: Human Error, Plain and Simple
Arthur D. Barondes, BS (Mil Engr), MS (Aero), MBA, PhD (ABD) (Business), Analytics International Corporation (AIC), Alexandria, VA, USA

Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989, and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors (there were no mechanical or electrical failures that fateful night), the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots, and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors, onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company, as solely responsible for the disaster.


Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A. Vernacchia, MS, PE, Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A. Green, PhD, Active Safety Systems, General Motors, Warren, MI, USA; Robert E. Llaneras, PhD, Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA

Today's electric propulsion system designs (e.g., Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, some failure modes may result in the failure effect on output torque being realized significantly faster than traditional ICE failure modes. These may present differences in how output torque responses impact potential "Driver Startle" events.

This paper compares electric propulsion systems' fault response characteristics and subsequent detection and mitigation capabilities to those of ICE systems. The effects of the electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle level hazard metrics related to Driver Startle, are presented.

Wednesday, 08/14/13, AM. Clarendon: Public Safety. Chair: Fletcher

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD; Yun Luo; Shuo Tian, MS; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

Scientific precaution and effective control of accidents are important for the national production of China. The famous Heinrich Rule reveals that the statistical law of the severity and frequency of accidents is essential to control accidents, but the accident source and causation, as well as the essence of systematic safety factors, haven't been stated deeply. With data analysis from various accident statistics over recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. A proportion rule of the accident pyramid is then further figured out, namely "Major Accident - Fatal Accidents - General Accidents - Hidden Dangers - Hazards" (1 : 52 : 240 : 4700 : ∞). The result accords with the traditional Heinrich Rule, provides the theoretical basis for accident prevention, and indicates the way and direction of realizing essential safety.

Technical and Economic Aspects of Industrial Safety at a Large Enterprise with Distributed Sites Located in a Megacity
Ilya M. Zheleznov, PhD, VNIIA, Moscow, Russia

The paper presents a review and results of analysis of different technical and economic aspects of industrial safety at a large enterprise with distributed sites, combining R&D work with pilot and batch production of high-tech products, and located in a megacity, Moscow.

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to the optimization are considered from both technical and economic points of view, taking into account minimization of transportation of dangerous substances, localization of treatment facilities (waste effluents, gas purification) and waste storehouses, localization of systems for maintaining working conditions (heating, air-conditioning, air cleaning, water supply, etc.), possible harm to the population, and a number of other factors.

The features connected with the location of the enterprise in a megacity are identified, including limitation of the areas available for treatment facilities, a high density of various utility lines in the area, small distances to residential buildings and objects of the city infrastructure, transport problems, high pollution of the air environment, etc.


Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr. Professor G.A. Smirnov, Dr. D.I. Yurkov, D.V. Syagin, T.V. Kozhina; All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia

The paper reviews questions related to vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including those of a terrorist orientation, as well as to emergency situations of natural and anthropogenic character.

The main provisions of the Russian Government-approved complex program of safety of the population on transport are presented. Approaches to the organization of screening of physical persons (passengers), vehicles, cargoes, luggage and personal belongings at transport infrastructure objects of the undergrounds of Russia are formulated. Some types of neutron and X-ray equipment designed and produced by VNIIA named after N.L. Duhov for detection of explosives, nuclear materials and drugs are presented.

Wednesday, 08/14/13, AM. Dartmouth: Lifecycle Safety. Chair: Swallom

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore, Singapore

System Safety analyses assess the systems' hazards throughout all phases of the system life cycle. Quite often, details of maintenance tasks on systems are not clearly thought out and assessed. Hence, while in the midst of carrying out system maintenance tasks, hazards could arise and pose safety implications to users. Improper maintenance could also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance and sometimes total replacement of the components at regular intervals are required. Therefore, it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety critical or safety related parts is also crucial in ensuring that the systems remain safe for operation after conducting maintenance.

This paper attempts to classify the different types of maintenance and the focuses of their respective hazard analyses in order to better address their potential hazards. Generally there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance, and Reliability-Centered Maintenance. The authors will discuss, with examples, the hazard analysis for each of these types of maintenance.

ALD Software (advertisement)
30 Years of System Safety Leadership
SAFETY SERVICE FOR MISSION & PRODUCT ASSURANCE
SAFETY SOFTWARE FOR HIGHLY INTEGRATED SYSTEMS
SAFETY TRAINING FOR PROFESSIONALS
Contact Us Today for a Free Web DEMO or Evaluation. USA Office: 5721 W Slauson Ave, Suite 140, Culver City, CA 90230. Tel 1-310-338-0990, Fax 1-310-338-0999
ing | AIRBUS | ALSTOM | BAE | CATERPILLAR | DEUTSCHE BAHN | EADS | FAA | FINMECCANICA | IAI | SELEX Galileo | Bo
LOCKHEED MARTIN | NASA | NORTHROP GRUMMAN | SCAC | SAAB | THALES ALENIA SPACE | VIBRO-METER | US NAVY | THA
RAM Commander: Ultimate Tool for Safety Assessment
FavoWeb: World Standard in FRACAS
D-LCC: Dynamic Cost Control
www.aldservice.com

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram, David Hartfelder, Electronic Controls and Software, General Motors Company, Milford, MI, USA

System safety engineering is the application of special technical methods and managerial processes in a systematic manner to identify, evaluate, and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned with eliminating or minimizing the impact of system hazard(s) to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementary critical safety analyses, tests, and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that they are able to influence the design of the system. This paper will define a system safety case and provide an overview of its development within the GM system safety engineering process as it applies to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA

Error Prevention Event Collection (EPEC) Documents have been beneficial to the ULA Organization in many ways, by providing multiple methods to augment current ULA Error Prevention Processes and share Lessons Learned throughout the ULA Organization. EPEC Documents are stand-alone documents that provide ULA Personnel with categorized sets of Event information that can be used to augment Preventive Analysis, Reactive Analysis, and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process. This means that they have completed the Causal Analysis, Corrective Action Board, and Error Prevention Council processes. Upon Event closure, the "All Items" Database is populated with Event information and the applicable Event EPEC Categories. Then the "All Items" Database automatically sorts Event entries into "Category" Databases. There is one "Category" Database for each EPEC Category. Each "Category" Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" Database that provides users with instructions for use, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications, and benefits will continue to be explored as they relate to the EPEC Documents.

Wednesday, 08/14/13, AM. Exeter: Human Factors II. Chair: Flint

Development of Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy; Yanyan Wang, DE; Xin Liu; Wei Bai; Xinsheng Guo; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China

Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress has a disadvantageous effect on flight safety. Life events are a routine item of aircraft accident investigation in many countries. A lot of pilots involved in accidents were suffering from life events. In order to acquire the ideal effect, flight safety education must be incorporated with psychology. An education program combining flight safety and psychological stress was developed by summarizing the psychological factors relevant to aviation risk perception. The program includes three sections: psychological measurement relating to safety and results feedback; education on representative risk scenes in aviation; and occupational stress management. The Aviation Safety Locus of Control scale and the Hazardous Aviation Attitude questionnaire were used to evaluate risk pattern. The results were fed back to pilots to improve their self-knowledge. Representative risk scenes were based on the five hazardous attitudes theory. Fifteen cases were developed and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach the pilots stress management skills. The program can be applied to improve the flight safety and mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD; Xin Liu; Wei Bai; Xinsheng Guo; Qingfeng Liu, MPsy; Xiaochao Guo, DPsy; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China

The capabilities of crew resource management (CRM) directly relate to flight safety and run through the whole process of flight tasks, but there are currently still no indicators and methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and the pilot's behavior characteristics of dynamic CRM were developed based on AC-121-FS-2011-41 (crew resource management training) and by analyzing the influential factors; eventually the dynamic assessment training indicators and methods of crew resource management were formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis of assessment of CRM during flight training, which is helpful to improve the CRM capabilities of a double drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD; Erin Collins; Hughes Associates, Inc., Baltimore, MD, USA

The fire protection response in selected facilities is characterized by "manual" activities. That is, facility personnel are trained to immediately react after fire detection, not only to announce the fire event throughout the facility using the communication systems, but also to suppress the fire as quickly as possible. Contrary to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e., hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper involves an integration of an event tree analysis and HRA, which includes treatment of the following detection and suppression activities: prompt detection and suppression, rapid detection and suppression, and fire brigade suppression.
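As an added worked example (not from the paper or its authors), the following Python quantifies an event tree of the shape the abstract describes: one "manual" action per branch, tried only if the earlier ones failed, with a time-feasibility screen on each action as an HRA would apply. The initiating-event frequency, human error probabilities (HEPs), timing values and the acceptance target are constructed for illustration, not taken from the paper.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HumanAction:
    """One manual detection-and-suppression activity credited in the event tree."""
    name: str
    hep: float             # human error probability, given the action is feasible (constructed)
    time_available: float  # minutes before the fire outgrows this action (constructed)
    time_required: float   # minutes personnel need to detect, decide and act (constructed)

    def failure_probability(self) -> float:
        # Feasibility screen: an action that cannot be completed within the time
        # available gets no credit at all, whatever its nominal HEP.
        if self.time_required >= self.time_available:
            return 1.0
        return self.hep


def quantify_event_tree(initiating_frequency: float, actions: list) -> dict:
    """Walk the event tree branch by branch.

    A later action is only reached when every earlier one failed, so the
    frequency of each end state is the initiating frequency times the failure
    probabilities of all earlier actions times this action's success (or
    failure) probability. Returns end state -> frequency per year.
    """
    end_states = {}
    remaining = initiating_frequency
    for action in actions:
        p_fail = action.failure_probability()
        end_states[f"suppressed by {action.name}"] = remaining * (1.0 - p_fail)
        remaining *= p_fail
    end_states["unsuppressed fire"] = remaining
    return end_states


def scenario_needs_improvement(end_states: dict, target_frequency: float) -> bool:
    """Flag a scenario whose unsuppressed-fire frequency exceeds the acceptance target."""
    return end_states["unsuppressed fire"] > target_frequency


# Constructed scenario: a fire with an assumed initiating frequency of 1e-2 per
# year and the three activities named in the abstract.
FIRE_FREQUENCY = 1.0e-2
BASELINE_ACTIONS = [
    HumanAction("prompt detection and suppression", hep=0.10, time_available=5.0, time_required=2.0),
    HumanAction("rapid detection and suppression", hep=0.30, time_available=15.0, time_required=8.0),
    HumanAction("fire brigade suppression", hep=0.05, time_available=30.0, time_required=20.0),
]

# Same scenario, but the brigade's response time exceeds the time available, so the
# feasibility screen strips its credit and the unsuppressed frequency rises 20-fold.
SLOW_BRIGADE_ACTIONS = BASELINE_ACTIONS[:2] + [
    HumanAction("fire brigade suppression", hep=0.05, time_available=30.0, time_required=35.0),
]

if __name__ == "__main__":
    for label, actions in (("baseline", BASELINE_ACTIONS), ("slow brigade", SLOW_BRIGADE_ACTIONS)):
        states = quantify_event_tree(FIRE_FREQUENCY, actions)
        print(label)
        for state, freq in states.items():
            print(f"  {state:42s} {freq:.2e} /yr")
        print("  needs improvement (target 1e-4 /yr):", scenario_needs_improvement(states, 1.0e-4))
```

The feasibility screen is the part worth noticing: a nominal HEP of 0.05 is worthless if the crew physically cannot reach the fire in time, and it is exactly this comparison of time required against time available that lets the analysis point at the scenarios where the capability itself, not the training, needs improving.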

Wednesday, 08/14/13, PM. Berkeley: Safety Topics. Chair: Gauthier

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou, BEng, MSc, PhD, CEng; Matthew Luckcuck; Tim Kelly, PhD; Richard W. Jones, PhD; Department of Computer Science, University of York, York, United Kingdom

There has been an increasing use of IT in healthcare, aiming to improve the quality of healthcare as well as the safety delivered to patients. IT can contribute to improvement in meeting the performance targets of hospitals by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent in medical devices (e.g., pacemakers), for which there are organised efforts for international standards. Recently there have been attempts to systematise and standardise the safety analysis of health IT systems, with examples such as the UK National Health Service standards asking for a safety case that any IT systems are safe.


The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety and data intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these (tactics) can be used to provide assurance to the final safety case of the system.

How Complex Systems Fail - I: Decomposition of the Failure Histogram
Richard R. Zito, PhD, Richard R. Zito Research LLC, Tucson, AZ, USA

Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that in general the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model. And the failure histograms (failure rate vs. time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report will take the Peterson/Arellano analysis one step further. A unified theory of failure rates will be presented that removes the paradoxes of the simple Rayleigh model. It will be shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function law.
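An added illustration, not the paper's own analysis, of the decomposition the abstract proposes: a single Rayleigh failure histogram set beside a mixture of Rayleigh laws, one per subsystem, whose modes are spread over a range. The subsystem modes and weights below are constructed, and the log-normal spread of modes is an assumption made for this example. What the numbers show is that a mixture with differing modes keeps more of its mass in the tail than the single Rayleigh with the same mean, which is the "tails are higher than predicted" observation the abstract starts from.

```python
import math


def rayleigh_pdf(t: float, sigma: float) -> float:
    """Rayleigh density; its mode (the histogram peak) is at t = sigma."""
    return (t / sigma ** 2) * math.exp(-t ** 2 / (2.0 * sigma ** 2))


def rayleigh_survival(t: float, sigma: float) -> float:
    """Fraction of all failures still to come after time t under one Rayleigh law."""
    return math.exp(-t ** 2 / (2.0 * sigma ** 2))


def mixture_pdf(t: float, components) -> float:
    """Failure histogram of a system whose subsystems each follow their own Rayleigh law.

    components is a list of (weight, sigma); weights are each subsystem's share
    of the total defects and sigma is that subsystem's mode.
    """
    return sum(w * rayleigh_pdf(t, s) for w, s in components)


def mixture_survival(t: float, components) -> float:
    return sum(w * rayleigh_survival(t, s) for w, s in components)


def equivalent_single_sigma(components) -> float:
    """Mode of the single Rayleigh law with the same mean as the mixture.

    The Rayleigh mean is sigma * sqrt(pi/2), so matching means gives
    sigma_eq = sum(w_i * sigma_i); this is the one-curve fit an analyst
    would draw through the whole histogram.
    """
    return sum(w * s for w, s in components)


def tail_ratio(t: float, components) -> float:
    """How much more failure mass the mixture carries beyond t than the mean-matched single law."""
    return mixture_survival(t, components) / rayleigh_survival(t, equivalent_single_sigma(components))


def discretised_modes(log_mean: float, log_sd: float, n: int = 7):
    """Build components whose modes follow a discretised log-normal density.

    This stands in for the abstract's "modes distributed according to a pdf";
    the log-normal choice is an assumption made for this example only.
    """
    zs = [-3.0 + 6.0 * i / (n - 1) for i in range(n)]   # grid in standard-normal units
    raw = [math.exp(-z * z / 2.0) for z in zs]           # unnormalised normal weights
    total = sum(raw)
    return [(r / total, math.exp(log_mean + log_sd * z)) for r, z in zip(raw, zs)]


# Constructed subsystem mix: four subsystems whose defect histograms peak at
# 2, 4, 8 and 16 time units (say weeks), holding 40/30/20/10 % of the defects.
SUBSYSTEMS = [(0.4, 2.0), (0.3, 4.0), (0.2, 8.0), (0.1, 16.0)]

if __name__ == "__main__":
    sigma_eq = equivalent_single_sigma(SUBSYSTEMS)
    print(f"mean-matched single Rayleigh mode: {sigma_eq:.2f}")
    for t in (5.0, 10.0, 20.0, 30.0):
        print(f"t={t:5.1f}  mixture pdf={mixture_pdf(t, SUBSYSTEMS):.4e}  "
              f"single pdf={rayleigh_pdf(t, sigma_eq):.4e}  "
              f"tail ratio={tail_ratio(t, SUBSYSTEMS):.1f}")
    lognormal_mix = discretised_modes(log_mean=math.log(5.0), log_sd=0.6)
    print(f"log-normal mode spread: tail ratio at t=20 is {tail_ratio(20.0, lognormal_mix):.1f}")
```

The tail ratio grows without bound as t increases because, far out in the tail, the mixture is dominated by the subsystem with the largest mode, while the single mean-matched curve has already fallen off as exp(-t^2 / (2 sigma_eq^2)). Fitting one Rayleigh to a histogram built from several subsystems therefore systematically under-predicts late failures, which is the effect a decomposition per subsystem is meant to remove.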

Wednesday, 08/14/13, PM. Clarendon: Risk Assessment. Chair: Karedes

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt; Joan Pham, PhD; Sikorsky Aircraft Corporation, Stratford, Connecticut, USA

The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday, 08/15/13, AM. Berkeley: Space Systems. Chair: Durmaz

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X. Dang, BSCE (1); Myles P. Moran, BSME (2); Tyrone Jackson, BSEE (1). (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA

A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. An example: one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202_AFSPCSUP1, 91-217, and 63-101. AF program offices are required to comply with AFI policies; AFIs don't generally apply to the contractor except as implemented through the contract. Often program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that by having two sets of requirements, AFIs for program offices and MIL-STD-882-Tailored for contractors, full compliance with AF Orbital Safety policy should be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"

Program ISSC 2013


Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G. McDougall, BS Physics, Naval Post-Graduate School (NPS) Master System Engineering, System Safety Center SMC/SE, El Segundo, CA, USA; Tyrone Jackson, BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA
Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommissioning, and disposal of systems, subsystems, end items, and services during the entire space system lifecycle, to support Operational Safety, Suitability, and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements that are applicable to the acquisition of space systems or space systems of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems, and user equipment systems. SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP_I, and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process for evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing the tasks and activities required to execute a viable system safety program, including risk acceptance package development, hazard tracking, mishap risk disposition, and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch, CO, USA
United Launch Alliance launches Atlas V and Delta IV from the Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles, and large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire, and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle, and prelaunch operations, until liftoff. Range Safety regulations provide safety requirements for hardware, software, and operations to ensure safety throughout ground processing. This paper will examine each stage of the ground processing for space launch and the applicable safety requirements, and discuss how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after personnel are cleared, using safety-critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday 08/15/13, AM, Clarendon: Weapons Safety (Chair: Southwick)

Security Critical Software: the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S. Alborzi, PhD, Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA
Today's political landscape, the arbitrary abandonment of nuclear non-proliferation by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense of system safety. This paper intends to explore this integration and unveil some of the security critical software that can serve as the first line of defense for preserving the safety critical features of our weapons systems.


Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams, BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello, BSChE, Navy NOSSA, Indian Head, MD, USA
The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance provided in the associated AOP-7 and AOP-39 for implementing policy. Questions are often raised during program development and reviews as to the origin and applicability of the tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, will only address Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE; Gunendran Sivapragasam, MBA SE. Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA
A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among the characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday 08/15/13, AM, Dartmouth: Hazard Identification (Chair: Oliver)

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore
We often ask ourselves why accidents or mishaps happened even when the system safety methodology and assessments were in place. Accidents happen due to many possible causes. There could be lapses in the safety integrity of the system, or a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns, such that a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations that were faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practice of system safety. Four areas of concern are highlighted in the paper: Interfaces, Prototype Tests & Trials, Maintenance & Disposal, and Human Error. By identifying the gaps in these four areas, the author explores and proposes mitigation measures that could possibly close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr. Cand. Scient., System Safety, SINTEF, Trondheim, Norway
Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body (for certification according to IEC 61508), a Notified Body (for certification according to the relevant EU directives), and a Manufacturer.

Experience has shown that, to deliver the product on time and cost-effectively, it is very important that the Manufacturer and the Certification and Notified Bodies agree on basic principles concerning the plans, contents, traceability, and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Body as evidence.

This paper presents the CoVeR method, developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, that costs are minimized, that time to market is reduced, that the certification process is complete and well documented, and that updating the certificates requires less work. Certification experience to date shows that many of the problems with conventional methods are reduced.

Design with Safety Eye
Barış Berk Erdem, MS; Pinar Aydin, MS. Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey
Deriving safety requirements in the early stages of design is one of the key factors in conducting a successful development process for any project. Well-defined, correct, consistent, and complete safety requirements improve and guide the design toward optimal levels with minimum effort, whereas defective, inconsistent, and incorrect safety requirements may lead to unsuccessful, overweight, and over-cost designs. In this paper, the ways and advantages of deriving qualified safety requirements in the early stages of design are discussed through examples. Safety requirements are derived using the results of safety assessments based on the consequences of functional failures. But the quality of the safety assessments depends on the maturity of the design, and as the design matures it becomes hard to implement changes, which creates a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated, and familiar with similar projects provides great contributions. A safety perspective throughout the design team also makes it easier to derive valuable safety requirements and bring them into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is cooperation of the whole design team with a safety perspective.

Thursday 08/15/13, PM, Berkeley: Aerospace Software (Chair: Beecher)

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway, NASA Langley Research Center, Hampton, VA, USA
For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements." Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments contained in or implied by the DO-178C guidance that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore, developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels, and Baconian probability. We define use cases for confidence in safety cases, prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for reuse of safety elements.

Initial Safety Analysis for Integration of Unmanned Aerial Systems into the National Airspace System
Eric Yang, PhD; Richard Y. Xie, PhD; Arash Yousefi, PhD. Metron Aviation, Inc., Dulles, VA, USA
As demand for military, civilian, and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper we adapt a previously developed safety modeling framework, the Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS, incompatibility of the sense-and-avoid systems of UAS and the Tactical Collision Avoidance Systems (TCAS) of manned aircraft, loss-link procedures in the UAS, and UAS loss of communication with air traffic control. The findings of this study provide insight into the potential risks of UAS integration and may support the development of a concept of operations, the establishment of minimum performance standards, and the development of the required safety nets.

Thursday 08/15/13, PM, Clarendon: Public Safety II (Chair: Laabs)

Integrating System Safety and Emergency Management
Terry L. Hardy, Great Circle Analytics, LLC, Denver, CO, USA
System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations, or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience, and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS, HSE, Marine Well Containment Company, Houston, TX, USA
Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips, and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain, and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess, and Statoil. In February 2011, MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS, and the Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach to working with member companies on hazard identification to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.


A Taxonomic Analysis on Chinese Special Equipment "Yinhuan" in Supervision
Yunxiao Fan, Dr., Associate Professor; Yun Luo, Professor; Ming Lu, Master. School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety on the worksite. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices, and automobiles. In recent years the rapid increase in the numbers and types of special equipment has put BSES under increasing stress in regulating it. As the government supervision organization, BSES tries to make the inspection tasks of the different supervision levels explicit and efficient, and to improve safety management performance from the viewpoint of risk. This research is the first task in a project which aims to identify yinhuans in special equipment supervision using a taxonomic approach, for further ranking through risk assessment. Based on nonconformity and the four elements of the accident causation model, this research defined yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. This research identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans across 8 types of special equipment.

Thursday 08/15/13, PM, Dartmouth: Hazard/Risk Management II (Chair: Kniess)

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1); Patrick J. Graydon, PhD (2); Rikard Land, PhD (1). (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework that includes analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach, the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence; it can also ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA
United Launch Alliance (ULA) believes error reporting is the cornerstone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented, and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012 ULA experienced an elevated number of transportation-related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if the associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates processes were "in control" during the period of this study.


Even though statistical analysis tools demonstrated ULA's processes were "in control," ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business; rather, ULA strives to eliminate all errors.

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, PEng, MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece
Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how STAMP-Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents, and incidents. The objective is to show the feasibility of establishing in airports system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems, and airports to assess and predict changing levels of risk.


Special Functions

Saturday: SSS Executive Council Meeting, 12:00 - 5:00pm, Tremont Room

Sunday: SSS Executive Council Meeting, 8:00am - 5:00pm, Tremont Room

Monday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Opening Ceremonies / General Session, 1:30 - 3:30am, Salons A-E. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus. Keynote Speaker: James P. Keller, Jr., MS, ECRI Institute

Tuesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Sponsor/Exhibitor Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology
Sponsor & Exhibitor Reception, 6:30 - 8:30pm, Gloucester Room

Wednesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
International Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK
Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00pm. Be in the hotel lobby at 6:00pm

Thursday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Awards Luncheon, 11:30 - 1:20pm, Salons A-E

Friday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Best Papers Presentations, 8:00 - 11:20am, Dartmouth Room

32nd International System Safety Conference, 4-8 August 2014 · St. Louis, MO
St. Louis Union Station Marriott Hotel
Gateway to Safety

Local attractions: Gateway Arch Riverfront; Missouri History Museum; Museum of Transportation; St. Louis Cardinals; St. Louis Symphony; St. Louis Union Station; St. Louis Science Center; The Contemporary Art Museum St. Louis; Bissell Mansion Restaurant and Dinner Theater; Missouri Botanical Gardens; Laumeier Sculpture Park; Anheuser-Busch Brewery; Kemp Auto Museum; Schlafly Bottleworks; Fox Theater; Purina Farms; Meramec Caverns; Laclede's Landing; City Museum; Magic House; Grant's Farm; St. Louis Zoo; Delmar Loop; Forest Park; Harrah's; Six Flags


About the System Safety Society
The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products, and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program, or activity at the planning phase and continues through the design, production, testing, use, and disposal phases.

The Society's Objectives
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering, and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070; www.system-safety.org; email: systemsafety@system-safety.org

Points of Contact

Officers
Robert Schmedake, President, robertaschmedake@boeing.com
Dr. Rod Simmons, Executive Vice President, rodsimmons@me.com
Dr. Matt Johnson, Executive Secretary, mjohnson@staudertech.com
Pam Kniess, Treasurer, pamkniess@gmail.com
Gary Braman, Immediate Past President, gbraman@sikorsky.com

Directors
Gerry Einarsson, Chapter Services, einargk@rogers.com
Lynece Pfledderer, Conferences, Lynecepfledderer@lmco.com
Dr. Chuck Muniak, Education & Professional Development, cmuniak@stevens.edu
Debbie Hale, Gov. & Intersociety, Hale0324@hotmail.com
Robert Fletcher, International Development, rwfletcher@sympatico.ca
Melissa Emery, Member Services, memery@apt-research.com
Steve Mattern, Mentoring R&D, smattern@bastiontechnologies.com
Saralyn Dwyer, Publicity & Media, sdwyer@apt-research.com


Chapters
Tennessee Valley Chapter (AL): Don Swallom, swallom@isss-tvc.org
Saguaro Chapter (AZ): Amanda Boysun, 520-794-5487, AmandaBoysun@raytheon.com
Bay Area Chapter (CA): Graham Murray, 408-756-2674, grahamtmurray@lmco.com
Central California Chapter (CA): Kathleen Brenna, KathleenBrenna1@us.af.mil
Sierra High Desert Chapter (CA): Jerry Banister, 760-377-4690, safetycitadel@earthlink.net
Southern California Chapter (CA): Francis McDougall, 310-653-1309, francismcdougall@us.af.mil
Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppe@comcast.net
Georgia Chapter: Terry Gooch, 770-494-3527, terryjgooch@gmail.com
Winners Circle Chapter (KY/IN): Marc Bever, 812-854-1351, Marcbever@navy.mil
Twin Cities Chapter (MN): Bill Blake, 763-744-5086, billblake@atk.com
New England Chapter: Alan E. Southwick, 401-842-2067, Alan_E_Southwick@raytheon.com
Northeast Chapter: Scott Beecher, scottbeecher@PW.utc.com
New Mexico Chapter (NM): William (Bill) Harwood, williamharwood@mda.mil
Houston Chapter (TX): Derek Robins, 281-335-2011, derekrobbins@mwcc-usa.com
North Texas Chapter (TX): Frank Rinaldo, 817-762-3075, frankrrinaldo@lmco.com
Washington DC Chapter: Sean Peters, seanpeters@urs.com
Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerber@baesystems.com

International Chapters
Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbecht@rgbassurance.com.au
Canada Chapter: Maury Hill, 613-220-0533, Mauryhill@rogers.com
Israel Chapter: Haim Kuper, 972-4-8315044, haimkuper@elbitsystems.com
Singapore Chapter: Ten Lin Mei, tlinmei@dso.org.sg


31st ISSC Luncheon Menu

Tuesday, August 13
New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14
Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark, and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15
Caesar Salad
Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce
White Chocolate and Blood Orange Torte


Boston Marriott Copley Place
[Floor plan of the third and fourth floors. Legend: Presenter Prep; Lessons Learned; ISSC Staff Turn-Over Meeting; Speakers' Breakfast; ISSC Tracks; Tutorials; Opening Ceremony; General Meeting; Lunches; Registration; Reception; Exhibitor Area. Rooms shown: Fairfield, Gloucester, Exeter, Dartmouth, Clarendon, Berkeley, Arlington, Simmons, Brandeis, Wellesley, Suffolk, Tufts, Regis, Harvard, MIT, Boston University, Northeastern, Nantucket, Provincetown, Hyannis, Yarmouth, Vineyard, Falmouth, Orleans, Salons A through K, Back Bay Conference and Exhibition Center, Ballroom Foyer, Registration, Atrium Area/Lounge/Foyer, Restaurant, Offices A and B.]


Contents
General Information 2
Greetings 5
Speakers 10
Schedule 12
Tutorials 21
Panel Discussions/Forums 26
Workshops 26
Paper Presentations 30
Special Functions 50
About the System Safety Society 52

Organizing Committee
Conference Chair: Pam Alte
Co-Chair: Cliff Parizo
Technical Program Co-Chairs: Gary Braman, Norman Gauthier
Sponsor/Exhibitor Chair: Lindsey Eirich
International Chair: Bob Fletcher
Financial Chair: Cathy Carter
Off-Site Events: Alan Oliver
Webmaster: Don Swallom
Logistics/Equipment: Richard Anderson
Publishing: Heather French
CEU Credit: Rod Simmons
32nd ISSC Liaison: Pam Kniess

The following volunteers contributed to the success of the conference:

Pam Alte, 31st ISSC Chair

2

General Information

Registration Desk: All 31st ISSC attendees, including sponsors and exhibitors, must register at the registration desk located on the 4th Floor. Registered attendees will receive badges, which should be displayed while in any ISSC area (including luncheons). Once a badge is issued, it is the responsibility of the registrant to ensure that it is not lost. Sponsors may change the names on their badges as often as they want, but the old one must be turned in to receive a new name.

Special Events: Spouses or exhibitors may purchase tickets for luncheons or the off-site event at the registration desk up to 24 hours prior to the event. Tickets for the Wednesday night off-site event at the Museum of Science will be $90.00 for adults or $55.00 for children. Tickets to the luncheons on Tuesday, Wednesday and Thursday are $45.00 per lunch for any attendee. Spouses and guests are welcome to attend the Tuesday evening Sponsors and Exhibitor social free of charge.

Internet: Internet will not be provided in the conference locations. However, should you require internet access during the conference, there is complimentary wireless available in the lobby and other public areas. There are also internet options available to each guest in their room.

Transportation: The Marriott Copley Place is located 3.2 miles away from the airport. The subway cost (one way) is $2.50 and the estimated taxi cost is $35.00. While rental cars are available, parking costs in Boston tend to be pricey. Alternative means of getting around include taxis, the subway or walking.

Tutorial Program & CEUs: The conference includes several information-packed tutorials in addition to the papers being presented. Attending tutorials, along with other elements of the Technical Program at the 31st ISSC, meets the requirements for Continuance of Certification credit through the Board of Certified Safety Professionals (BCSP). Continuing Education Units (CEUs) will be issued for participation in the Conference tutorials. You must be present for the entire tutorial in order to be granted the CEUs. Attendance will be taken at the start of the tutorial and after each break, and you must be present at the end to collect your certificate. CEUs are issued on the basis of 0.1 CEU per instructional contact hour.

Dress Code: We want you to feel comfortable while you are attending the 31st ISSC, so we advise 'business casual' attire. The awards ceremony, which is a part of the Thursday luncheon, is a time when many attendees will dress in more formal business attire. The Tuesday night Sponsor and Exhibitor social and the Wednesday night off-site event are also business casual dress.

Daily News: The ISSC Daily News will be available at 7:30 each morning, both at the registration desk and in the Sponsor/Exhibitor area. This will announce any room changes, schedule changes or other information pertinent to the proceedings of the conference.

Spousal Program: There are no tours provided by the ISSC for spouses this year. However, there is an information session to be held on Monday. Brochures will be made available, along with maps and ideas of attractions to visit. If a spouse is unable to make this information session, the hotel concierges can answer questions about local attractions, how to use the subway, available tours or dining suggestions.

Wednesday Night Off-Site Event: Bus transportation will leave the Marriott Copley Place starting at 6:00 pm and bring attendees to the Museum of Science. The ISSC will have the Blue Wing reserved from 6:30 pm to 10:30 pm and will receive a private lightning demonstration in the Theater of Electricity, a buffet dinner and a cash bar. Spousal/guest tickets can be bought at the registration desk up until 24 hours before; however, to ensure a smoothly-run event, we encourage you to purchase extra tickets when you register. This is sure to be an event you won't want to miss.


Safety is paramount. That's why at Lockheed Martin, safety is designed into everything we do. Our system safety engineers follow proven government and industry standards, plans, processes and lessons learned to build the world's most safe, supportable and technologically advanced aircraft.

Lockheed Martin is proud to sponsor this year's International System Safety Conference and applaud their mission to ensure system safety for the long run.

www.lockheedmartin.com

ENSURING SAFETY FOR THE LONG RUN

© 2013 Lockheed Martin Corporation


Greetings from the Society President

As the newly elected Society President, I want to welcome you to the 31st International System Safety Conference. I have been working in system safety since 1985, and I find this to be a rewarding and exciting career field. What I have liked most about the field is the fact that I find every new assignment involves working with new and varied types of systems. I love the challenge, and I appreciate that I am fortunate to have a job where my work makes a difference in the safety of our systems. We as System Safety Professionals have the unique privilege of impacting our society in such a positive way.

This year marks the Golden Anniversary of our society, and we trust this year's conference will live up to your expectations. We have come a long way since the early days of this society. Technology has transitioned from vacuum tubes to liquid crystal displays, launching unmanned satellites to commercial space flights, computers the size of a room to tablets with more and more capability daily. Some of our founding members will be in attendance at this conference, and they will be participating in our opening session. I know I am looking forward to hearing from them and their unique challenges.

I am also looking forward to hearing about the unique challenges we face with the latest in technology in our society. The impact of new technology on society and the motivation to trust more of our safety critical applications to the latest in today's innovations creates ever steeper challenges for us. This conference helps us to meet the challenge. We have outstanding technical sessions, world leading safety professionals in attendance, opportunities to network and opportunities to find solutions to our everyday safety dilemmas.

Our Conference Chair, Pam Alte, and her team have done an outstanding job in putting together this conference. We have a number of interesting technical tracks at this conference. Our speakers include some of the biggest names in the field. Our sponsors are among the best in the industry, and clearly we value their contributions to making our world a safer place.

So thank you for coming to this conference. I hope you are looking forward to the opportunities we have in the coming week as much as I am.

Robert A. Schmedake, President, System Safety Society

Protecting your most valuable assets

System Safety Engineering & Analysis
Mission Assurance
Range Safety
Test Planning
Explosives Safety
Software System Safety
Industrial Engineering
Quality Engineering
Reliability Engineering
Software Development & Modeling
Independent Risk Assessments
Standards Development
Training

A-P-T Research, Inc., 4950 Research Drive, Huntsville, Alabama 35805
Phone 256-327-3373, Fax 256-837-7786, www.apt-research.com

Founded in 1990, APT (Analysis, Planning, Test) is an employee-owned small business located in Cummings Research Park near Redstone Arsenal in Huntsville, Alabama. Our corporate vision is to provide state-of-the-art expertise and ensure the highest levels of customer satisfaction.

Photo: Missile Defense Agency

Greetings from the Chapter President

Hear ye, hear ye, welcome to Boston for the 31st International System Safety Conference. Boston is the largest city in New England and one of the oldest in the United States. No hiding in your hotel - get out and enjoy the city's history, where key events of the American Revolution took place, including the Boston Massacre and the Boston Tea Party. For fun and entertainment, visit the Samuel Adams brewery and Bull & Finch pub (from Cheers). We are all Red Sox fans this week, so feel free to visit Fenway Park or view the city from atop the John Hancock or Prudential buildings. Boston has a red brick trail through the city that leads you past many of the historical locations - it's called the Freedom Trail. Walking this path brings you from the Boston Common past locations including Granary Burying Ground, Boston Massacre site, Faneuil Hall, Paul Revere's house, Old North Church, and then across the Charles River to the Bunker Hill Monument and USS Constitution.

The Northeast Chapter and SSS Executive Committee (EC) have worked hard with this year's Conference Chair, Pam Alte. If you run into Pam, make sure you stop and thank her for the volunteer hours and effort she has poured into this conference. The economy is providing challenges to pull together a successful conference, but Pam, with the EC's support, has been more than up to the task.

"Safety For The Long Run" is such a poignant theme for this year's Boston conference, with the Boston Marathon bombings bringing safety to the forefront. Other recent events, such as aviation, train and industrial accidents, have sharpened the focus on how critical the safety discipline is in all our lives. For the conference, we are all challenged to learn something new. I ask that all attendees stay engaged with the conference papers and presentations and to promote the system safety discipline.

Scott Beecher, President, Northeast Chapter, System Safety Society

I fly Sikorsky. Because the mission is never the same.

I fly a Sikorsky BLACK HAWK helicopter for multiple missions. It's dependable and durable, and I have complete confidence in its proven performance. Sikorsky not only sets the standard for rotorcraft excellence and safety, they exceed it. It's evident in everything from the reliable performance of my BLACK HAWK to the way they support me in the field. There's simply no better helicopter for any requirement, whether it's utility, combat search and rescue or firefighting. The way I see it, not every pilot gets to fly in a helicopter this good. But they should.

Sikorsky

Greetings from the Conference Chair

On behalf of the entire ISSC planning committee, I would like to extend a warm welcome to you. We have worked hard to make this conference a world-class success. Whether this is your first visit to Boston or you have been here before, I hope you get a chance to relax and enjoy our beautiful New England city. Boston has something for everyone, from historical sites to exciting downtown locations, sports arenas and fabulous shopping. Our off-site event will be held in the Museum of Science, complete with Wolfgang Puck catering and our own private Lightning Show.

The System Safety Society is proud to host an annual conference that provides practitioners from different industries a chance to get together, network and learn from each other. Unfortunately, the US budget sequestration restricted travel for Government workers, so our numbers are down this year. I would like to assure all attendees that although this year's conference will be smaller than previous years, the standards to which we held our papers and tutorials were not lowered. You can expect top notch presentations.

The theme for this year's conference, Safety for the Long Run, picks up on a number of parallels between the types of things one might do to prepare for a marathon race and elements of an effective system safety program. These include the importance of proper training, having a well thought out plan, getting off to a good start, avoiding obstacles and distractions, and keeping enough in reserve for a successful sprint to the finish. I think you will agree that this year's conference will help prepare you well.

One of our objectives was to try to attract more young people who could especially benefit from the knowledge and experience of many of the Society's "grey beards". We will have several student members in attendance, and I hope you will join me in making them feel welcome. I am also pleased to announce this year we will have a new track, lifecycle safety. These papers will discuss system safety as it moves past the development stage, which is where the majority of our previous discussions have stopped. In addition to our many papers and tutorials being offered, there is the potential for "Just in Time" sessions to be held. A board for suggesting topics you would like to have added to discussions will be located at the registration desk, or you can coordinate with Norm Gauthier, one of our Technical Co-Chairs.

We wish you an enjoyable and enlightening conference experience. Should there be anything you require to make your conference experience better, please don't hesitate to reach out to me, Cliff Parizo or any of the other Conference Committee volunteers.

Again, enjoy your visit and thank you for your support by being here. I would also like to send a big thank you to those who helped plan this conference, our sponsors & exhibitors, and especially to Sikorsky Aircraft for partnering with us to make this conference a reality.

Sincerely, Pam Alte, 31st ISSC Conference Chair

Speakers

Rex B. Gordon, MPH, PE, CSP, Fellow Member Emeritus: Opening Ceremonies 50th Celebration Speaker

Rex Gordon is a 50 year Charter Member and current Historian of the System Safety Society. He is a past President and Editor of the Journal. He served as Chairman of the 2nd ISSC and of both the Northeast and Southern California Chapters. He has represented the Society on the boards of the Reliability and Maintainability Symposium (RAMS) and Certified Safety Professionals (CSP). He is a Chapter Member and past Chairman of the Government Electronic Industries Association (GEIA) G-48 System Safety Committee. He has co-authored two text books and over 15 published papers. He has lectured at the George Washington University and USC. He has represented the Society at functions held in the White House, the Pentagon, and in Germany, Holland and Paris.

He is retired after 40 years of employment as a System Safety Engineering Specialist, Manager and Consultant. He currently lives with his wife of 61 years in Fallbrook, CA.

James P. Keller, Jr., MS, ECRI Institute: Keynote Speaker

As Vice President, Health Technology Evaluation and Safety, James Keller directs ECRI Institute's internationally recognized Health Devices Evaluation Program, which provides independent judgment and guidance to help hospitals and health systems select and manage medical devices. The program was referred to by the New York Times as the "country's most respected laboratory for testing of medical products". He serves as a member of ECRI Institute's Executive Committee, which is responsible for overall governance of ECRI Institute operations.

Mr. Keller is also responsible for the Health Devices Alerts notification service for medical product hazards and recalls; Alerts Tracker, a web-based tool for managing hazards and recalls of medical products; Biomedical Benchmark, a resource to help hospitals manage their medical equipment service activities; an annual series of interactive webinars on health technology issues; and the International Medical Device Problem Reporting System.

Mr. Keller is a recognized expert and frequently invited speaker on a wide range of health technology-related topics, including patient safety, equipment management, strategic planning and forecasting, device utilization, nomenclature and asset management, and the convergence of medical devices and information systems. He is a regular contributor to ECRI Institute's Patient Safety Blog and is routinely sought out by the news media for his expertise on a variety of health technology concerns.

Mr. Keller is President of the board for the American College of Clinical Engineering and is a member of the board for the Health Technology Foundation. He joined ECRI Institute in 1984 after completing a Master of Science degree in biological engineering from the University of Connecticut and a Bachelor of Science degree in zoology from the University of Massachusetts.

Dr. Nancy Leveson, Massachusetts Institute of Technology: Sponsor & Exhibitor Luncheon Speaker

Dr. Leveson holds a PhD from UCLA. She was a Computer Science professor at the University of California, then became Boeing Professor of Computer Science and Engineering at the University of Washington.

Professor Leveson's research focuses on topics related to the design of complex systems containing software, hardware and human components. Her goal is to stretch current limits of complexity and intellectual manageability of the systems we can build with reasonable resources and with confidence in their expected behavior, particularly safety. Current research topics include model-based system and software engineering, system and software safety, software requirements specification and analysis, human-computer interaction, reusable component-based system architectures, interactive visualization, human-centered system design, and comprehensive approaches to risk management that include the organizational, political, managerial and social aspects of system construction and operation. New work is starting in security. Current applications include space, aircraft, autos, rail systems, nuclear power, medical devices, hospital safety, defense systems and others.

Dr. John McDermid, The University of York, UK: International Luncheon Speaker

Professor John A. McDermid has been Professor of Software Engineering at the University of York since 1987, where he runs the High Integrity Systems Engineering (HISE) research group. He was also Head of the Department of Computer Science from 2006 to 2012. The HISE research group studies a broad range of issues, mainly in systems, software and safety engineering, and works closely with the UK aerospace industry, but has worked in a number of domains including automotive, medical and railways.

In 2010 he was appointed a Consulting Professor at Beijing Jiaotong University (BJTU) and now runs a collaborative research programme in railway safety with BJTU, known as the Railway Safety Technology Research Centre (RSTRC). He has extensive experience as a consultant, including advising the Ministry of Defence (MoD) on the development of DS 00-56 Issues 3 and 4. He is a member of the UK Defence Scientific Advisory Council. He is author or editor of six books and has published approximately 360 papers.

Schedule: Monday, 12 August

4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Rooms: Salons A-E, Berkeley, Clarendon

Hazard Analysis (Barondes)
8:00 - 8:50: Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models (Wind, Schedl, Floetzer)
9:00 - 9:50: Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees (Rainey)
10:30 - 11:20: The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment (Jaradat, Graydon, Bate)

Ground Transportation (Millin)
8:00 - 8:50: Achieving Safety Confidence of a Large Scale System Product and its Applications (Shi)
9:00 - 9:50: Failure Logic Automata for Future Oriented Safety Assessment of Train Control System (Zhou, Zhao)
10:30 - 11:20: Are We Ready for Driverless Cars? (West)

Lunch Break, Salons A-E

1:30 - 2:20: Opening Ceremonies / General Session, Salons A-E
Opening Ceremonies 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow Member Emeritus
Keynote Speaker: James P. Keller, Jr., MS, ECRI Institute
2:30 - 3:20
4:00 - 4:50

Rooms: Exeter, Fairfield, Wellesley

8:00 - 8:50 (morning session)
Tutorial (Exeter): Hands-On System Safety Basics Focused On FHA (Winkelbauer, Schedl) (3 hrs)
Tutorial (Fairfield): Introduction to Fault Tree Analysis Using CAFTA Software (Roy) (3 hrs)
Committee & Group Meetings
9:00 - 9:50
10:30 - 11:20
1:30 - 2:20
2:30 - 3:20
4:00 - 4:50

Schedule: Tuesday, 13 August

4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Rooms: Arlington, Berkeley, Clarendon, Dartmouth

8:00 - 8:50: Tutorial (Arlington): A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique (Leveson, Thomas) (6 hrs); continues after lunch

Hazard/Risk Management (Parizo)
8:00 - 8:50: Safety is not an Option (Parizo, Daugherty)
9:00 - 9:50: National Aerospace Standard 411 Update (Sheehan)
10:30 - 11:20: Linear Integrated Safety Analyses (LISA) (Grant, Muhammad)

Workplace Safety (Kondreck)
8:00 - 8:50: Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen (Zhang, Batcheller, McQueen)
9:00 - 9:50: A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources (Fischer, Yankaskas, Page)
10:30 - 11:20: System Safety Design for Safe Operation of Radars (Bartos)

Open Forum (Fletcher)
8:00 - 8:50: Developing Global System Safety Perspectives

Sponsor & Exhibitor Luncheon, Salons A-E. Guest Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology. Menu: New England Clam Chowder; Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction; Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

1:30 - 2:20: Tutorial (continued)

Software Engineering (Mikula)
1:30 - 2:20: Dependability Techniques Applied to Space Software - A Research Project Report (Lahoz, Abdala)
2:30 - 3:20: The Principles of Software Safety Assurance (Hawkins, Habli, Kelly)
4:00 - 4:50: Formal Modelling in the Development of Dependable Systems (Troubitsyna)

Aerospace Safety (Kraemer)
1:30 - 2:20: Systems-Based Approach to Flight Safety Management in Airlines (Chi, Xu, Qi, Shao)
2:30 - 3:20: Use of Master Minimum Equipment List (MMEL) To Ensure Safe Dispatch (Durmaz)
4:00 - 4:50: Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics (Campbell)

Software Safety (Schmedake)
1:30 - 2:20: Safety and/vs. Security: Towards a System Engineering Approach for Trust (Schoitsch)
2:30 - 3:20: Anatomy of a Safety Critical Software Function (Church)
4:00 - 4:50: Software Risk: The Third Rail of Safety Analysis (Hildreth, Elcock)

6:30 - 8:30: Sponsor & Exhibitor Reception, Gloucester Room

Rooms: Exeter, Fairfield, Suffolk, Wellesley

8:00 - 8:50 (morning session)
Workshop: ISO 26262-Style Risk Assessment (Joyce) (3 hrs)
Tutorial (Fairfield): Assurance Cases As Means of Evidence Based Development of Critical Systems (Despotou) (3 hrs)
Tutorial: Practical Generation of Safety Cases With the Help of GSN (Gerstinger, Schedl) (3 hrs)
Committee & Group Meetings
9:00 - 9:50
10:30 - 11:20

1:30 - 2:20 (afternoon session)
Workshop: Application of System Safety Methods to Systems of Systems (Joyce, Debouk, Vergara) (3 hrs)
Workshop: Advancing Safety By Reducing Errors: A Fresh Approach (Autrey) (3 hrs)
Tutorial: Improving Safety Management by Using a Risk Management Policy in Your Daily Operations (Fitzgerald) (3 hrs)
Committee & Group Meetings (continued)
2:30 - 3:20
4:00 - 4:50

Schedule: Wednesday, 14 August

4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Rooms: Arlington, Berkeley, Clarendon, Dartmouth

Human Factors (Robins)
8:00 - 8:50: ASL - Affective Safety Leadership (Ramsing)
9:00 - 9:50: Exxon Valdez: Human Error, Plain and Simple (Barondes)
10:30 - 11:20: Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems (Vernacchia, Green, Llaneras)

Public Safety (Fletcher)
8:00 - 8:50: The Study on the Accident Causation Rule of Macroscopic Accidents in China (Zeng, Luo, Tian)
9:00 - 9:50: Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity (Zheleznov)
10:30 - 11:20: Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation (Smirnov, Yurkov, Syagin, Koshina)

Lifecycle Safety (Swallom)
8:00 - 8:50: Maintenance Hazard Analysis (Tan)
9:00 - 9:50: Development of a System Safety Case for Automotive Electric/Electronic Systems (Sundaram, Hartfelder)
10:30 - 11:20: Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes (Laabs, Allison, Russell)

International Luncheon, Salons A-E. Guest Speaker: Dr. John McDermid, The University of York, UK. Menu: Asian Inspired Salad; Teriyaki Chicken, Coconut Rice, Seared Bok Choy; Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

1:30 - 2:20: Workshop: The Evolution of the UK Defence Safety Standards (McDermid)

Safety Topics (Gauthier)
1:30 - 2:20: Introducing Safety Assurance Influenced Design of Health IT Systems (Despotou, Luckcuck, Kelly, Jones)

Risk Assessment (Karedes)
1:30 - 2:20: Quantitative Risk Assessment in Aviation Safety Risk Management (Hewitt, Pham)

1:30 - 2:20: Tutorial: Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System (Behnke, Damstra, Villhauer) (2 hrs)

2:30 - 3:20: How Complex Systems Fail - I: Decomposition of the Failure Histogram (Zito)
4:00 - 4:50
6:00 - 10:00: Wolfgang Puck Dinner and Lightning Show at the Museum of Science

Rooms: Exeter, Fairfield, Suffolk, Wellesley

Human Factors II (Flint)
8:00 - 8:50: Development of Education Program Integrating Flight Safety and Psychological Stress (Liu, Wang, Liu, Bai, Guo)
9:00 - 9:50: Research on Evaluation Index and Method of CRM Dynamic Training (Wang, Liu, Bai, Liu, Guo, Guo)
10:30 - 11:20: Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events (Garvey, Joglar, Collins)

8:00 - 8:50 (morning session)
Tutorial: Why You Should Care About the "-Ilities" (Southwick) (3 hrs)
G-48 Meeting (West) (6 hrs)
Committee & Group Meetings

1:30 - 2:20 (afternoon session)
Tutorial: Where Hard Meets SOFT: Human Factors Role In System Safety Engineering (Brisbois) (2 hrs)
Workshop: Aircraft Fire & Explosion - How Safe are the Friendly Skies? (Moussa)
G-48 Meeting (continued)
Tutorial: Using Risk Profiles for Safety Management of Large Scale Operations (Fitzgerald) (3 hrs)
2:30 - 3:20
4:00 - 4:50

Schedule: Thursday, 15 August

4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Rooms: Berkeley, Clarendon, Dartmouth

Space Systems (Durmaz)
8:00 - 8:50: Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy (Dang, Moran, Jackson)
9:00 - 9:50: Tailoring of MIL-STD-882E for Space Systems Acquisitions (McDougall, Jackson)
10:30 - 11:20: Cryogenic Safety for Space Launch Vehicles During Ground Operations (Iyengar)

Weapons Safety (Southwick)
8:00 - 8:50: Security Critical Software - the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age (Alborzi)
9:00 - 9:50: Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics (Adams, Tomasello)
10:30 - 11:20: A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects (Pham, Sivapragasam)

Hazard Identification (Oliver)
8:00 - 8:50: Closing the Gaps in System Safety Coverage (Siow)
9:00 - 9:50: Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods (Myklebust)
10:30 - 11:20: Design With Safety Eye (Erdem, Aydin)

Awards Luncheon, Salons A-E. Menu: Caesar Salad; Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato Pesto Butter Sauce; White Chocolate and Blood Orange Torte

Aerospace Software (Beecher)
1:30 - 2:20: Making the Implicit Explicit: Towards an Assurance Case for DO-178C (Holloway)
2:30 - 3:20: Uncertainty and Confidence in Safety Logic (Graydon)
4:00 - 4:50: Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System (Yang, Xie, Yousefi)

Public Safety II (Laabs)
1:30 - 2:20: Integrating System Safety and Emergency Management (Hardy)
2:30 - 3:20: Safety in Deepwater Well Containment Operations (Robins)
4:00 - 4:50: A Taxonomic Analysis On Chinese Special Equipments "Yinhuan" in Supervision (Fan, Luo, Lu)

Hazard/Risk Management II (Kniess)
1:30 - 2:20: Towards Automatic Verification of Safety Properties in AADL System Models (Björnander, Graydon, Land)
2:30 - 3:20: Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events (Allison, Jerdak)
4:00 - 4:50: Leading Indicators in Aviation Operations (Fletcher, Dokas)

Rooms: Exeter, Fairfield, Suffolk, Wellesley

8:00 - 8:50 (morning session)
Tutorial: Conceive of Modeling On Operation Mechanism of Public Safety Standardization (Luo, Huang) (6 hrs)
Panel: G-48 Pressing Issues Facing System Safety (West) (3 hrs)
Committee & Group Meetings
9:00 - 9:50
10:30 - 11:20

1:30 - 2:20 (afternoon session)
Tutorial (continued)
Committee & Group Meetings (continued)
2:30 - 3:20
4:00 - 4:50

Friday, 16 August

Simmons Room, 6:30 - 8:00: Speakers' Breakfast

Rooms: Clarendon, Dartmouth, Regis

8:00 - 8:50: Workshop: Process Safety Culture Best Practices (Pearlman) (2 hrs); Best Paper 1; Lessons Learned & ISSC Staff Turn-over Meeting
8:50 - 9:30: Best Paper 2
10:00 - 10:40
10:50 - 11:30

3 2 1 SAFETY

System safety is paramount. It impacts our products, employees, technicians and maintenance personnel. And safety is no accident - it is designed into everything we do. We are proud to sponsor this year's International System Safety Conference and their mission to think outside the box when it comes to the best processes, methods and techniques. We're committed to delivering innovative ideas and solutions that help connect, protect and explore our universe.

www.lockheedmartin.com/ssc

© 2012 Lockheed Martin Corporation

tUtOrialsThe conference organizers have an information-packed tutorial program planned in conjunction with the 31st ISSC Attending tutorials as well as other elements of the Technical Program at the 31st ISSC meets the requirements for Continuance of Certification credit through the Board of Certified Safety Professionals (BCSP) The University of Cincinnati will issue Continuing Education Units (CEUs) for participation in the conference tutorials CEUs are issued on the basis of 01 CEU per instructional contact hour You must be present for at least 90 of the tutorial to receive CEUs and a tutorial completion certificate Your attendance is verified via the process outlined below

At the start of the tutorial yoursquoll clearly print your name in the attendance form exactly as you want it bull to appear on the certificate After returning from each break during the tutorial (morning lunch andor afternoon) yoursquoll initial bull the attendance form You must be present at the end of the tutorial to receive your certificate and the CEUs bull

If there are misspellings on the CEU certificates please mark the corrections give back to the instructor or leave at the registration desk

Monday 08middot12middot13 800-1130 ExEtEr tutorial 03 CEu

Hands-On System Safety Basics Focused on FHAInstructors Werner Winkelbauer Gabriele Schedl Safety Management Department Frequentis AG Vienna 1100 AustriaAn overview of a generic safety process best suited for small to medium sized projects in relation to the project lifecycle is given For each major project phase the respective safety process phase safety objectives necessary in- and outputs are detailed Some state-of-the-art analysis techniques are explained Special emphasis is placed on the Functional Hazard Assessment where a practical guidance for a Functional Failure Modes and Effects Analysis is presented

The content of this tutorial is based on experience from an international working company

Objective Basic understanding of a safety process and the practical implementation of a Functional Failure Modes and Effects Analysis

Monday 08middot12middot13 800-1130 FairFiEld tutorial 03 CEu

Introduction to Fault Tree Analysis Using CAFTA SoftwareInstructors Jean Francois Roy Nuclear DivisionRisk amp Safety Management Group Electric Power Research Institute Palo Alto CA USAThis tutorial will introduce Fault Tree Analysis using CAFTA Software Attendees will be first reviewing fault tree methodology and terminology Construction of a fault tree model in CAFTA will then follow a brief review of CAFTArsquos components and symbol types In constructing the Fault Tree model topics covered will include projects navigation editing shortcuts and how to add probabilities An overview of basic event probability formulas type codes and variables will be included as well as printing and quantification processes

Tuesday 08·13·13 | 8:00-5:00 | Arlington | Tutorial | 0.6 CEU

A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique
Instructors: Nancy G. Leveson, PhD, John Thomas, PhD, Aeronautics and Astronautics, MIT (Massachusetts Institute of Technology), Cambridge, MA, USA
STAMP is a new accident causality model that expands on the old models in order to handle the increased complexity, software, and changing human roles in today's systems. Using STAMP as a foundation, new tools have been built for hazard analysis (STPA), accident analysis (CAST), organizational risk analysis and risk management, etc. This tutorial will concentrate on STPA. The tutorial will start with a brief introduction to STAMP and the systems approach to safety engineering. The rest of the time will be devoted to learning STPA and doing exercises. Students are encouraged to bring problems from their own research domains so that they can try this analysis method on something very relevant to their work.

STPA is being used successfully in nearly every industry. Several groups have evaluated STPA empirically by comparing the results with standard hazard analysis techniques. In all cases, STPA found all the hazard scenarios found by the other methods, but also found additional ones involving software, human errors, and unsafe interactions among system components. In a couple of cases where STPA and the other methods were applied to a design in which an accident had occurred (without telling the analysts), STPA was the only method that found the real accident scenario.

By the end of the tutorial, attendees will be able to apply STPA to a system in their field of expertise.

Tuesday 08·13·13 | 8:00-11:30 | Fairfield | Tutorial | 0.3 CEU

Assurance Cases as a Means of Evidence-Based Development of Critical Systems
Instructor: George Despotou, BEng, MSc, PhD, CEng, Department of Computer Science, University of York, York, United Kingdom
Often developers have the onus to defend a position (i.e., make a case) about the safety of their system. This usually involves an explanation of how the available information for a system supports the claim that risks in the system have been acceptably managed.

Safety cases have been used in the safety domain for a number of years, mostly in the defence, aerospace and energy domains. Their usefulness as a tool for improving safety has been appreciated by many practitioners, and development of a safety case is a requirement in many standards. This has resulted in the core concepts of safety cases being transferred to other domains (e.g., automotive) and focused on other system attributes (e.g., security cases). Recently the term assurance case has been introduced, which encompasses not only safety but other relevant critical aspects of a system, such as security.

A case exists to communicate an argument. It is used to demonstrate how someone can reasonably conclude that a system is acceptably safe from the evidence available. A case is a device for communicating ideas and information, usually to a third party (e.g., a regulator). In order to do this convincingly, it must be as clear as possible. Safety case definitions may differ between domains, but all definitions converge on a set of characteristics.

Development of a (safety) case is a requirement in many standards. However, the usefulness of the safety case has also been appreciated in industry, and it is used by many organisations as good practice. The reason for this is that explicitly capturing all reasoning and information about the supported position, such as assumptions and evidence, facilitates assessing the fitness of the design to meet its (safety) objectives. A manufacturer will design a system aiming to achieve the required operational attributes. However, what is intended is often not what is achieved. Once the reasoning of the developers is explicitly documented as claim and argument supported by evidence, the gap between what was intended and what was achieved becomes more apparent.

Explicitly documenting a case will contribute towards the factual representation of the system, revealing which claims can be supported by evidence and which remain intention (for example, because there is insufficient evidence to support them). This does not necessarily imply that the latter claims have not been implemented, but that we are unaware of their achievement, as they are not sufficiently supported. There can be three reasons why a claim is not sufficiently supported: a) there is not sufficient evidence to warrant the claim; b) although there is evidence, there is inadequate explanation (a problematic argument structure) of how the evidence supports the claim; and c) the claim was phrased in a way that is unsupportable.

Program ISSC 2013

The tutorial describes the basic concepts of assurance and safety cases (including recent OMG standards), explains the main challenges in developing an assurance case and their relationship to safety standards (safety cases and standards serve different purposes and should be seen as complementary), and presents best practice (and misconceptions) regarding assurance cases.

Tuesday 08·13·13 | 8:00-11:30 | Suffolk | Tutorial | 0.3 CEU

Practical Generation of Safety Cases with the Help of GSN
Instructors: Andreas Gerstinger, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria
This tutorial will introduce you to the concept of safety cases. Safety cases are structured arguments that support the claim that a system is safe to be used for a given application in a given environment. Several standards require the production of such safety cases as a prerequisite for approval. The tutorial will highlight good and bad practices when developing safety cases and will introduce you to a notation specifically developed for the generation of safety cases: the Goal Structuring Notation (GSN). There will be practical examples which need to be solved by the attendees, so that hands-on practice and experience is gained.

Detailed outline of the tutorial:

Introduction (1h): The tutorial will start with a survey of current safety standards (IEC 61508, ISO 26262, EN 50128, DO-178C) and analyse their views and requirements regarding safety cases. We will then delve into the nature of safety cases, briefly touch on their historical origins, and clearly consider what can and what can't be expected from a safety case. Based on our practical experience, we will also highlight some typical bad practices when constructing safety cases. This helps to read them correctly and critically, and is also a helpful guideline for reviewing other safety documentation. This part of the tutorial is largely a presentation.

Goal Structuring Notation (45 min): We will now introduce the main elements of the Goal Structuring Notation (GSN), which is a helpful tool for documenting safety cases. The presentation of the notation will be interleaved with brief examples, exercises and questions, so that attendees have the chance to fully understand the meaning and purpose of the various symbols. A structured method for how to proceed when drafting safety cases will also be presented. Hence this part of the tutorial is much more interactive, requiring active participation of attendees.

Case Study (45 min): A realistic case study will then be handed out. It is expected to be solved as group work (groups of 3-5 people are expected). The task of the groups will be to draft and present a sound safety argument for a given claim that the system in the case study is acceptably safe for a specific application in a given environment. GSN shall be used as the notation for this purpose. At the end, the groups present their solutions, and the advantages/disadvantages of the presented solutions are discussed. This part of the tutorial is group work.

Concluding Remarks (30 min): Finally, we will offer some concluding remarks consisting of hints on how to avoid common errors and fallacies in safety cases, show some examples of real-world safety cases, and finish with a personal conclusion.

Tuesday 08·13·13 | 1:30-5:00 | Suffolk | Tutorial | 0.3 CEU

Improving Safety Management by Using a Risk Management Policy in Your Daily Operations
Instructor: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA
The focus of the tutorial is the use of risk assessment and risk management in the (non-technical) occupational safety and health profession. Domain of Interest: Hazard/Risk Management or Workplace Safety.

First hour: Review the basics of the various components of risk and types of risk assessments. Stress that the safety and health professional needs to understand that risk is more than a simple subjective measure of severity and frequency.

Second hour: Demonstrate how to make risk assessment into a powerful management tool by customizing the assessment of risk for use in a company or industry. Also provide insights on how to "sell" a risk management policy/program within a company.

Third hour: A discussion of how to use risk management as a tool to aid you in your daily office or program management responsibilities: the planning, organizing, staffing, leading and controlling of a safety program. Embedded in the discussion is how risk can provide a measure of the success of an occupational safety and health program.

Wednesday 08·14·13 | 8:00-11:30 | Fairfield | Tutorial | 0.3 CEU

Why You Should Care About the "-Ilities"
Instructor: Alan E. Southwick, BSEE, MME, MBA, CSP, CQE, CRE, Whole Life Engineering Directorate, Raytheon Company, Integrated Defense Systems, Portsmouth, RI, USA
The topic addresses the interrelationships developed from Quality, Quality Control and Quality Engineering, pursuing Specialty Engineering roles and relationships including Reliability, Maintainability, Supportability, Human Factors, Safety and Security (Information Assurance), from an overview perspective. The tutorial is designed to be somewhat interactive, presenting examples and questions to the audience related to the various topics discussed, thereby engaging participants and providing them with insights into the various disciplines and how they relate within "Specialty Engineering".

Wednesday 08·14·13 | 1:30-3:30 | Dartmouth | Tutorial | 0.2 CEU

Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System
Instructors: Tim R. Behnke, BSEE, John Damstra, BS Mathematical Sciences, and Eric D. Villhauer, BS Aerospace Eng., BA Economics, Specialty Engineering, General Atomics Aeronautical, Poway, CA, USA
The presenters share their implementation of a hazard analysis that integrates the civil aviation approach to safety analysis per SAE ARP 4761 and the defense approach to safety analysis per MIL-STD-882E, along with their implementation of the associated hazard tracking system in DOORS.

• Introductions - Behnke - 5 mins
• Need for System - Behnke - 5 mins
• Groundwork (historical) - Behnke - 10 mins
• Development - Damstra - 30 mins
  i. Modules
  ii. Attributes
  iii. DXLs
  iv. Views
  v. Exports
• Usage - Villhauer - 30 mins
• Questions - All - 10 mins


Wednesday 08·14·13 | 1:30-3:30 | Exeter | Tutorial | 0.2 CEU

Where Hard Meets SOFT: Human Factors' Role in System Safety Engineering
Instructor: Fred W. Brisbois, CHCM, Safety, Sikorsky Aircraft, International Helicopter Safety Team, Guilford, CT, USA
The gap that allows accidents to happen is sometimes where System Safety Engineering and Human Factors don't overlap. System Safety Engineering processes defined in MIL-STD-882 and ARP 4761 provide a structured approach to applying engineering practices to ensure safety is designed into products. These practices, coupled with robust product safety surveillance and management during the aircraft's service life, offer opportunities to continuously raise the standards for future designs. However, to maximize the benefits of safety engineering, it is important to master the 'art' of how and when to integrate human factors interventions into the system design. This session will cover a generic overview of system safety engineering, aircraft fleet safety management, and lessons learned from 'human' malfunctions that led to aircraft system design changes.

Wednesday 08·14·13 | 1:30-5:00 | Wellesley | Tutorial | 0.3 CEU

Using Risk Profiles for Safety Management of Large Scale Operations
Instructor: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA
This tutorial provides safety and health professionals who work with large scale or multiple operations with a methodology to evaluate and compare these operations. The tutorial begins with a review of four types of risk which need to be assessed (People, Product, Production and Planet). This is followed by a brief discussion of normalizing the risk components of severity and probability. The heart of the tutorial is the description of how to measure the total risk of various operations, processes and facilities, and how to present the resulting risk profiles to management. The tutorial will conclude with a brief discussion on the validity of the methodology used. Note: This is not a discussion on how to determine true total risk, but a simplified method using a minimum of math. The tutorial is designed for safety and health professionals working within a company that has multiple processes or facilities that compete for funding to ameliorate hazards.

Thursday 08·15·13 | 8:00-5:00 | Exeter | Tutorial | 0.6 CEU

Conceive of Modeling on the Operation Mechanism of Public Safety Standardization
Instructors: Yun Luo and Yuecheng Huang, ME, School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
On the basis of the theories and methods of system science and strategy systems, this paper reveals the operating laws of safety production standardization and the relations between all its elements, combined with the background and current situation of public safety standardization in China. It also builds a frame for the macroscopic operating mechanism and the "456" model of the work safety standardization system operation mechanism, which draws on the execution and achievements of work safety standardization in our country. In addition, it designs six other mechanism models in order to systematically analyze and present optimized countermeasures, such as comprehensive management by government, categorized supervision by department, implementation of responsibility by organization, technological service by agency, wide participation by society, self-disciplined prodding by all personnel, and so on. The research provides theoretical direction as well as approaches for constructing and improving the operation quality of public safety standardization.


PANEL DISCUSSIONS / FORUMS

Tuesday 08·13·13 | 8:00-11:30 | Dartmouth | Open Forum

Developing Global System Safety Perspectives
Moderator: Robert Ward Fletcher, PEng, MSc, PMP, PCIP, Consultant, President, Robert Fletcher System Safety Inc., Ottawa, Ontario, Canada
This will be a free-form discussion moderated by Bob Fletcher, SSS Director of International Development. It is a continuation of the discussion started during the 30th ISSC.

Robert is a system safety engineer with many years of experience. He has performed system safety consultancy services for several clients around the world. He has performed system safety engineering and safety management systems training, auditing and analysis for air traffic control and flight service system applications. Robert has received an MSc from the United States Navy Post Graduate School, a diploma from the Aerospace Systems School, Winnipeg, Manitoba, and a Bachelor of Science degree from the Royal Military College. He is a registered professional engineer and a member of the Project Management Institute and the Critical Infrastructure Institute.

Thursday 08·15·13 | 8:00-11:30 | Suffolk | Panel

G-48 Workshop - Pressing Issues Facing System Safety
Moderator: David B. West, CSP, PE, CHMM, Systems, Software and Solutions Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
A panel of speakers (TBD) will give a series of presentations on the most pressing issues facing the System Safety community today.

WORKSHOPS

Tuesday 08·13·13 | 8:00-11:30 | Exeter | Workshop

ISO 26262-Style Risk Assessment
Presenter: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada
ISO 26262 is a functional safety standard for electronic control systems in road vehicles which includes a novel approach to risk assessment that overcomes the widely recognized difficulty of evaluating the likelihood of failure in the case of software-intensive systems. Although it was devised for use in the automotive domain, this approach to risk assessment has been used successfully in other technical domains that also rely on safety-critical software. Following a brief introduction to ISO 26262, participants will engage in a series of problem-solving small-group exercises based on examples taken from a variety of technical domains, including automotive, medical devices, energy and defense. The workshop will include opportunities for discussion and comparison of sample solutions. The workshop will also include a brief comparison of the ISO 26262 approach to risk assessment with the notion of software criticality in MIL-STD-882E. While this workshop will be of particular interest to system safety engineers in the automotive industry, it is intended to be relevant to system safety engineers across all technical domains with an interest in the assessment of safety risk associated with complex software-intensive systems.


Tuesday 08·13·13 | 1:30-5:00 | Exeter | Workshop

Application of System Safety Methods to Systems of Systems
Presenters: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada; Rami Debouk, Electrical and Controls Integration Lab, General Motors, Warren, MI, USA; Antonio Vergara, ITER Organization, St Paul-lez-Durance, France
This workshop will facilitate an exchange of knowledge among participants about the application of system safety methods to Systems of Systems (SoS), that is, systems whose components are themselves complex systems, such that the combined behavior of these components cannot be easily understood or explained in terms of the behaviors of the individual components. Examples of such systems are increasingly common across a variety of technological domains, including aerospace, defense, automotive, and energy generation/distribution. Traditional methods of system safety, focused on component failure as a source of safety risk, have limited value in understanding and managing the safety risks associated with a SoS. For example, an unforeseen interaction between two "correct" behaviors implemented by different components of a SoS may result in an unsafe behavior even in the absence of a component failure. The first part of the workshop will be a series of short presentations on SoS examples from a diverse variety of technical domains, namely advanced road vehicles, high energy physics, and aerospace/defense. The second part of the workshop will be an opportunity for all participants to address specific questions about the application of system safety methods to SoS through dialogue and impromptu mini-presentations.

Tuesday 08·13·13 | 1:30-5:00 | Fairfield | Workshop

Advancing Safety By Reducing Errors: A Fresh Approach
Presenter: Tim Autrey, BSc, Error Reduction and Human Performance Enhancement, Practicing Perfection Institute Inc., Swanzey, NH, USA
Potential hazards workers face while working in the refining and petrochemical industry can vary from minor leakage to major blasts: release of chemical vapors, spills leading to exposure to harmful gaseous chemicals, fires and explosions, and smoke build-up causing shelter-in-place impacting the local community, personal injuries, fatalities, and plant damage resulting in shutdowns. Considering time pressures, the dangerous nature of the job, weather conditions, lack of communication, poor/inadequate documentation and remote working locations, planners, locators and refiners often face combined challenges that generate very error-likely conditions.

While unexpected releases of toxic substances do occur, the industry is subject to vulnerabilities caused by others (such as processes involving highly hazardous chemicals leading to the release of flammable liquids and gases, and worker stress and fatigue), and investigations reveal that many of the major accidents that do occur could have been prevented through greater diligence on behalf of the respective personnel involved.

This workshop is designed to provide the participants with the awareness that, as humans, we are fallible (even the best people make mistakes). However, this being said, as humans we also possess the incredible power of choice. What we must do is choose to learn from our mistakes and take actions to prevent their recurrence.

Bird and Germain (1996) rightly said: "What is the sense of measuring if the loss must occur before you can act? That is reaction, not control." What we need is a fresh approach to enhance safe work practices. This session will instill a strong understanding of "The Gap" in processing information and how to RESPOND rather than REACT when posed with a stressful or threatening situation. The participants will come to recognize the value inherent in worker contribution to solving problems and improving safety and efficiency.

The Practicing Perfection® approach has taken the best-of-the-best tactics and tools from the US commercial nuclear power and airline industries, simplified them, and combined them with the underlying triggers and influencers of behavioral psychology to transform worker behaviors pertaining to personal and process safety in different sectors.


Using this innovative approach of Practicing Perfection®, safe work practices will be discussed in depth using the four human error barrier/defense categories and how these work together to prevent/allow an event to occur. The participants will be introduced to the Error Elimination Tools™ handbook, which offers simple tools for minimizing the potential for error at points of team interaction and individual execution.

Wednesday 08·14·13 | 1:30-3:30 | Arlington | Workshop

The Evolution of the UK Defence Safety Standards
Presenter: John McDermid, Professor of Software Engineering at the University of York, UK
Issue 5 of DS 00-56 is being developed and is likely to be in force before the end of the year. The UK's primary defence safety standard, DS 00-56, has been in existence since mid-1990 and has undergone a number of changes, becoming more goal oriented at Issue 4 (the current standard). When Issue 4 was produced, DS 00-55, the MoD software safety standard, was discontinued. Since the publication of DS 00-56 Issue 4 in 2007, there has been feedback on some of the requirements, including the challenges of applying the ALARP principle; defence contracting has changed, with a move towards the greater procurement of services and/or outsourcing management of facilities; and there is increasing use of Systems of Systems (SoS). Issue 5 of DS 00-56 is being developed to address these issues. At the same time, there have been increasing concerns regarding software safety, and it has been decided to re-introduce DS 00-55 at the same time, albeit in a goal-based style consistent with DS 00-56 and also covering complex electronics. The tutorial will present an explanation of the motivation for the changes to the standards and the significant conceptual changes, and outline the rest of the development process. Time will be allowed for discussion, e.g., the relationship between DS 00-56 and other standards, both civil and military.

Wednesday 08·14·13 | 1:30-3:30 | Fairfield | Workshop

Aircraft Fire & Explosion – How Safe Are the Friendly Skies?
Presenter: Albert Moussa, PhD, PE
While commercial air travel is an extremely safe mode of transportation, aircraft fires and explosions can occasionally occur with catastrophic consequences. Using examples of recent accidents and full-scale testing, Dr. Albert Moussa will provide an overview of the main types of fires, such as those involving aircraft engine, fuel tank, cabin and cargo areas. He will show how major accidents lead to safety recommendations by the NTSB, stricter requirements by the FAA, and improved practices by the industry. This process takes many years, leading eventually to safer skies. Examples of safety improvements include the use of a fire blocking layer in seats, improved acoustic insulation, fire detection and suppression systems in cargo bays, and fuel tank inerting. The implications of replacing aluminum with composite materials will also be discussed. The talk is an overview of a unique professional course that he teaches annually on the design of aircraft systems for protection against fire and explosion. The talk is a multi-media presentation illustrated with colorful slides and short video clips of real accidents and computer model outputs.

Dr. Albert Moussa has spent over forty years developing a fundamental understanding of fire and explosion, particularly for the aerospace/defense industry. His work has led to the development of a number of practical solutions and quantitative models, and to the investigation of several major national and international aircraft fire accidents. His forewarning about the vulnerability of aircraft fuel systems before the occurrence of the TWA800 and Concorde disasters has gained him prominence in the general media in both the US and Europe. He has consulted for the Air Force, Navy, and major firms such as Boeing, GE, Northrop Grumman and Parker Hannifin, and has served on national advisory committees and on the Editorial Board of an ASME Journal. He teaches a unique professional design course on how to protect aircraft systems against fire and explosion. He received his BS from Stanford University and his MS and ScD from MIT. He has published widely, including one book. He has received several honors, including the William Littlewood Memorial Lecture Award by SAE/AIAA, Engineer of the Year by AIAA NE Section, best papers by SAE and ASEI, AIAA Distinguished Lecturer, and several ASME citations. He is the Founder and Technical Director of BlazeTech Corp., an engineering firm that specializes in technology and software development in the areas of energy, environment and safety.

Friday 08·16·13 | 8:00-10:00 | Clarendon | Workshop

Process Safety Culture Best Practices
Presenter: Laurence Pearlman, MA, Corven Inc. and University of Illinois at Urbana-Champaign, Naperville, IL, USA
The workshop explores how process safety is more than a technical solution and involves cultural change. To make a successful and sustainable culture change, multiple elements need to be combined that address people, rewards, learning and leadership. This workshop will explore best practices and give practical advice on how to build a process safety culture. The workshop is aimed at Oil, Chemical and other process related work.

• Introduction
• Change as a Journey: Overview of Change Management
• Building a Business Case: Defining a Burning Platform
• Speaking of Process Safety: Creating a Common Language for Process Safety
• Leadership Matters: Defining the Role of Your Leadership Teams
• Effective Learning: Segmenting Your Audiences and Delivering Relevant Learning Activities
• Looking at Behaviors and Desired Outcomes: How To Define & Drive Behaviors
• The Employee Lens: Know My Barriers & Know My Role in Keeping Them Healthy
• Measurement of Culture: What Works and What Doesn't
• Wrapping it Up: Change as a System

[Advertisement: AST Aerospace, a division of Atlantic Software Technologies]
You have a lot on the line. Our adaptive Safety Management and FAA Compliance solutions won't let you down.
Adaptive SMS: The comprehensive solution for the most efficient implementation. Extends a culture of safety beyond safety teams; easily guides users to confidentially report useful safety events; responsiveness shows users they made a difference.
Adaptive Systems Safety Analysis: Safety oriented system design analysis.
Don't miss the Sikorsky Aircraft and AST Aerospace presentation "Linear Integrated Safety Analysis (LISA)".
1-732-230-2590 | sales@astaerospace.com | www.astaerospace.com

PAPER PRESENTATIONS

Monday 08·12·13 | AM | Berkeley | Hazard Analysis | Chair: Barondes

Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models
Authors: Lucas Wind, Dr. Gabriele Schedl, Juergen Floetzer, Safety Management Department, Frequentis AG, 1100 Vienna, Austria
Multiple failures of components due to shared causes, also known as Common Cause Failures (CCF), comprise an important class of failure types. These have to be taken into account in any serious assessment of safety critical systems deploying any redundancy concept. Whereas a qualitative assessment of CCF can be regarded as common practice, the exact numerical impact of CCF is usually less widely understood. Explicit representation of CCF is quite cumbersome and usually involves complex graphical representations within Fault Trees and RBDs. Focusing on a correct derivation of RAM data rather than on a comprehensive common cause analysis, an implicit representation of CCF is therefore often preferred, but it requires in-depth knowledge of the underlying mathematical models. This paper aims to enable safety experts to make a fast, simple but effective RAM analysis including CCF. Popular CCF models are reviewed together with their advantages and disadvantages, based on the long-term experience of a supplier in the context of a large European ATM project. The single-parameter beta-factor model is explained in detail and demonstrated to be most effective for typical ATM applications. Based on this model, results are given in terms of representative figures depicting the influence of CCF on various typical real-world availability requirements.

Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees
Author: Wes Rainey, MSEE, Life Cycle Engineering, General Dynamics Electric Boat, Groton, CT, USA
Fault Trees prove to be an effective tool for identifying safety critical system hardware and software requirements during the Safety Requirements Hazard Analysis (SRHA) process. This safety analysis methodology offers significant benefits when performing the SRHA. Fault Trees effectively communicate the safety assessment of a safety hazard to other safety engineers, systems engineers, the customer, and other impacted engineering disciplines in a manner that each discipline can readily understand and evaluate for completeness and correctness. Fault Trees also enhance the safety engineer's ability to assess the implications of safety mishaps and events on safety hazards, improving visibility into the relationship between related mishaps and events and allowing common events to be identified and shared between hazards. Fault Trees can then be structured to correspond to the system hardware and software requirements analysis, thus providing the ability to identify hazard-mitigating safety critical requirements, design features and procedures early in the development process for continued tracking and management. This paper describes significant benefits of Fault Tree analysis when applied to an SRHA, with an example based upon a hazard caused by significant equipment damage to a pump.

The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment
Authors: Omar T. Jaradat, PhD Student (1); Patrick J. Graydon, Postdoctoral Research Fellow (1); Iain Bate (2). (1) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden; (2) Department of Computer Science, University of York, York, United Kingdom
Typical safety standards require software engineers to show that a plan of safety activities—chosen from recommended options or alternatives—meets a set of objectives. For example, the automotive safety standard ISO 26262 recommends formally verifying software architectures to show that they comply with safety requirements. In this paper, we show how an existing approach to architectural model checking could be used to conform to ISO 26262.

The Architecture-Based Verification Technique for AADL Specifications verifies some completeness and consistency properties of Architecture Analysis and Design Language (AADL) models. An engineer transforms the AADL architecture into an UPPAAL model, generates a set of UPPAAL queries, and uses UPPAAL to check the queries. Using the resulting evidence, we have created a partial ISO 26262 safety case for an existing system that warns drivers of heavy vehicles before low fuel causes loss of power and vehicle control.

In this paper we demonstrate how this model-checking evidence contributes to an ISO 26262 safety case. We then critically analyze the resulting argument, recommend means of achieving complete coverage of ISO 26262 objectives, and discuss the costs and benefits of architectural model checking in comparison to those of the other techniques recommended by ISO 26262.

Monday 08·12·13 AM, Clarendon: Ground Transportation (Chair: Millin)

Achieving Confidence of a Safety Critical System Product and Its Applications
Fenggang Shi, PhD, RAMS Department, Thales Canada Transportation Solutions, Toronto, ON, Canada

A safety-critical system product can be developed for multiple project applications, such as a Communication Based Train Control (CBTC) product for modern railway signaling systems. It is natural that different safety-critical systems in the same domain have different characteristics, owing to variations in devices and operating environment. Such a product must be developed from the generic attributes of systems in the domain, and must be parameterizable and tailorable to a specific system with the characteristics expected by the customer. The key issues in developing such a product are defining the common functions of the application domain, categorizing and generalizing devices, and designing a configurable system architecture, so that devices and functions can be parameterized and tailored to the specific system of a project. Safety engineering for such a product and its applications faces complexity in safety case development when demonstrating systematic hazard analysis and management. This paper discusses Thales' experience and practice in resolving these key design issues and in managing the complexity of safety engineering for its CBTC product and applications. Safety confidence in CBTC systems is achieved through four layers of safety engineering: vital computer, controller platform, generic application and specific application.

Failure Logic Automata for Future Oriented Safety Assessment of Train Control System
Guo Zhou, PhD Student; Huibing Zhao, Professor; School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China

During the development of a train control system, safety analysis can diverge from system design. System engineers and safety engineers carry out their work in entirely different ways, so that when the system engineers assert that their design is complete and feasible, the safety engineers may declare that the safety requirements are not met; conversely, when the safety engineers present their manual analysis reports (FTA, FMECA, etc.), the system engineers may point out inconsistencies. Intuitively, there is a "gap" between system engineering and safety engineering. In this paper, classic safety assessment methods are first compared. A future-oriented safety assessment method is then introduced to safety engineering so that safety requirements can be verified automatically despite the soaring complexity of system designs. A hierarchical and modularized failure logic modeling methodology is illustrated for minimal cut set synthesis and dangerous failure rate calculation, which can be used to improve safety. A mathematical model is constructed to demonstrate the correctness of the method, and an instance analysis of an on-board train protection system is also performed.
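Both the Rainey abstract above (fault trees used to expose hazard-mitigating requirements and the basic events shared between hazards) and the Zhou and Zhao abstract (minimal cut set synthesis and dangerous failure rate calculation from failure logic models) rest on the same small amount of machinery. The Python below is an added worked example, not code from either paper or from the ISSC program: it extracts the minimal cut sets of an AND/OR fault tree, finds the basic events common to two hazards, and compares the rare-event approximation of the top-event probability with the exact inclusion-exclusion value, cross-checked by brute-force enumeration. The pump hazards, the event names, the failure rates and the mission time are all constructed for illustration, and the function names are the example's own.

```python
"""Minimal cut sets, shared events and top-event probability for small
AND/OR fault trees.  Added example, not code from any ISSC 2013 paper;
the pump hazards and all numbers below are constructed for illustration."""
from __future__ import annotations

import math
from itertools import combinations, product

# A tree node is either a basic-event name (str) or a gate:
#   ("AND", [child, ...])  or  ("OR", [child, ...])


def minimal_cut_sets(node) -> set[frozenset[str]]:
    """Bottom-up expansion: an OR gate unions its children's cut sets, an
    AND gate takes their cross product; absorption keeps only minimal sets."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [minimal_cut_sets(c) for c in children]
    if gate == "OR":
        cuts = set().union(*child_sets)
    elif gate == "AND":
        cuts = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    # Absorption: drop any cut set that strictly contains another one.
    return {c for c in cuts if not any(other < c for other in cuts)}


def basic_events(cuts: set[frozenset[str]]) -> set[str]:
    return set().union(*cuts)


def shared_events(cuts_a, cuts_b) -> set[str]:
    """Basic events appearing in cut sets of both hazards: candidates for a
    single shared mitigation, and for common-cause scrutiny."""
    return basic_events(cuts_a) & basic_events(cuts_b)


def unavailability(failure_rate_per_hour: float, mission_hours: float) -> float:
    """Probability that a non-repaired component has failed by the end of the
    mission, assuming a constant failure rate (exponential time to failure)."""
    return 1.0 - math.exp(-failure_rate_per_hour * mission_hours)


def rare_event_probability(cuts, q: dict[str, float]) -> float:
    """Sum of cut-set products: an upper bound, close only when all q are small."""
    return sum(math.prod(q[e] for e in c) for c in cuts)


def exact_probability(cuts, q: dict[str, float]) -> float:
    """Inclusion-exclusion over the minimal cut sets (independent basic events)."""
    cuts = list(cuts)
    total = 0.0
    for r in range(1, len(cuts) + 1):
        for combo in combinations(cuts, r):
            p = math.prod(q[e] for e in frozenset().union(*combo))
            total += p if r % 2 else -p
    return total


def evaluate(node, failed: set[str]) -> bool:
    """Does the top event occur for this set of failed basic events?"""
    if isinstance(node, str):
        return node in failed
    gate, children = node
    results = (evaluate(c, failed) for c in children)
    return all(results) if gate == "AND" else any(results)


def probability_by_enumeration(node, q: dict[str, float]) -> float:
    """Brute-force reference over all 2^n basic-event states; used only to
    cross-check exact_probability on small trees."""
    events = sorted(q)
    total = 0.0
    for states in product([False, True], repeat=len(events)):
        failed = {e for e, s in zip(events, states) if s}
        if evaluate(node, failed):
            total += math.prod(q[e] if s else 1 - q[e] for e, s in zip(events, states))
    return total


# Constructed pump hazards (illustrative, not taken from any paper).
PUMP_OVERPRESSURE = ("AND", [
    ("OR", ["relief_valve_stuck", "relief_line_blocked"]),          # relief path lost
    ("OR", ["pressure_sensor_fails_low", "controller_sw_fault",      # control lost
            ("AND", ["alarm_fails", "operator_misses_alarm"])]),
])
PUMP_RUNS_DRY = ("AND", [
    ("OR", ["level_sensor_fails_high", "controller_sw_fault"]),
    "operator_misses_alarm",
])

# Constructed per-mission unavailabilities for an assumed 1000 h mission.
Q = {
    "relief_valve_stuck": unavailability(2e-5, 1000),
    "relief_line_blocked": unavailability(1e-5, 1000),
    "pressure_sensor_fails_low": unavailability(5e-5, 1000),
    "controller_sw_fault": 1e-3,        # assumed probability of failure on demand
    "alarm_fails": unavailability(3e-5, 1000),
    "operator_misses_alarm": 0.1,       # assumed human error probability
    "level_sensor_fails_high": unavailability(5e-5, 1000),
}

if __name__ == "__main__":
    cuts = minimal_cut_sets(PUMP_OVERPRESSURE)
    for c in sorted(cuts, key=lambda s: (len(s), sorted(s))):
        print("cut set:", sorted(c))
    print("shared with runs-dry:", sorted(shared_events(cuts, minimal_cut_sets(PUMP_RUNS_DRY))))
    print(f"P(top): rare-event bound {rare_event_probability(cuts, Q):.3e}, "
          f"exact {exact_probability(cuts, Q):.3e}")
```

Running it lists the six cut sets of the overpressure hazard; the two events it shares with the runs-dry hazard (controller_sw_fault and operator_misses_alarm) are exactly where one mitigation pays off twice and where a common-cause treatment is needed. The rare-event sum is an upper bound that is only tight when every unavailability is small (the 0.1 human-error value here is deliberately not), while the inclusion-exclusion sum is exact for independent basic events but grows with 2 to the power of the number of cut sets, which is why production tools fall back on BDDs or truncated expansions.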

Are We Ready for Driverless Cars?
David B. West, CSP, PE, CHMM, AMCOM/AMRDEC Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA

For decades, technological advancements have continually improved the automobile, making it easier to drive. As we integrate features like adaptive cruise control, GPS navigation and lane keeping, and make them interoperable, we move ever closer to having cars that will drive themselves to the destinations we enter into their programs. Some experts have even predicted that in less than a generation it will be illegal to steer our cars ourselves. Though it may seem that serious safety challenges constrain our movement down this path, it may actually be the safety benefits offered by driverless cars that propel us in this direction. Several high-profile competitions have fostered the development of driverless car technology. Some jurisdictions are already passing legislation to pave the way for driverless cars on public roads. With driverless cars will come major changes in legal processes involving accidents. In many ways the development of driverless cars that will operate on public roadways parallels the development of unpiloted aircraft that will fly in the national airspace. Design standards for hardware and software in civil aircraft (e.g., RTCA DO-254/DO-178) may serve as models for similar qualification of driverless car hardware and software.

Tuesday 08·13·13 AM, Berkeley: Hazard/Risk Management (Chair: Parizo)

Safety is not an Option
Clifford A. Parizo, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Stratford, CT, USA; R. Brandon Daugherty, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Huntsville, AL, USA

This paper presents a method for evaluating and classifying rotorcraft safety-enhancing equipment in terms of its impact on safety and various equipment implementation factors. Guidance from certifying-agency policy and system safety standard practice was considered, resulting in a classification tool that can be used to determine whether equipment should be marketed and sold as mandatory or optional. The methodology developed may have applications for other products and industries.

National Aerospace Standard 411 Update
Timothy Sheehan, CIH, CSP, PE, Raytheon Global Substances Program, Raytheon, Portsmouth, RI, USA

This paper describes the effort to review and update National Aerospace Standard 411 ("NAS 411"), commonly used within defense as a framework for conducting Hazardous Material Management Programs (HMMP) intended to reduce hazardous material risks in the government procurement of military systems. The scope of the effort includes both a review of the standard and the introduction of several key changes, including expansion of its scope to non-military procurements and service contracts. The effort also includes the task of developing a standardized military Hazardous Materials Target List (HMTL) that can be used as a starting point for military HMMP hazardous material (HAZMAT) target lists. The common HMTL addresses the need for greater standardization of HMMP lists across defense programs that use NAS 411 and/or MIL-STD-882E Task 108 to conduct their HMMPs. There is currently no standard approach for developing these lists; as a result, numerous different materials are identified for restriction and reporting requirements, and the current situation often does not support (or reflect) the hazmat risk management goals of the DoD, the military services or the contractors.

Linear Integrated Safety Analyses (LISA)
Michael T. Grant, Aviation & Product Safety, Sikorsky Aircraft Corp., Stratford, CT, USA; Samad Muhammad, Atlantic Software Technologies Inc., New York, NY, USA

This paper describes the Linear Integrated Safety Analyses (LISA) process developed by the Sikorsky Aircraft Corporation (Sikorsky). The LISA architecture is designed to encompass all aspects of safety risk management for aircraft development programs. It is linear in that each assessment is repeated at the aircraft, system and subsystem levels in sequence, and integrated in that all analyses are connected and fully traceable to requirements. Sikorsky has partnered with Atlantic Software Technologies (AST) to develop a web-based LISA application. The end product will be a fully integrated system safety process that is comprehensive, repeatable and traceable.

Tuesday 08·13·13 AM, Clarendon: Workspace Safety (Chair: Kondreck)

Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen
Han Zhang, MSc Candidate; Rachel McQueen, MS, PhD; Jane Batcheller, PhD; Human Ecology, University of Alberta, Edmonton, Alberta, Canada

Burn injuries in kitchens are prevalent, and chefs are also exposed to high heat and humidity. Limited research has been performed on safety issues related to chef's uniforms regarding thermal protective performance against common kitchen thermal hazards (i.e., flames, hot liquids, steam and hot surfaces) and thermal comfort within commercial kitchens. The purpose of this research was to characterize the thermal protective performance properties of textiles used in chef's uniforms in order to understand how protective they are against these thermal hazards in such an environment. Selected thermal performance tests (i.e., flammability and ease of ignition, hot water and oil splash, steam testing under low pressure, and hot surface contact tests) were applied to predict the time to second-degree burn. Different fabric layer combinations (e.g., an impermeable/semipermeable apron and two or more layers of cotton fabric) were tested to determine the most effective way to wear chef's uniforms. In addition, thermal and water vapour resistance were compared among the different fabric systems in terms of thermal comfort. Based on the data obtained from bench-scale tests, recommendations were made to improve the thermal protection and thermal comfort of fabrics used in chef's uniforms and the safety of commercial kitchens.

A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources
Ray Fischer (1); Kurt Yankaskas, BS (2); Chris Page (1). (1) Noise Control Engineering Inc., Billerica, MA, USA; (2) Warfighter Performance Department, Office of Naval Research, Arlington, VA, USA

Noise remains the most prevalent occupational hazard associated with defense systems and with the operations critical to their sustainment. At the same time, acquisition programs have been inconsistent in applying control measures, and many new systems are noisier than their legacy predecessors. Common impediments to improved control include a relative lack of emphasis on risk management of noise, a lack of widespread technical knowledge regarding the feasibility of noise control, and misunderstanding of the potential return on investment from noise controls. The Defense Safety Oversight Council's Acquisition and Technology Task Force sponsored a project to identify common noise sources affecting multiple defense systems that were amenable to control measures implementable with existing technologies at an affordable cost. A systems engineering risk management process was applied to review key noise sources in the DOD, identify nine of the more common sources amenable to control technologies, and describe common control measures for these processes. An affordable containment (acoustic enclosure) technology was also evaluated and described. Estimates were made of exposed populations, the range of their occupational exposures, and the potential risk and fiscal cost of hearing loss. Cost-benefit analyses were applied to evaluate the return on investment from available control measures.

System Safety Design for Safe Operation of Radars
Ronald J. Bartos, PE, CSP, Whole Life Engineering, Raytheon, Sudbury, MA, USA

Safe operation and maintenance of radars depends upon effective system safety and software safety analyses of radar designs. These analyses include identification of the hazards involved in operating and maintaining radars and of the safety requirements necessary to mitigate them. This paper familiarizes the reader with the system safety design requirements implemented in the controls of these systems in order to manage the safety risks inherent in radars. The safety features of different types of radars are contrasted, the differences in their safety features are highlighted, and the factors behind these differences are presented. The radar's mission, location, system architecture, conceptual design and requirements allocation between hardware and software need to be understood in order to implement an effective safety program.

Tuesday 08·13·13 PM, Berkeley: Software Engineering (Chair: Mikula)

Dependability Techniques Applied to Space Software - A Research Project Report
Carlos Henrique Netto Lahoz, Dr. Eng., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos (SP), Brazil; Martha Adriana Dias Abdala, MS, Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos, Brazil

This work reports some results of a research project performed at the Institute of Aeronautics and Space (IAE), Brazil, using dependability techniques applied to space computer systems. Hazard analysis techniques such as Software FTA and Software FMECA were used in an integrated manner, and more recently System-Theoretic Process Analysis (STPA) has been studied. This research is part of the Verification and Validation (V&V) effort to increase software dependability capability in software projects at IAE.

The feasibility of the approach was evaluated on a system software specification and applied to a case study based on the Brazilian Launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to the inclusion of new functional and non-functional system software requirements.

The techniques are adjusted and used in combination to identify common causes of software failures, their criticality, performance problems, timing problems and hazards arising mainly from dysfunctional interactions between components. The SFTA produced 82 basic events and the SFMECA 34 analyses from the sequence of flight and control events. STPA is being applied to one of the case study scenarios in order to evaluate what additional information it yields about how the behavioural safety constraints can be violated.

The Principles of Software Safety Assurance
Richard Hawkins, PhD; Ibrahim Habli, PhD; Tim Kelly, PhD; Department of Computer Science, University of York, York, United Kingdom

We present common principles of software safety assurance that can be observed in software safety standards and best practice. These principles are constant across domains and across projects and can be regarded as the immutable core of any software safety justification. The principles also help maintain an understanding of the 'big picture' of software safety issues while examining and negotiating the detail of individual standards, and provide a reference model for cross-sector certification.


Formal Modelling in the Development of Dependable Systems
Elena Troubitsyna, PhD, IT, Åbo Akademi University, Turku, Finland

Nowadays we tend to place increasing reliance on computer-based systems and the software they run. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.

It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing software to the required degree of dependability infeasible, and hence the emphasis should be placed on a development process aimed at producing fault-free software. Moreover, the system environment has a direct impact on dependability, and hence a systems approach should be applied.

In the paper we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.

Tuesday 08·13·13 PM, Clarendon: Aerospace Safety (Chair: Kraemer)

Systems-Based Approach to Flight Safety Management in Airlines
Hong Chi, PhD; Baoguang Xu, PhD; Mingliang Qi, PhD; Xueyan Shao, PhD; Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China

Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of SMS. Since 2006 we have worked with one of China's three big airlines, taking part in its construction of SMS. We find that safety risks have their own features in different airline departments, and divide safety risks into two categories: those caused by factors such as the quality of pilots and the reliability of airplanes, and those caused by mis-processing in operational processes; for example, a mis-processing in data entry during dispatching may lead to insufficient fuel and then to serious outcomes. A reasonable risk assessment can be obtained only by systematic mechanism analysis, and analytical approaches other than the risk matrix need to be studied. On this basis, effective risk mitigation can be implemented in airlines. We develop a closed loop to support airline flight safety management, named "Describing-Assessing-Diagnosing-Improving-Tracking". Specific details are discussed in this paper.

Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch
Burak Durmaz, MSc Eng., Product Assurance Department, Space Systems Group, Turkish Aerospace Industries Inc. (TAI), Ankara, Turkey

Even though new-generation aircraft have rugged designs that maximize reliability, exposure to failures during operation is still unavoidable. A pure safety approach leads to the classical conclusion that "the safest aircraft is the one in the hangar". Conversely, allowing dispatch without ensuring a certain level of safety can lead to catastrophic results and is totally unacceptable. The MMEL has been answering this dilemma for many years. Each MMEL item is analyzed taking into account the effects of the item's inoperability on safe flight and landing, crew workload, the functional capabilities of the systems, design margins, and the impact of the next critical failure. The MMEL proposes dispatch criteria for any inoperative MMEL item by taking credit from a redundant unit capable of accomplishing the same function or from backup data provided by alternative sources or equipment, by dictating acceptable limitations, and/or by requiring operational or maintenance procedures.

This study aims to answer questions such as why an MMEL is required and how an MMEL is developed. Brief information about MMEL regulations, the importance of the MMEL in ensuring safe dispatch with inoperative item(s), and some simple examples of MMEL applications are also provided.


Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics
Stuart Campbell Sr., MAS, CFII, ATP, Aeronautical Science, Embry-Riddle Aeronautical University, Daytona Beach, FL, USA

The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilots Association, 2010). The absence of a positive safety culture in general aviation, including training organizations, affects pilot judgment and decision making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture to that learning process and training, is of importance and is currently under study using the Frasca Mentor Advanced Aviation Training Device.

Tuesday 08·13·13 PM, Dartmouth: Software Safety (Chair: Schmedake)

Safety and/vs. Security: Towards a System Engineering Approach for Trust
Erwin Schoitsch, Dipl.-Ing., Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria

Safety has a long tradition in many engineering disciplines, evolving long before computers arrived on the scene. Security in engineering disciplines has a shorter history, becoming increasingly important with the rising complexity of networked systems. In complex cyber-physical systems and systems-of-systems, the two worlds, having ignored each other for a long time (independent communities, different targets, standards, techniques and measures), now have to share their concerns to achieve the real goal of users and stakeholders: trustworthy systems.

The paper compares the different approaches of the major safety and security standards, particularly with respect to setting goals, the techniques and measures considered, and qualification/certification. Holistic system aspects, as covered by the umbrella terms Dependability and Resilience, and system engineering aspects that take into account the dichotomic properties of complex embedded systems (commonalities and trade-offs) are examined in order to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from the concept phase and hazard and risk analysis through to decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC FP7 Integrated Project OpenCoss, IEC/ISO standardization groups and other work.

Anatomy of a Safety Critical Software Function
Richard Church, Raytheon Company, Tewksbury, Massachusetts, USA

This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides a clear and concise determination of how a safety critical function may be defined at the system level to include hardware, software, human interactions and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose an SLSCF into computing-level functions, details what constitutes a Safety Critical Computing Software Function (SCCSF), and shows how to identify the behavioral attributes that designate a function as safety critical. It provides a methodology to identify, decompose and categorize application and operating-environment SCCSFs. For the purposes of this paper, SCCSFs fall into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will be able to decompose and categorize the safety critical software functions that control and monitor safety critical operations and mitigate recognized hazards. The reader will also gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies and fail-safe designs found in successful high-consequence safety critical systems.

Software Risk: The Third Rail of Safety Analysis
Holly S. Hildreth, PhD, Consultant; Charles Greg Elcock, USN-R Aviator, Consultant; San Diego, CA, USA

"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Because we cannot assess the probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That is called "throwing the baby out with the bath water". Meanwhile, the recent industry trend of assessing software risk based solely on the implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss the shortcomings of this trend and describe alternative techniques that have not been openly documented but have been used "under the radar" by software safety professionals for many years.

Wednesday 08·14·13 AM, Berkeley: Human Factors (Chair: Robins)

ASL - Affective Safety Leadership
Ulrik Ramsing, Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark

Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how", demanding that the CoRep engage with all parties in a safe, professional and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention found only in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged CfL, Centre for Leadership, to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, satisfactory completion of which is now a requirement for employment in DONG E&P Offshore Operations as Company Representative.

The CoRep Program satisfies its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors and ILO-driven offshore coaching.

Exxon Valdez: Human Error, Plain and Simple
Arthur D. Barondes, BS (Mil Engr), MS (Aero), MBA, PhD (ABD) (Business), Analytics International Corporation (AIC), Alexandria, VA, USA

Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989, and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors (there were no mechanical or electrical failures that fateful night), the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened that night and presents incontrovertible evidence that supports human errors, onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company, as solely responsible for the disaster.


Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A. Vernacchia, MS, PE, Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A. Green, PhD, Active Safety Systems, General Motors, Warren, MI, USA; Robert E. Llaneras, PhD, Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA

Today's electric propulsion system designs (e.g., Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, for some failure modes the failure effect on output torque may be realized significantly faster than for traditional ICE failure modes. These differences may change how output torque responses affect potential "Driver Startle" events.

This paper compares the fault response characteristics of electric propulsion systems, and the subsequent detection and mitigation capabilities, to those of ICE systems. The effects of electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle-level hazard metrics related to Driver Startle, are presented.

Wednesday 08·14·13 AM, Clarendon: Public Safety (Chair: Fletcher)

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD; Yun Luo; Shuo Tian, MS; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

Scientific prevention and effective control of accidents are important for national production in China. The famous Heinrich rule reveals a statistical law relating the severity and frequency of accidents, which is essential for controlling them, but accident sources and causation, and the essence of systematic safety factors, have not been stated in depth. Using data from various accident statistics over recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich rule, and a proportion rule for the accident pyramid is derived, namely "Major Accident : Fatal Accidents : General Accidents : Hidden Dangers : Hazards" = 1 : 52 : 240 : 4700 : ∞. The result accords with the traditional Heinrich rule, provides a theoretical basis for accident prevention, and indicates the way and direction towards realizing essential safety.

Technical and Economic Aspects of Industrial Safety at a Large Enterprise with Distributed Sites Located in a Megacity
Ilya M. Zheleznov, PhD, VNIIA, Moscow, Russia

The paper presents a review and the results of an analysis of various technical and economic aspects of industrial safety at a large enterprise with distributed sites, combining R&D work with pilot and batch production of high-tech products, located in a megacity, Moscow.

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to optimization are considered from both technical and economic points of view, taking into account minimization of the transport of dangerous substances, the location of treatment facilities (waste effluents, gas purification) and waste storehouses, the location of working-condition maintenance systems (heating, air-conditioning, air cleaning, water supply, etc.), possible harm to the population, and a number of other factors.

The features connected with locating the enterprise in a megacity are identified, including the limited areas available for treatment facilities, the high density of utilities in the area, short distances to residential buildings and city infrastructure, transport problems, high air pollution, etc.


Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr. Professor G. A. Smirnov, Dr. D. I. Yurkov, D. V. Syagin, T. V. Kozhina, All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia

The paper reviews questions related to the vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including those of a terrorist nature, as well as to emergency situations of natural and anthropogenic character.

The main provisions of the complex program for the safety of the population on transport approved by the Russian Government are presented. Approaches to organizing the screening of persons, passengers, vehicles, cargo, luggage and personal effects at transport infrastructure facilities of the Russian underground (metro) systems are formulated. Some types of neutron and X-ray equipment designed and produced by VNIIA (named after N. L. Duhov) for the detection of explosives, nuclear materials and drugs are presented.

Wednesday 08/14/13 AM, Dartmouth: Lifecycle Safety (Chair: Swallom)

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore, Singapore
System safety analyses assess the system's hazards throughout all phases of the system life cycle. Quite often, details of maintenance tasks on systems are not clearly thought out and assessed. Hence, while in the midst of carrying out system maintenance tasks, hazards could arise and pose safety implications to users. Improper maintenance could also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance and sometimes total replacement of the components at regular intervals are required. Therefore it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety critical or safety related parts is also crucial in ensuring that the systems remain safe for operation after conducting maintenance.

This paper attempts to classify the different types of maintenance and the focuses of their respective hazard analyses in order to better address their potential hazards. Generally there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance and Reliability-Centered Maintenance. The authors will discuss, with examples, the hazard analysis for each of these types of maintenance.

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram, David Hartfelder, Electronic Controls and Software, General Motors Company, Milford, MI, USA
System safety engineering is the application of special technical methods and managerial processes in a systematic manner to identify, evaluate and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned with eliminating or minimizing the impact of system hazard(s) to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementary critical safety analyses, tests and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase and continuing through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that they are able to influence the design of the system. This paper will define a system safety case and provide an overview of its development within the GM system safety engineering process as it applies to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA
Error Prevention Event Collection (EPEC) Documents have been beneficial to the ULA Organization in many ways by providing multiple methods to augment current ULA Error Prevention Processes and share Lessons Learned throughout the ULA Organization. EPEC Documents are stand-alone documents that provide ULA Personnel with categorized sets of Event information that can be used to augment Preventive Analysis, Reactive Analysis and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process. This means that they have completed the Causal Analysis, Corrective Action Board and Error Prevention Council processes. Upon Event closure, the "All Items" Database is populated with Event information and the applicable Event EPEC Categories. Then the "All Items" Database automatically sorts Event entries into "Category" Databases. There is one "Category" Database for each EPEC Category. Each "Category" Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" Database that provides users with instructions for use, a link (URL) to the associated Event information and additional Error Prevention Tools. Additional improvements, applications and benefits will continue to be explored as they relate to the EPEC Documents.

Wednesday 08/14/13 AM, Exeter: Human Factors II (Chair: Flint)

Development of Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy, Yanyan Wang, DE, Xin Liu, Wei Bai, Xinsheng Guo, Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress is a disadvantage to flight safety. Life events are a routine item of aircraft accident investigation in many countries. A lot of pilots involved in accidents were suffering from life events. In order to achieve the ideal effect, flight safety education must be incorporated with psychology. An education program combining flight safety and psychological stress was developed by summarizing the psychological factors relevant to aviation risk perception. The program includes three sections: psychological measurement relevant to safety and results feedback; education on representative risk scenes in aviation; and occupational stress management. The Aviation Safety Locus of Control scale and the Hazardous Aviation Attitude questionnaire were used to evaluate risk pattern. The results were fed back to pilots to improve their self-knowledge. Representative risk scenes were based on the five hazardous attitudes theory. Fifteen cases were developed and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach the pilots stress management skills. The program can be applied to improve flight safety and the mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD, Xin Liu, Wei Bai, Xinsheng Guo, Qingfeng Liu, MPsy, Xiaochao Guo, DPsy, Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
The capabilities of crew resource management (CRM) directly relate to flight safety and run through the whole process of flight tasks, but there are currently still no indicators and methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and the pilot's behavior characteristics of dynamic CRM were developed based on AC-121-FS-2011-41 crew resource management training and by analyzing the influential factors; thus the dynamic assessment training indicators and methods of crew resource management were eventually formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis of assessment of CRM during flight training, which is helpful to improve the CRM capabilities of the double drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD, Erin Collins, Hughes Associates, Inc., Baltimore, MD, USA
The fire protection response in selected facilities is characterized by "manual" activities. That is, facility personnel are trained to immediately react after fire detection, not only to announce the fire event throughout the facility using the communication systems but also to suppress the fire as quickly as possible. Contrary to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e., hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper involves an integration of an event tree analysis and HRA, which includes treatment of the following detection and suppression activities: prompt detection and suppression, rapid detection and suppression, and fire brigade suppression.

Wednesday 08/14/13 PM, Berkeley: Safety Topics (Chair: Gauthier)

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou, BEng, MSc, PhD, CEng, Matthew Luckcuck, Tim Kelly, PhD, Richard W. Jones, PhD, Department of Computer Science, University of York, York, United Kingdom
There has been an increasing use of IT in healthcare, aiming to improve the quality of healthcare as well as the safety delivered to patients. IT can contribute to improvement in meeting the performance targets of hospitals by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent in medical devices (e.g., pacemakers), for which there are organised efforts towards international standards. Recently there have been attempts to systematise and standardise the safety analysis of health IT systems, with examples such as the UK National Health Service standards asking for a safety case showing that any IT systems are safe.


The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety and data-intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these tactics can be used to provide assurance for the final safety case of the system.

How Complex Systems Fail - I: Decomposition of the Failure Histogram
Richard R. Zito, PhD, Richard R. Zito Research, LLC, Tucson, AZ, USA
Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that in general the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model. And the failure histograms (failure rate vs. time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report will take the Peterson/Arellano analysis one step further. A unified theory of failure rates will be presented that removes the paradoxes of the simple Rayleigh model. It will be shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function law.

Wednesday 08/14/13 PM, Clarendon: Risk Assessment (Chair: Karedes)

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt, Joan Pham, PhD, Sikorsky Aircraft Corporation, Stratford, Connecticut, USA
The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and their interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday 08/15/13 AM, Berkeley: Space Systems (Chair: Durmaz)

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X. Dang, BSCE (1), Myles P. Moran, BSME (2), Tyrone Jackson, BSEE (1); (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA
A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. An example: one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 AFSPCSUP1, 91-217 and 63-101. AF program offices are required to comply with AFI policies. AFIs don't generally apply to the contractor except as implemented through the contract. Often program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that by having two sets of requirements, AFIs for program offices and MIL-STD-882-Tailored for contractors, full compliance with AF Orbital Safety policy should be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"


Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G. McDougall, BS Physics, Naval Post-Graduate School (NPS) Master System Engineering, System Safety Center, SMC/SE, El Segundo, CA, USA; Tyrone Jackson, BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA
Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommissioning and disposal of systems, subsystems, end items and services during the entire space system lifecycle, to support Operational Safety, Suitability and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements that are applicable to the acquisition of space systems or space systems of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems and user equipment systems. SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP_I and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process for evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing the tasks and activities required to execute a viable system safety program, which include risk acceptance package development, hazard tracking, mishap risk disposition and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch, CO, USA
United Launch Alliance launches Atlas V and Delta IV from the Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles. Large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle and prelaunch operations, until liftoff. Range Safety regulations provide safety requirements for hardware, software and operations to ensure safety throughout the ground processing. This paper will examine each stage of the ground processing for space launch and the applicable safety requirements, and discuss how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after the personnel are cleared, using safety critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday 08/15/13 AM, Clarendon: Weapons Safety (Chair: Southwick)

Security Critical Software: the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S. Alborzi, PhD, Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA
Today's political landscape, the arbitrary abandonment of nuclear non-proliferation by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense of system safety. This paper intends to explore this integration and unveil some of the security critical software that can serve as the first line of defense for preserving the safety critical features of our weapons systems.


Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams, BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello, BSChE, Navy NOSSA, Indian Head, MD, USA
The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance provided in the associated AOP-7 and AOP-39 for implementing policy. Questions are often raised during program development and reviews as to the origin and applicability of the tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, will only address Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE, Gunendran Sivapragasam, MBA SE, Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA
A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among the characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday 08/15/13 AM, Dartmouth: Hazard Identification (Chair: Oliver)

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore
We often ask ourselves why accidents or mishaps happened even when the system safety methodology and assessments were in place. Accidents happen due to many possible causes. There could be lapses in the safety integrity of the system, or a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns whereby a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations that were faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practices in system safety. There are 4 areas of concern highlighted in the paper: Interfaces, Prototype Tests & Trials, Maintenance & Disposal, and Human Error. By identifying the gaps in these 4 areas, the author explores and proposes mitigation measures that could possibly close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr. Cand. scient., System Safety, SINTEF, Trondheim, Norway
Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body for certification according to IEC 61508, a Notified Body for certification according to the relevant EU directives, and a Manufacturer.

Experience has shown that, to deliver the product in time and to be cost-effective, it is very important that the Manufacturer and the Certification and Notified Bodies agree about basic principles concerning the plans, contents, traceability and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Bodies as evidence.

This paper presents the CoVeR method, which has been developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, that costs are minimized, that time to market is reduced, that the certification process is complete and well documented, and that updates of the certificates require less work. The certification experiences to date show that many of the problems with conventional methods are improved.

Design with Safety Eye
Barış Berk Erdem, MS, Pinar Aydin, MS, Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey
Deriving safety requirements in the early stages of the design is one of the most important key factors for conducting a successful development process for any project. While well-defined, correct, consistent and complete safety requirements improve and guide the design to perfect levels with minimum effort, defective, inconsistent and incorrect safety requirements may lead to unsuccessful, overweight and over-cost designs. In this paper, ways and advantages of deriving qualified safety requirements in the early stages of the design will be discussed via examples. Safety requirements are derived using the results of the safety assessments, based on the consequences of functional failures. But the quality of the safety assessments is based on the maturity of the design, and as the design matures it is hard to change and implement the changes, which causes a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated and familiar with similar projects provides great contributions. Also, a safety perspective throughout the design team makes it easy to derive valuable safety requirements and bring these requirements into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is the cooperation of the whole design team with a safety perspective.

Thursday 08/15/13 PM, Berkeley: Aerospace Software (Chair: Beecher)

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway, NASA Langley Research Center, Hampton, VA, USA
For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements". Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments, contained in or implied by the DO-178C guidance, that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore, developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper, we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels and Baconian probability. We define use cases for confidence in safety cases, prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for reuse of safety elements.

Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System
Eric Yang, PhD, Richard Y. Xie, PhD, Arash Yousefi, PhD, Metron Aviation, Inc., Dulles, VA, USA
As demand for military, civilian and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety that is set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper, we adapt a previously developed safety modeling framework, the Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS, incompatibility between the sense-and-avoid systems of UAS and the Tactical Collision Avoidance Systems (TCAS) of manned aircraft, loss-link procedures in the UAS, and the UAS loss of communication with air traffic control. The findings of this study provide insight into the potential risks of UAS integration and may support the development of a concept of operation, establishing minimum performance standards, and developing the required safety nets.

Thursday 08/15/13 PM, Clarendon: Public Safety II (Chair: Laabs)

Integrating System Safety and Emergency Management
Terry L. Hardy, Great Circle Analytics, LLC, Denver, CO, USA
System safety is an engineering and management discipline used to analyze hazards, evaluate risk and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to and recover from an incident that threatens life, property, operations or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS, HSE, Marine Well Containment Company, Houston, TX, USA
Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess and Statoil. In February 2011, MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC its ICS and Expanded Containment System (ECS) which will provide greater capacity and capability to control a well as well as an overview of the safety aspects of maintaining and deploying these systems This includes our approach for working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems

The current system is being maintained in a state of readiness which will be addressed in this paper

WHAT ARE YOUR STRENGTHS AS AN ENGINEER?

"thinking system-wide" · "providing in-depth analysis of the latest technologies" · "solving real-life problems"

ONLINE MASTER'S DEGREES
- RELIABILITY ENGINEERING
- PROJECT MANAGEMENT
- NUCLEAR ENGINEERING
- SUSTAINABLE ENERGY
- ENERGETIC CONCEPTS
- FIRE PROTECTION ENGINEERING

LEARN MORE: www.advancedengineering.edu/issc


A Taxonomic Analysis on Chinese Special Equipments "Yinhuan" in Supervision
Yunxiao Fan, Dr., Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipments to ensure their safety in the worksite. Special equipments in China include boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices, and automobiles. In recent years, the rapid increase in numbers and types of special equipments has brought BSES increasing stress on special equipment regulation. As a government supervision organization, BSES tries to make the inspection tasks of the different supervision levels explicit and efficient and to improve safety management performance from the viewpoint of risk. This research is the first task in the project, which aims to identify yinhuans in special equipment supervision using a taxonomy approach, for further ranking them through risk assessment. Based on nonconformity and the 4 elements in the accident causation model, this research defined yinhuans of special equipments in China and built a yinhuan taxonomic analysis structure. This research identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans of 8 types of special equipments.

Thursday, 08/15/13, PM, Dartmouth: Hazard/Risk Management II (Chair: Kniess)

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1); Patrick J. Graydon, PhD (2); Rikard Land, PhD (1). (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework including analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach, the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence; it can ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA

United Launch Alliance (ULA) believes error reporting is the corner-stone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as Events) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented, and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012, ULA experienced an elevated number of transportation-related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates processes were "in control" during the period of this study.

Even though statistical analysis tools demonstrated ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.

Isograph Software: World Leading Reliability, Availability and Maintenance Software
Reliability Workbench: Reliability Allocation, Prediction, FMECA, Fault Tree Analysis, Event Tree Analysis, Markov
Availability Workbench: Reduce Labor & Spares Costs, Increase uptime and output, Seamless integration with SAP and Maximo
www.isograph-software.com

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, PEng, MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece

Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how the STAMP-Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents, and incidents. The objective is to show the feasibility of establishing in airports system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems, and airports to assess and predict changing levels of risk.


Special Functions

Saturday
SSS Executive Council Meeting: 12:00 - 5:00 pm, Tremont Room

Sunday
SSS Executive Council Meeting: 8:00 am - 5:00 pm, Tremont Room

Monday
Speakers' Breakfast: 6:30 - 8:00 am, Simmons Room
Opening Ceremonies / General Session: 1:30 - 3:30 pm, Salons A-E
  50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus
  Keynote Speaker: James P. Keller, Jr., MS, ECRI Institute

Tuesday
Speakers' Breakfast: 6:30 - 8:00 am, Simmons Room
Sponsor/Exhibitor Luncheon: 11:30 am - 1:20 pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology
Sponsor & Exhibitor Reception: 6:30 - 8:30 pm, Gloucester Room

Wednesday
Speakers' Breakfast: 6:30 - 8:00 am, Simmons Room
International Luncheon: 11:30 am - 1:20 pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK
Wolfgang Puck Dinner & Lightning Show at the Museum of Science: 6:30 - 10:00 pm. Be in the hotel lobby at 6:00 pm.

Thursday
Speakers' Breakfast: 6:30 - 8:00 am, Simmons Room
Awards Luncheon: 11:30 - 1:20 pm, Salons A-E

Friday
Speakers' Breakfast: 6:30 - 8:00 am, Simmons Room
Best Papers Presentations: 8:00 - 11:20 am, Dartmouth Room


32nd International System Safety Conference, 4-8 August 2014 · St. Louis, MO
St. Louis Union Station Marriott Hotel
Gateway to Safety

Local attractions: Gateway Arch Riverfront, Missouri History Museum, Museum of Transportation, St. Louis Cardinals, St. Louis Symphony, St. Louis Union Station, St. Louis Science Center, The Contemporary Art Museum St. Louis, Bissell Mansion Restaurant and Dinner Theater, Missouri Botanical Gardens, Laumeier Sculpture Park, Anheuser-Busch Brewery, Kemp Auto Museum, Schlafly Bottleworks, Fox Theater, Purina Farms, Meramec Caverns, Laclede's Landing, City Museum, Magic House, Grant's Farm, St. Louis Zoo, Delmar Loop, Forest Park, Harrah's, Six Flags


About the System Safety Society

The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products, and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program, or activity at the planning phase and continues through the design, production, testing, use, and disposal phases.

The Society's Objectives
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering, and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070. www.system-safety.org. Email: systemsafetysystem-safetyorg

Points of Contact

Officers
Robert Schmedake, President: robertaschmedakeboeingcom
Dr. Rod Simmons, Executive Vice President: rodsimmonsmecom
Dr. Matt Johnson, Executive Secretary: mjohnsonstaudertechcom
Pam Kniess, Treasurer: pamkniessgmailcom
Gary Braman, Immediate Past President: gbramansikorskycom

Directors
Gerry Einarsson, Chapter Services: einargkrogerscom
Lynece Pfledderer, Conferences: Lynecepfleddererlmcocom
Dr. Chuck Muniak, Education & Professional Development: cmuniakstevensedu
Debbie Hale, Gov. & Intersociety: Hale0324hotmailcom
Robert Fletcher, International Development: rwfletchersympaticoca
Melissa Emery, Member Services: memeryapt-researchcom
Steve Mattern, Mentoring / R&D: smatternbastiontechnologiescom
Saralyn Dwyer, Publicity & Media: sdwyerapt-researchcom


Chapters

Tennessee Valley Chapter (AL): Don Swallom, swallomisss-tvcorg
Saguaro Chapter (AZ): Amanda Boysun, 520-794-5487, AmandaBoysunraytheoncom
Bay Area Chapter (CA): Graham Murray, 408-756-2674, grahamtmurraylmcocom
Central California Chapter (CA): Kathleen Brenna, KathleenBrenna1usafmil
Sierra High Desert Chapter (CA): Jerry Banister, 760-377-4690, safetycitadelearthlinknet
Southern California Chapter (CA): Francis McDougall, 310-653-1309, francismcdougallusafmil
Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppecomcastnet
Georgia Chapter: Terry Gooch, 770-494-3527, terryjgoochgmailcom
Winners Circle Chapter (KY/IN): Marc Bever, 812-854-1351, Marcbevernavymil
Twin Cities Chapter (MN): Bill Blake, 763-744-5086, billblakeatkcom
New England Chapter: Alan E. Southwick, 401-842-2067, Alan_E_Southwickraytheoncom
Northeast Chapter: Scott Beecher, scottbeecherPWutccom
New Mexico Chapter (NM): William (Bill) Harwood, williamharwoodmdamil
Houston Chapter (TX): Derek Robins, 281-335-2011, derekrobbinsmwcc-usacom
North Texas Chapter (TX): Frank Rinaldo, 817-762-3075, frankrrinaldolmcocom
Washington DC Chapter: Sean Peters, seanpetersurscom
Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerberbaesystemscom

International Chapters
Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbechtrgbassurancecomau
Canada Chapter: Maury Hill, 613-220-0533, Mauryhillrogerscom
Israel Chapter: Haim Kuper, 972-4-8315044, haimkuperelbitsystemscom
Singapore Chapter: Ten Lin Mei, tlinmeidsoorgsg


31st ISSC Luncheon Menu

Tuesday, August 13
New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pate de Fruit

Wednesday, August 14
Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15
Caesar Salad
Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce
White Chocolate and Blood Orange Torte


Organizing Committee

Contents
General Information 2
Greetings 5
Speakers 10
Schedule 12
Tutorials 21
Panel Discussions / Forums 26
Workshops 26
Paper Presentations 30
Special Functions 50
About the System Safety Society 52

Conference Chair: Pam Alte
Co-Chair: Cliff Parizo
Technical Program Co-Chairs: Gary Braman, Norman Gauthier
Sponsor/Exhibitor Chair: Lindsey Eirich
International Chair: Bob Fletcher
Financial Chair: Cathy Carter
Off-Site Events: Alan Oliver
Webmaster: Don Swallom
Logistics / Equipment: Richard Anderson
Publishing: Heather French
CEU Credit: Rod Simmons
32nd ISSC Liaison: Pam Kniess

The following volunteers contributed to the success of the conference:

Pam Alte, 31st ISSC Chair


General Information

Registration Desk: All 31st ISSC attendees, including sponsors and exhibitors, must register at the registration desk located on the 4th Floor. Registered attendees will receive badges, which should be displayed while in any ISSC area (including luncheons). Once a badge is issued, it is the responsibility of the registrant to ensure that it is not lost. Sponsors may change the names on their badges as often as they want, but the old one must be turned in to receive a new name.

Special Events: Spouses or exhibitors may purchase tickets for luncheons or the off-site event at the registration desk up to 24 hrs prior to the event. Tickets for the Wednesday night off-site event at the Museum of Science will be $90.00 for adults or $55.00 for children. Tickets to the luncheons on Tuesday, Wednesday, and Thursday are $45.00/lunch for any attendee. Spouses and guests are welcome to attend the Tuesday evening Sponsors and Exhibitor social free of charge.

Internet: Internet will not be provided in the conference locations. However, should you require internet access during the conference, there is complimentary wireless available in the lobby and other public areas. There are also internet options available to each guest in their room.

Transportation: The Marriott Copley Place is located 3.2 miles away from the airport. The subway cost (one way) is $2.50 and the estimated taxi cost is $35.00. While rental cars are available, parking costs in Boston tend to be pricey. Alternative means of getting around include taxis, the subway, or walking.

Tutorial Program & CEUs: The conference includes several information-packed tutorials in addition to the papers being presented. Attending tutorials, along with other elements of the Technical Program at the 31st ISSC, meets the requirements for Continuance of Certification credit through the Board of Certified Safety Professionals (BCSP). Continuing Education Units (CEUs) will be issued for participation in the Conference tutorials. You must be present for the entire tutorial in order to be granted the CEUs. Attendance will be taken at the start of the tutorial and after each break, and you must be present at the end to collect your certificate. CEUs are issued on the basis of 0.1 CEU per instructional contact hour.

Dress Code: We want you to feel comfortable while you are attending the 31st ISSC, so we advise 'business casual' attire. The awards ceremony, which is a part of the Thursday luncheon, is a time when many attendees will dress in more formal business attire. The Tuesday night Sponsor and Exhibitor social and the Wednesday night off-site event are also business casual dress.

Daily News: The ISSC Daily News will be available at 7:30 each morning, both at the registration desk and in the Sponsor/Exhibitor area. This will announce any room changes, schedule changes, or other information pertinent to the proceedings of the conference.

Spousal Program: There are no tours provided by the ISSC for spouses this year. However, there is an information session to be held on Monday. Brochures will be made available along with maps and ideas of attractions to visit. If a spouse is unable to make this information session, the hotel concierges can answer questions about local attractions, how to use the subway, available tours, or dining suggestions.

Wednesday Night Off-Site Event: Bus transportation will leave the Marriott Copley Place starting at 6:00 pm and bring attendees to the Museum of Science. The ISSC will have the Blue Wing reserved from 6:30 pm to 10:30 pm and will receive a private lightning demonstration in the Theater of Electricity, buffet dinner, and a cash bar. Spousal/guest tickets can be bought at the registration desk up until 24 hours before; however, to ensure a smoothly-run event, we encourage you to purchase extra tickets when you register. This is sure to be an event you won't want to miss.


ENSURING SAFETY FOR THE LONG RUN

Safety is paramount. That's why at Lockheed Martin, safety is designed into everything we do. Our system safety engineers follow proven government and industry standards, plans, processes, and lessons learned to build the world's most safe, supportable, and technologically advanced aircraft.

Lockheed Martin is proud to sponsor this year's International System Safety Conference and applauds their mission to ensure system safety for the long run.

www.lockheedmartin.com
© 2013 Lockheed Martin Corporation


Greetings from the Society President

As the newly elected Society President, I want to welcome you to the 31st International System Safety Conference. I have been working in system safety since 1985, and I find this to be a rewarding and exciting career field. What I have liked most about the field is the fact that I find every new assignment involves working with new and varied types of systems. I love the challenge, and I appreciate that I am fortunate to have a job where my work makes a difference in the safety of our systems. We as System Safety Professionals have the unique privilege of impacting our society in such a positive way.

This year marks the Golden Anniversary of our society, and we trust this year's conference will live up to your expectations. We have come a long way since the early days of this society. Technology has transitioned from vacuum tubes to liquid crystal displays, launching unmanned satellites to commercial space flights, computers the size of a room to tablets with more and more capability daily. Some of our founding members will be in attendance at this conference, and they will be participating in our opening session. I know I am looking forward to hearing from them and their unique challenges.

I am also looking forward to hearing about the unique challenges we face with the latest in technology in our society. The impact of new technology on society and the motivation to trust more of our safety critical applications to the latest in today's innovations creates ever steeper challenges for us. This conference helps us to meet the challenge. We have outstanding technical sessions, world leading safety professionals in attendance, opportunities to network, and opportunities to find solutions to our every day safety dilemmas.

Our Conference Chair, Pam Alte, and her team have done an outstanding job in putting together this conference. We have a number of interesting technical tracks at this conference. Our speakers include some of the biggest names in the field. Our sponsors are among the best in the industry, and clearly we value their contributions to making our world a safer place.

So thank you for coming to this conference. I hope you are looking forward to the opportunities we have in the coming week as much as I am.

Robert A. Schmedake, President, System Safety Society


Protecting your most valuable assets

System Safety Engineering & Analysis · Mission Assurance · Range Safety · Test Planning · Explosives Safety · Software System Safety · Industrial Engineering · Quality Engineering · Reliability Engineering · Software Development & Modeling · Independent Risk Assessments · Standards Development · Training

A-P-T Research, Inc., 4950 Research Drive, Huntsville, Alabama 35805
Phone 256-327-3373, Fax 256-837-7786, www.apt-research.com

Founded in 1990, APT (Analysis, Planning, Test) is an employee-owned small business located in Cummings Research Park near Redstone Arsenal in Huntsville, Alabama. Our corporate vision is to provide state-of-the-art expertise and ensure the highest levels of customer satisfaction.

Photo: Missile Defense Agency


Greetings from the Chapter President

Hear ye, hear ye: welcome to Boston for the 31st International System Safety Conference. Boston is the largest city in New England and one of the oldest in the United States. No hiding in your hotel; get out and enjoy the city's history, where key events of the American Revolution took place, including the Boston Massacre and the Boston Tea Party. For fun and entertainment, visit the Samuel Adams brewery and the Bull & Finch pub (from Cheers). We are all Red Sox fans this week, so feel free to visit Fenway Park or view the city from atop the John Hancock or Prudential buildings. Boston has a red brick trail through the city that leads you past many of the historical locations; it's called the Freedom Trail. Walking this path brings you from the Boston Common past locations including Granary Burying Ground, the Boston Massacre site, Faneuil Hall, Paul Revere's house, and Old North Church, and then across the Charles River to the Bunker Hill Monument and USS Constitution.

The Northeast Chapter and SSS Executive Committee (EC) have worked hard with this year's Conference Chair, Pam Alte. If you run into Pam, make sure you stop and thank her for the volunteer hours and effort she has poured into this conference. The economy is providing challenges to pull together a successful conference, but Pam, with the EC's support, has been more than up to the task.

"Safety For The Long Run" is such a poignant theme for this year's Boston conference, with the Boston Marathon bombings bringing safety to the forefront. Other recent events, such as aviation, train, and industrial accidents, have sharpened the focus on how critical the safety discipline is in all our lives. For the conference, we are all challenged to learn something new. I ask that all attendees stay engaged with the conference papers and presentations and promote the system safety discipline.

Scott Beecher, President, Northeast Chapter, System Safety Society


I fly Sikorsky. Because the mission is never the same.

I fly a Sikorsky BLACK HAWK helicopter for multiple missions. It's dependable and durable, and I have complete confidence in its proven performance. Sikorsky not only sets the standard for rotorcraft excellence and safety, they exceed it. It's evident in everything from the reliable performance of my BLACK HAWK to the way they support me in the field. There's simply no better helicopter for any requirement, whether it's utility, combat search and rescue, or firefighting. The way I see it, not every pilot gets to fly in a helicopter this good. But they should.

Sikorsky


Greetings from the Conference Chair

On behalf of the entire ISSC planning committee, I would like to extend a warm welcome to you. We have worked hard to make this conference a world-class success. Whether this is your first visit to Boston or you have been here before, I hope you get a chance to relax and enjoy our beautiful New England city. Boston has something for everyone, from historical sites to exciting downtown locations, sports arenas, and fabulous shopping. Our off-site event will be held in the Museum of Science, complete with Wolfgang Puck catering and our own private Lightning Show.

The System Safety Society is proud to host an annual conference that provides practitioners from different industries a chance to get together, network, and learn from each other. Unfortunately, the US budget sequestration restricted travel for Government workers, so our numbers are down this year. I would like to assure all attendees that although this year's conference will be smaller than previous years, the standards to which we held our papers and tutorials were not lowered. You can expect top notch presentations.

The theme for this year's conference, Safety for the Long Run, picks up on a number of parallels between the types of things one might do to prepare for a marathon race and elements of an effective system safety program. These include the importance of proper training, having a well thought out plan, getting off to a good start, avoiding obstacles and distractions, and keeping enough in reserve for a successful sprint to the finish. I think you will agree that this year's conference will help prepare you well.

One of our objectives was to try to attract more young people, who could especially benefit from the knowledge and experience of many of the Society's "grey beards". We will have several student members in attendance, and I hope you will join me in making them feel welcome. I am also pleased to announce this year we will have a new track, lifecycle safety. These papers will discuss system safety as it moves past the development stage, which is where the majority of our previous discussions have stopped. In addition to our many papers and tutorials being offered, there is the potential for "Just in Time" sessions to be held. A board for suggesting topics you would like to have added to discussions will be located at the registration desk, or you can coordinate with Norm Gauthier, one of our Technical Co-Chairs.

We wish you an enjoyable and enlightening conference experience. Should there be anything you require to make your conference experience better, please don't hesitate to reach out to me, Cliff Parizo, or any of the other Conference Committee volunteers.

Again, enjoy your visit and thank you for your support by being here. I would also like to send a big thank you to those who helped plan this conference, our sponsors & exhibitors, and especially to Sikorsky Aircraft for partnering with us to make this conference a reality.

Sincerely, Pam Alte, 31st ISSC Conference Chair


Speakers

Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus. Opening Ceremonies 50th Celebration Speaker

Rex Gordon is a 50-year Charter Member and current Historian of the System Safety Society. He is a past President and Editor of the Journal. He served as Chairman of the 2nd ISSC and of both the Northeast and Southern California Chapters. He has represented the Society on the boards of the Reliability and Maintainability Symposium (RAMS) and Certified Safety Professionals (CSP). He is a Chapter Member and past Chairman of the Government Electronic Industries Association (GEIA) G-48 System Safety Committee. He has co-authored two text books and over 15 published papers. He has lectured at the George Washington University and USC. He has represented the Society at functions held in the White House, the Pentagon, and in Germany, Holland, and Paris.

He is retired after 40 years of employment as a System Safety Engineering Specialist, Manager, and Consultant. He currently lives with his wife of 61 years in Fallbrook, CA.

James P. Keller, Jr., MS, ECRI Institute. Keynote Speaker

As Vice President, Health Technology Evaluation and Safety, James Keller directs ECRI Institute's internationally recognized Health Devices Evaluation Program, which provides independent judgment and guidance to help hospitals and health systems select and manage medical devices. The program was referred to by the New York Times as the "country's most respected laboratory for testing of medical products". He serves as a member of ECRI Institute's Executive Committee, which is responsible for overall governance of ECRI Institute operations.

Mr. Keller is also responsible for the Health Devices Alerts notification service for medical product hazards and recalls; Alerts Tracker, a web-based tool for managing hazards and recalls of medical products; Biomedical Benchmark, a resource to help hospitals manage their medical equipment service activities; an annual series of interactive webinars on health technology issues; and the International Medical Device Problem Reporting System.

Mr. Keller is a recognized expert and frequently invited speaker on a wide range of health technology-related topics, including patient safety, equipment management, strategic planning and forecasting, device utilization, nomenclature and asset management, and the convergence of medical devices and information systems. He is a regular contributor to ECRI Institute's Patient Safety Blog and is routinely sought out by the news media for his expertise on a variety of health technology concerns.

Mr. Keller is President of the board for the American College of Clinical Engineering and is a member of the board for the Health Technology Foundation. He joined ECRI Institute in 1984 after completing a Master of Science degree in biological engineering from the University of Connecticut and a Bachelor of Science degree in zoology from the University of Massachusetts.


Dr. Nancy Leveson, Massachusetts Institute of Technology. Sponsor & Exhibitor Luncheon Speaker

Dr. Leveson holds a PhD from UCLA. She was a Computer Science professor at the University of California, then became Boeing Professor of Computer Science and Engineering at the University of Washington.

Professor Leveson's research focuses on topics related to the design of complex systems containing software, hardware, and human components. Her goal is to stretch current limits of complexity and intellectual manageability of the systems we can build with reasonable resources and with confidence in their expected behavior, particularly safety. Current research topics include model-based system and software engineering, system and software safety, software requirements specification and analysis, human-computer interaction, reusable component-based system architectures, interactive visualization, human-centered system design, and comprehensive approaches to risk management that include the organizational, political, managerial, and social aspects of system construction and operation. New work is starting in security. Current applications include space, aircraft, autos, rail systems, nuclear power, medical devices, hospital safety, defense systems, and others.

Dr. John McDermid, The University of York, UK. International Luncheon Speaker

Professor John A. McDermid has been Professor of Software Engineering at the University of York since 1987, where he runs the High Integrity Systems Engineering (HISE) research group. He was also Head of the Department of Computer Science from 2006 to 2012. The HISE research group studies a broad range of issues, mainly in systems, software, and safety engineering, and works closely with the UK aerospace industry, but has worked in a number of domains including automotive, medical, and railways.

In 2010 he was appointed a Consulting Professor at Beijing Jiaotong University (BJTU) and now runs a collaborative research programme in railway safety with BJTU, known as the Railway Safety Technology Research Centre (RSTRC). He has extensive experience as a consultant, including advising the Ministry of Defence (MoD) on the development of DS 00-56 Issues 3 and 4. He is a member of the UK Defence Scientific Advisory Council. He is author or editor of six books and has published approximately 360 papers.


SCHEDULE – Monday 12 August
4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Rooms: Salons A-E, Berkley, Clarendon

8:00 - 8:50
• Berkley – Hazard Analysis (Barondes): Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models – Wind, Schedl, Floetzer
• Clarendon – Ground Transportation (Millin): Achieving Safety Confidence of a Large Scale System Product and its Applications – Shi

9:00 - 9:50
• Berkley: Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees – Rainey
• Clarendon: Failure Logic Automata for Future Oriented Safety Assessment of Train Control System – Zhou, Zhao

10:30 - 11:20
• Berkley: The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment – Jaradat, Graydon, Bate
• Clarendon: Are We Ready for Driverless Cars? – West

Lunch Break, Salons A-E

1:30 - 2:20
• Salons A-E – Opening Ceremonies, General Session: 50th Celebration Speaker Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus; Keynote Speaker James P. Keller Jr., MS, ECRI Institute

2:30 - 3:20

4:00 - 4:50

Program ISSC 2013


Rooms: Exeter, Fairfield, Wellesley

8:00 - 8:50
• Exeter – Tutorial: Hands-On System Safety Basics Focused On FHA – Winkelbauer, Schedl (3 hrs)
• Fairfield – Tutorial: Introduction to Fault Tree Analysis Using CAFTA Software – Roy (3 hrs)
• Wellesley – Committee & Group Meetings

9:00 - 9:50

10:30 - 11:20

1:30 - 2:20

2:30 - 3:20

4:00 - 4:50


SCHEDULE – Tuesday 13 August
4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Rooms: Arlington, Berkley, Clarendon, Dartmouth

8:00 - 8:50
• Arlington – Tutorial: A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique – Leveson, Thomas (6 hrs)
• Berkley – Hazard/Risk Management (Parizo): Safety is not an Option – Parizo, Daugherty
• Clarendon – Workplace Safety (Kondreck): Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen – Zhang, Batcheller, McQueen
• Dartmouth – Open Forum (Fletcher): Developing Global System Safety Perspectives

9:00 - 9:50
• Berkley: National Aerospace Standard 411 Update – Sheehan
• Clarendon: A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources – Fischer, Yankaskas, Page

10:30 - 11:20
• Berkley: Linear Integrated Safety Analyses (LISA) – Grant, Muhammad
• Clarendon: System Safety Design for Safe Operation of Radars – Bartos

Sponsor & Exhibitor Luncheon, Salons A-E. Guest Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology. Menu: New England Clam Chowder; Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction; Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

1:30 - 2:20
• Arlington – Tutorial (continued)
• Berkley – Software Engineering (Mikula): Dependability Techniques Applied to Space Software - A Research Project Report – Lahoz, Abdala
• Clarendon – Aerospace Safety (Kraemer): Systems-Based Approach to Flight Safety Management in Airlines – Chi, Xu, Qi, Shao
• Dartmouth – Software Safety (Schmedake): Safety and/vs Security: Towards a System Engineering Approach for Trust – Schoitsch

2:30 - 3:20
• Berkley: The Principles of Software Safety Assurance – Hawkins, Habli, Kelly
• Clarendon: Use of Master Minimum Equipment List (MMEL) To Ensure Safe Dispatch – Durmaz
• Dartmouth: Anatomy of a Safety Critical Software Function – Church

4:00 - 4:50
• Berkley: Formal Modelling in the Development of Dependable Systems – Troubitsyna
• Clarendon: Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics – Campbell
• Dartmouth: Software Risk: The Third Rail of Safety Analysis – Hildreth, Elcock

6:30 - 8:30
• Sponsor & Exhibitor Reception, Gloucester Room


Rooms: Exeter, Fairfield, Suffolk, Wellesley

8:00 - 8:50
• Exeter – Workshop: ISO 26262-Style Risk Assessment – Joyce (3 hrs)
• Fairfield – Tutorial: Assurance Cases As Means of Evidence Based Development of Critical Systems – Despotou (3 hrs)
• Suffolk – Tutorial: Practical Generation of Safety Cases With the Help of GSN – Gerstinger, Schedl (3 hrs)
• Wellesley – Committee & Group Meetings

9:00 - 9:50

10:30 - 11:20

1:30 - 2:20
• Exeter – Workshop: Application of System Safety Methods to Systems of Systems – Joyce, Debouk, Vergara (3 hrs)
• Fairfield – Workshop: Advancing Safety By Reducing Errors: A Fresh Approach – Autrey (3 hrs)
• Suffolk – Tutorial: Improving Safety Management by Using a Risk Management Policy in Your Daily Operations – Fitzgerald (3 hrs)
• Wellesley – Committee & Group Meetings (continued)

2:30 - 3:20

4:00 - 4:50


SCHEDULE – Wednesday 14 August
4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Rooms: Arlington, Berkley, Clarendon, Dartmouth

8:00 - 8:50
• Arlington – Human Factors (Robins): ASL – Affective Safety Leadership – Ramsing
• Berkley – Public Safety (Fletcher): The Study on the Accident Causation Rule of Macroscopic Accidents in China – Zeng, Luo, Tian
• Clarendon – Lifecycle Safety (Swallom): Maintenance Hazard Analysis – Tan

9:00 - 9:50
• Arlington: Exxon Valdez: Human Error Plain and Simple – Barondes
• Berkley: Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity – Zheleznov
• Clarendon: Development of a System Safety Case for Automotive Electric/Electronic Systems – Sundaram, Hartfelder

10:30 - 11:20
• Arlington: Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems – Vernacchia, Green, Llaneras
• Berkley: Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation – Smirnov, Yurkov, Syagin, Koshina
• Clarendon: Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes – Laabs, Allison, Russell

International Luncheon, Salons A-E. Guest Speaker: Dr. John McDermid, The University of York, UK. Menu: Asian Inspired Salad; Teriyaki Chicken, Coconut Rice, Seared Bok Choy; Triple Chocolate Tower: White, Dark, and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

1:30 - 2:20
• Arlington – Workshop: The Evolution of the UK Defence Safety Standards – McDermid
• Berkley – Safety Topics (Gauthier): Introducing Safety Assurance Influenced Design of Health IT Systems – Despotou, Luckcuck, Kelly, Jones
• Clarendon – Risk Assessment (Karedes): Quantitative Risk Assessment in Aviation Safety Risk Management – Hewitt, Pham
• Dartmouth – Tutorial: Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System – Behnke, Damstra, Villhauer (2 hrs)

2:30 - 3:20
• How Complex Systems Fail-I: Decomposition of the Failure Histogram – Zito

4:00 - 4:50

6:00 - 10:00
• Wolfgang Puck Dinner and Lightning Show at the Museum of Science


Rooms: Exeter, Fairfield, Suffolk, Wellesley

8:00 - 8:50
• Exeter – Human Factors II (Flint): Development of Education Program Integrating Flight Safety and Psychological Stress – Liu, Wang, Liu, Bai, Guo
• Fairfield – Tutorial: Why You Should Care About the "-Ilities" – Southwick (3 hrs)
• Suffolk – G-48 Meeting – West (6 hrs)
• Wellesley – Committee & Group Meetings

9:00 - 9:50
• Exeter: Research on Evaluation Index and Method of CRM Dynamic Training – Wang, Liu, Bai, Liu, Guo, Guo

10:30 - 11:20
• Exeter: Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events – Garvey, Joglar, Collins

1:30 - 2:20
• Exeter – Tutorial: Where Hard Meets SOFT: Human Factors Role In System Safety Engineering – Brisbois (2 hrs)
• Fairfield – Workshop: Aircraft Fire & Explosion – How Safe are the Friendly Skies? – Moussa
• Suffolk – G-48 Meeting (continued)
• Wellesley – Tutorial: Using Risk Profiles for Safety Management of Large Scale Operations – Fitzgerald (3 hrs)

2:30 - 3:20

4:00 - 4:50


SCHEDULE – Thursday 15 August
4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Rooms: Berkley, Clarendon, Dartmouth

8:00 - 8:50
• Berkley – Space Systems (Durmaz): Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy – Dang, Moran, Jackson
• Clarendon – Weapons Safety (Southwick): Security Critical Software — the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age – Alborzi
• Dartmouth – Hazard Identification (Oliver): Closing the Gaps in System Safety Coverage – Siow

9:00 - 9:50
• Berkley: Tailoring of MIL-STD-882E for Space Systems Acquisitions – McDougall, Jackson
• Clarendon: Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics – Adams, Tomasello
• Dartmouth: Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods – Myklebust

10:30 - 11:20
• Berkley: Cryogenic Safety for Space Launch Vehicles During Ground Operations – Iyengar
• Clarendon: A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects – Pham, Sivapragasam
• Dartmouth: Design With Safety Eye – Erdem, Aydin

Awards Luncheon, Salons A-E. Menu: Caesar Salad; Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce; White Chocolate and Blood Orange Torte

1:30 - 2:20
• Berkley – Aerospace Software (Beecher): Making the Implicit Explicit: Towards an Assurance Case for DO-178C – Holloway
• Clarendon – Public Safety II (Laabs): Integrating System Safety and Emergency Management – Hardy
• Dartmouth – Hazard/Risk Management II (Kniess): Towards Automatic Verification of Safety Properties in AADL System Models – Björnander, Graydon, Land

2:30 - 3:20
• Berkley: Uncertainty and Confidence in Safety Logic – Graydon
• Clarendon: Safety in Deepwater Well Containment Operations – Robins
• Dartmouth: Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events – Allison, Jerdak

4:00 - 4:50
• Berkley: Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System – Yang, Xie, Yousefi
• Clarendon: A Taxonomic Analysis On Chinese Special Equipments "Yinhuan" in Supervision – Fan, Luo, Lu
• Dartmouth: Leading Indicators in Aviation Operations – Fletcher, Dokas


Rooms: Exeter, Fairfield, Suffolk, Wellesley

8:00 - 8:50
• Exeter – Tutorial: Conceive of Modeling On Operation Mechanism of Public Safety Standardization – Luo, Huang (6 hrs)
• Suffolk – Panel: G-48 Pressing Issues Facing System Safety – West (3 hrs)
• Wellesley – Committee & Group Meetings

9:00 - 9:50

10:30 - 11:20

1:30 - 2:20
• Exeter – Tutorial (continued)
• Wellesley – Committee & Group Meetings (continued)

2:30 - 3:20

4:00 - 4:50

SCHEDULE – Friday 16 August
Simmons Room, 6:30 - 8:00: Speakers' Breakfast

Rooms: Clarendon, Dartmouth, Regis

8:00 - 8:50
• Workshop: Process Safety Culture Best Practices – Pearlman (2 hrs)
• Best Paper 1
• Lessons Learned & ISSC Staff Turn-over Meeting

8:50 - 9:30
• Best Paper 2

10:00 - 10:40

10:50 - 11:30


3, 2, 1... SAFETY

System safety is paramount. It impacts our products, employees, technicians, and maintenance personnel. And safety is no accident – it is designed into everything we do. We are proud to sponsor this year's International System Safety Conference and their mission to think outside the box when it comes to the best processes, methods, and techniques. We're committed to delivering innovative ideas and solutions that help connect, protect, and explore our universe.

www.lockheedmartin.com/ssc

© 2012 Lockheed Martin Corporation


Tutorials

The conference organizers have an information-packed tutorial program planned in conjunction with the 31st ISSC. Attending tutorials, as well as other elements of the Technical Program at the 31st ISSC, meets the requirements for Continuance of Certification credit through the Board of Certified Safety Professionals (BCSP). The University of Cincinnati will issue Continuing Education Units (CEUs) for participation in the conference tutorials. CEUs are issued on the basis of 0.1 CEU per instructional contact hour. You must be present for at least 90% of the tutorial to receive CEUs and a tutorial completion certificate. Your attendance is verified via the process outlined below.

• At the start of the tutorial, you'll clearly print your name in the attendance form exactly as you want it to appear on the certificate.
• After returning from each break during the tutorial (morning, lunch and/or afternoon), you'll initial the attendance form.
• You must be present at the end of the tutorial to receive your certificate and the CEUs.

If there are misspellings on the CEU certificates, please mark the corrections and give them back to the instructor or leave them at the registration desk.

Monday 08·12·13, 8:00-11:30, Exeter, Tutorial, 0.3 CEU

Hands-On System Safety Basics Focused on FHA
Instructors: Werner Winkelbauer, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria

An overview of a generic safety process best suited for small to medium sized projects, in relation to the project lifecycle, is given. For each major project phase, the respective safety process phase, safety objectives, and necessary inputs and outputs are detailed. Some state-of-the-art analysis techniques are explained. Special emphasis is placed on the Functional Hazard Assessment, where practical guidance for a Functional Failure Modes and Effects Analysis is presented.

The content of this tutorial is based on experience from an internationally operating company.

Objective: Basic understanding of a safety process and the practical implementation of a Functional Failure Modes and Effects Analysis.

Monday 08·12·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Introduction to Fault Tree Analysis Using CAFTA Software
Instructor: Jean Francois Roy, Nuclear Division, Risk & Safety Management Group, Electric Power Research Institute, Palo Alto, CA, USA

This tutorial will introduce Fault Tree Analysis using CAFTA software. Attendees will first review fault tree methodology and terminology. Construction of a fault tree model in CAFTA will then follow a brief review of CAFTA's components and symbol types. In constructing the fault tree model, topics covered will include projects, navigation, editing shortcuts, and how to add probabilities. An overview of basic event probability formulas, type codes, and variables will be included, as well as printing and quantification processes.

Tuesday 08·13·13, 8:00-5:00, Arlington, Tutorial, 0.6 CEU

A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique
Instructors: Nancy G. Leveson, PhD, John Thomas, PhD, Aeronautics and Astronautics, MIT (Massachusetts Institute of Technology), Cambridge, MA, USA

STAMP is a new accident causality model that expands on the old models in order to handle the increased complexity, software, and changing human roles in today's systems. Using STAMP as a foundation, new tools have been built for hazard analysis (STPA), accident analysis (CAST), organizational risk analysis and risk management, etc. This tutorial will concentrate on STPA. The tutorial will start with a brief introduction to STAMP and the systems approach to safety engineering. The rest of the time will be devoted to learning STPA and doing exercises. Students are encouraged to bring problems from their own research domains so that they can try this analysis method on something very relevant to their work.

STPA is being used successfully in almost every industry. Several groups have evaluated STPA empirically by comparing the results with standard hazard analysis techniques. In all cases, STPA found all the hazard scenarios found by the other methods, but also found additional ones involving software, human errors, and unsafe interactions among system components. In a couple of cases where STPA and the other methods were applied to a design in which an accident had occurred (without telling the analysts), STPA was the only method that found the real accident scenario.

By the end of the tutorial, attendees will be able to apply STPA to a system in their field of expertise.

Tuesday 08·13·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Assurance Cases as Means of Evidence Based Development of Critical Systems
Instructor: George Despotou, BEng, MSc, PhD, CEng, Department of Computer Science, University of York, York, United Kingdom

Often developers have the onus to defend a position (i.e., make a case) about the safety of their system. This usually involves an explanation of how the available information for a system supports the claim that risks in the system have been acceptably managed.

Safety cases have been used in the safety domain for a number of years, mostly in the defence, aerospace, and energy domains. Their usefulness as a tool for improving safety has been appreciated by many practitioners, and development of a safety case is a requirement in many standards. This has resulted in the core concepts of safety cases being transferred to other domains (e.g., automotive) and being focused on other system attributes (e.g., security cases). Recently, the term "assurance case" has been introduced, which encompasses not only safety but other relevant critical aspects of a system, such as security.

A case exists to communicate an argument. It is used to demonstrate how someone can reasonably conclude that a system is acceptably safe from the evidence available. A case is a device for communicating ideas and information, usually to a third party (e.g., a regulator). In order to do this convincingly, it must be as clear as possible. Safety case definitions may differ between domains, but all definitions converge on a set of characteristics.

Development of a (safety) case is a requirement in many standards. Beyond that, the usefulness of the safety case has been appreciated in industry, and it is used by many organisations as good practice. The reason for this is that explicitly capturing all reasoning and information (about the supported position), such as assumptions and evidence, facilitates assessing the fitness of the design to meet its (safety) objectives. A manufacturer will design a system aiming to achieve the required operational attributes. However, what is intended is often not what is achieved. Once the reasoning of the developers is explicitly documented as claims and arguments supported by evidence, the gap between what was intended and what was achieved becomes more apparent.

Explicitly documenting a case contributes towards a factual representation of the system, revealing which claims can be supported by evidence and which remain intentions (for example, because there is not sufficient evidence to support them). This does not necessarily imply that the latter claims have not been implemented, but that we are unaware of their achievement because they are not sufficiently supported. There can be three reasons why a claim is not sufficiently supported: a) there is not sufficient evidence to warrant the claim; b) although there is evidence, there is inadequate explanation (a problematic argument structure) of how the evidence supports the claim; and c) the claim was phrased in a way that is unsupportable.

The tutorial describes the basic concepts of assurance and safety cases (including recent OMG standards), explains the main challenges in developing an assurance case and their relationship to safety standards (safety cases and standards serve different purposes and should be seen as complementary), and presents best practice (and misconceptions) regarding assurance cases.

Tuesday 08·13·13, 8:00-11:30, Suffolk, Tutorial, 0.3 CEU

Practical Generation of Safety Cases with the Help of GSN
Instructors: Andreas Gerstinger, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria

This tutorial will introduce you to the concept of safety cases. Safety cases are structured arguments that support the claim that a system is safe to be used for a given application in a given environment. Several standards require the production of such safety cases as a prerequisite for approval. The tutorial will highlight good and bad practices when developing safety cases and will introduce you to a notation specifically developed for the generation of safety cases: the Goal Structuring Notation (GSN). There will be practical examples which need to be solved by the attendees, so that hands-on practice and experience is gained.

Detailed outline of the tutorial:

Introduction (1h): The tutorial will start with a survey of current safety standards (IEC 61508, ISO 26262, EN 50128, DO-178C) and analyse their views and requirements regarding safety cases. We will then delve into the nature of safety cases, briefly touch on their historical origins, and clearly consider what can and what can't be expected from a safety case. Based on our practical experience, we will also highlight some typical bad practices when constructing safety cases. This helps to read them correctly and critically, and is also a helpful guideline for reviewing other safety documentation. This part of the tutorial is largely a presentation.

Goal Structuring Notation (45 min): We will now introduce the main elements of the Goal Structuring Notation (GSN), which is a helpful tool to document safety cases. The presentation of the notation will be interleaved with brief examples, exercises, and questions, so that attendees have the chance to fully understand the meaning and purpose of the various symbols. A structured method for how to proceed when drafting safety cases will also be presented. Hence, this part of the tutorial is much more interactive, requiring active participation of attendees.

Case Study (45 min): A realistic case study will then be handed out. It is expected to be solved as group work (groups of 3-5 people are expected). The task of the groups will be to draft and present a sound safety argument for a given claim that the system in the case study is acceptably safe for a specific application in a given environment. GSN shall be used as the notation for this purpose. At the end, the groups present their solutions, and the advantages/disadvantages of the presented solutions are discussed. This part of the tutorial is group work.

Concluding Remarks (30 min): Finally, we will offer some concluding remarks consisting of hints on how to avoid common errors and fallacies in safety cases, show some examples of real-world safety cases, and finish with a personal conclusion.

Tuesday 08·13·13, 1:30-5:00, Suffolk, Tutorial, 0.3 CEU

Improving Safety Management by Using a Risk Management Policy in Your Daily Operations
Instructor: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS – Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA

The focus of the tutorial is the use of risk assessment and risk management in the (non-technical) occupational safety and health profession. Domain of Interest: Hazard/Risk Management or Workplace Safety.

First hour: Review the basics of the various components of risk and types of risk assessments. Stress that the safety and health professional needs to understand that risk is more than a simple subjective measure of severity and frequency.

Second hour: Demonstrate how to make risk assessment into a powerful management tool by customizing the assessment of risk for use in a company or industry. Also provide insights on how to "sell" a risk management policy/program within a company.

Third hour: A discussion of how to use risk management as a tool to aid you in your daily office or program management responsibilities: the planning, organizing, staffing, leading, and controlling of a safety program. Embedded in the discussion is how risk can provide a measure of the success of an occupational safety and health program.

Wednesday 08·14·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Why You Should Care About the "-Ilities"
Instructor: Alan E. Southwick, BSEE, MME, MBA, CSP, CQE, CRE, Whole Life Engineering Directorate, Raytheon Company, Integrated Defense Systems, Portsmouth, RI, USA

The topic addresses the interrelationships developed from Quality, Quality Control, and Quality Engineering pursuing Specialty Engineering roles and relationships, including Reliability, Maintainability, Supportability, Human Factors, Safety, and Security (Information Assurance), from an overview perspective. The tutorial is designed to be somewhat interactive, presenting examples and questions to the audience related to the various topics discussed, thereby engaging participants and providing them with insights into the various disciplines and how they relate within "Specialty Engineering".

Wednesday 08·14·13, 1:30-3:30, Dartmouth, Tutorial, 0.2 CEU

Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System
Instructors: Tim R. Behnke, BSEE; John Damstra, BS Mathematical Sciences; and Eric D. Villhauer, BS Aerospace Eng., BA Economics; Specialty Engineering, General Atomics Aeronautical, Poway, CA, USA

The presenters share their implementation of a hazard analysis that integrates the civil aviation approach to safety analysis per SAE ARP 4761 and the defense approach to safety analysis per MIL-STD-882E, along with their implementation of the associated hazard tracking system in DOORS.

• Introductions - Behnke - 5 mins
• Need for System - Behnke - 5 mins
• Groundwork (historical) - Behnke - 10 mins
• Development - Damstra - 30 mins
  i. Modules
  ii. Attributes
  iii. DXLs
  iv. Views
  v. Exports
• Usage - Villhauer - 30 mins
• Questions - All - 10 mins


Wednesday 08·14·13, 1:30-3:30, Exeter, Tutorial, 0.2 CEU

Where Hard Meets SOFT: Human Factors Role in System Safety Engineering
Instructor: Fred W. Brisbois, CHCM, Safety, Sikorsky Aircraft, International Helicopter Safety Team, Guilford, CT, USA

The gap that allows accidents to happen is sometimes where System Safety Engineering and Human Factors don't overlap. System Safety Engineering processes defined in MIL-STD-882 and ARP 4761 provide a structured approach of applying engineering practices to ensure safety is designed into products. These practices, coupled with robust product safety surveillance and management during the aircraft's service life, offer opportunities to continuously raise the standards for future designs. However, to maximize the benefits of safety engineering, it is important to master the 'art' of how and when to integrate human factor interventions into the system design. This session will cover a generic overview of system safety engineering, aircraft fleet safety management, and lessons learned from 'human' malfunctions that led to aircraft system design changes.

Wednesday 08·14·13, 1:30-5:00, Wellesley, Tutorial, 0.3 CEU

Using Risk Profiles for Safety Management of Large Scale Operations
Instructor: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS – Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA

This tutorial provides safety and health professionals who work with large scale or multiple operations with a methodology to evaluate and compare these operations. The tutorial begins with a review of four types of risk which need to be assessed (People, Product, Production, and Planet). This is followed by a brief discussion of normalizing the risk components of severity and probability. The heart of the tutorial is the description of how to measure the total risk of various operations, processes, and facilities and present the resulting risk profiles to management. The tutorial will conclude with a brief discussion on the validity of the methodology used. Note: This is not a discussion on how to determine true total risk, but a simplified method using a minimum of math. The tutorial is designed for safety and health professionals working within a company that has multiple processes or facilities that compete for funding to ameliorate hazards.

Thursday 08·15·13, 8:00-5:00, Exeter, Tutorial, 0.6 CEU

Conceive of Modeling On Operation Mechanism of Public Safety Standardization
Instructors: Yun Luo and Yuecheng Huang, ME, School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

On the basis of the theories and methods of system science and strategy systems, this paper reveals the operating law of the standardization of safety production and the relations between all its elements, combined with the background and current situation of public safety standardization in China. It also builds the framework of a macroscopic operating mechanism and the "456" model of the work safety standardization system operating mechanism, which draws on the implementation and achievements of work safety standardization in China. Besides, it also designs six other mechanism models in order to carry out systematic analysis and present optimized countermeasures, such as comprehensive management by government, categorized supervision by department, implementation of responsibility by organization, technological service by agency, wide participation by society, self-disciplined prodding by all personnel, and so on. The research provides some theoretical directions as well as approaches for the construction and improvement of the operating quality of public safety standardization.

Panel Discussions / Forums

Tuesday 08·13·13, 8:00-11:30, Dartmouth, Open Forum

Developing Global System Safety Perspectives
Moderator: Robert Ward Fletcher, PEng, MSc, PMP, PCIP, Consultant, President, Robert Fletcher System Safety Inc., Ottawa, Ontario, Canada

This will be a free form discussion moderated by Bob Fletcher, SSS Director of International Development. It is a continuation of the discussion started during the 30th ISSC.

Robert is a system safety engineer with many years of experience. He has performed system safety consultancy services work for several clients around the world. He performed system safety engineering and safety management systems training, auditing, and analysis for air traffic control and flight service system applications. Robert has received an MSc from the United States Navy Post Graduate School, a diploma from the Aerospace Systems School, Winnipeg, Manitoba, and a Bachelor of Science degree from the Royal Military College. He is a registered professional engineer, a member of the Project Management Institute, and the Critical Infrastructure Institute.

Thursday 08·15·13, 8:00-11:30, Suffolk, Panel

G-48 Workshop - Pressing Issues Facing System Safety
Moderator: David B. West, CSP, PE, CHMM, Systems, Software and Solutions Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA

A panel of speakers (TBD) will give a series of presentations on the most pressing issues facing the System Safety community today.

Workshops

Tuesday 08·13·13, 8:00-11:30, Exeter, Workshop

ISO 26262-Style Risk Assessment
Presenter: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada

ISO 26262 is a functional safety standard for electronic control systems in road vehicles which includes a novel approach to risk assessment that overcomes the widely recognized difficulty of evaluating the likelihood of failure in the case of software-intensive systems. Although it was devised for use in the automotive domain, this approach to risk assessment has been used successfully in other technical domains that also rely on safety-critical software. Following a brief introduction to ISO 26262, participants will engage in a series of problem-solving small-group exercises based on examples taken from a variety of technical domains, including automotive, medical devices, energy, and defense. The workshop will include opportunities for discussion and comparison of sample solutions. The workshop will also include a brief comparison of the ISO 26262 approach to risk assessment with the notion of software criticality in MIL-STD-882E. While this workshop will be of particular interest to system safety engineers in the automotive industry, it is intended to be relevant to system safety engineers across all technical domains with an interest in the assessment of safety risk associated with complex software-intensive systems.


Tuesday 08·13·13, 1:30-5:00, Exeter, Workshop

Application of System Safety Methods to Systems of Systems
Presenters: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada; Rami Debouk, Electrical and Controls Integration Lab, General Motors, Warren, MI, USA; Antonio Vergara, ITER Organization, St Paul-lez-Durance, France

This workshop will facilitate an exchange of knowledge among participants about the application of system safety methods to Systems of Systems (SoS) – that is, systems whose components are themselves complex systems, such that the combined behavior of these components cannot be easily understood or explained in terms of the behaviors of the individual components. Examples of such systems are increasingly common across a variety of technological domains, including aerospace, defense, automotive, and energy generation/distribution. Traditional methods of system safety, focused on component failure as a source of safety risk, have limited value in understanding and managing the safety risks associated with a SoS. For example, an unforeseen interaction between two "correct" behaviors implemented by different components of a SoS may result in an unsafe behavior even in the absence of a component failure. The first part of the workshop will be a series of short presentations on SoS examples from a diverse variety of technical domains - namely advanced road vehicles, high energy physics, and aerospace/defense. The second part of the workshop will be an opportunity for all participants to address specific questions about the application of system safety methods to SoS through dialogue and impromptu mini-presentations.

Tuesday 08·13·13 1:30-5:00 Fairfield Workshop

Advancing Safety By Reducing Errors: A Fresh Approach
Presenter: Tim Autrey, BSc, Error Reduction and Human Performance Enhancement, Practicing Perfection Institute Inc., Swanzey, NH, USA
Potential hazards workers face while working in the refining and petrochemical industry can vary from minor leakage to major blasts: releases of chemical vapors, spills leading to exposure to harmful gaseous chemicals, fires and explosions, smoke build-up causing shelter-in-place orders impacting the local community, personal injuries, fatalities, and plant damage resulting in shutdowns. Considering time pressures, the dangerous nature of the job, weather conditions, lack of communication, poor/inadequate documentation and remote working locations, planners, locators and refiners often face combined challenges that generate very error-likely conditions.

While unexpected releases of toxic substances do occur, the industry is subject to vulnerabilities caused by others (such as processes involving highly hazardous chemicals leading to the release of flammable liquids and gases, and worker stress and fatigue), and investigations reveal that many of the major accidents that do occur could have been prevented through greater diligence on behalf of the respective personnel involved.

This workshop is designed to provide the participants the awareness that, as humans, we are fallible (even the best people make mistakes). However, this being said, as humans we also possess the incredible power of choice. What we must do is choose to learn from our mistakes and take actions to prevent their recurrence.

Bird and Germain (1996) rightly said: "What is the sense of measuring if the loss must occur before you can act? That is reaction, not control." What we need is a fresh approach to enhance safe work practices. This session will instill a strong understanding of "The Gap" in processing information and how to RESPOND rather than REACT when posed with a stressful or threatening situation. The participants will come to recognize the value inherent in worker contribution to solving problems and improving safety and efficiency.

The Practicing Perfection® approach has taken the best-of-the-best tactics and tools from the US commercial nuclear power and airline industries, simplified them, and combined them with underlying triggers and influencers of behavioral psychology to transform worker behaviors pertaining to personal and process safety in different sectors.


Using this innovative approach of Practicing Perfection®, safe work practices will be discussed in depth using the four human error barrier/defense categories and how these work together to prevent/allow an event to occur. The participants will be introduced to the Error Elimination Tools™ handbook, which offers simple tools for minimizing the potential for error at points of team interaction and individual execution.

Wednesday 08·14·13 1:30-3:30 Arlington Workshop

The Evolution of the UK Defence Safety Standards
John McDermid, Professor of Software Engineering at the University of York, UK
Issue 5 of DS 00-56 is being developed and is likely to be in force before the end of the year. The UK's primary defence safety standard, DS 00-56, has been in existence since mid-1990 and has undergone a number of changes, becoming more goal oriented at Issue 4 (the current standard). When Issue 4 was produced, DS 00-55, the MoD software safety standard, was discontinued. Since the publication of DS 00-56 Issue 4 in 2007 there has been feedback on some of the requirements, including the challenges of applying the ALARP principle; defence contracting has changed, with a move towards the greater procurement of services and/or outsourcing management of facilities; and there is increasing use of Systems of Systems (SoS). Issue 5 of DS 00-56 is being developed to address these issues. At the same time there have been increasing concerns regarding software safety, and it has been decided to re-introduce DS 00-55 at the same time, albeit in a goal-based style consistent with DS 00-56 and also covering complex electronics. The tutorial will present an explanation of the motivation for the changes to the standards and the significant conceptual changes, and outline the rest of the development process. Time will be allowed for discussion, e.g. the relationship between DS 00-56 and other standards, both civil and military.

Wednesday 08·14·13 1:30-3:30 Fairfield Workshop

Aircraft Fire & Explosion – How Safe Are the Friendly Skies?
Albert Moussa, PhD, PE
While commercial air travel is an extremely safe mode of transportation, aircraft fires and explosions can occasionally occur with catastrophic consequences. Using examples of recent accidents and full-scale testing, Dr. Albert Moussa will provide an overview of the main types of fires, such as those involving the aircraft engine, fuel tank, cabin and cargo areas. He will show how major accidents lead to safety recommendations by the NTSB, stricter requirements by the FAA and improved practices by the industry. This process takes many years, leading eventually to safer skies. Examples of safety improvements include the use of a fire blocking layer in seats, improved acoustic insulation, fire detection and suppression systems in cargo bays, and fuel tank inerting. The implications of replacing aluminum with composite materials will also be discussed. The talk is an overview of a unique professional course that he teaches annually on the design of aircraft systems for protection against fire and explosion. The talk is a multimedia presentation illustrated with colorful slides and short video clips of real accidents and computer model outputs.

Dr. Albert Moussa has spent over forty years developing a fundamental understanding of fire and explosion, particularly for the aerospace/defense industry. His work has led to the development of a number of practical solutions and quantitative models and to the investigation of several major national and international aircraft fire accidents. His forewarning about the vulnerability of aircraft fuel systems before the occurrence of the TWA 800 and Concorde disasters has gained him prominence in the general media in both the US and Europe. He has consulted for the Air Force, Navy and major firms such as Boeing, GE, Northrop Grumman and Parker Hannifin, and has served on national advisory committees and on the Editorial Board of an ASME journal. He teaches a unique professional design course on how to protect aircraft systems against fire and explosion. He received his BS from Stanford University and his MS and ScD from MIT. He has published widely, including one book. He has received several honors, including the William Littlewood Memorial Lecture Award by SAE/AIAA, Engineer of the Year by AIAA NE Section, best papers by SAE and ASEI, AIAA Distinguished Lecturer and several ASME citations. He is the Founder and Technical Director of BlazeTech Corp., an engineering firm that specializes in technology and software development in the area of energy, environment and safety.

Friday 08·16·13 8:00-10:00 Clarendon Workshop

Process Safety Culture Best Practices
Presenter: Laurence Pearlman, MA, Corven Inc. and University of Illinois at Urbana-Champaign, Naperville, IL, USA
The workshop explores how process safety is more than a technical solution and involves cultural change. To make a successful and sustainable culture change, multiple elements need to be combined that address people, rewards, learning and leadership. This workshop will explore best practices and give practical advice on how to build a process safety culture. The workshop is aimed at oil, chemical and other process-related work.

• Introduction
• Change as a Journey: Overview of Change Management
• Building a Business Case: Defining a Burning Platform
• Speaking of Process Safety: Creating a Common Language for Process Safety
• Leadership Matters: Defining the Role of Your Leadership Teams
• Effective Learning: Segmenting Your Audiences and Delivering Relevant Learning Activities
• Looking at Behaviors and Desired Outcomes: How To Define & Drive Behaviors
• The Employee Lens: Know My Barriers & Know My Role in Keeping Them Healthy
• Measurement of Culture: What Works and What Doesn't
• Wrapping it Up: Change as a System

You have a lot on the line. Our adaptive Safety Management and FAA Compliance solutions won't let you down.

Adaptive SMS – The comprehensive solution for the most efficient implementation
• Extends a culture of safety beyond safety teams
• Easily guides users to confidentially report useful safety events
• Responsiveness shows users they made a difference

Adaptive Systems Safety Analysis – Safety oriented system design analysis

Don't miss the Sikorsky Aircraft and AST Aerospace presentation "Linear Integrated Safety Analysis (LISA)"

A DIVISION OF ATLANTIC SOFTWARE TECHNOLOGIES
1-732-230-2590
sales@astaerospace.com
www.astaerospace.com


Paper Presentations

Monday 08·12·13 AM Berkeley Hazard Analysis, Chair: Barondes

Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models
Lucas Wind, Dr. Gabriele Schedl, Juergen Floetzer, Safety Management Department, Frequentis AG, 1100 Vienna, Austria
Multiple failures of components due to shared causes, also known as Common Cause Failures (CCF), comprise an important class of failure types. These have to be taken into account in any serious assessment of safety critical systems deploying any redundancy concept. Whereas a qualitative assessment of CCF can be regarded as common practice, the exact numerical impact of CCF is usually less widely understood. Explicit representation of CCF is quite cumbersome and usually involves complex graphical representations within Fault Trees and RBDs. Focusing on a correct derivation of RAM data rather than on a comprehensive common cause analysis, an implicit representation of CCF is therefore often preferred, but it requires in-depth knowledge of the underlying mathematical models. This paper aims to enable safety experts to make a fast, simple but effective RAM analysis including CCF. Popular CCF models are reviewed together with their advantages and disadvantages, based on the long-term experience of a supplier in the context of a large European ATM project. The single-parameter beta-factor model is explained in detail and demonstrated to be most effective for typical ATM applications. Based on this model, results are given in terms of representative figures depicting the influence of CCF on various typical real-world availability requirements.

Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees
Wes Rainey, MSEE, Life Cycle Engineering, General Dynamics Electric Boat, Groton, CT, USA
Fault Trees prove to be an effective tool for identifying safety critical system hardware and software requirements during the Safety Requirements Hazard Analysis (SRHA) process. This safety analysis methodology offers significant benefits when performing the SRHA. Fault Trees effectively communicate the safety assessment of a safety hazard to other safety engineers, systems engineers, the customer and other impacted engineering disciplines in a manner that each discipline can readily understand and evaluate for completeness and correctness. Fault Trees also enhance the safety engineer's ability to assess the implications of safety mishaps and events on safety hazards, improving visibility into the relationship between related mishaps and events and allowing common events to be identified and shared between hazards. Fault Trees can then be structured to correspond to the system hardware and software requirements analysis, thus providing the ability to identify hazard-mitigating safety critical requirements, design features and procedures early in the development process for continued tracking and management. This paper describes significant benefits of Fault Tree analysis when applied to an SRHA, with an example based upon a hazard caused by significant equipment damage to a pump.

The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment
Omar T. Jaradat, PhD Student (1); Patrick J. Graydon, Postdoctoral Research Fellow (1); Iain Bate (2). (1) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden; (2) Department of Computer Science, University of York, York, United Kingdom
Typical safety standards require software engineers to show that a plan of safety activities, chosen from recommended options or alternatives, meets a set of objectives. For example, the automotive safety standard ISO 26262 recommends formally verifying software architectures to show that they comply with safety requirements. In this paper we show how an existing approach to architectural model checking could be used to conform to ISO 26262.

The Architecture-Based Verification Technique for AADL Specifications verifies some completeness and consistency properties of Architectural Analysis and Design Language (AADL) models. An engineer transforms the AADL architecture into an UPPAAL model, generates a set of UPPAAL queries and uses UPPAAL to check the queries. Using the resulting evidence, we have created a partial ISO 26262 safety case for an existing system that warns drivers of heavy vehicles before low fuel causes loss of power and vehicle control.

In this paper we demonstrate how this model-checking evidence contributes to an ISO 26262 safety case. We then critically analyze the resulting argument, recommend means of achieving complete coverage of ISO 26262 objectives, and discuss the costs and benefits of architectural model checking in comparison to those of the other techniques recommended by ISO 26262.

Monday 08·12·13 AM Clarendon Ground Transportation, Chair: Millin

Achieving Confidence of a Safety Critical System Product and Its Applications
Fenggang Shi, PhD, RAMS Department, Thales Canada Transportation Solutions, Toronto, ON, Canada
A safety critical system product can be developed for multiple project applications, such as a Communication Based Train Control (CBTC) product for modern railway signaling systems. It is natural that different safety critical systems in the same domain can have different characteristics due to variances of devices and operating environment. Such a product must be developed based on the generic attributes of systems in the domain, and can be parameterized and tailored to a specific system with the characteristics expected by the customer. The key issues in the development of such a product are defining common functions in the application domain, categorizing and generalizing devices, and designing a configurable system architecture. Thus devices and functions can be parameterized and tailored for a specific system of a project. Safety engineering for such a safety critical system product and its applications faces complexity in safety case development for demonstrating systematic hazard analyses and management. This paper discusses Thales' experience and practice of resolving the key issues in designs and managing the complexity of safety engineering on its CBTC product and applications. Safety confidence of CBTC systems is achieved through four layers of safety engineering: vital computer, controller platform, generic application and specific application.

Failure Logic Automata for Future Oriented Safety Assessment of Train Control System
Guo Zhou, PhD Student; Huibing Zhao, Professor; School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China
In the development of train control systems, safety analysis may deviate from system design. System engineers and safety engineers often carry out their ideas in entirely different ways, so that when system engineers assert that their designs are complete and feasible, the safety engineers may disappointedly declare that the safety requirements are not met. Conversely, when safety engineers present their manual analysis reports (FTA, FMECA, etc.), system engineers may point out inconsistencies. Intuitively there seems to be a "gap" between system engineering and safety engineering. In this paper, some comparisons amongst classic safety assessment methods are performed first. Then a future oriented safety assessment method is introduced to safety engineering to automatically realize safety requirements verification in the face of the soaring complexity of system design. The hierarchical and modularized methodology of failure logic modeling is illustrated for minimal cut set synthesis and dangerous failure rate calculation, which can be referred to in order to promote safety. A mathematical model is constructed to demonstrate the correctness of the method. An instance analysis of an on-board train protection system is also performed.

Are We Ready for Driverless Cars?
David B. West, CSP, PE, CHMM, AMCOM/AMRDEC Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
For decades, technological advancements have continually improved the automobile, making it easier to drive. As we integrate features like adaptive cruise control, GPS navigation, lane keeping and so on, and make them interoperable, we move ever closer to having cars that will drive themselves to the destinations we enter into their programs. Some experts have even predicted that in less than a generation it will be illegal to steer our cars ourselves. Though it may seem that serious safety challenges constrain our movement down this path, it may actually be the safety benefits offered by driverless cars that propel us in this direction. Several high-profile competitions have fostered the development of driverless car technology. Some jurisdictions are already passing legislation to pave the way for driverless cars on public roads. With driverless cars will come major changes in legal processes involving accidents. In many ways the development of driverless cars that will operate on public roadways parallels the development of unpiloted aircraft that will fly in the national airspace. Design standards for hardware and software in civil aircraft (e.g. RTCA DO-254/DO-178) may serve as models for similar qualification of driverless car hardware and software.

Tuesday 08·13·13 AM Berkeley Hazard/Risk Management, Chair: Parizo

Safety is not an Option
Clifford A. Parizo, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Stratford, CT, USA; R. Brandon Daugherty, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Huntsville, AL, USA
This paper presents a method for evaluating and classifying rotorcraft safety-enhancing equipment in terms of impact on safety and various equipment implementation factors. Guidance from certifying agency policy and system safety standard practice were considered, resulting in a classification tool that can be used to determine if equipment should be marketed and sold as either mandatory or optional. The methodology developed may have applications for other products and industries.

National Aerospace Standard 411 Update
Timothy Sheehan, CIH, CSP, PE, Raytheon Global Substances Program, Raytheon, Portsmouth, RI, USA
This paper describes the effort to review and update National Aerospace Standard 411 ("NAS 411"), commonly used within defense as a framework to conduct Hazardous Material Management Programs (HMMP) intended to reduce hazardous material risks in the government procurement of military systems. The scope of the effort includes both a review of the standard and the introduction of several key changes, including the expansion of the scope to non-military procurements and service contracts. Included in the effort is the task of developing a standardized military Hazardous Materials Target List (HMTL) that can be used as a starting point for military HMMP hazardous material (HAZMAT) target lists. The development of the common HMTL addresses the need to increase standardization of HMMP lists across defense programs that use NAS 411 and/or MIL-STD-882E Task 108 to conduct their HMMPs. There is currently no standard approach for developing these lists; as a result, there are numerous different materials identified for restrictions and reporting requirements. The current situation often does not support (or reflect) the hazmat risk management goals of the DoD, the military services or the contractors.

Linear Integrated Safety Analyses (LISA)
Michael T. Grant, Aviation & Product Safety, Sikorsky Aircraft Corp., Stratford, CT, USA; Samad Muhammad, Atlantic Software Technologies Inc., New York, NY, USA
This paper describes the Linear Integrated Safety Analyses (LISA) process developed by the Sikorsky Aircraft Corporation (Sikorsky). The LISA architecture is designed to encompass all aspects of safety risk management for aircraft development programs. It is linear in that each assessment is repeated at the aircraft, system and subsystem levels in sequence, and it is integrated such that all analyses are connected and fully traceable to requirements. Sikorsky has partnered with Atlantic Software Technologies (AST) to develop a web-based LISA application. The end product will be a fully integrated system safety process that is comprehensive, repeatable and traceable.

Tuesday 08·13·13 AM Clarendon Workspace Safety, Chair: Kondreck

Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen
Han Zhang, MSc Candidate; Rachel McQueen, MS, PhD; Jane Batcheller, PhD; Human Ecology, University of Alberta, Edmonton, Alberta, Canada
Burn injuries in kitchens are prevalent, and chefs are also exposed to high heat and humidity. Limited research has been performed on safety issues related to chef's uniforms regarding thermal protective performance against common kitchen thermal hazards (i.e. flames, hot liquids, steam and hot surfaces) and thermal comfort within commercial kitchens. The purpose of this research was to characterize the thermal protective performance properties of textiles used in chef's uniforms in order to understand how protective they are against all these thermal hazards in such an environment. Selected thermal performance tests (i.e. flammability and ease of ignition, hot water and oil splash, steam testing under low pressure, and hot surface contact tests) were applied to predict the time to second-degree burn. Different fabric layer combinations (e.g. impermeable/semipermeable apron and two or more layers of cotton fabrics) were applied to determine the most effective way to wear chef's uniforms. In addition, thermal and water vapour resistance were compared among different fabric systems in terms of thermal comfort. Based on the data obtained from bench scale tests, recommendations were made to improve the thermal protection and thermal comfort of fabrics used in chef's uniforms and the safety within commercial kitchens.

A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources
Ray Fischer (1), Kurt Yankaskas, BS (2), Chris Page (1). (1) Noise Control Engineering Inc., Billerica, MA, USA; (2) Warfighter Performance Department, Office of Naval Research, Arlington, VA, USA
Noise remains the most prevalent occupational hazard associated with defense systems and the operations critical to their sustainment. Concurrently, acquisition programs have been inconsistent in the application of control measures, and many new systems are noisier than their legacy predecessors. Common impediments to improved control include a relative lack of emphasis on risk management of noise, lack of widespread technical knowledge regarding the feasibility of noise control, and misunderstanding of the potential return on investment from noise controls. The Defense Safety Oversight Council's Acquisition and Technology Task Force sponsored a project to identify common noise sources affecting multiple defense systems that were amenable to control measures that could be implemented using existing technologies at an affordable cost. A system engineering risk management process was applied to review key noise sources in DOD, identify nine of the more common sources amenable to control technologies, and describe common control measures for these processes. An affordable containment (acoustic enclosure) technology was also evaluated and described. Estimates were made of exposed populations, the range of their occupational exposures, and the potential risk and fiscal cost of hearing loss. Cost-benefit analyses were applied to evaluate the return on investment from available control measures.

System Safety Design for Safe Operation of Radars
Ronald J. Bartos, PE, CSP, Whole Life Engineering, Raytheon, Sudbury, MA, USA
Safe operation and maintenance of radars depends upon effective system safety and software safety analyses of radar designs. These analyses include identification of the hazards involved in operating and maintaining radars and the safety requirements that are necessary to mitigate these hazards. This paper familiarizes the reader with the system safety design requirements that are implemented in the controls of these systems in order to manage the potential safety risks inherent in radars. The safety features are contrasted among different types of radars. The differences in the types of safety features among these systems are highlighted, and factors for these differences are presented. The radar's mission, location, system architecture, conceptual design and requirements allocation between hardware and software need to be understood in order to implement an effective safety program.

Tuesday 08·13·13 PM Berkeley Software Engineering, Chair: Mikula

Dependability Techniques Applied to Space Software - A Research Project Report
Carlos Henrique Netto Lahoz, Dr. Eng., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos (SP), Brazil; Martha Adriana Dias Abdala, MS, Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos, Brazil
This work reports some results of a research project performed at the Institute of Aeronautics and Space (IAE), Brazil, using dependability techniques applied to a space computer system. Hazard analysis techniques such as Software FTA and Software FMECA were used in an integrated manner, and more recently the System-Theoretic Process Analysis (STPA) has been studied. This research is part of the Verification and Validation (V&V) efforts to increase software dependability capability in software projects at IAE.

The feasibility of such an approach was conducted on a system software specification and applied to a case study based on the Brazilian Launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to the inclusion of new functional and non-functional system software.

The techniques are adjusted and used in combination to identify common causes of software failures, their criticality, performance problems, temporal misleading and hazards arising mainly from dysfunctional interactions between components. The SFTA analysis produced 82 basic events and the SFMECA 34 analyses from the sequence of flight and control events. The STPA is being applied to one of the case study scenarios in order to evaluate possible additional information about how the behavioural safety constraints can be violated.

The Principles of Software Safety Assurance
Richard Hawkins, PhD; Ibrahim Habli, PhD; Tim Kelly, PhD; Department of Computer Science, University of York, York, United Kingdom
We present common principles of software safety assurance that can be observed from software safety standards and best practice. These principles are constant across domains and across projects and can be regarded as the immutable core of any software safety justification. The principles also help maintain understanding of the 'big picture' of software safety issues whilst examining and negotiating the detail of individual standards, and provide a reference model for cross-sector certification.


Formal Modelling in the Development of Dependable Systems
Elena Troubitsyna, PhD, IT, Åbo Akademi University, Turku, Finland
Nowadays we tend to place increasing reliance on computer-based systems and the software they run. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, the analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.

It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing of software to the required degree of dependability infeasible, and hence the emphasis should be put on a development process aimed at producing fault-free software. Moreover, the system environment has a direct impact on its dependability, and hence a systems approach should be applied.

In the paper we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.

Tuesday 08·13·13 PM Clarendon Aerospace Safety, Chair: Kraemer

Systems-Based Approach to Flight Safety Management in Airlines
Hong Chi, PhD; Baoguang Xu, PhD; Mingliang Qi, PhD; Xueyan Shao, PhD; Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China
Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of SMS. Since 2006 we have worked with one of China's three big airlines, taking part in its construction of an SMS. We find that safety risks have their own features in different airline departments, and divide safety risks into two categories: one is caused by factors such as the quality of pilots and the reliability of airplanes, and the other is caused by misprocessing in operational processes; for example, a misprocessing in data entry during dispatching may lead to insufficient fuel and then serious outcomes. A reasonable risk assessment can be obtained only by systematic mechanism analysis, and other analytical approaches need to be studied besides the risk matrix. Based on this, effective risk mitigation can be implemented in airlines. We develop a closed loop to support airline flight safety management, named "Describing-Assessing-Diagnosing-Improving-Tracking". Specific details will be discussed in this paper.

Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch
Burak Durmaz, MSc Eng., Product Assurance Department, Space Systems Group, Turkish Aerospace Industries Inc. (TAI), Ankara, Turkey
Even if new generation aircraft have rugged designs that maximize reliability, exposure to failures during operation is still unavoidable. With a pure safety approach one can arrive at the classical result: "the safest aircraft is the one in the hangar". Conversely, allowing dispatch without ensuring a certain level of safety can lead to catastrophic results and is totally unacceptable. The MMEL has been answering this dilemma for many years. Each MMEL item is analyzed taking into account the effects of item inoperability on safe flight and landing, crew workload, functional capabilities of the systems, design margins and the impact of the next critical failure. The MMEL proposes dispatch criteria for any inoperative MMEL item by taking credit from a redundant unit that is capable of accomplishing the same function, or the backup data provided by alternative sources or equipment, and by dictating acceptable limitations and/or requiring operational or maintenance procedures.

This study aims to answer questions such as why the MMEL is required and how the MMEL is developed. Brief information about the MMEL regulations, the importance of the MMEL in ensuring safe dispatch with inoperative item(s), and some simple examples of MMEL applications will also be provided.


Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics
Stuart Campbell Sr, MAS, CFII, ATP, Aeronautical Science, Embry-Riddle Aeronautical University, Daytona Beach, FL, USA

The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilots Association, 2010). The absence of a positive safety culture in general aviation, including training organizations, affects pilot judgment and decision-making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture to the learning process and training, are of importance and are currently under study using the Frasca Mentor Advanced Aviation Training Device.

Tuesday 8/13/13 PM, Dartmouth: Software Safety (Chair: Schmedake)

Safety and/vs Security: Towards a System Engineering Approach for Trust
Erwin Schoitsch, Dipl-Ing, Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria

Safety has a long tradition in many engineering disciplines, evolving long before computers arrived on the scene. Security in engineering disciplines has a shorter history, becoming increasingly important with the rising complexity of networked systems. In complex cyber-physical systems and systems-of-systems, both worlds, having ignored each other for a long time (independent communities; different targets, standards, techniques and measures), now have to share their concerns to achieve the real goal of users and stakeholders: trustworthy systems.

The paper will compare the different approaches of the major safety and security standards, particularly with respect to setting goals, considering techniques and measures, and qualification/certification. Holistic system aspects, as covered by the notions of Dependability and Resilience as umbrella terms, and system engineering aspects that take into account the dichotomic properties of complex embedded systems (commonalities and trade-offs) are examined in order to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from the concept phase and hazard and risk analysis through to decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC-FP7 Integrated Project OpenCoss, IEC/ISO standardization groups, and other work.

Anatomy of a Safety Critical Software Function
Richard Church, Raytheon Company, Tewksbury, Massachusetts, USA

This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides a clear and concise determination of how a safety critical function may be defined at the system level to include hardware, software, human interactions and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose an SLSCF into computing-level functions, details what constitutes a Safety Critical Computing Software Function (SCCSF), and shows how to identify those behavioral attributes that designate a function as safety critical. This paper provides a methodology to identify, decompose and categorize application and operating environment SCCSFs. For the purpose of this paper, SCCSFs are categorized into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety critical software functions that control and monitor safety critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies and fail-safe designs found in successful high-consequence safety critical systems.

Program ISSC 2013

Software Risk: The Third Rail of Safety Analysis
Holly S Hildreth, PhD, Consultant; Charles Greg Elcock, USN-R Aviator, Consultant; San Diego, CA, USA

"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Due to our inability to assess the probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called "throwing the baby out with the bath water". Meanwhile, the recent industry trend to assess software risk based solely on implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss shortcomings of this trend and describe alternative techniques that have not been openly documented but that have been used "under the radar" by software safety professionals for many years.

Wednesday 8/14/13 AM, Berkeley: Human Factors (Chair: Robins)

ASL – Affective Safety Leadership
Ulrik Ramsing, Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark

Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how", demanding that the CoRep engage with all parties in a safe, professional and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged with CfL Centre for Leadership to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, satisfactory completion of which is now a requirement for employment in DONG E&P Offshore Operation as Company Representative.

The CoRep Program satisfies its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors, and ILO-driven offshore coaching.

Exxon Valdez: Human Error, Plain and Simple
Arthur D Barondes, BS (Mil Engr), MS (Aero), MBA, PhD (ABD) (Business), Analytics International Corporation (AIC), Alexandria, VA, USA

Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989, and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors (there were no mechanical or electrical failures that fateful night), the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots, and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors, onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company, as solely responsible for the disaster.


Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A Vernacchia, MS, PE, Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A Green, PhD, Active Safety Systems, General Motors, Warren, MI, USA; Robert E Llaneras, PhD, Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA

Today's electric propulsion system designs (e.g. Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, some failure modes may result in the failure effect on output torque being realized significantly faster than with traditional ICE failure modes. These may present differences in how output torque responses impact potential "Driver Startle" events.

This paper compares electric propulsion systems' fault response characteristics and subsequent detection and mitigation capabilities to those of ICE systems. The effects of the electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle-level hazard metrics related to Driver Startle, are presented.

Wednesday 8/14/13 AM, Clarendon: Public Safety (Chair: Fletcher)

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD; Yun Luo; Shuo Tian, MS; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

Scientific precaution and effective control of accidents are important for national production in China. The famous Heinrich Rule reveals that the statistical law of the severity and frequency of accidents is essential to control accidents, but the accident source and causation, as well as the essence of systematic safety factors, haven't been stated deeply. With data analysis from various accident statistics over recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. A proportion rule of the accident pyramid is then further figured out, namely "Major Accident - Fatal Accidents - General Accidents - Hidden Dangers - Hazards" (1-52-240-4700-∞). The result accords with the traditional Heinrich Rule, provides the theoretical basis for accident prevention, and indicates the way and direction of realizing essential safety.

Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity
Ilya M Zheleznov, PhD, VNIIA, Moscow, Russia

The paper presents a review and the results of analysis of different technical and economic aspects of industrial safety at a large enterprise with distributed sites, combining R&D work with pilot and batch production of high-tech products, and located in a megacity, Moscow.

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to optimization are considered from both technical and economic points of view, taking into account minimization of the transportation of dangerous substances, localization of treatment facilities (waste effluents, gas purification) and waste storehouses, localization of the systems that maintain working conditions (heating, air-conditioning, air cleaning, water supply, etc.), possible harm to the population, and a number of other factors.

The features connected with locating the enterprise in a megacity are identified, including the limited areas available for treatment facilities, a high saturation of the area with various communications (utility lines), small distances to residential buildings and city infrastructure, transport problems, high pollution of the air environment, etc.


Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr Professor GA Smirnov, Dr DI Yurkov, DV Syagin, TV Kozhina, All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia

The paper reviews questions related to the vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including those with a terrorist orientation, as well as to emergency situations of natural and anthropogenic character.

The main provisions of the Russian Government-approved complex program for the safety of the population on transport are presented. Approaches to organizing the screening of physical persons (passengers), vehicles, cargoes, luggage and personal belongings at transport infrastructure objects of the undergrounds of Russia are formulated. Some types of neutron and X-ray equipment for the detection of explosives, nuclear materials and drugs, designed and produced by VNIIA named after N L Duhov, are presented.

Wednesday 8/14/13 AM, Dartmouth: Lifecycle Safety (Chair: Swallom)

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore, Singapore

System Safety analyses assess the systems' hazards throughout all phases of the system life cycle. Quite often, details of maintenance tasks on systems are not clearly thought out and assessed. Hence, while in the midst of carrying out system maintenance tasks, hazards could arise and pose safety implications to users. Improper maintenance could also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance and sometimes total replacement of the components at regular intervals are required. Therefore, it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety critical or safety related parts is also crucial in ensuring that the systems remain safe for operation after conducting maintenance.

This paper attempts to classify the different types of maintenance and the focuses of their respective hazard analyses in order to better address their potential hazards. Generally, there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance and Reliability-Centered Maintenance. The authors will discuss, with examples, the hazard analysis for each of these types of maintenance.

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram, David Hartfelder, Electronic Controls and Software, General Motors Company, Milford, MI, USA

System safety engineering is the application of special technical methods and managerial processes in a systematic manner to identify, evaluate and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned with eliminating or minimizing the impact of system hazard(s) to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementary critical safety analyses, tests and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase and continuing through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that they are able to influence the design of the system. This paper will define a system safety case and provide an overview of its development within the GM system safety engineering process as applied to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA

Error Prevention Event Collection (EPEC) Documents have been beneficial to the ULA Organization in many ways, by providing multiple methods to augment current ULA Error Prevention Processes and to share Lessons Learned throughout the ULA Organization. EPEC Documents are stand-alone documents that provide ULA Personnel with categorized sets of Event information that can be used to augment Preventive Analysis, Reactive Analysis and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process; this means that they have completed the Causal Analysis, Corrective Action Board and Error Prevention Council processes. Upon Event closure, the "All Items" Database is populated with Event information and the applicable Event EPEC Categories. Then the "All Items" Database automatically sorts Event entries into "Category" Databases; there is one "Category" Database for each EPEC Category. Each "Category" Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" Database that provides users with instructions for use, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications and benefits will continue to be explored as they relate to the EPEC Documents.

Wednesday 8/14/13 AM, Exeter: Human Factors II (Chair: Flint)

Development of an Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy; Yanyan Wang, DE; Xin Liu; Wei Bai; Xinsheng Guo; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China

Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress is a disadvantage to flight safety. Life events are a routine item of aircraft accident investigation in many countries, and a lot of pilots involved in accidents were suffering from life events. In order to achieve the ideal effect, flight safety education must be integrated with psychology. An education program combining flight safety and psychological stress was developed by summarizing the psychological factors relevant to aviation risk perception. The program includes three sections: psychological measurement relating to safety together with feedback of the results, education on representative risk scenes in aviation, and occupational stress management. The Aviation Safety Locus of Control scale and the Hazardous Aviation Attitude questionnaire were used to evaluate risk pattern, and the results were fed back to pilots to improve their self-knowledge. Representative risk scenes were based on the five hazardous attitudes theory; fifteen cases were developed and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach pilots stress management skills. The program can be applied to improve the flight safety and mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD; Xin Liu; Wei Bai; Xinsheng Guo; Qingfeng Liu, MPsy; Xiaochao Guo, DPsy; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China

The capabilities of crew resource management (CRM) directly relate to flight safety and run through the whole process of flight tasks, but there are currently still no indicators and methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and the pilot's behavior characteristics for dynamic CRM were developed, based on AC-121-FS-2011-41 (crew resource management training) and on analysis of the influential factors; thus, eventually, the dynamic assessment training indicators and methods of crew resource management were formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis for assessment of CRM during flight training, which is helpful in improving the CRM capabilities of the double drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD; Erin Collins; Hughes Associates Inc, Baltimore, MD, USA

The fire protection response in selected facilities is characterized by "manual" activities. That is, facility personnel are trained to react immediately after fire detection, not only to announce the fire event throughout the facility using the communication systems but also to suppress the fire as quickly as possible. Contrary to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e. hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper involves an integration of event tree analysis and HRA which includes treatment of the following detection and suppression activities: prompt detection and suppression, rapid detection and suppression, and fire brigade suppression.

Wednesday 8/14/13 PM, Berkeley: Safety Topics (Chair: Gauthier)

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou, BEng, MSc, PhD, CEng; Matthew Luckcuck; Tim Kelly, PhD; Richard W Jones, PhD; Department of Computer Science, University of York, York, United Kingdom

There has been an increasing use of IT in healthcare, aiming to improve the quality of healthcare as well as the safety delivered to patients. IT can contribute to improvement in meeting the performance targets of hospitals by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent in medical devices (e.g. pacemakers), for which there are organised efforts for international standards. Recently there have been attempts to systematise and standardise the safety analysis of health IT systems, with examples such as the UK National Health Service standards asking for a safety case that any IT systems are safe.


The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety and data-intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these tactics can be used to provide assurance in the final safety case of the system.

How Complex Systems Fail - I: Decomposition of the Failure Histogram
Richard R Zito, PhD, Richard R Zito Research LLC, Tucson, AZ, USA

Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that in general the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model, and the failure histograms (failure rate vs time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report will take the Peterson/Arellano analysis one step further. A unified theory of failure rates will be presented that removes the paradoxes of the simple Rayleigh model. It will be shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function law.

Wednesday 8/14/13 PM, Clarendon: Risk Assessment (Chair: Karedes)

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt; Joan Pham, PhD; Sikorsky Aircraft Corporation, Stratford, Connecticut, USA

The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday 8/15/13 AM, Berkeley: Space Systems (Chair: Durmaz)

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X Dang, BSCE (1); Myles P Moran, BSME (2); Tyrone Jackson, BSEE (1); (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA

A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. An example: one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 AFSPCSUP1, 91-217 and 63-101. AF program offices are required to comply with AFI policies; AFIs don't generally apply to the contractor except as implemented through the contract. Often, program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that by having two sets of requirements, AFIs for program offices and MIL-STD-882-Tailored for contractors, full compliance with AF Orbital Safety policy should be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"


Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G McDougall, BS Physics, Naval Post-Graduate School (NPS) Master System Engineering, System Safety Center SMC/SE, El Segundo, CA, USA; Tyrone Jackson, BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA

Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommissioning and disposal of systems, subsystems, end items and services during the entire space system lifecycle, to support Operational Safety, Suitability and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements that are applicable to the acquisition of space systems or space systems of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems and user equipment systems. SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP_I and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process for evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing the tasks and activities required to execute a viable system safety program, including risk acceptance package development, hazard tracking, mishap risk disposition and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch, CO, USA

United Launch Alliance launches Atlas V and Delta IV from the Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles, and large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle and prelaunch operations, until liftoff. Range Safety regulations provide safety requirements for hardware, software and operations to ensure safety throughout ground processing. This paper will examine each stage of the ground processing for space launch and the applicable safety requirements, and discuss how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after personnel are cleared, using safety critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday 8/15/13 AM, Clarendon: Weapons Safety (Chair: Southwick)

Security Critical Software – the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S Alborzi, PhD, Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA

Today's political landscape, the arbitrary abandonment of non-proliferation of nuclear weapons by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense of system safety. This paper intends to explore this integration and unveil some of the security critical software that can serve as the first line of defense for preserving the safety critical features of our weapons systems.


Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C Adams, BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello, BSChE, Navy NOSSA, Indian Head, MD, USA

The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance provided in the associated AOP-7 and AOP-39 for implementing policy. Questions are often raised during program development and reviews as to the origin and applicability of the tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, will only address Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE; Gunendran Sivapragasam, MBA SE; Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA

A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among those characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday, 08/15/13, AM, Dartmouth: Hazard Identification (Chair: Oliver)

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore

We often asked ourselves why accidents or mishaps happened even when the system safety methodology and assessments were in place. Accidents happened due to many possible causes. There could be lapses in the safety integrity of the system, or a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns, where a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations that were faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practices in system safety. There are 4 areas of concern highlighted in the paper: Interfaces, Prototype Tests & Trials, Maintenance & Disposal, and Human Error. By identifying the gaps in these 4 areas, the author explores and proposes mitigation measures that could possibly close the gaps and improve the overall safety coverage in developing a new system or product.

Program ISSC 2013

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr. Cand. scient., System Safety, SINTEF, Trondheim, Norway

Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body (for certification according to IEC 61508), a Notified Body (for certification according to relevant EU directives), and a Manufacturer.

Experience has shown that, to deliver the product in time and to be cost-effective, it is very important that the Manufacturer and the Certification and Notified Body agree about basic principles concerning the plans, contents, traceability and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Body as evidence.

This paper presents the CoVeR method that has been developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, that costs are minimized, that time to market is reduced, that the certification process is complete and well documented, and that updates of the certificates require less work. The certification experiences to date show that many of the problems with conventional methods are improved.

Design with Safety Eye
Barış Berk Erdem, MS; Pinar Aydin, MS; Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey

Deriving safety requirements in the early stages of the design is one of the most important key factors to conduct a successful development process for any project. As well-defined, correct, consistent and complete safety requirements improve and guide the design to perfect levels with minimum effort, defective, inconsistent and incorrect safety requirements may lead to unsuccessful, overweighted and overcost designs. In this paper, ways and advantages of deriving qualified safety requirements in early stages of the design will be discussed via examples. Safety requirements are derived using the results of the safety assessments, based on the consequences of functional failures. But the quality of safety assessments is based on the maturity of the design, and also, as the design matures, it is hard to change and implement the changes, thus causing a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated and familiar with similar projects provides great contributions. Also, a safety perspective throughout the design team makes it easy to derive valuable safety requirements and bring these requirements into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is cooperation of all the design team with a safety perspective.

Thursday, 08/15/13, PM, Berkeley: Aerospace Software (Chair: Beecher)

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway, NASA Langley Research Center, Hampton, VA, USA

For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements". Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments contained in or implied by the DO-178C guidance that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore, developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper, we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels, and Baconian probability. We define use cases for confidence in safety cases, prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for reuse of safety elements.

Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System
Eric Yang, PhD; Richard Y. Xie, PhD; Arash Yousefi, PhD; Metron Aviation, Inc., Dulles, VA, USA

As demand for military, civilian and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety that is set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper we adapt a previously developed safety modeling framework, Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS, incompatibility of sense-and-avoid systems of UAS and Tactical Collision Avoidance Systems (TCAS) of manned aircraft, loss-link procedures in the UAS, and the UAS loss of communication with air traffic control. The findings of this study provide insight into potential risks of UAS integration and may support development of concepts of operation, establishing minimum performance standards, and developing required safety nets.

Thursday, 08/15/13, PM, Clarendon: Public Safety II (Chair: Laabs)

Integrating System Safety and Emergency Management
Terry L. Hardy, Great Circle Analytics, LLC, Denver, CO, USA

System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations, or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience, and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS, HSE, Marine Well Containment Company, Houston, TX, USA

Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess and Statoil. In February 2011 MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS and Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach for working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.

What Are Your Strengths as an Engineer?

"thinking system-wide" "providing in-depth analysis of the latest technologies" "solving real-life problems"

Online Master's Degrees
• Reliability Engineering
• Project Management
• Nuclear Engineering
• Sustainable Energy
• Energetic Concepts
• Fire Protection Engineering

Learn more: www.advancedengineering.edu/issc


A Taxonomic Analysis on Chinese Special Equipments "Yinhuan" in Supervision
Yunxiao Fan, Dr., Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety on the worksite. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices and automobiles. In recent years, the rapid increase in the numbers and types of special equipment has brought BSES increasing stress on special equipment regulation. As a government supervision organization, BSES tries to make the inspection tasks of different supervision levels explicit and efficient and to improve safety management performance from the view of risk. This research is the first task in the project, which aims to identify yinhuans in special equipment supervision through a taxonomy approach, for further ranking them through risk assessment. Based on nonconformity and 4 elements in the accident causation model, this research defined yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. This research identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans of 8 types of special equipment.

Thursday, 08/15/13, PM, Dartmouth: Hazard/Risk Management II (Chair: Kniess)

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1); Patrick J. Graydon, PhD (2); Rikard Land, PhD (1). (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework including analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach, the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence; it can ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA

United Launch Alliance (ULA) believes error reporting is the corner-stone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as Events) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012 ULA experienced an elevated number of transportation related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates processes were "in control" during the period of this study.

Even though statistical analysis tools demonstrated ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.

Isograph Software: World Leading Reliability, Availability and Maintenance Software
Reliability Workbench: Reliability Allocation, Prediction, FMECA, Fault Tree Analysis, Event Tree Analysis, Markov
Availability Workbench: Reduce Labor & Spares Costs, Increase uptime and output, Seamless integration with SAP and Maximo
www.isograph-software.com

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, P.Eng, MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece

Since September 11, 2001, system safety and security has been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how the STAMP Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents and incidents. The objective is to show the feasibility of establishing in airports system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems and airports to assess and predict changing levels of risk.


Special Functions

Saturday: SSS Executive Council Meeting, 12:00 - 5:00pm, Tremont Room

Sunday: SSS Executive Council Meeting, 8:00am - 5:00pm, Tremont Room

Monday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Opening Ceremonies / General Session, 1:30 - 3:30am, Salons A-E. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus. Keynote Speaker: James P. Keller Jr., MS, ECRI Institute

Tuesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Sponsor/Exhibitor Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology

Sponsor & Exhibitor Reception, 6:30 - 8:30pm, Gloucester Room

Wednesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

International Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK

Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00pm. Be in the hotel lobby at 6:00pm

Thursday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Awards Luncheon, 11:30 - 1:20pm, Salons A-E

Friday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Best Papers Presentations, 8:00 - 11:20am, Dartmouth Room


32nd International System Safety Conference, 4-8 August 2014 · St. Louis, MO
St. Louis Union Station Marriott Hotel
Gateway to Safety

Local Attractions
• Gateway Arch Riverfront
• Missouri History Museum
• Museum of Transportation
• St. Louis Cardinals
• St. Louis Symphony
• St. Louis Union Station
• St. Louis Science Center
• The Contemporary Art Museum St. Louis
• Bissell Mansion Restaurant and Dinner Theater
• Missouri Botanical Gardens
• Laumeier Sculpture Park
• Anheuser-Busch Brewery
• Kemp Auto Museum
• Schlafly Bottleworks
• Fox Theater
• Purina Farms
• Meramec Caverns
• Laclede's Landing
• City Museum
• Magic House
• Grant's Farm
• St. Louis Zoo
• Delmar Loop
• Forest Park
• Harrah's
• Six Flags


About the System Safety Society

The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program or activity at the planning phase and continues through the design, production, testing, use and disposal phases.

The Society's Objectives
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070; www.system-safety.org; email: systemsafety@system-safety.org

Points of Contact

Officers
Robert Schmedake, President: robertaschmedakeboeingcom
Dr. Rod Simmons, Executive Vice President: rodsimmonsmecom
Dr. Matt Johnson, Executive Secretary: mjohnsonstaudertechcom
Pam Kniess, Treasurer: pamkniessgmailcom
Gary Braman, Immediate Past President: gbramansikorskycom

Directors
Gerry Einarsson, Chapter Services: einargkrogerscom
Lynece Pfledderer, Conferences: Lynecepfleddererlmcocom
Dr. Chuck Muniak, Education & Professional Development: cmuniakstevensedu
Debbie Hale, Gov & Intersociety: Hale0324hotmailcom
Robert Fletcher, International Development: rwfletchersympaticoca
Melissa Emery, Member Services: memeryapt-researchcom
Steve Mattern, Mentoring, R&D: smatternbastiontechnologiescom
Saralyn Dwyer, Publicity & Media: sdwyerapt-researchcom


Chapters
Tennessee Valley Chapter (AL): Don Swallom, swallomisss-tvcorg
Saguaro Chapter (AZ): Amanda Boysun, 520-794-5487, AmandaBoysunraytheoncom
Bay Area Chapter (CA): Graham Murray, 408-756-2674, grahamtmurraylmcocom
Central California Chapter (CA): Kathleen Brenna, KathleenBrenna1usafmil
Sierra High Desert Chapter (CA): Jerry Banister, 760-377-4690, safetycitadelearthlinknet
Southern California Chapter (CA): Francis McDougall, 310-653-1309, francismcdougallusafmil
Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppecomcastnet
Georgia Chapter: Terry Gooch, 770-494-3527, terryjgoochgmailcom
Winners Circle Chapter (KY/IN): Marc Bever, 812-854-1351, Marcbevernavymil
Twin Cities Chapter (MN): Bill Blake, 763-744-5086, billblakeatkcom
New England Chapter: Alan E. Southwick, 401-842-2067, Alan_E_Southwickraytheoncom
Northeast Chapter: Scott Beecher, scottbeecherPWutccom
New Mexico Chapter (NM): William (Bill) Harwood, williamharwoodmdamil
Houston Chapter (TX): Derek Robins, 281-335-2011, derekrobbinsmwcc-usacom
North Texas Chapter (TX): Frank Rinaldo, 817-762-3075, frankrrinaldolmcocom
Washington DC Chapter: Sean Peters, seanpetersurscom
Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerberbaesystemscom

International Chapters
Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbechtrgbassurancecomau
Canada Chapter: Maury Hill, 613-220-0533, Mauryhillrogerscom
Israel Chapter: Haim Kuper, 972-4-8315044, haimkuperelbitsystemscom
Singapore Chapter: Ten Lin Mei, tlinmeidsoorgsg


31st ISSC Luncheon Menu

Tuesday, August 13
New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14
Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15
Caesar Salad
Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce
White Chocolate and Blood Orange Torte


General Information

Registration Desk: All 31st ISSC attendees, including sponsors and exhibitors, must register at the registration desk located on the 4th Floor. Registered attendees will receive badges, which should be displayed while in any ISSC area (including luncheons). Once a badge is issued, it is the responsibility of the registrant to ensure that it is not lost. Sponsors may change the names on their badges as often as they want, but the old one must be turned in to receive a new name.

Special Events: Spouses or exhibitors may purchase tickets for luncheons or the off-site event at the registration desk up to 24 hrs prior to the event. Tickets for the Wednesday night off-site event at the Museum of Science will be $90.00 for adults or $55.00 for children. Tickets to the luncheons on Tuesday, Wednesday and Thursday are $45.00/lunch for any attendee. Spouses and guests are welcome to attend the Tuesday evening Sponsors and Exhibitor social free of charge.

Internet: Internet will not be provided in the conference locations. However, should you require internet access during the conference, there is complimentary wireless available in the lobby and other public areas. There are also internet options available to each guest in their room.

Transportation: The Marriott Copley Place is located 3.2 miles away from the airport. The subway cost (one way) is $2.50 and the estimated taxi cost is $35.00. While rental cars are available, parking costs in Boston tend to be pricey. Alternative means of getting around include taxis, the subway, or walking.

Tutorial Program & CEUs: The conference includes several information-packed tutorials in addition to the papers being presented. Attending tutorials, along with other elements of the Technical Program at the 31st ISSC, meets the requirements for Continuance of Certification credit through the Board of Certified Safety Professionals (BCSP). Continuing Education Units (CEUs) will be issued for participation in the Conference tutorials. You must be present for the entire tutorial in order to be granted the CEUs. Attendance will be taken at the start of the tutorial and after each break, and you must be present at the end to collect your certificate. CEUs are issued on the basis of 0.1 CEU per instructional contact hour.

Dress Code: We want you to feel comfortable while you are attending the 31st ISSC, so we advise 'business casual' attire. The awards ceremony, which is a part of the Thursday luncheon, is a time when many attendees will dress in more formal business attire. The Tuesday night Sponsor and Exhibitor social and the Wednesday night off-site event are also business casual dress.

Daily News: The ISSC Daily News will be available at 7:30 each morning, both at the registration desk and in the Sponsor/Exhibitor area. This will announce any room changes, schedule changes or other information pertinent to the proceedings of the conference.

Spousal Program: There are no tours provided by the ISSC for spouses this year. However, there is an information session to be held on Monday. Brochures will be made available along with maps and ideas of attractions to visit. If a spouse is unable to make this information session, the hotel concierges can answer questions about local attractions, how to use the subway, available tours, or dining suggestions.

Wednesday Night Off-site Event: Bus transportation will leave the Marriott Copley Place starting at 6:00pm and bring attendees to the Museum of Science. The ISSC will have the Blue Wing reserved from 6:30pm to 10:30pm and will receive a private lightning demonstration in the Theater of Electricity, buffet dinner and a cash bar. Spousal/guest tickets can be bought at the registration desk up until 24 hours before; however, to ensure a smoothly-run event, we encourage you to purchase extra tickets when you register. This is sure to be an event you won't want to miss.


Ensuring Safety for the Long Run

Safety is paramount. That's why at Lockheed Martin, safety is designed into everything we do. Our system safety engineers follow proven government and industry standards, plans, processes and lessons learned to build the world's most safe, supportable and technologically advanced aircraft.

Lockheed Martin is proud to sponsor this year's International System Safety Conference and applaud their mission to ensure system safety for the long run.

www.lockheedmartin.com
© 2013 Lockheed Martin Corporation


greetingsFrom the Society PreSidentAs the newly elected Society President I want to welcome you to the 31st International System Safety Conference I have been working in system safety since 1985 and I find this to be a rewarding and exciting career field What I have liked most about the field is the fact that I find every new assignment involves working with new and varied types of systems I love the challenge and I appreciate that I am fortunate to have a job where my work makes a difference in the safety of our systems We as System Safety Professionals have the unique privilege of impacting our society in such a positive way

This year marks the Golden Anniversary of our society and we trust this yearrsquos conference will live up to your expectations We have come a long way since the early days of this society Technology has transitioned from vacuum tubes to liquid crystal displays launching unmanned satellites to commercial space flights computers the size of a room to tablets with more and more capability daily Some of our founding members will be in attendance at this conference and they will be participating in our opening session I know I am looking forward to hearing from them and their unique challenges

I am also looking forward to hearing about the unique challenges we face with the latest in technology in our society The impact of new technology on society and the motivation to trust more of our safety critical applications to the latest in todayrsquos innovations creates ever steeper challenges for us This conference helps us to meet the challenge We have outstanding technical sessions world leading safety professionals in attendance opportunities to network and opportunities to find solutions to our every day safety dilemmas

Our Conference Chair Pam Alte and her team have done an outstanding job in putting together this conference We have a number of interesting technical tracks at this conference Our speakers include some of the biggest names in the field Our sponsors are among the best in the industry and clearly we value their contributions to making our world a safer place

So thank you for coming to this conference I hope you are looking forward to the opportunities we have in the coming week as much as I am

Robert A. Schmedake, President, System Safety Society


Protecting your most valuable assets

System Safety Engineering & Analysis
Mission Assurance
Range Safety
Test Planning
Explosives Safety
Software System Safety
Industrial Engineering
Quality Engineering
Reliability Engineering
Software Development & Modeling
Independent Risk Assessments
Standards Development
Training

www.apt-research.com

A-P-T Research, Inc., 4950 Research Drive, Huntsville, Alabama 35805
Phone: 256-327-3373, Fax: 256-837-7786, www.apt-research.com

Founded in 1990, APT (Analysis, Planning, Test) is an employee-owned small business located in Cummings Research Park near Redstone Arsenal in Huntsville, Alabama. Our corporate vision is to provide state-of-the-art expertise and ensure the highest levels of customer satisfaction.

Photo: Missile Defense Agency

Program ISSC 2013

GREETINGS FROM THE CHAPTER PRESIDENT

Hear ye, hear ye: welcome to Boston for the 31st International System Safety Conference. Boston is the largest city in New England and one of the oldest in the United States. No hiding in your hotel – get out and enjoy the city's history, where key events of the American Revolution took place, including the Boston Massacre and the Boston Tea Party. For fun and entertainment, visit the Samuel Adams brewery and the Bull & Finch pub (from Cheers). We are all Red Sox fans this week, so feel free to visit Fenway Park or view the city from atop the John Hancock or Prudential buildings. Boston has a red brick trail through the city that leads you past many of the historical locations – it's called the Freedom Trail. Walking this path brings you from the Boston Common past locations including the Granary Burying Ground, the Boston Massacre site, Faneuil Hall, Paul Revere's house and the Old North Church, and then across the Charles River to the Bunker Hill Monument and USS Constitution.

The Northeast Chapter and SSS Executive Committee (EC) have worked hard with this year's Conference Chair, Pam Alte. If you run into Pam, make sure you stop and thank her for the volunteer hours and effort she has poured into this conference. The economy is providing challenges to pulling together a successful conference, but Pam, with the EC's support, has been more than up to the task.

"Safety For The Long Run" is such a poignant theme for this year's Boston conference, with the Boston Marathon bombings bringing safety to the forefront. Other recent events, such as aviation, train and industrial accidents, have sharpened the focus on how critical the safety discipline is in all our lives. For the conference, we are all challenged to learn something new. I ask that all attendees stay engaged with the conference papers and presentations and promote the system safety discipline.

Scott Beecher, President, Northeast Chapter, System Safety Society


I fly Sikorsky. Because the mission is never the same.

I fly a Sikorsky BLACK HAWK helicopter for multiple missions. It's dependable and durable, and I have complete confidence in its proven performance. Sikorsky not only sets the standard for rotorcraft excellence and safety, they exceed it. It's evident in everything from the reliable performance of my BLACK HAWK to the way they support me in the field. There's simply no better helicopter for any requirement, whether it's utility, combat search and rescue, or firefighting. The way I see it, not every pilot gets to fly in a helicopter this good. But they should.

Sikorsky


GREETINGS FROM THE CONFERENCE CHAIR

On behalf of the entire ISSC planning committee, I would like to extend a warm welcome to you. We have worked hard to make this conference a world-class success. Whether this is your first visit to Boston or you have been here before, I hope you get a chance to relax and enjoy our beautiful New England city. Boston has something for everyone, from historical sites to exciting downtown locations, sports arenas and fabulous shopping. Our off-site event will be held in the Museum of Science, complete with Wolfgang Puck catering and our own private Lightning Show.

The System Safety Society is proud to host an annual conference that provides practitioners from different industries a chance to get together, network and learn from each other. Unfortunately, the US budget sequestration restricted travel for Government workers, so our numbers are down this year. I would like to assure all attendees that although this year's conference will be smaller than in previous years, the standards to which we held our papers and tutorials were not lowered. You can expect top-notch presentations.

The theme for this year's conference, Safety for the Long Run, picks up on a number of parallels between the types of things one might do to prepare for a marathon race and the elements of an effective system safety program. These include the importance of proper training, having a well thought out plan, getting off to a good start, avoiding obstacles and distractions, and keeping enough in reserve for a successful sprint to the finish. I think you will agree that this year's conference will help prepare you well.

One of our objectives was to try to attract more young people, who could especially benefit from the knowledge and experience of many of the Society's "grey beards". We will have several student members in attendance, and I hope you will join me in making them feel welcome. I am also pleased to announce that this year we will have a new track, lifecycle safety. These papers will discuss system safety as it moves past the development stage, which is where the majority of our previous discussions have stopped. In addition to our many papers and tutorials being offered, there is the potential for "Just in Time" sessions to be held. A board for suggesting topics you would like to have added to discussions will be located at the registration desk, or you can coordinate with Norm Gauthier, one of our Technical Co-Chairs.

We wish you an enjoyable and enlightening conference experience. Should there be anything you require to make your conference experience better, please don't hesitate to reach out to me, Cliff Parizo, or any of the other Conference Committee volunteers.

Again, enjoy your visit, and thank you for your support by being here. I would also like to send a big thank you to those who helped plan this conference, our sponsors & exhibitors, and especially to Sikorsky Aircraft for partnering with us to make this conference a reality.

Sincerely, Pam Alte, 31st ISSC Conference Chair


SPEAKERS

Rex B. Gordon, MPH, PE, CSP, Fellow Member Emeritus
Opening Ceremonies 50th Celebration Speaker

Rex Gordon is a 50-year Charter Member and current Historian of the System Safety Society. He is a past President and Editor of the Journal. He served as Chairman of the 2nd ISSC and of both the Northeast and Southern California Chapters. He has represented the Society on the boards of the Reliability and Maintainability Symposium (RAMS) and Certified Safety Professionals (CSP). He is a Chapter Member and past Chairman of the Government Electronic Industries Association (GEIA) G-48 System Safety Committee. He has co-authored two textbooks and over 15 published papers. He has lectured at the George Washington University and USC. He has represented the Society at functions held in the White House and the Pentagon, and in Germany, Holland and Paris.

He is retired after 40 years of employment as a System Safety Engineering Specialist, Manager and Consultant. He currently lives with his wife of 61 years in Fallbrook, CA.

James P. Keller, Jr., MS, ECRI Institute
Keynote Speaker

As Vice President, Health Technology Evaluation and Safety, James Keller directs ECRI Institute's internationally recognized Health Devices Evaluation Program, which provides independent judgment and guidance to help hospitals and health systems select and manage medical devices. The program was referred to by the New York Times as the "country's most respected laboratory for testing of medical products". He serves as a member of ECRI Institute's Executive Committee, which is responsible for overall governance of ECRI Institute operations.

Mr. Keller is also responsible for the Health Devices Alerts notification service for medical product hazards and recalls; Alerts Tracker, a web-based tool for managing hazards and recalls of medical products; Biomedical Benchmark, a resource to help hospitals manage their medical equipment service activities; an annual series of interactive webinars on health technology issues; and the International Medical Device Problem Reporting System.

Mr. Keller is a recognized expert and frequently invited speaker on a wide range of health technology-related topics, including patient safety, equipment management, strategic planning and forecasting, device utilization, nomenclature and asset management, and the convergence of medical devices and information systems. He is a regular contributor to ECRI Institute's Patient Safety Blog and is routinely sought out by the news media for his expertise on a variety of health technology concerns.

Mr. Keller is President of the board for the American College of Clinical Engineering and is a member of the board for the Health Technology Foundation. He joined ECRI Institute in 1984 after completing a Master of Science degree in biological engineering from the University of Connecticut and a Bachelor of Science degree in zoology from the University of Massachusetts.


Dr. Nancy Leveson, Massachusetts Institute of Technology
Sponsor & Exhibitor Luncheon Speaker

Dr. Leveson holds a PhD from UCLA. She was a Computer Science professor at the University of California, then became Boeing Professor of Computer Science and Engineering at the University of Washington.

Professor Leveson's research focuses on topics related to the design of complex systems containing software, hardware and human components. Her goal is to stretch the current limits of complexity and intellectual manageability of the systems we can build with reasonable resources and with confidence in their expected behavior, particularly safety. Current research topics include model-based system and software engineering, system and software safety, software requirements specification and analysis, human-computer interaction, reusable component-based system architectures, interactive visualization, human-centered system design, and comprehensive approaches to risk management that include the organizational, political, managerial and social aspects of system construction and operation. New work is starting in security. Current applications include space, aircraft, autos, rail systems, nuclear power, medical devices, hospital safety, defense systems and others.

Dr. John McDermid, The University of York, UK
International Luncheon Speaker

Professor John A. McDermid has been Professor of Software Engineering at the University of York since 1987, where he runs the High Integrity Systems Engineering (HISE) research group. He was also Head of the Department of Computer Science from 2006 to 2012. The HISE research group studies a broad range of issues, mainly in systems, software and safety engineering, and works closely with the UK aerospace industry, but has worked in a number of domains including automotive, medical and railways.

In 2010 he was appointed a Consulting Professor at Beijing Jiaotong University (BJTU) and now runs a collaborative research programme in railway safety with BJTU, known as the Railway Safety Technology Research Centre (RSTRC). He has extensive experience as a consultant, including advising the Ministry of Defence (MoD) on the development of DS 00-56 Issues 3 and 4. He is a member of the UK Defence Scientific Advisory Council. He is author or editor of six books and has published approximately 360 papers.


SCHEDULE: MONDAY, 12 AUGUST

4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Salons A-E / Berkley / Clarendon

8:00 - 8:50
  Hazard Analysis (Barondes): Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models (Wind, Schedl, Floetzer)
  Ground Transportation (Millin): Achieving Safety Confidence of a Large Scale System Product and its Applications (Shi)

9:00 - 9:50
  Hazard Analysis: Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees (Rainey)
  Ground Transportation: Failure Logic Automata for Future Oriented Safety Assessment of Train Control System (Zhou, Zhao)

10:30 - 11:20
  Hazard Analysis: The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment (Jaradat, Graydon, Bate)
  Ground Transportation: Are We Ready for Driverless Cars? (West)

Lunch Break, Salons A-E

1:30 - 2:20
  Opening Ceremonies, General Session, Salons A-E: 50th Celebration Speaker Rex B. Gordon, MPH, PE, CSP, Fellow Member Emeritus; Keynote Speaker James P. Keller, Jr., MS, ECRI Institute

Exeter / Fairfield / Wellesley

8:00 - 11:20 (morning sessions)
  Exeter: Tutorial, Hands-On System Safety Basics Focused On FHA (Winkelbauer, Schedl) (3 hrs)
  Fairfield: Tutorial, Introduction to Fault Tree Analysis Using CAFTA Software (Roy) (3 hrs)
  Wellesley: Committee & Group Meetings


SCHEDULE: TUESDAY, 13 AUGUST

4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Arlington / Berkley / Clarendon / Dartmouth

8:00 - 8:50
  Arlington: Tutorial, A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique (Leveson, Thomas) (6 hrs)
  Hazard/Risk Management (Parizo): Safety is not an Option (Parizo, Daugherty)
  Workplace Safety (Kondreck): Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen (Zhang, Batcheller, McQueen)
  Open Forum (Fletcher): Developing Global System Safety Perspectives

9:00 - 9:50
  Hazard/Risk Management: National Aerospace Standard 411 Update (Sheehan)
  Workplace Safety: A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources (Fischer, Yankaskas, Page)

10:30 - 11:20
  Hazard/Risk Management: Linear Integrated Safety Analyses (LISA) (Grant, Muhammad)
  Workplace Safety: System Safety Design for Safe Operation of Radars (Bartos)

Sponsor & Exhibitor Luncheon, Salons A-E. Guest Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology. Menu: New England Clam Chowder; Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction; Key Lime Tart in a Hazelnut Crust, Blackberry Pate de Fruit

1:30 - 2:20
  Arlington: Tutorial (continued)
  Software Engineering (Mikula): Dependability Techniques Applied to Space Software - A Research Project Report (Lahoz, Abdala)
  Aerospace Safety (Kraemer): Systems-Based Approach to Flight Safety Management in Airlines (Chi, Xu, Qi, Shao)
  Software Safety (Schmedake): Safety and/vs Security: Towards a System Engineering Approach for Trust (Schoitsch)

2:30 - 3:20
  Software Engineering: The Principles of Software Safety Assurance (Hawkins, Habli, Kelly)
  Aerospace Safety: Use of Master Minimum Equipment List (MMEL) To Ensure Safe Dispatch (Durmaz)
  Software Safety: Anatomy of a Safety Critical Software Function (Church)

4:00 - 4:50
  Software Engineering: Formal Modelling in the Development of Dependable Systems (Troubitsyna)
  Aerospace Safety: Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics (Campbell)
  Software Safety: Software Risk: The Third Rail of Safety Analysis (Hildreth, Elcock)

6:30 - 8:30
  Sponsor & Exhibitor Reception, Gloucester Room

Exeter / Fairfield / Suffolk / Wellesley

8:00 - 11:20 (morning sessions)
  Exeter: Workshop, ISO 26262-Style Risk Assessment (Joyce) (3 hrs)
  Fairfield: Tutorial, Assurance Cases As Means of Evidence Based Developed of Critical Systems (Despotou) (3 hrs)
  Suffolk: Tutorial, Practical Generation of Safety Cases With the Help of GSN (Gerstinger, Schedl) (3 hrs)
  Wellesley: Committee & Group Meetings

1:30 - 4:50 (afternoon sessions)
  Exeter: Workshop, Application of System Safety Methods to Systems of Systems (Joyce, Debouk, Vergara) (3 hrs)
  Fairfield: Workshop, Advancing Safety By Reducing Errors: A Fresh Approach (Autrey) (3 hrs)
  Suffolk: Tutorial, Improving Safety Management by Using a Risk Management Policy in Your Daily Operations (Fitzgerald) (3 hrs)
  Wellesley: Committee & Group Meetings (continued)


SCHEDULE: WEDNESDAY, 14 AUGUST

4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Arlington / Berkley / Clarendon / Dartmouth

8:00 - 8:50
  Human Factors (Robins): ASL – Affective Safety Leadership (Ramsing)
  Public Safety (Fletcher): The Study on the Accident Causation Rule of Macroscopic Accidents in China (Zeng, Luo, Tian)
  Lifecycle Safety (Swallom): Maintenance Hazard Analysis (Tan)

9:00 - 9:50
  Human Factors: Exxon Valdez: Human Error Plain and Simple (Barondes)
  Public Safety: Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity (Zheleznov)
  Lifecycle Safety: Development of a System Safety Case for Automotive Electric/Electronic Systems (Sundaram, Hartfelder)

10:30 - 11:20
  Human Factors: Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems (Vernacchia, Green, Llaneras)
  Public Safety: Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation (Smirnov, Yurkov, Syagin, Koshina)
  Lifecycle Safety: Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes (Laabs, Allison, Russell)

International Luncheon, Salons A-E. Guest Speaker: Dr. John McDermid, The University of York, UK. Menu: Asian Inspired Salad; Teriyaki Chicken, Coconut Rice, Seared Bok Choy; Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

1:30 - 2:20
  Workshop: The Evolution of the UK Defence Safety Standards (McDermid)
  Safety Topics (Gauthier): Introducing Safety Assurance Influenced Design of Health IT Systems (Despotou, Luckcuck, Kelly, Jones)
  Risk Assessment (Karedes): Quantitative Risk Assessment in Aviation Safety Risk Management (Hewitt, Pham)
  Tutorial: Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System (Behnke, Damstra, Villhauer) (2 hrs)

2:30 - 3:20
  How Complex Systems Fail-I: Decomposition of the Failure Histogram (Zito)

6:00 - 10:00
  Wolfgang Puck Dinner and Lightning Show at the Museum of Science

Exeter / Fairfield / Suffolk / Wellesley

8:00 - 8:50
  Human Factors II (Flint): Development of Education Program Integrating Flight Safety and Psychological Stress (Liu, Wang, Liu, Bai, Guo)
  Tutorial: Why You Should Care About the "-Ilities" (Southwick) (3 hrs)
  G-48 Meeting (West) (6 hrs)
  Committee & Group Meetings

9:00 - 9:50
  Human Factors II: Research on Evaluation Index and Method of CRM Dynamic Training (Wang, Liu, Bai, Liu, Guo, Guo)

10:30 - 11:20
  Human Factors II: Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events (Garvey, Joglar, Collins)

1:30 - 2:20
  Tutorial: Where Hard Meets SOFT: Human Factors Role In System Safety Engineering (Brisbois) (2 hrs)
  Workshop: Aircraft Fire & Explosion – How Safe are the Friendly Skies? (Moussa)
  G-48 Meeting (continued)
  Tutorial: Using Risk Profiles for Safety Management of Large Scale Operations (Fitzgerald) (3 hrs)


SCHEDULE: THURSDAY, 15 AUGUST

4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Berkley / Clarendon / Dartmouth

8:00 - 8:50
  Space Systems (Durmaz): Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy (Dang, Moran, Jackson)
  Weapons Safety (Southwick): Security Critical Software — the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age (Alborzi)
  Hazard Identification (Oliver): Closing the Gaps in System Safety Coverage (Siow)

9:00 - 9:50
  Space Systems: Tailoring of MIL-STD-882E for Space Systems Acquisitions (McDougall, Jackson)
  Weapons Safety: Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics (Adams, Tomasello)
  Hazard Identification: Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods (Myklebust)

10:30 - 11:20
  Space Systems: Cryogenic Safety for Space Launch Vehicles During Ground Operations (Iyengar)
  Weapons Safety: A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects (Pham, Sivapragasam)
  Hazard Identification: Design With Safety Eye (Erdem, Aydin)

Awards Luncheon, Salons A-E. Menu: Caesar Salad; Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce; White Chocolate and Blood Orange Torte

1:30 - 2:20
  Aerospace Software (Beecher): Making the Implicit Explicit: Towards an Assurance Case for DO-178C (Holloway)
  Public Safety II (Laabs): Integrating System Safety and Emergency Management (Hardy)
  Hazard/Risk Management II (Kniess): Towards Automatic Verification of Safety Properties in AADL System Models (Björnander, Graydon, Land)

2:30 - 3:20
  Aerospace Software: Uncertainty and Confidence in Safety Logic (Graydon)
  Public Safety II: Safety in Deepwater Well Containment Operations (Robins)
  Hazard/Risk Management II: Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events (Allison, Jerdak)

4:00 - 4:50
  Aerospace Software: Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System (Yang, Xie, Yousefi)
  Public Safety II: A Taxonomic Analysis On Chinese Special Equipments "Yinhuan" in Supervision (Fan, Luo, Lu)
  Hazard/Risk Management II: Leading Indicators in Aviation Operations (Fletcher, Dokas)

Exeter / Fairfield / Suffolk / Wellesley

8:00 - 8:50
  Tutorial: Conceive of Modeling On Operation Mechanism of Public Safety Standardization (Luo, Huang) (6 hrs)
  Panel: G-48 Pressing Issues Facing System Safety (West) (3 hrs)
  Committee & Group Meetings

1:30 - 2:20
  Tutorial (continued)
  Committee & Group Meetings (continued)

SCHEDULE: FRIDAY, 16 AUGUST

Simmons Room, 6:30 - 8:00: Speakers' Breakfast

Clarendon / Dartmouth / Regis

8:00 - 8:50
  Workshop: Process Safety Culture Best Practices (Pearlman) (2 hrs)
  Best Paper 1
  Lessons Learned & ISSC Staff Turn-over Meeting

8:50 - 9:30
  Best Paper 2

10:00 - 10:40
10:50 - 11:30


3, 2, 1, SAFETY

System safety is paramount. It impacts our products, employees, technicians and maintenance personnel. And safety is no accident – it is designed into everything we do. We are proud to sponsor this year's International System Safety Conference and their mission to think outside the box when it comes to the best processes, methods and techniques. We're committed to delivering innovative ideas and solutions that help connect, protect and explore our universe.

www.lockheedmartin.com/ssc

© 2012 Lockheed Martin Corporation


TUTORIALS

The conference organizers have an information-packed tutorial program planned in conjunction with the 31st ISSC. Attending tutorials, as well as other elements of the Technical Program at the 31st ISSC, meets the requirements for Continuance of Certification credit through the Board of Certified Safety Professionals (BCSP). The University of Cincinnati will issue Continuing Education Units (CEUs) for participation in the conference tutorials. CEUs are issued on the basis of 0.1 CEU per instructional contact hour. You must be present for at least 90% of the tutorial to receive CEUs and a tutorial completion certificate. Your attendance is verified via the process outlined below.

• At the start of the tutorial, you'll clearly print your name in the attendance form exactly as you want it to appear on the certificate.
• After returning from each break during the tutorial (morning, lunch and/or afternoon), you'll initial the attendance form.
• You must be present at the end of the tutorial to receive your certificate and the CEUs.

If there are misspellings on the CEU certificates, please mark the corrections and give them back to the instructor or leave them at the registration desk.

Monday 08·12·13, 8:00-11:30, Exeter, Tutorial, 0.3 CEU

Hands-On System Safety Basics Focused on FHA
Instructors: Werner Winkelbauer, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria

An overview of a generic safety process best suited for small to medium sized projects, in relation to the project lifecycle, is given. For each major project phase, the respective safety process phase, safety objectives, and necessary inputs and outputs are detailed. Some state-of-the-art analysis techniques are explained. Special emphasis is placed on the Functional Hazard Assessment, where practical guidance for a Functional Failure Modes and Effects Analysis is presented.

The content of this tutorial is based on experience from an internationally operating company.

Objective: Basic understanding of a safety process and the practical implementation of a Functional Failure Modes and Effects Analysis.

Monday 08·12·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Introduction to Fault Tree Analysis Using CAFTA Software
Instructor: Jean Francois Roy, Nuclear Division/Risk & Safety Management Group, Electric Power Research Institute, Palo Alto, CA, USA

This tutorial will introduce Fault Tree Analysis using CAFTA software. Attendees will first review fault tree methodology and terminology. Construction of a fault tree model in CAFTA will then follow a brief review of CAFTA's components and symbol types. In constructing the fault tree model, topics covered will include projects, navigation, editing shortcuts, and how to add probabilities. An overview of basic event probability formulas, type codes and variables will be included, as well as printing and quantification processes.

Tuesday 08·13·13, 8:00-5:00, Arlington, Tutorial, 0.6 CEU

A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique
Instructors: Nancy G. Leveson, PhD, John Thomas, PhD, Aeronautics and Astronautics, MIT (Massachusetts Institute of Technology), Cambridge, MA, USA

STAMP is a new accident causality model that expands on the old models in order to handle the increased complexity, software, and changing human roles in today's systems. Using STAMP as a foundation, new tools have been built for hazard analysis (STPA), accident analysis (CAST), organizational risk analysis and risk management, etc. This tutorial will concentrate on STPA. The tutorial will start with a brief introduction to STAMP and the systems approach to safety engineering. The rest of the time will be devoted to learning STPA and doing exercises. Students are encouraged to bring problems from their own research domains so that they can try this analysis method on something very relevant to their work.

STPA is being used successfully in almost every industry. Several groups have evaluated STPA empirically by comparing the results with standard hazard analysis techniques. In all cases, STPA found all the hazard scenarios found by the other methods, but also found additional ones involving software, human errors, and unsafe interactions among system components. In a couple of cases where STPA and the other methods were applied to a design in which an accident had occurred (without telling the analysts), STPA was the only method that found the real accident scenario.

By the end of the tutorial, attendees will be able to apply STPA to a system in their field of expertise.

Tuesday 08·13·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Assurance Cases as Means of Evidence Based Developed of Critical Systems
Instructor: George Despotou, BEng, MSc, PhD, CEng, Department of Computer Science, University of York, York, United Kingdom

Often developers have the onus to defend a position (i.e. make a case) about the safety of their system. This usually involves an explanation of how the available information for a system supports the claim that risks in a system have been acceptably managed.

Safety cases have been used in the safety domain for a number of years, mostly in the defence, aerospace and energy domains. Their usefulness as a tool for improving safety has been appreciated by many practitioners, and development of a safety case is a requirement in many standards. This has resulted in the core concepts of safety cases being transferred to other domains (e.g. automotive) and focused on other system attributes (e.g. security cases). Recently the term assurance case has been introduced, which encompasses not only safety but other relevant critical aspects of a system, such as security.

A case exists to communicate an argument. It is used to demonstrate how someone can reasonably conclude that a system is acceptably safe from the evidence available. A case is a device for communicating ideas and information, usually to a third party (e.g. a regulator). In order to do this convincingly, it must be as clear as possible. Safety case definitions may differ between domains, but all definitions converge on a set of characteristics.

Development of a (safety) case is a requirement in many standards. However, the usefulness of the safety case has also been appreciated in industry, and it is used by many organisations as good practice. The reason for this is that explicitly capturing all reasoning and information about the supported position, such as assumptions and evidence, facilitates assessing the fitness of the design to meet its (safety) objectives. A manufacturer will design a system aiming to achieve the required operational attributes. However, what is intended is not always what is achieved. Once the reasoning of the developers is explicitly documented as claims and arguments supported by evidence, the gap between what was intended and what was achieved becomes more apparent.

Explicitly documenting a case will contribute towards a factual representation of the system, revealing which claims can be supported by evidence and which remain intentions (for example, because there is insufficient evidence to support them). This does not necessarily imply that the latter claims have not been implemented, but that we are unaware of their achievement, as they are not sufficiently supported. There can be three reasons why a claim is not sufficiently supported: a) there is not sufficient evidence to warrant the claim; b) although there is evidence, there is inadequate explanation (a problematic argument structure) of how the evidence supports the claim; and c) the claim was phrased in a way that is unsupportable.

The tutorial describes the basic concepts of assurance and safety cases (including recent OMG standards), will explain the main challenges in developing an assurance case and their relationship to safety standards (safety cases and standards serve different purposes and should be seen as complementary), and will present best practice (and misconceptions) regarding assurance cases.

Tuesday 08·13·13, 8:00-11:30, Suffolk, Tutorial, 0.3 CEU

Practical Generation of Safety Cases with the Help of GSN
Instructors: Andreas Gerstinger, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria

This tutorial will introduce you to the concept of safety cases. Safety cases are structured arguments that support the claim that a system is safe to be used for a given application in a given environment. Several standards require the production of such safety cases as a prerequisite for approval. The tutorial will highlight good and bad practices when developing safety cases and will introduce you to a notation specifically developed for the generation of safety cases: the Goal Structuring Notation (GSN). There will be practical examples which need to be solved by the attendees, so that hands-on practice and experience is gained.

Detailed outline of the tutorial:

Introduction (1h): The tutorial will start with a survey of current safety standards (IEC 61508, ISO 26262, EN 50128, DO-178C) and analyse their views and requirements regarding safety cases. We will then delve into the nature of safety cases, briefly touch on their historical origins, and clearly consider what can and what can't be expected from a safety case. Based on our practical experience, we will also highlight some typical bad practices when constructing safety cases. This helps to correctly and critically read them, and is also a helpful guideline for reviewing other safety documentation. This part of the tutorial is largely a presentation.

Goal Structuring Notation (45min): We will now introduce the main elements of the Goal Structuring Notation (GSN), which is a helpful tool to document safety cases. The presentation of the notation will be interleaved with brief examples, exercises and questions, so that attendees have the chance to fully understand the meaning and purpose of the various symbols. A structured method for how to proceed when drafting safety cases will also be presented. Hence this part of the tutorial is much more interactive, requiring active participation of attendees.

Case Study (45 min): A realistic case study will then be handed out. It is expected to be solved as group work (groups of 3-5 people are expected). The task of the groups will be to draft and present a sound safety argument for a given claim that the system in the case study is acceptably safe for a specific application in a given environment. GSN shall be used as the notation for this purpose. At the end the groups present their solutions, and the advantages/disadvantages of the presented solutions are discussed. This part of the tutorial is group work.

Concluding Remarks (30 min): Finally we will offer some concluding remarks consisting of hints on how to avoid common errors and fallacies in safety cases, show some examples of real-world safety cases, and finish with a personal conclusion.

Tuesday 08·13·13, 1:30-5:00, Suffolk, Tutorial, 0.3 CEU

Improving Safety Management by Using a Risk Management Policy in Your Daily Operations
Instructors: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA
The focus of the tutorial is the use of risk assessment and risk management in the (non-technical) occupational safety and health profession. Domain of Interest: Hazard/Risk Management or Workplace Safety.

First hour: Review the basics of the various components of risk and types of risk assessments. Stress that the safety and health professional needs to understand that risk is more than a simple subjective measure of severity and frequency.


Second hour: Demonstrate how to make risk assessment into a powerful management tool by customizing the assessment of risk for use in a company or industry. Also provide insights on how to "sell" a risk management policy/program within a company.

Third hour: A discussion of how to use risk management as a tool to aid you in your daily office or program management responsibilities: the planning, organizing, staffing, leading and controlling of a safety program. Embedded in the discussion is how risk can provide a measure of the success of an occupational safety and health program.

Wednesday 08·14·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Why You Should Care About the "-Ilities"
Instructors: Alan E. Southwick, BSEE, MME, MBA, CSP, CQE, CRE, Whole Life Engineering Directorate, Raytheon Company Integrated Defense Systems, Portsmouth, RI, USA
The topic addresses the interrelationships developed from Quality, Quality Control and Quality Engineering, pursuing Specialty Engineering roles and relationships, including Reliability, Maintainability, Supportability, Human Factors, Safety and Security (Information Assurance), from an overview perspective. The tutorial is designed to be somewhat interactive, presenting examples and questions to the audience related to the various topics discussed, thereby engaging participants and providing them with insights into the various disciplines and how they relate within "Specialty Engineering".

Wednesday 08·14·13, 1:30-3:30, Dartmouth, Tutorial, 0.2 CEU

Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System
Instructors: Tim R. Behnke, BSEE; John Damstra, BS Mathematical Sciences; and Eric D. Villhauer, BS Aerospace Eng., BA Economics; Specialty Engineering, General Atomics Aeronautical, Poway, CA, USA
The presenters share their implementation of a hazard analysis that integrates the civil aviation approach to safety analysis per SAE ARP 4761 and the defense approach to safety analysis per MIL-STD-882E, along with their implementation of the associated hazard tracking system in DOORS.

• Introductions - Behnke - 5 mins
• Need for System - Behnke - 5 mins
• Groundwork (historical) - Behnke - 10 mins
• Development - Damstra - 30 mins
  i. Modules
  ii. Attributes
  iii. DXLs
  iv. Views
  v. Exports
• Usage - Villhauer - 30 mins
• Questions - All - 10 mins


Wednesday 08·14·13, 1:30-3:30, Exeter, Tutorial, 0.2 CEU

Where Hard Meets SOFT: Human Factors Role in System Safety Engineering
Instructors: Fred W. Brisbois, CHCM, Safety, Sikorsky Aircraft, International Helicopter Safety Team, Guilford, CT, USA
The gap that allows accidents to happen is sometimes where System Safety Engineering and Human Factors don't overlap. System Safety Engineering processes defined in MIL-STD-882 and ARP 4761 provide a structured approach of applying engineering practices to ensure safety is designed into products. These practices, coupled with robust product safety surveillance and management during the aircraft's service life, offer opportunities to continuously raise the standards for future designs. However, to maximize the benefits of safety engineering it is important to master the 'art' of how and when to integrate human factor interventions into the system design. This session will cover a generic overview of system safety engineering, aircraft fleet safety management, and lessons learned from 'human' malfunctions that led to aircraft system design changes.

Wednesday 08·14·13, 1:30-5:00, Wellesley, Tutorial, 0.3 CEU

Using Risk Profiles for Safety Management of Large Scale Operations
Instructors: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA
This tutorial provides safety and health professionals who work with large scale or multiple operations with a methodology to evaluate and compare these operations. The tutorial begins with a review of four types of risk which need to be assessed (People, Product, Production and Planet). This is followed by a brief discussion of normalizing the risk components of severity and probability. The heart of the tutorial is the description of how to measure the total risk of various operations, processes and facilities and present the resulting risk profiles to management. The tutorial will conclude with a brief discussion on the validity of the methodology used. Note: This is not a discussion on how to determine true total risk, but a simplified method using a minimum of math. The tutorial is designed for safety and health professionals working within a company that has multiple processes or facilities that compete for funding to ameliorate hazards.

Thursday 08·15·13, 8:00-5:00, Exeter, Tutorial, 0.6 CEU

Conceive of Modeling On Operation Mechanism of Public Safety Standardization
Instructors: Yun Luo and Yuecheng Huang, ME, School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
On the basis of the theories and methods of system science and strategy-system, this paper revealed the operation law of standardization of safety production and the relations between all the elements, combined with the background and current situation of public safety standardization in China. It also built the frame of the macroscopic operating mechanism and the "456" model of the work safety standardization system operation mechanism, which borrowed the idea from the execution and achievement of work safety standardization in our country. Besides, it also designed six other mechanism models in order to perform systematic analysis and present optimized countermeasures, such as comprehensive management by government, categorized supervision by department, implementing responsibility by organization, technological service by agency, wide participation by society, self-disciplined prodding by entire personnel, and so on. The research provided some theoretical directions as well as approaches for the construction and improvement of the operation quality of public safety standardization.


Panel Discussions / Forums

Tuesday 08·13·13, 8:00-11:30, Dartmouth, Open Forum

Developing Global System Safety Perspectives
Moderator: Robert Ward Fletcher, PEng, MSc, PMP, PCIP, Consultant, President, Robert Fletcher System Safety Inc., Ottawa, Ontario, Canada
This will be a free-form discussion moderated by Bob Fletcher, SSS Director of International Development. It is a continuation of the discussion started during the 30th ISSC.

Robert is a system safety engineer with many years of experience. He has performed system safety consultancy services work for several clients around the world. He has performed system safety engineering and safety management systems training, auditing and analysis for air traffic control and flight service system applications. Robert has received an MSc from the United States Navy Post Graduate School, a diploma from the Aerospace Systems School, Winnipeg, Manitoba, and a Bachelor of Science degree from the Royal Military College. He is a registered professional engineer, a member of the Project Management Institute and the Critical Infrastructure Institute.

Thursday 08·15·13, 8:00-11:30, Suffolk, Panel

G-48 Workshop - Pressing Issues Facing System Safety
Moderator: David B. West, CSP, PE, CHMM, Systems, Software and Solutions Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
A panel of speakers (TBD) will give a series of presentations on the most pressing issues facing the System Safety community today.

Workshops

Tuesday 08·13·13, 8:00-11:30, Exeter, Workshop

ISO 26262-Style Risk Assessment
Presenter: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada
ISO 26262 is a functional safety standard for electronic control systems in road vehicles which includes a novel approach to risk assessment that overcomes the widely recognized difficulty of evaluating the likelihood of failure in the case of software-intensive systems. Although it was devised for use in the automotive domain, this approach to risk assessment has been used successfully in other technical domains that also rely on safety-critical software. Following a brief introduction to ISO 26262, participants will engage in a series of problem-solving small-group exercises based on examples taken from a variety of technical domains, including automotive, medical devices, energy and defense. The workshop will include opportunities for discussion and comparison of sample solutions. The workshop will also include a brief comparison of the ISO 26262 approach to risk assessment with the notion of software criticality in MIL-STD-882E. While this workshop will be of particular interest to system safety engineers in the automotive industry, it is intended to be relevant to system safety engineers across all technical domains with an interest in the assessment of safety risk associated with complex software-intensive systems.


Tuesday 08·13·13, 1:30-5:00, Exeter, Workshop

Application of System Safety Methods to Systems of Systems
Presenters: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada; Rami Debouk, Electrical and Controls Integration Lab, General Motors, Warren, MI, USA; Antonio Vergara, ITER Organization, St. Paul-lez-Durance, France
This workshop will facilitate an exchange of knowledge among participants about the application of system safety methods to Systems of Systems (SoS), that is, systems whose components are themselves complex systems, such that the combined behavior of these components cannot be easily understood or explained in terms of the behaviors of the individual components. Examples of such systems are increasingly common across a variety of technological domains, including aerospace, defense, automotive and energy generation/distribution. Traditional methods of system safety, focused on component failure as a source of safety risk, have limited value in understanding and managing the safety risks associated with a SoS. For example, an unforeseen interaction between two "correct" behaviors implemented by different components of a SoS may result in an unsafe behavior even in the absence of a component failure. The first part of the workshop will be a series of short presentations on SoS examples from a diverse variety of technical domains, namely advanced road vehicles, high energy physics and aerospace/defense. The second part of the workshop will be an opportunity for all participants to address specific questions about the application of system safety methods to SoS through dialogue and impromptu mini-presentations.

Tuesday 08·13·13, 1:30-5:00, Fairfield, Workshop

Advancing Safety By Reducing Errors: A Fresh Approach
Presenter: Tim Autrey, BSc, Error Reduction and Human Performance Enhancement, Practicing Perfection Institute Inc., Swanzey, NH, USA
Potential hazards workers face while working in the refining and petrochemical industry can vary from minor leakage to major blasts, release of chemical vapors, spills leading to exposure to harmful gaseous chemicals, fires and explosions, and smoke build-up causing shelter-in-place impacting the local community, personal injuries, fatalities and plant damage resulting in shut-downs. Considering time pressures, the dangerous nature of the job, weather conditions, lack of communication, poor/inadequate documentation and remote working locations, planners, locators and refiners often face combined challenges that generate very error-likely conditions.

While unexpected releases of toxic substances do occur, the industry is subject to vulnerabilities caused by others (such as processes involving highly hazardous chemicals leading to the release of flammable liquids and gases, and worker stress and fatigue), and investigations reveal that many of the major accidents that do occur could have been prevented through greater diligence on behalf of the respective personnel involved.

This workshop is designed to provide the participants with the awareness that as humans we are fallible (even the best people make mistakes). However, this being said, as humans we also possess the incredible power of choice. What we must do is choose to learn from our mistakes and take actions to prevent their recurrence.

Bird and Germain (1996) rightly said, "What is the sense of measuring if the loss must occur before you can act? That is reaction, not control." What we need is a fresh approach to enhance safe work practices. This session will instill a strong understanding of "The Gap" in processing information and how to RESPOND rather than REACT when posed with a stressful or threatening situation. The participants will come to recognize the value inherent in worker contribution to solving problems and improving safety and efficiency.

The Practicing Perfection® approach has taken the best-of-the-best tactics and tools from the US commercial nuclear power and airline industries, simplified them, and combined them with underlying triggers and influencers of behavioral psychology to transform worker behaviors pertaining to personal and process safety in different sectors.


Using this innovative approach of Practicing Perfection®, safe work practices will be discussed in depth using the four human error barrier/defense categories and how these work together to prevent/allow an event to occur. The participants will be introduced to the Error Elimination Tools™ handbook, which offers simple tools for minimizing the potential for error at points of team interaction and individual execution.

Wednesday 08·14·13, 1:30-3:30, Arlington, Workshop

The Evolution of the UK Defence Safety Standards
John McDermid, Professor of Software Engineering at the University of York, UK
Issue 5 of DS 00-56 is being developed and is likely to be in force before the end of the year. The UK's primary defence safety standard, DS 00-56, has been in existence since mid-1990 and has undergone a number of changes, becoming more goal oriented at Issue 4 (the current standard). When Issue 4 was produced, DS 00-55, the MoD software safety standard, was discontinued. Since the publication of DS 00-56 Issue 4 in 2007 there has been feedback on some of the requirements, including the challenges of applying the ALARP principle; defence contracting has changed, with a move towards the greater procurement of services and/or outsourcing management of facilities; and there is increasing use of Systems of Systems (SoS). Issue 5 of DS 00-56 is being developed to address these issues. At the same time there have been increasing concerns regarding software safety, and it has been decided to re-introduce DS 00-55 at the same time, albeit in a goal-based style consistent with DS 00-56 and also covering complex electronics. The tutorial will present an explanation of the motivation for the changes to the standards and the significant conceptual changes, and outline the rest of the development process. Time will be allowed for discussion, e.g. the relationship between DS 00-56 and other standards, both civil and military.

Wednesday 08·14·13, 1:30-3:30, Fairfield, Workshop

Aircraft Fire & Explosion - How Safe Are the Friendly Skies?
Albert Moussa, PhD, PE
While commercial air travel is an extremely safe mode of transportation, aircraft fires and explosions can occasionally occur with catastrophic consequences. Using examples of recent accidents and full-scale testing, Dr. Albert Moussa will provide an overview of the main types of fires, such as those involving aircraft engine, fuel tank, cabin and cargo areas. He will show how major accidents lead to safety recommendations by the NTSB, stricter requirements by the FAA and improved practices by the industry. This process takes many years, leading eventually to safer skies. Examples of safety improvements include the use of a fire blocking layer in seats, improved acoustic insulation, fire detection and suppression systems in cargo bays, and fuel tank inerting. The implications of replacing aluminum with composite materials will also be discussed. The talk is an overview of a unique professional course that he teaches annually on the design of aircraft systems for protection against fire and explosion. The talk is a multi-media presentation illustrated with colorful slides and short video clips of real accidents and computer model outputs.

Dr. Albert Moussa has spent over forty years developing a fundamental understanding of fire and explosion, particularly for the aerospace/defense industry. His work has led to the development of a number of practical solutions and quantitative models and to the investigation of several major national and international aircraft fire accidents. His forewarning about the vulnerability of aircraft fuel systems before the occurrence of the TWA800 and Concorde disasters has gained him prominence in the general media in both the US and Europe. He has consulted for the Air Force, Navy and major firms such as Boeing, GE, Northrop Grumman and Parker Hannifin, and has served on national advisory committees and on the Editorial Board of an ASME Journal. He teaches a unique professional design course on how to protect aircraft systems against fire and explosion. He received his BS from Stanford University and his MS and ScD from MIT. He has published widely, including one book. He has received several honors, including the William Littlewood Memorial Lecture Award by SAE/AIAA, Engineer of the Year by AIAA NE Section, best papers by SAE and ASEI, AIAA Distinguished Lecturer, and several ASME citations. He is the Founder and Technical Director of BlazeTech Corp., an engineering firm that specializes in technology and software development in the area of energy, environment and safety.

Friday 08·16·13, 8:00-10:00, Clarendon, Workshop

Process Safety Culture Best Practices
Presenter: Laurence Pearlman, MA, Corven Inc. and University of Illinois at Urbana-Champaign, Naperville, IL, USA
The workshop explores how process safety is more than a technical solution and involves cultural change. To make a successful and sustainable culture change, multiple elements need to be combined that address people, rewards, learning and leadership. This workshop will explore best practices and give practical advice on how to build a process safety culture. The workshop is aimed at Oil, Chemical and other process-related work.

• Introduction
• Change as a Journey: Overview of Change Management
• Building a Business Case: Defining a Burning Platform
• Speaking of Process Safety: Creating a Common Language for Process Safety
• Leadership Matters: Defining the Role of Your Leadership Teams
• Effective Learning: Segmenting Your Audiences and Delivering Relevant Learning Activities
• Looking at Behaviors and Desired Outcomes: How To Define & Drive Behaviors
• The Employee Lens: Know My Barriers & Know My Role in Keeping Them Healthy
• Measurement of Culture: What Works and What Doesn't
• Wrapping it Up: Change as a System

Advertisement: AST Aerospace

You have a lot on the line. Our adaptive Safety Management and FAA Compliance solutions won't let you down.

Adaptive SMS - The comprehensive solution for the most efficient implementation
Extends a culture of safety beyond safety teams
Easily guides users to confidentially report useful safety events
Responsiveness shows users they made a difference

Adaptive Systems Safety Analysis - Safety oriented system design analysis

Don't miss the Sikorsky Aircraft and AST Aerospace presentation "Linear Integrated Safety Analysis (LISA)"

A DIVISION OF ATLANTIC SOFTWARE TECHNOLOGIES
1-732-230-2590
sales@astaerospace.com
www.astaerospace.com


Paper Presentations

Monday 08·12·13, AM, Berkeley, Hazard Analysis, Chair: Barondes

Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models
Lucas Wind, Dr. Gabriele Schedl, Juergen Floetzer, Safety Management Department, Frequentis AG, 1100 Vienna, Austria
Multiple failures of components due to shared causes, also known as Common Cause Failures (CCF), comprise an important class of failure types. These have to be taken into account in any serious assessment of safety critical systems deploying any redundancy concept. Whereas a qualitative assessment of CCF can be regarded as common practice, the exact numerical impact of CCF is usually less widely understood. Explicit representation of CCF is quite cumbersome and usually involves complex graphical representations within Fault Trees and RBDs. Focusing on a correct derivation of RAM data rather than on a comprehensive common cause analysis, an implicit representation of CCF is therefore often preferred, but involves in-depth knowledge of the underlying mathematical models. This paper aims to enable safety experts to make a fast, simple but effective RAM analysis including CCF. Popular CCF models are reviewed together with their advantages and disadvantages, based on the long-term experience of a supplier in the context of a large European ATM project. The single-parameter beta-factor model is explained in detail and demonstrated to be most effective for typical ATM applications. Based on this model, results are given in terms of representative figures depicting the influence of CCF on various typical real-world availability requirements.

Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees
Wes Rainey, MSEE, Life Cycle Engineering, General Dynamics Electric Boat, Groton, CT, USA
Fault Trees prove to be an effective tool for identifying safety critical system hardware and software requirements during the Safety Requirements Hazard Analysis (SRHA) process. This safety analysis methodology offers significant benefits when performing the SRHA. Fault Trees effectively communicate the safety assessment of a safety hazard to other safety engineers, systems engineers, the customer and other impacted engineering disciplines in a manner that each discipline can readily understand and evaluate for completeness and correctness. Fault Trees also enhance the safety engineer's ability to assess the implications of safety mishaps and events on safety hazards, improving visibility into the relationship between related mishaps and events and allowing for common events to be identified and shared between hazards. Fault Trees can then be structured to correspond to the system hardware and software requirements analysis, thus providing the ability to identify hazard mitigating safety critical requirements, design features and procedures early in the development process for continued tracking and management. This paper describes significant benefits of Fault Tree analysis when applied to an SRHA, with an example based upon a hazard caused by significant equipment damage to a pump.

The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment
Omar T. Jaradat, PhD Student (1); Patrick J. Graydon, Postdoctoral Research Fellow (1); Iain Bate (2); (1) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden; (2) Department of Computer Science, University of York, York, United Kingdom
Typical safety standards require software engineers to show that a plan of safety activities, chosen from recommended options or alternatives, meets a set of objectives. For example, the automotive safety standard ISO 26262 recommends formally verifying software architectures to show that they comply with safety requirements. In this paper we show how an existing approach to architectural model checking could be used to conform to ISO 26262.

The Architecture-Based Verification Technique for AADL Specifications verifies some completeness and consistency properties of Architectural Analysis and Design Language (AADL) models. An engineer transforms the AADL architecture into an UPPAAL model, generates a set of UPPAAL queries, and uses UPPAAL to check the queries. Using the resulting evidence we have created a partial ISO 26262 safety case for an existing system that warns drivers of heavy vehicles before low fuel causes loss of power and vehicle control.

In this paper we demonstrate how this model-checking evidence contributes to an ISO 26262 safety case. We then critically analyze the resulting argument, recommend means of achieving complete coverage of ISO 26262 objectives, and discuss the costs and benefits of architectural model checking in comparison to those of the other techniques recommended by ISO 26262.

Monday 08·12·13, AM, Clarendon, Ground Transportation, Chair: Millin

Achieving Confidence of a Safety Critical System Product and Its Applications
Fenggang Shi, PhD, RAMS Department, Thales Canada Transportation Solutions, Toronto, ON, Canada
A safety critical system product can be developed for multiple project applications, such as a Communication Based Train Control (CBTC) product for modern railway signaling systems. It is natural that different safety critical systems in the same domain can have different characteristics due to variances of devices and operation environment. Such a product must be developed based on the generic attributes of systems in the domain and can be parameterized and tailored to a specific system with the characteristics expected by the customer. The key issues in development of such a product are defining common functions in the application domain, categorizing and generalizing devices, and designing a configurable system architecture. Thus devices and functions can be parameterized and tailored for a specific system of a project. Safety engineering for such a safety critical system product and its applications faces complexity in safety case development for demonstrating systematic hazard analyses and management. This paper discusses Thales' experience and practice of resolving the key issues in designs and managing complexity of safety engineering on its CBTC product and applications. Safety confidence of CBTC systems is achieved through four layers of safety engineering: vital computer controller platform, generic application and specific application.

Failure Logic Automata for Future Oriented Safety Assessment of Train Control System
Guo Zhou, PhD Student; Huibing Zhao, Professor; School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China
In the development process of a train control system, safety analysis possibly deviates from system design. System engineers and safety engineers always carry out their ideas in entirely different ways, so that when system engineers assert their designs are completed and feasible, the safety engineers may disappointedly declare that the safety requirements are not met. On the contrary, when safety engineers expose their manual analysis reports (FTA, FMECA, etc.), system engineers may pop up and point out the inconsistency. Intuitively there seems to be a "gap" between system engineering and safety engineering. In this paper, some comparisons amongst classic safety assessment methods are performed first. Then a future-oriented safety assessment method is introduced to safety engineering to automatically realize safety requirements verification with the soaring complexity of system design. The hierarchical and modularized methodology of failure logic modeling is illustrated for minimal cut set synthesis and dangerous failure rate calculation, which can be referred to in order to promote safety. The mathematical model is constructed to manifest the correctness of the method. An instance analysis of an on-board train protection system is also performed.

Are We Ready for Driverless Cars?
David B. West, CSP, PE, CHMM, AMCOM/AMRDEC Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
For decades, technological advancements have continually improved the automobile, making it easier to drive. As we integrate features like adaptive cruise control, GPS navigation, lane keeping and so on, and make them interoperable, we move ever closer to having cars that will drive themselves to the destinations we enter into their programs. Some experts have even predicted that in less than a generation it will be illegal to steer our cars ourselves. Though it may seem that serious safety challenges constrain our movement down this path, it may actually be the safety benefits offered by driverless cars that propel us in this direction. Several high-profile competitions have fostered the development of driverless car technology. Some jurisdictions are already passing legislation to pave the way for driverless cars on public roads. With driverless cars will come major changes in legal processes involving accidents. In many ways the development of driverless cars that will operate on public roadways parallels the development of unpiloted aircraft that will fly in the national airspace. Design standards for hardware and software in civil aircraft (e.g. RTCA DO-254/DO-178) may serve as models for similar qualification of driverless car hardware and software.

Tuesday 08·13·13, AM, Berkeley, Hazard/Risk Management, Chair: Parizo

Safety is not an Option
Clifford A. Parizo, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Stratford, CT, USA; R. Brandon Daugherty, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Huntsville, AL, USA
This paper presents a method for evaluating and classifying rotorcraft safety enhancing equipment in terms of impact on safety and various equipment implementation factors. Guidance from certifying agency policy and system safety standard practice was considered, resulting in a classification tool that can be used to determine if equipment should be marketed and sold as either mandatory or optional. The methodology developed may have applications for other products and industries.

National Aerospace Standard 411 Update
Timothy Sheehan, CIH, CSP, PE, Raytheon Global Substances Program, Raytheon, Portsmouth, RI, USA
This paper describes the effort to review and update National Aerospace Standard 411 ("NAS 411"), commonly used within defense as a framework to conduct Hazardous Material Management Programs (HMMP) intended to reduce hazardous material risks in the government procurement of military systems. The scope of the effort includes both a review of the standard and the introduction of several key changes, including the expansion of the scope to non-military procurements and service contracts. Included in the effort is the task of developing a standardized military Hazardous Materials Target List (HMTL) that can be used as a starting point for military HMMP hazardous material (HAZMAT) target lists. The development of the common HMTL addresses the need to increase standardization of HMMP lists across defense programs that use NAS 411 and/or MIL-STD-882E Task 108 to conduct their HMMPs. There is currently no standard approach for developing these lists; as a result, there are numerous different materials identified for restrictions and reporting requirements. The current situation often does not support (or reflect) the hazmat risk management goals of the DoD, the military services or the contractors.

Linear Integrated Safety Analyses (LISA)
Michael T. Grant, Aviation & Product Safety, Sikorsky Aircraft Corp., Stratford, CT, USA; Samad Muhammad, Atlantic Software Technologies Inc., New York, NY, USA

This paper describes the Linear Integrated Safety Analyses (LISA) process developed by the Sikorsky Aircraft Corporation (Sikorsky). The LISA architecture is designed to encompass all aspects of safety risk management for aircraft development programs. It is linear in that each assessment is repeated at the aircraft, system, and subsystem levels in sequence, and it is integrated such that all analyses are connected and fully traceable to requirements. Sikorsky has partnered with Atlantic Software Technologies (AST) to develop a web-based LISA application. The end product will be a fully integrated system safety process that is comprehensive, repeatable, and traceable.

Tuesday 08/13/13 AM, Clarendon, Workspace Safety (Chair: Kondreck)

ProgramISSC2013

33

Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen
Han Zhang, MSc Candidate; Rachel McQueen, MS, PhD; Jane Batcheller, PhD; Human Ecology, University of Alberta, Edmonton, Alberta, Canada

Burn injuries in kitchens are prevalent, and chefs are exposed to high heat and humidity. Limited research has been performed on safety issues related to chef's uniforms regarding thermal protective performance against common kitchen thermal hazards (i.e., flames, hot liquids, steam, and hot surfaces) and thermal comfort within commercial kitchens. The purpose of this research was to characterize the thermal protective performance properties of textiles used in chef's uniforms in order to understand how protective they are against all of these thermal hazards in such an environment. Selected thermal performance tests (i.e., flammability and ease of ignition, hot water and oil splash, steam testing under low pressure, and hot surface contact tests) were applied to predict the time to second-degree burn. Different fabric layer combinations (e.g., an impermeable/semipermeable apron and two or more layers of cotton fabric) were tested to determine the most effective way to wear chef's uniforms. In addition, thermal and water vapour resistance were compared among the different fabric systems in terms of thermal comfort. Based on the data obtained from bench-scale tests, recommendations were made to improve the thermal protection and thermal comfort of fabrics used in chef's uniforms and the safety within commercial kitchens.

A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources
Ray Fischer (1), Kurt Yankaskas, BS (2), Chris Page (1); (1) Noise Control Engineering Inc., Billerica, MA, USA; (2) Warfighter Performance Department, Office of Naval Research, Arlington, VA, USA

Noise remains the most prevalent occupational hazard associated with defense systems and the operations critical to their sustainment. Concurrently, acquisition programs have been inconsistent in their application of control measures, and many new systems are noisier than their legacy predecessors. Common impediments to improved control include a relative lack of emphasis on risk management of noise, a lack of widespread technical knowledge regarding the feasibility of noise control, and misunderstanding of the potential return on investment from noise controls. The Defense Safety Oversight Council's Acquisition and Technology Task Force sponsored a project to identify common noise sources affecting multiple defense systems that were amenable to control measures that could be implemented using existing technologies at an affordable cost. A system engineering risk management process was applied to review key noise sources in DOD, identify nine of the more common sources amenable to control technologies, and describe common control measures for these processes. An affordable containment (acoustic enclosure) technology was also evaluated and described. Estimates were made of exposed populations, the range of their occupational exposures, and the potential risk and fiscal cost of hearing loss. Cost-benefit analyses were applied to evaluate the return on investment from available control measures.

System Safety Design for Safe Operation of Radars
Ronald J. Bartos, PE, CSP, Whole Life Engineering, Raytheon, Sudbury, MA, USA

Safe operation and maintenance of radars depends upon effective system safety and software safety analyses of radar designs. These analyses include identification of the hazards involved in operating and maintaining radars and the safety requirements that are necessary to mitigate these hazards. This paper familiarizes the reader with the system safety design requirements that are implemented in the controls of these systems in order to manage the potential safety risks inherent in radars. The safety features are contrasted among different types of radars. The differences in the types of safety features among these systems are highlighted, and factors for these differences are presented. The radar's mission, location, system architecture, conceptual design, and requirements allocation between hardware and software need to be understood in order to implement an effective safety program.

Tuesday 08/13/13 PM, Berkeley, Software Engineering (Chair: Mikula)

Dependability Techniques Applied to Space Software - A Research Project Report
Carlos Henrique Netto Lahoz, Dr. Eng., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos (SP), Brazil; Martha Adriana Dias Abdala, M.S., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos, Brazil

This work reports some results of a research project performed at the Institute of Aeronautics and Space (IAE), Brazil, using dependability techniques applied to a space computer system. Hazard analysis techniques such as Software FTA and Software FMECA were used in an integrated manner, and more recently the System-Theoretic Process Analysis (STPA) has been studied. This research is part of the Verification and Validation (V&V) efforts to increase software dependability capability in software projects at IAE.

The feasibility of such an approach was assessed on a system software specification and applied to a case study based on the Brazilian Launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to the inclusion of new functional and non-functional system software requirements.

The techniques are adjusted and used in combination to identify common causes of software failures, their criticality, performance problems, temporal misleading, and hazards arising mainly from dysfunctional interactions between components. The SFTA analysis produced 82 basic events and the SFMECA 34 analyses from the sequence of flight and control events. STPA is being applied to one of the case study scenarios in order to evaluate possible additional information about how the behavioural safety constraints can be violated.

The Principles of Software Safety Assurance
Richard Hawkins, PhD; Ibrahim Habli, PhD; Tim Kelly, PhD; Department of Computer Science, University of York, York, United Kingdom

We present common principles of software safety assurance that can be observed from software safety standards and best practice. These principles are constant across domains and across projects and can be regarded as the immutable core of any software safety justification. The principles also help maintain understanding of the 'big picture' of software safety issues whilst examining and negotiating the detail of individual standards, and provide a reference model for cross-sector certification.


Formal Modelling in the Development of Dependable Systems
Elena Troubitsyna, PhD, IT, Åbo Akademi University, Turku, Finland

Nowadays we tend to place increasing reliance on computer-based systems and the software they run. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, the analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.

It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing of software to the required degree of dependability infeasible, and hence the emphasis should be put on a development process that is aimed at producing fault-free software. Moreover, the system environment has a direct impact on its dependability, and hence a systems approach should be applied.

In the paper we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.

Tuesday 08/13/13 PM, Clarendon, Aerospace Safety (Chair: Kraemer)

Systems-Based Approach to Flight Safety Management in Airlines
Hong Chi, PhD; Baoguang Xu, PhD; Mingliang Qi, PhD; Xueyan Shao, PhD; Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China

Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of SMS. Since 2006 we have worked with one of China's three big airlines, taking part in its construction of an SMS. We find that safety risks have their own features in different airline departments, and we divide safety risks into two categories: one is caused by factors such as the quality of pilots and the reliability of airplanes, and the other is caused by misprocessing within operational processes; for example, a misprocessing in data entry during dispatching may lead to insufficient fuel and then to serious outcomes. A reasonable risk assessment can be obtained only by systematic mechanism analysis, and other analytical approaches need to be studied besides the risk matrix. Based on this, effective risk mitigation can be implemented in airlines. We develop a closed loop to support an airline's flight safety management, named "Describing-Assessing-Diagnosing-Improving-Tracking". Specific details will be discussed in this paper.

Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch
Burak Durmaz, MSc Eng, Product Assurance Department, Space Systems Group, Turkish Aerospace Industries Inc. (TAI), Ankara, Turkey

Even if new-generation aircraft have rugged designs that maximize reliability, exposure to failures during operation is still unavoidable. A pure safety approach can lead to the classical result "the safest aircraft is the one in the hangar". Vice versa, allowing dispatch without ensuring a certain level of safety can lead to catastrophic results and is totally unacceptable. The MMEL has been answering this dilemma for many years. Each MMEL item is analyzed taking into account the effects of item inoperability on safe flight and landing, crew workload, functional capabilities of the systems, design margins, and the impacts due to the next critical failure. The MMEL proposes dispatch criteria for any inoperative MMEL item by taking credit from a redundant unit that is capable of accomplishing the same function, from backup data provided by alternative sources or equipment, or by dictating acceptable limitations and/or requiring operational or maintenance procedures.

This study aims to answer questions such as why an MMEL is required and how an MMEL is developed. Brief information about the MMEL regulations, the importance of the MMEL in ensuring safe dispatch with inoperative item(s), and some simple examples of MMEL applications will also be provided.


Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics
Stuart Campbell Sr., MAS, CFII, ATP, Aeronautical Science, Embry-Riddle Aeronautical University, Daytona Beach, FL, USA

The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilots Association, 2010). The absence of a positive safety culture in general aviation, including training organizations, affects pilot judgment and decision-making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture to the learning process and training, are of importance and are currently under study using the Frasca Mentor Advanced Aviation Training Device.

Tuesday 08/13/13 PM, Dartmouth, Software Safety (Chair: Schmedake)

Safety and/vs. Security: Towards a System Engineering Approach for Trust
Erwin Schoitsch, Dipl.-Ing., Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria

Safety has a long tradition in many engineering disciplines, evolving long before computers arrived on the scene. Security in engineering disciplines has a shorter history, becoming increasingly important with the rising complexity of networked systems. In complex cyber-physical systems and systems-of-systems, both worlds, having ignored each other for a long time (independent communities, different targets, standards, techniques, and measures), now have to share their concerns to achieve the real goal of users and stakeholders: trustworthy systems.

The paper will compare the different approaches of the major safety and security standards, particularly with respect to setting goals, considering techniques and measures, and qualification/certification. Holistic system aspects, as covered by the notions of Dependability and Resilience as umbrella terms, and system engineering aspects taking into account the dichotomic properties of complex embedded systems (commonalities and trade-offs) are examined in order to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from the concept phase, hazard and risk analysis, to decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC-FP7 Integrated Project OpenCoss, IEC/ISO standardization groups, and other work.

Anatomy of a Safety Critical Software Function
Richard Church, Raytheon Company, Tewksbury, Massachusetts, USA

This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides a clear and concise determination of how a safety critical function may be defined at the system level to include hardware, software, human interactions, and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose SLSCF computing level functions and details what constitutes a Safety Critical Computing Software Function (SCCSF) and how to identify those behavioral attributes that designate that function as safety critical. This paper provides a methodology to identify, decompose, and categorize application and operating environment SCCSFs. For the purpose of this paper, SCCSFs are categorized into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety critical software functions that control and monitor safety critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies, and fail-safe designs found in successful high-consequence safety critical systems.

Software Risk: The Third Rail of Safety Analysis
Holly S. Hildreth, PhD, Consultant; Charles Greg Elcock, USN-R Aviator, Consultant; San Diego, CA, USA

"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Due to our inability to assess the probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called "throwing the baby out with the bath water". Meanwhile, the recent industry trend to assess software risk based solely on the implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss the shortcomings of this trend and describe alternative techniques that have not been openly documented but that have been used "under the radar" by software safety professionals for many years.

Wednesday 08/14/13 AM, Berkeley, Human Factors (Chair: Robins)

ASL – Affective Safety Leadership
Ulrik Ramsing, Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark

Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how", demanding that the CoRep engage with all parties in a safe, professional, and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged with CfL Centre for Leadership to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, the satisfactory completion of which is now a requirement for employment in DONG E&P Offshore Operation as Company Representative.

The CoRep Program satisfies its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors, and ILO-driven offshore coaching.

Exxon Valdez: Human Error, Plain and Simple
Arthur D. Barondes, BS (Mil Engr), MS (Aero), MBA, PhD (ABD) (Business), Analytics International Corporation (AIC), Alexandria, VA, USA

Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989, and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors (there were no mechanical or electrical failures that fateful night), the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots, and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors, onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company, as solely responsible for the disaster.


Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A. Vernacchia, MS, PE, Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A. Green, PhD, Active Safety Systems, General Motors, Warren, MI, USA; Robert E. Llaneras, PhD, Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA

Today's electric propulsion system designs (e.g., Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, some failure modes may result in the failure effect on output torque being realized significantly faster than in traditional ICE failure modes. These may present differences in how output torque responses impact potential "Driver Startle" events.

This paper compares electric propulsion systems' fault response characteristics and subsequent detection and mitigation capabilities to those of ICE systems. The effect of the electric propulsion system output torque response characteristics is discussed as it relates to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle-level hazard metrics related to Driver Startle, are presented.

Wednesday 08/14/13 AM, Clarendon, Public Safety (Chair: Fletcher)

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD; Yun Luo; Shuo Tian, MS; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

Scientific precaution and effective control of accidents are important for national production in China. The famous Heinrich Rule reveals that the statistical law of the severity and frequency of accidents is essential to control accidents, but the accident source and causation, as well as the essence of systematic safety factors, haven't been stated in depth. Using data analysis from various accident statistics over recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. A proportion rule of the accident pyramid is then further figured out, namely "Major Accident-Fatal Accidents-General Accidents-Hidden Dangers-Hazards" (1-52-240-4700-∞). The result accords with the traditional Heinrich Rule, provides the theoretical basis for accident prevention, and indicates the way and direction of realizing essential safety.

Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity
Ilya M. Zheleznov, PhD, VNIIA, Moscow, Russia

The paper presents a review and results of analysis of different technical and economic aspects of industrial safety at a large enterprise with distributed sites, combining R&D work with pilot and batch production of high-tech products, and located in a megacity, Moscow.

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to optimization are considered, from both technical and economic points of view, covering minimization of the transportation of dangerous substances, localization of treatment facilities (waste effluents, gas purification) and waste storehouses, localization of working-conditions maintenance systems (heating, air-conditioning, air cleaning, water supply, etc.), possible harm to the population, and a number of other factors.

The features connected with locating the enterprise in a megacity are identified, including limited areas for treatment facilities, a high density of various utilities in the area, short distances to residential buildings and city infrastructure, transport problems, high pollution of the air environment, etc.


Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr. Professor G.A. Smirnov, Dr. D.I. Yurkov, D.V. Syagin, T.V. Kozhina; All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia

The paper reviews questions related to the vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including those of a terrorist orientation, as well as to emergency situations of natural and anthropogenic character.

The main provisions of the complex program of safety of the population on transport, approved by the Russian Government, are presented. Approaches to the organization of screening of physical persons, passengers, vehicles, cargoes, luggage, and personal belongings at transport infrastructure objects of the undergrounds of Russia are formulated. Some types of neutron and x-ray equipment for the detection of explosives, nuclear materials, and drugs, designed and produced by VNIIA named after N.L. Duhov, are presented.

Wednesday 08/14/13 AM, Dartmouth, Lifecycle Safety (Chair: Swallom)

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore, Singapore

System Safety analyses assess the systems' hazards throughout all phases of the system life cycle. Quite often, the details of maintenance tasks on systems were not clearly thought out and assessed. Hence, while in the midst of carrying out system maintenance tasks, hazards could arise and pose safety implications to users. Improper maintenance could also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance and sometimes total replacement of the components at regular intervals are required. Therefore, it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety-critical or safety-related parts is also crucial in ensuring that the systems remain safe for operation after conducting maintenance.

This paper attempts to classify the different types of maintenance and the focuses of their respective hazard analyses in order to better address their potential hazards. Generally, there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance, and Reliability-Centered Maintenance. The authors will discuss, with examples, the hazard analysis for each of these types of maintenance.

ALD Software (advertisement)

30 Years of System Safety Leadership

SAFETY SERVICE FOR MISSION & PRODUCT ASSURANCE

SAFETY SOFTWARE FOR HIGHLY INTEGRATED SYSTEMS

SAFETY TRAINING FOR PROFESSIONALS

Contact Us Today for Free Web DEMO or Evaluation. USA Office: 5721 W. Slauson Ave, Suite 140, Culver City, CA 90230. Tel 1-310-338-0990, Fax 1-310-338-0999

ing | AIRBUS | ALSTOM | BAE | CATERPILLAR | DEUTSCHE BAHN | EADS | FAA | FINMECCANICA | IAI | SELEX Galileo | Bo

LOCKHEED MARTIN | NASA | NORTHROP GRUMMAN | SCAC | SAAB | THALES ALENIA SPACE | VIBRO-METER | US NAVY | THA

RAM Commander: Ultimate Tool for Safety Assessment

FavoWeb: World Standard in FRACAS

D-LCC: Dynamic Cost Control

www.aldservice.com

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram, David Hartfelder, Electronic Controls and Software, General Motors Company, Milford, MI, USA

System safety engineering is the application of special technical methods and managerial processes in a systematic manner to identify, evaluate, and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned with eliminating or minimizing the impact of system hazard(s) to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementary critical safety analyses, tests, and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that they are able to influence the design of the system. This paper will define a system safety case and provide an overview of its development within the GM system safety engineering process as applied to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA

Error Prevention Event Collection (EPEC) Documents have been beneficial to the ULA Organization in many ways, by providing multiple methods to augment current ULA Error Prevention Processes and by sharing Lessons Learned throughout the ULA Organization. EPEC Documents are stand-alone documents that provide ULA Personnel with categorized sets of Event information that can be used to augment the Preventive Analysis, Reactive Analysis, and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process. This means that they have completed the Causal Analysis, Corrective Action Board, and Error Prevention Council processes. Upon Event closure, the "All Items" Database is populated with Event information and the applicable Event EPEC Categories. Then the "All Items" Database automatically sorts Event entries into "Category" Databases. There is one "Category" Database for each EPEC Category. Each "Category" Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" Database that provides users with instructions for use, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications, and benefits will continue to be explored as they relate to the EPEC Documents.

Wednesday 08/14/13 AM, Exeter, Human Factors II (Chair: Flint)

Development of Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy; Yanyan Wang, DE; Xin Liu; Wei Bai; Xinsheng Guo; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China

Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress has a detrimental effect on flight safety. Life events are a routine item of aircraft accident investigation in many countries. Many pilots involved in accidents were suffering from life events. In order to achieve the desired effect, flight safety education must be integrated with psychology. An education program combining flight safety and psychological stress was developed by summarizing the psychological factors relevant to aviation risk perception. The program includes three sections: psychological measurement relevant to safety with results feedback, education on representative risk scenes in aviation, and occupational stress management. The Aviation Safety Locus of Control scale and the Hazardous Aviation Attitude questionnaire were used to evaluate risk pattern. The results were fed back to pilots to improve their self-knowledge. Representative risk scenes were based on the five hazardous attitudes theory. Fifteen cases were developed, and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach the pilots stress management skills. The program can be applied to improve the flight safety and mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD; Xin Liu; Wei Bai; Xinsheng Guo; Qingfeng Liu, MPsy; Xiaochao Guo, DPsy; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China

The capabilities of crew resource management (CRM) relate directly to flight safety and run through the whole process of flight tasks, but there are currently no indicators and methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and the pilot's behavior characteristics of dynamic CRM were developed based on AC-121-FS-2011-41 crew resource management training and by analyzing the influential factors; from these, the dynamic assessment training indicators and methods of crew resource management were formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis of assessment of CRM during flight training, which is helpful in improving the CRM capabilities of the double drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar PE PhD, Erin Collins, Hughes Associates Inc, Baltimore MD, USA
The fire protection response in selected facilities is characterized by "manual" activities: facility personnel are trained to react immediately after fire detection, not only to announce the fire event throughout the facility using the communication systems but also to suppress the fire as quickly as possible. Unlike fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e., hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper integrates event tree analysis with HRA and treats the following detection and suppression activities: prompt detection and suppression, rapid detection and suppression, and fire brigade suppression.

Wednesday 8/14/13 PM, Berkeley: Safety Topics (Chair: Gauthier)

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou BEng MSc PhD CEng, Matthew Luckcuck, Tim Kelly PhD, Richard W. Jones PhD, Department of Computer Science, University of York, York, United Kingdom
There has been increasing use of IT in healthcare, aiming to improve the quality and safety of the care delivered to patients. IT can help hospitals meet their performance targets by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems; this has long been apparent for medical devices (e.g., pacemakers), for which there have been organised efforts towards international standards. Recently there have been attempts to systematise and standardise the safety analysis of health IT systems, for example the UK National Health Service standards that require a safety case demonstrating that any IT system is safe.

The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. It further examines safety in data-intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these tactics can be used to provide assurance in the final safety case of the system.

How Complex Systems Fail, I: Decomposition of the Failure Histogram
Richard R. Zito PhD, Richard R. Zito Research LLC, Tucson AZ, USA
Peterson and Arellano (2002) showed, in a seminal paper published in Reliability Review, that the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model, and the failure histograms (failure rate vs. time) of some data sets do not fit the Rayleigh model well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are these difficulties to be resolved? This report takes the Peterson/Arellano analysis one step further. A unified theory of failure rates is presented that removes the paradoxes of the simple Rayleigh model. It is shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions are themselves distributed according to a probability density function.
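As an added illustration of the mechanism this abstract describes (example code written for this page, not Zito's or Peterson and Arellano's analysis), the block below superimposes a few Rayleigh failure-rate laws with different modes and compares the result with the single Rayleigh law an analyst would fit to the pooled data. The subsystem weights and scales are constructed, and a discrete set of modes stands in for the continuous probability density of modes the abstract postulates.

```python
"""Superposition of Rayleigh failure-rate laws, one per subsystem, compared
with the single Rayleigh an analyst would fit to the pooled failure histogram.
Added illustration for this page, not Zito's or Peterson/Arellano's analysis;
the subsystem weights and scales below are constructed."""
import math

# Constructed subsystems as (weight, sigma): weight is the subsystem's share of
# all defects, sigma its Rayleigh scale.  A Rayleigh density peaks at t = sigma,
# so sigma is the "mode" that the abstract says is itself distributed across
# subsystems; three discrete values stand in for that continuous distribution.
SUBSYSTEMS = [(0.5, 1.0), (0.3, 2.0), (0.2, 3.0)]


def rayleigh_pdf(t, sigma):
    """Rayleigh density f(t) = t/sigma^2 * exp(-t^2 / (2 sigma^2)) for t >= 0."""
    if t < 0:
        return 0.0
    return t / sigma ** 2 * math.exp(-t * t / (2 * sigma ** 2))


def mixture_pdf(t, subsystems=SUBSYSTEMS):
    """Whole-system failure histogram: weighted sum of the subsystem laws."""
    return sum(w * rayleigh_pdf(t, s) for w, s in subsystems)


def single_fit_sigma(subsystems=SUBSYSTEMS):
    """Scale of the one Rayleigh law an analyst fits to the pooled data.

    The Rayleigh maximum-likelihood estimate is sigma_hat^2 = E[t^2] / 2, and for
    the mixture E[t^2] = sum_i w_i * 2 sigma_i^2, so sigma_hat^2 = sum_i w_i sigma_i^2.
    """
    return math.sqrt(sum(w * s ** 2 for w, s in subsystems))


def model_ratio(t, subsystems=SUBSYSTEMS):
    """Observed (mixture) density over the single-Rayleigh prediction at time t.

    > 1: the single model under-predicts failures at t; < 1: it over-predicts.
    """
    return mixture_pdf(t, subsystems) / rayleigh_pdf(t, single_fit_sigma(subsystems))


if __name__ == "__main__":
    sigma_hat = single_fit_sigma()
    print(f"single Rayleigh fit: sigma_hat = {sigma_hat:.3f}")
    for k in (0.5, 1.0, 2.0, 3.0, 4.0):
        t = k * sigma_hat
        print(f"t = {k:.1f} sigma_hat: mixture {mixture_pdf(t):.5f}  "
              f"single {rayleigh_pdf(t, sigma_hat):.5f}  ratio {model_ratio(t):.2f}")
```

With these constructed subsystems the single fit over-predicts at its own peak and under-predicts the tail at four scale lengths by about an order of magnitude, which is the "tail" discrepancy the abstract reports. The size of the discrepancy is governed by the spread of the mode distribution, not by any failure of the Rayleigh law for an individual subsystem.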

Wednesday 8/14/13 PM, Clarendon: Risk Assessment (Chair: Karedes)

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt, Joan Pham PhD, Sikorsky Aircraft Corporation, Stratford, Connecticut, USA
The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and their interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday 8/15/13 AM, Berkeley: Space Systems (Chair: Durmaz)

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X. Dang BSCE (1), Myles P. Moran BSME (2), Tyrone Jackson BSEE (1); (1) System Safety, Space and Missile Systems Center, El Segundo CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles CA, USA
A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. For example, one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 (AFSPC Supplement 1), AFI 91-217 and AFI 63-101. AF program offices are required to comply with AFI policy; AFIs don't generally apply to the contractor except as implemented through the contract. Often program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that with two sets of requirements, AFIs for program offices and tailored MIL-STD-882 for contractors, full compliance with AF Orbital Safety policy would be achieved every time; AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"

Program ISSC 2013

Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G. McDougall, BS Physics, Master of Systems Engineering (Naval Postgraduate School), System Safety Center SMC/SE, El Segundo CA, USA; Tyrone Jackson BSEE, System Safety, Space and Missile Systems Center, El Segundo CA, USA
Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommissioning and disposal of systems, subsystems, end items and services over the entire space system lifecycle, to support Operational Safety, Suitability and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements applicable to the acquisition of space systems or space systems of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems and user equipment systems. The SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202 AFSPC Sup I and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process for evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to manage mishap risks appropriately from system concept through disposal, describing the tasks and activities required to execute a viable system safety program, including risk acceptance package development, hazard tracking, mishap risk disposition and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch CO, USA
United Launch Alliance launches Atlas V and Delta IV from the Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles, and large quantities of them are stored on the launch site. Cryogenic propellants present leak, fire and explosion hazards throughout their handling, from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle and prelaunch operations, until liftoff. Range Safety regulations provide safety requirements for hardware, software and operations to ensure safety throughout ground processing. This paper examines each stage of ground processing for space launch and the applicable safety requirements, and discusses how the requirements are applied. Examples include DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after personnel are cleared, using safety-critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday 8/15/13 AM, Clarendon: Weapons Safety (Chair: Southwick)

Security Critical Software: the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S. Alborzi PhD, Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA
Today's political landscape, the arbitrary abandonment of nuclear non-proliferation by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to protect our critical assets. In this endeavor, software security becomes the frontline defense of system safety. This paper explores this integration and describes some of the security-critical software that can serve as the first line of defense for preserving the safety-critical features of our weapon systems.

Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams BME, Booz Allen Hamilton, Arlington VA, USA; Ken Tomasello BSChE, Navy NOSSA, Indian Head MD, USA
The development of explosives requires a rigorous regimen of small-scale and large-scale tests before the explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance for implementing the policy provided in the associated AOP-7 and AOP-39. Questions are often raised during program development and reviews as to the origin and applicability of the tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many detailing early European explosive history. We define the term Qualification as originally used and attempt to put in perspective the purpose of the test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, addresses only Qualification requirements for pyrotechnics: it explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham MS SE, Gunendran Sivapragasam MBA SE, Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren VA, USA
A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among the characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down groundwork that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday 8/15/13 AM, Dartmouth: Hazard Identification (Chair: Oliver)

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore
We often ask ourselves why accidents or mishaps happen even when a system safety methodology and assessments are in place. Accidents happen for many possible reasons: there may be lapses in the safety integrity of the system, a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns, in that a system may be capable of functioning in a hazardous manner that was never anticipated.

This paper discusses some of the situations faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practice of system safety. Four areas of concern are highlighted: Interfaces, Prototype Tests & Trials, Maintenance & Disposal, and Human Error. By identifying the gaps in these four areas, the author explores and proposes mitigation measures that could close the gaps and improve the overall safety coverage when developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr. Cand. scient., System Safety, SINTEF, Trondheim, Norway
Certification of products according to IEC 61508 and European directives implies a certification process involving a Certification Body (for certification according to IEC 61508), a Notified Body (for certification according to the relevant EU directives) and the Manufacturer.

Experience has shown that, to deliver the product on time and cost-effectively, it is very important that the Manufacturer, the Certification Body and the Notified Body agree on basic principles concerning the plans, contents, traceability and quality of the documentation that the Manufacturer will develop and that both bodies will use as evidence.

This paper presents the CoVeR method, developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, minimizes costs, reduces time to market, makes the certification process complete and well documented, and reduces the work needed to update the certificates. Certification experience to date shows that many of the problems seen with conventional methods are reduced.

Design with Safety Eye
Barış Berk Erdem MS, Pinar Aydin MS, Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey
Deriving safety requirements in the early stages of design is one of the key factors for a successful development process in any project. Just as well-defined, correct, consistent and complete safety requirements improve and guide the design with minimum effort, defective, inconsistent and incorrect safety requirements may lead to unsuccessful, overweight and over-cost designs. In this paper, ways of deriving qualified safety requirements in the early stages of design, and their advantages, are discussed through examples. Safety requirements are derived from the results of safety assessments based on the consequences of functional failures, but the quality of those assessments depends on the maturity of the design, and as the design matures it becomes hard to implement changes; this is the dilemma. In the early stages of design, working with safety specialists who are more experienced, better educated and familiar with similar projects makes a great contribution. A safety perspective throughout the design team also makes it easier to derive valuable safety requirements and to build them into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is the cooperation of the whole design team with a safety perspective.

Thursday 8/15/13 PM, Berkeley: Aerospace Software (Chair: Beecher)

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway, NASA Langley Research Center, Hampton VA, USA
For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means of receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process of recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements." Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose; thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, it describes the current status of research seeking to identify the specific arguments, contained in or implied by the DO-178C guidance, that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt; therefore developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels and Baconian probability. We define use cases for confidence in safety cases, prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework, and we assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for the reuse of safety elements.

Initial Safety Analysis for Integration of Unmanned Aerial Systems into the National Airspace System
Eric Yang PhD, Richard Y. Xie PhD, Arash Yousefi PhD, Metron Aviation Inc, Dulles VA, USA
As demand for military, civilian and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of the integrated system to the target level of safety set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper we adapt a previously developed safety modeling framework, the Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and to evaluate the risks of different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS, incompatibility between UAS sense-and-avoid systems and the Traffic Collision Avoidance Systems (TCAS) of manned aircraft, lost-link procedures in the UAS, and UAS loss of communication with air traffic control. The findings of this study provide insight into the potential risks of UAS integration and may support the development of a concept of operations, the establishment of minimum performance standards, and the design of the required safety nets.

Thursday 8/15/13 PM, Clarendon: Public Safety II (Chair: Laabs)

Integrating System Safety and Emergency Management
Terry L. Hardy, Great Circle Analytics LLC, Denver CO, USA
System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to and recover from an incident that threatens life, property, operations or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts are integrated, and personnel with expertise in these disciplines work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Organizations may therefore not be taking full advantage of the skills, experience and insights that trained personnel from each discipline have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP CFPS, HSE, Marine Well Containment Company, Houston TX, USA
Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips and Shell recognized the need to improve well containment response capabilities in the event of a deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company that would develop, maintain and advance well containment systems for the deepwater US Gulf. Following its formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess and Statoil. In February 2011 MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper provides an overview of MWCC, its ICS and the Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, together with an overview of the safety aspects of maintaining and deploying these systems. This includes our approach to working with member companies on hazard identification to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which is also addressed in this paper.


A Taxonomic Analysis of Chinese Special Equipment "Yinhuan" (Hidden Dangers) in Supervision
Yunxiao Fan Dr, Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety on the worksite. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices and automobiles. In recent years the rapid increase in the number and types of special equipment has placed increasing stress on BSES regulation. As the government supervision organization, BSES is trying to make the inspection tasks at different supervision levels explicit and efficient, and to improve safety management performance from a risk-based viewpoint. This research is the first task in a project that aims to identify yinhuans in special equipment supervision using a taxonomic approach, so that they can later be ranked through risk assessment. Based on nonconformity and the four elements of the accident causation model, this research defined the yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. It identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans across 8 types of special equipment.

Thursday 8/15/13 PM, Dartmouth: Hazard/Risk Management II (Chair: Kniess)

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander MSc (1), Patrick J. Graydon PhD (2), Rikard Land PhD (1); (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework that includes analysers for safety cases defined in the Goal Structuring Notation (GSN) and for systems modelled in the Architecture Analysis and Design Language (AADL). In our approach the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence, it can ease the burden of re-checking the safety argument as it and the system change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial CO, USA
United Launch Alliance (ULA) believes error reporting is the cornerstone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented and shared Event data since 2007, and analysis confirms that Event severity and cost have steadily declined during this period.

In 2012 ULA experienced an elevated number of transportation-related Events in a relatively short period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine whether the associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates the processes were "in control" during the period of this study.

Even though statistical analysis tools demonstrated ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business; rather, ULA strives to eliminate all errors.
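The p-chart test this abstract applies, as an added example (written for this page; not ULA's own analysis, and the monthly move and Event counts are constructed): each period's Event proportion is compared with control limits at p̄ ± 3σ, recomputed per period because the number of moves differs from month to month. Two caveats a practitioner would want: the chart assumes each move is an independent opportunity for an Event and that reporting propensity is stable, so in a voluntary reporting program a drop in reporting can look like an improvement; and "in control" means only that the process is behaving consistently, not that its error rate is acceptable, which is why the abstract pairs the result with the zero-defects objective.

```python
"""Shewhart p-chart over error-event counts with variable subgroup sizes.
Added example for this page, not ULA's own analysis; the per-period figures
below are constructed for illustration."""
import math

# Constructed data: per period, the number of transportation moves (subgroup
# size) and how many of those moves produced a reported Event.
MOVES = [40, 42, 38, 45, 41, 44, 39, 43, 40, 42, 41, 45]
EVENTS = [2, 1, 3, 2, 1, 2, 3, 2, 1, 2, 9, 2]          # period 10 carries a spike
EVENTS_STABLE = [2, 1, 3, 2, 1, 2, 3, 2, 1, 2, 2, 2]   # same series without it


def pbar(moves, events):
    """Pooled Event proportion across all subgroups: total Events / total moves."""
    if len(moves) != len(events) or not moves:
        raise ValueError("moves and events must be non-empty and of equal length")
    if any(n <= 0 or e < 0 or e > n for n, e in zip(moves, events)):
        raise ValueError("each subgroup needs n > 0 and 0 <= events <= n")
    return sum(events) / sum(moves)


def p_chart(moves, events, k=3.0):
    """One row per period with its proportion and its own control limits.

    Subgroup sizes differ, so the limits are computed per period:
        sigma_i = sqrt(p_bar * (1 - p_bar) / n_i)
        UCL_i   = p_bar + k * sigma_i
        LCL_i   = max(0, p_bar - k * sigma_i)
    """
    p_bar = pbar(moves, events)
    rows = []
    for i, (n, e) in enumerate(zip(moves, events)):
        sigma = math.sqrt(p_bar * (1 - p_bar) / n)
        ucl = p_bar + k * sigma
        lcl = max(0.0, p_bar - k * sigma)
        p = e / n
        rows.append({"period": i, "n": n, "p": p, "lcl": lcl, "ucl": ucl,
                     "out_of_control": p > ucl or p < lcl})
    return rows


def out_of_control_periods(moves, events, k=3.0):
    """Indices of the periods whose proportion falls outside the control limits."""
    return [r["period"] for r in p_chart(moves, events, k) if r["out_of_control"]]


if __name__ == "__main__":
    for r in p_chart(MOVES, EVENTS):
        flag = "  <-- investigate" if r["out_of_control"] else ""
        print(f"period {r['period']:2d}  n={r['n']:2d}  p={r['p']:.3f}  "
              f"limits=[{r['lcl']:.3f}, {r['ucl']:.3f}]{flag}")
```

With the constructed series the spike in period 10 (9 Events in 41 moves, p = 0.22) exceeds that period's upper limit of about 0.17 and is flagged, while the same series without the spike produces no signal; only the 3σ rule is implemented, so a practitioner who also wants run-based signals (for example several consecutive points above p̄) would add those rules on top of the rows returned.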

Leading Indicators in Aviation Operations
Robert W. Fletcher PMP PEng MSc, Robert Fletcher System Safety Inc, Ottawa ON, Canada; Ioannis M. Dokas PhD CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece
Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively; current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper describes how STAMP-Based Process Analysis (STPA) can be used to identify warning signs and leading indicators that reduce the likelihood of catastrophes, accidents and incidents. The objective is to show the feasibility of establishing at airports system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems and airports to assess and predict changing levels of risk.

Special Functions

Saturday: SSS Executive Council Meeting, 12:00 - 5:00pm, Tremont Room

Sunday: SSS Executive Council Meeting, 8:00am - 5:00pm, Tremont Room

Monday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Opening Ceremonies / General Session, 1:30 - 3:30pm, Salons A-E. 50th Celebration Speaker: Rex B. Gordon MPH PE CSP, Fellow, Member Emeritus
Keynote Speaker: James P. Keller Jr. MS, ECRI Institute

Tuesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Sponsor/Exhibitor Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology
Sponsor & Exhibitor Reception, 6:30 - 8:30pm, Gloucester Room

Wednesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
International Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK
Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00pm. Be in the hotel lobby at 6:00pm

Thursday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Awards Luncheon, 11:30am - 1:20pm, Salons A-E

Friday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Best Papers Presentations, 8:00 - 11:20am, Dartmouth Room

32nd International System Safety Conference, 4-8 August 2014 · St. Louis, MO
St. Louis Union Station Marriott Hotel
Gateway to Safety

Local Attractions
• Gateway Arch Riverfront
• Missouri History Museum
• Museum of Transportation
• St. Louis Cardinals
• St. Louis Symphony
• St. Louis Union Station
• St. Louis Science Center
• The Contemporary Art Museum St. Louis
• Bissell Mansion Restaurant and Dinner Theater
• Missouri Botanical Gardens
• Laumeier Sculpture Park
• Anheuser-Busch Brewery
• Kemp Auto Museum
• Schlafly Bottleworks
• Fox Theater
• Purina Farms
• Meramec Caverns
• Laclede's Landing
• City Museum
• Magic House
• Grant's Farm
• St. Louis Zoo
• Delmar Loop
• Forest Park
• Harrah's
• Six Flags

About the System Safety Society

The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program or activity at the planning phase and continues through the design, production, testing, use and disposal phases.

The Society's Objectives
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070 · www.system-safety.org · email: systemsafety@system-safety.org

Points of Contact

Officers
Robert Schmedake, President, robertaschmedake@boeing.com
Dr. Rod Simmons, Executive Vice President, rodsimmons@me.com
Dr. Matt Johnson, Executive Secretary, mjohnson@staudertech.com
Pam Kniess, Treasurer, pamkniess@gmail.com
Gary Braman, Immediate Past President, gbraman@sikorsky.com

Directors
Gerry Einarsson, Chapter Services, einargk@rogers.com
Lynece Pfledderer, Conferences, Lynecepfledderer@lmco.com
Dr. Chuck Muniak, Education & Professional Development, cmuniak@stevens.edu
Debbie Hale, Gov. & Intersociety, Hale0324@hotmail.com
Robert Fletcher, International Development, rwfletcher@sympatico.ca
Melissa Emery, Member Services, memery@apt-research.com
Steve Mattern, Mentoring/R&D, smattern@bastiontechnologies.com
Saralyn Dwyer, Publicity & Media, sdwyer@apt-research.com

Chapters

Tennessee Valley Chapter (AL): Don Swallom, swallom@isss-tvc.org
Saguaro Chapter (AZ): Amanda Boysun, 520-794-5487, AmandaBoysun@raytheon.com
Bay Area Chapter (CA): Graham Murray, 408-756-2674, grahamtmurray@lmco.com
Central California Chapter (CA): Kathleen Brenna, KathleenBrenna1@us.af.mil
Sierra High Desert Chapter (CA): Jerry Banister, 760-377-4690, safetycitadel@earthlink.net
Southern California Chapter (CA): Francis McDougall, 310-653-1309, francismcdougall@us.af.mil
Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppe@comcast.net
Georgia Chapter: Terry Gooch, 770-494-3527, terryjgooch@gmail.com
Winners Circle Chapter (KY/IN): Marc Bever, 812-854-1351, Marcbever@navy.mil
Twin Cities Chapter (MN): Bill Blake, 763-744-5086, billblake@atk.com
New England Chapter: Alan E. Southwick, 401-842-2067, Alan_E_Southwick@raytheon.com
Northeast Chapter: Scott Beecher, scottbeecher@pw.utc.com
New Mexico Chapter (NM): William (Bill) Harwood, williamharwood@mda.mil
Houston Chapter (TX): Derek Robins, 281-335-2011, derekrobbins@mwcc-usa.com
North Texas Chapter (TX): Frank Rinaldo, 817-762-3075, frankrrinaldo@lmco.com
Washington DC Chapter: Sean Peters, seanpeters@urs.com
Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerber@baesystems.com

International Chapters
Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbecht@rgbassurance.com.au
Canada Chapter: Maury Hill, 613-220-0533, Mauryhill@rogers.com
Israel Chapter: Haim Kuper, 972-4-8315044, haimkuper@elbitsystems.com
Singapore Chapter: Ten Lin Mei, tlinmei@dso.org.sg


31st ISSC Luncheon Menu

Tuesday, August 13
New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pate de Fruit

Wednesday, August 14
Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15
Caesar Salad
Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato Pesto Butter Sauce
White Chocolate and Blood Orange Torte


Safety is paramount. That's why at Lockheed Martin safety is designed into everything we do. Our system safety engineers follow proven government and industry standards, plans, processes and lessons learned to build the world's most safe, supportable and technologically advanced aircraft.

Lockheed Martin is proud to sponsor this year's International System Safety Conference and applauds their mission to ensure system safety for the long run.

www.lockheedmartin.com

ENSURING SAFETY FOR THE LONG RUN

© 2013 Lockheed Martin Corporation

Greetings from the Society President

As the newly elected Society President, I want to welcome you to the 31st International System Safety Conference. I have been working in system safety since 1985, and I find this to be a rewarding and exciting career field. What I have liked most about the field is the fact that I find every new assignment involves working with new and varied types of systems. I love the challenge, and I appreciate that I am fortunate to have a job where my work makes a difference in the safety of our systems. We as System Safety Professionals have the unique privilege of impacting our society in such a positive way.

This year marks the Golden Anniversary of our society, and we trust this year's conference will live up to your expectations. We have come a long way since the early days of this society. Technology has transitioned from vacuum tubes to liquid crystal displays, launching unmanned satellites to commercial space flights, computers the size of a room to tablets with more and more capability daily. Some of our founding members will be in attendance at this conference, and they will be participating in our opening session. I know I am looking forward to hearing from them and their unique challenges.

I am also looking forward to hearing about the unique challenges we face with the latest in technology in our society. The impact of new technology on society and the motivation to trust more of our safety critical applications to the latest in today's innovations creates ever steeper challenges for us. This conference helps us to meet the challenge. We have outstanding technical sessions, world leading safety professionals in attendance, opportunities to network and opportunities to find solutions to our every day safety dilemmas.

Our Conference Chair, Pam Alte, and her team have done an outstanding job in putting together this conference. We have a number of interesting technical tracks at this conference. Our speakers include some of the biggest names in the field. Our sponsors are among the best in the industry, and clearly we value their contributions to making our world a safer place.

So thank you for coming to this conference. I hope you are looking forward to the opportunities we have in the coming week as much as I am.

Robert A. Schmedake, President, System Safety Society

Protecting your most valuable assets

• System Safety Engineering & Analysis
• Mission Assurance
• Range Safety
• Test Planning
• Explosives Safety
• Software System Safety
• Industrial Engineering
• Quality Engineering
• Reliability Engineering
• Software Development & Modeling
• Independent Risk Assessments
• Standards Development
• Training

www.apt-research.com

A-P-T Research, Inc., 4950 Research Drive, Huntsville, Alabama 35805
Phone: 256-327-3373, Fax: 256-837-7786, www.apt-research.com

Founded in 1990, APT (Analysis, Planning, Test) is an employee-owned small business located in Cummings Research Park near Redstone Arsenal in Huntsville, Alabama. Our corporate vision is to provide state-of-the-art expertise and ensure the highest levels of customer satisfaction.

Photo: Missile Defense Agency

Greetings from the Chapter President

Hear ye, hear ye! Welcome to Boston for the 31st International System Safety Conference. Boston is the largest city in New England and one of the oldest in the United States. No hiding in your hotel – get out and enjoy the city's history, where key events of the American Revolution took place, including the Boston Massacre and the Boston Tea Party. For fun and entertainment, visit the Samuel Adams brewery and Bull & Finch pub (from Cheers). We are all Red Sox fans this week, so feel free to visit Fenway Park or view the city from atop the John Hancock or Prudential buildings. Boston has a red brick trail through the city that leads you past many of the historical locations – it's called the Freedom Trail. Walking this path brings you from the Boston Common past locations including Granary Burying Ground, Boston Massacre site, Faneuil Hall, Paul Revere's house, Old North Church, and then across the Charles River to the Bunker Hill Monument and USS Constitution.

The Northeast Chapter and SSS Executive Committee (EC) have worked hard with this year's Conference Chair, Pam Alte. If you run into Pam, make sure you stop and thank her for the volunteer hours and effort she has poured into this conference. The economy is providing challenges to pull together a successful conference, but Pam, with the EC's support, has been more than up to the task.

"Safety For The Long Run" is such a poignant theme for this year's Boston conference, with the Boston Marathon bombings bringing safety to the forefront. Other recent events such as aviation, train and industrial accidents have sharpened the focus on how critical the safety discipline is in all our lives. For the conference, we are all challenged to learn something new. I ask that all attendees stay engaged with the conference papers and presentations and to promote the system safety discipline.

Scott Beecher, President, Northeast Chapter, System Safety Society

I fly Sikorsky
Because the mission is never the same

I fly a Sikorsky BLACK HAWK helicopter for multiple missions. It's dependable and durable, and I have complete confidence in its proven performance. Sikorsky not only sets the standard for rotorcraft excellence and safety, they exceed it. It's evident in everything from the reliable performance of my BLACK HAWK to the way they support me in the field. There's simply no better helicopter for any requirement, whether it's utility, combat search and rescue or firefighting. The way I see it, not every pilot gets to fly in a helicopter this good. But they should.

Sikorsky

Greetings from the Conference Chair

On behalf of the entire ISSC planning committee, I would like to extend a warm welcome to you. We have worked hard to make this conference a world-class success. Whether this is your first visit to Boston or you have been here before, I hope you get a chance to relax and enjoy our beautiful New England city. Boston has something for everyone, from historical sites to exciting downtown locations, sports arenas and fabulous shopping. Our off-site event will be held in the Museum of Science, complete with Wolfgang Puck catering and our own private Lightning Show.

The System Safety Society is proud to host an annual conference that provides practitioners from different industries a chance to get together, network and learn from each other. Unfortunately, the US budget sequestration restricted travel for Government workers, so our numbers are down this year. I would like to assure all attendees that although this year's conference will be smaller than previous years, the standards to which we held our papers and tutorials were not lowered. You can expect top notch presentations.

The theme for this year's conference, Safety for the Long Run, picks up on a number of parallels between the types of things one might do to prepare for a marathon race and elements of an effective system safety program. These include the importance of proper training, having a well thought out plan, getting off to a good start, avoiding obstacles and distractions, and keeping enough in reserve for a successful sprint to the finish. I think you will agree that this year's conference will help prepare you well.

One of our objectives was to try to attract more young people who could especially benefit from the knowledge and experience of many of the Society's "grey beards". We will have several student members in attendance, and I hope you will join me in making them feel welcome. I am also pleased to announce this year we will have a new track, lifecycle safety. These papers will discuss system safety as it moves past the development stage, which is where the majority of our previous discussions have stopped. In addition to our many papers and tutorials being offered, there is the potential for "Just in Time" sessions to be held. A board for suggesting topics you would like to have added to discussions will be located at the registration desk, or you can coordinate with Norm Gauthier, one of our Technical Co-Chairs.

We wish you an enjoyable and enlightening conference experience. Should there be anything you require to make your conference experience better, please don't hesitate to reach out to me, Cliff Parizo or any of the other Conference Committee volunteers.

Again, enjoy your visit and thank you for your support by being here. I would also like to send a big thank you to those who helped plan this conference, our sponsors & exhibitors, and especially to Sikorsky Aircraft for partnering with us to make this conference a reality.

Sincerely, Pam Alte, 31st ISSC Conference Chair

Speakers

Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus: Opening Ceremonies 50th Celebration Speaker

Rex Gordon is a 50 year Charter Member and current Historian of the System Safety Society. He is a past President and Editor of the Journal. He served as Chairman of the 2nd ISSC and of both the Northeast and Southern California Chapters. He has represented the Society on the boards of the Reliability and Maintainability Symposium (RAMS) and Certified Safety Professionals (CSP). He is a Chapter Member and past Chairman of the Government Electronic Industries Association (GEIA) G-48 System Safety Committee. He has co-authored two text books and over 15 published papers. He has lectured at the George Washington University and USC. He has represented the Society at functions held in the White House and the Pentagon, and in Germany, Holland and Paris.

He is retired after 40 years of employment as a System Safety Engineering Specialist, Manager and Consultant. He currently lives with his wife of 61 years in Fallbrook, CA.

James P. Keller Jr., MS, ECRI Institute: Keynote Speaker

As Vice President, Health Technology Evaluation and Safety, James Keller directs ECRI Institute's internationally recognized Health Devices Evaluation Program, which provides independent judgment and guidance to help hospitals and health systems select and manage medical devices. The program was referred to by the New York Times as the "country's most respected laboratory for testing of medical products". He serves as a member of ECRI Institute's Executive Committee, which is responsible for overall governance of ECRI Institute operations.

Mr. Keller is also responsible for the Health Devices Alerts notification service for medical product hazards and recalls; Alerts Tracker, a web-based tool for managing hazards and recalls of medical products; Biomedical Benchmark, a resource to help hospitals manage their medical equipment service activities; an annual series of interactive webinars on health technology issues; and the International Medical Device Problem Reporting System.

Mr. Keller is a recognized expert and frequently invited speaker on a wide range of health technology-related topics, including patient safety, equipment management, strategic planning and forecasting, device utilization, nomenclature and asset management, and the convergence of medical devices and information systems. He is a regular contributor to ECRI Institute's Patient Safety Blog and is routinely sought out by the news media for his expertise on a variety of health technology concerns.

Mr. Keller is President of the board for the American College of Clinical Engineering and is a member of the board for the Health Technology Foundation. He joined ECRI Institute in 1984 after completing a Master of Science degree in biological engineering from the University of Connecticut and a Bachelor of Science degree in zoology from the University of Massachusetts.

Dr. Nancy Leveson, Massachusetts Institute of Technology: Sponsor & Exhibitor Luncheon Speaker

Dr. Leveson holds a PhD from UCLA. She was a Computer Science professor at the University of California, then became Boeing Professor of Computer Science and Engineering at the University of Washington.

Professor Leveson's research focuses on topics related to the design of complex systems containing software, hardware and human components. Her goal is to stretch current limits of complexity and intellectual manageability of the systems we can build with reasonable resources and with confidence in their expected behavior, particularly safety. Current research topics include model-based system and software engineering, system and software safety, software requirements specification and analysis, human-computer interaction, reusable component-based system architectures, interactive visualization, human-centered system design, and comprehensive approaches to risk management that include the organizational, political, managerial and social aspects of system construction and operation. New work is starting in security. Current applications include space, aircraft, autos, rail systems, nuclear power, medical devices, hospital safety, defense systems and others.

Dr. John McDermid, The University of York, UK: International Luncheon Speaker

Professor John A. McDermid has been Professor of Software Engineering at the University of York since 1987, where he runs the High Integrity Systems Engineering (HISE) research group. Also, he was Head of the Department of Computer Science from 2006 to 2012. The HISE research group studies a broad range of issues, mainly in systems, software and safety engineering, and works closely with the UK aerospace industry but has worked in a number of domains including automotive, medical and railways.

In 2010 he was appointed a Consulting Professor at Beijing Jiaotong University (BJTU) and now runs a collaborative research programme in railway safety with BJTU known as the Railway Safety Technology Research Centre (RSTRC). He has extensive experience as a consultant, including advising the Ministry of Defence (MoD) on the development of DS 00-56 Issues 3 and 4. He is a member of the UK Defence Scientific Advisory Council. He is author or editor of six books and has published approximately 360 papers.

Schedule: Monday, 12 August
4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Rooms: Salons A-E, Berkeley, Clarendon

8:00 - 8:50
Hazard Analysis (Barondes): Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models (Wind, Schedl, Floetzer)
Ground Transportation (Millin): Achieving Safety Confidence of a Large Scale System Product and its Applications (Shi)

9:00 - 9:50
Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees (Rainey)
Failure Logic Automata for Future Oriented Safety Assessment of Train Control System (Zhou, Zhao)

10:30 - 11:20
The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment (Jaradat, Graydon, Bate)
Are We Ready for Driverless Cars? (West)

Lunch Break, Salons A-E

1:30 - 2:20 and 2:30 - 3:20
Opening Ceremonies / General Session: 50th Celebration Speaker Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus; Keynote Speaker James P. Keller Jr., MS, ECRI Institute

4:00 - 4:50

Rooms: Exeter, Fairfield, Wellesley

8:00 - 8:50
Tutorial: Hands-On System Safety Basics Focused On FHA, Winkelbauer, Schedl (3 hrs)
Tutorial: Introduction to Fault Tree Analysis Using CAFTA Software, Roy (3 hrs)
Committee & Group Meetings

Schedule: Tuesday, 13 August
4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Rooms: Arlington, Berkeley, Clarendon, Dartmouth

8:00 - 8:50
Tutorial: A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique, Leveson, Thomas (6 hrs)
Hazard/Risk Management (Parizo): Safety is not an Option (Parizo, Daugherty)
Workplace Safety (Kondreck): Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen (Zhang, Batcheller, McQueen)
Open Forum (Fletcher): Developing Global System Safety Perspectives

9:00 - 9:50
National Aerospace Standard 411 Update (Sheehan)
A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources (Fischer, Yankaskas, Page)

10:30 - 11:20
Linear Integrated Safety Analyses (LISA) (Grant, Muhammad)
System Safety Design for Safe Operation of Radars (Bartos)

Sponsor & Exhibitor Luncheon, Salons A-E. Guest Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology. Menu: New England Clam Chowder; Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction; Key Lime Tart in a Hazelnut Crust, Blackberry Pate de Fruit

1:30 - 2:20
Tutorial (continued)
Software Engineering (Mikula): Dependability Techniques Applied to Space Software - A Research Project Report (Lahoz, Abdala)
Aerospace Safety (Kraemer): Systems-Based Approach to Flight Safety Management in Airlines (Chi, Xu, Qi, Shao)
Software Safety (Schmedake): Safety and/vs Security: Towards a System Engineering Approach for Trust (Schoitsch)

2:30 - 3:20
The Principles of Software Safety Assurance (Hawkins, Habli, Kelly)
Use of Master Minimum Equipment List (MMEL) To Ensure Safe Dispatch (Durmaz)
Anatomy of a Safety Critical Software Function (Church)

4:00 - 4:50
Formal Modelling in the Development of Dependable Systems (Troubitsyna)
Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics (Campbell)
Software Risk: The Third Rail of Safety Analysis (Hildreth, Elcock)

6:30 - 8:30
Sponsor & Exhibitor Reception, Gloucester Room

Rooms: Exeter, Fairfield, Suffolk, Wellesley

8:00 - 8:50
Workshop: ISO 26262-Style Risk Assessment, Joyce (3 hrs)
Tutorial: Assurance Cases As Means of Evidence Based Development of Critical Systems, Despotou (3 hrs)
Tutorial: Practical Generation of Safety Cases With the Help of GSN, Gerstinger, Schedl (3 hrs)
Committee & Group Meetings

1:30 - 2:20
Workshop: Application of System Safety Methods to Systems of Systems, Joyce, Debouk, Vergara (3 hrs)
Workshop: Advancing Safety By Reducing Errors: A Fresh Approach, Autrey (3 hrs)
Tutorial: Improving Safety Management by Using a Risk Management Policy in Your Daily Operations, Fitzgerald (3 hrs)
Committee & Group Meetings (continued)

Schedule: Wednesday, 14 August
4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Rooms: Arlington, Berkeley, Clarendon, Dartmouth

8:00 - 8:50
Human Factors (Robins): ASL – Affective Safety Leadership (Ramsing)
Public Safety (Fletcher): The Study on the Accident Causation Rule of Macroscopic Accidents in China (Zeng, Luo, Tian)
Lifecycle Safety (Swallom): Maintenance Hazard Analysis (Tan)

9:00 - 9:50
Exxon Valdez: Human Error, Plain and Simple (Barondes)
Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity (Zheleznov)
Development of a System Safety Case for Automotive Electric/Electronic Systems (Sundaram, Hartfelder)

10:30 - 11:20
Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems (Vernacchia, Green, Llaneras)
Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation (Smirnov, Yurkov, Syagin, Koshina)
Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes (Laabs, Allison, Russell)

International Luncheon, Salons A-E. Guest Speaker: Dr. John McDermid, The University of York, UK. Menu: Asian Inspired Salad; Teriyaki Chicken, Coconut Rice, Seared Bok Choy; Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

1:30 - 2:20
Workshop: The Evolution of the UK Defence Safety Standards (McDermid)
Safety Topics (Gauthier): Introducing Safety Assurance Influenced Design of Health IT Systems (Despotou, Luckcuck, Kelly, Jones)
Risk Assessment (Karedes): Quantitative Risk Assessment in Aviation Safety Risk Management (Hewitt, Pham)
Tutorial: Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System, Behnke, Damstra, Villhauer (2 hrs)

2:30 - 3:20
How Complex Systems Fail I: Decomposition of the Failure Histogram (Zito)

4:00 - 4:50

6:00 - 10:00
Wolfgang Puck Dinner and Lightning Show at the Museum of Science

Rooms: Exeter, Fairfield, Suffolk, Wellesley

8:00 - 8:50
Human Factors II (Flint): Development of Education Program Integrating Flight Safety and Psychological Stress (Liu, Wang, Liu, Bai, Guo)
Tutorial: Why You Should Care About the "-Ilities", Southwick (3 hrs)
G-48 Meeting: West (6 hrs)
Committee & Group Meetings

9:00 - 9:50
Research on Evaluation Index and Method of CRM Dynamic Training (Wang, Liu, Bai, Liu, Guo, Guo)

10:30 - 11:20
Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events (Garvey, Joglar, Collins)

1:30 - 2:20
Tutorial: Where Hard Meets SOFT: Human Factors Role In System Safety Engineering, Brisbois (2 hrs)
Workshop: Aircraft Fire & Explosion – How Safe are the Friendly Skies? (Moussa)
G-48 Meeting (continued)
Tutorial: Using Risk Profiles for Safety Management of Large Scale Operations, Fitzgerald (3 hrs)

Schedule: Thursday, 15 August
4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Rooms: Berkeley, Clarendon, Dartmouth

8:00 - 8:50
Space Systems (Durmaz): Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy (Dang, Moran, Jackson)
Weapons Safety (Southwick): Security Critical Software — the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age (Alborzi)
Hazard Identification (Oliver): Closing the Gaps in System Safety Coverage (Siow)

9:00 - 9:50
Tailoring of MIL-STD-882E for Space Systems Acquisitions (McDougall, Jackson)
Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics (Adams, Tomasello)
Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods (Myklebust)

10:30 - 11:20
Cryogenic Safety for Space Launch Vehicles During Ground Operations (Iyengar)
A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects (Pham, Sivapragasam)
Design With Safety Eye (Erdem, Aydin)

Awards Luncheon, Salons A-E. Menu: Caesar Salad; Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato Pesto Butter Sauce; White Chocolate and Blood Orange Torte

1:30 - 2:20
Aerospace Software (Beecher): Making the Implicit Explicit: Towards an Assurance Case for DO-178C (Holloway)
Public Safety II (Laabs): Integrating System Safety and Emergency Management (Hardy)
Hazard/Risk Management II (Kniess): Towards Automatic Verification of Safety Properties in AADL System Models (Björnander, Graydon, Land)

2:30 - 3:20
Uncertainty and Confidence in Safety Logic (Graydon)
Safety in Deepwater Well Containment Operations (Robins)
Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events (Allison, Jerdak)

4:00 - 4:50
Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System (Yang, Xie, Yousefi)
A Taxonomic Analysis On Chinese Special Equipments "Yinhuan" in Supervision (Fan, Luo, Lu)
Leading Indicators in Aviation Operations (Fletcher, Dokas)

Rooms: Exeter, Fairfield, Suffolk, Wellesley

8:00 - 8:50
Tutorial: Conceive of Modeling On Operation Mechanism of Public Safety Standardization, Luo, Huang (6 hrs)
Panel: G-48 Pressing Issues Facing System Safety, West (3 hrs)
Committee & Group Meetings

1:30 - 2:20
Tutorial (continued)
Committee & Group Meetings (continued)

Schedule: Friday, 16 August
Simmons Room, 6:30 - 8:00: Speakers' Breakfast

Rooms: Clarendon, Dartmouth, Regis

8:00 - 8:50
Workshop: Process Safety Culture Best Practices (Pearlman) (2 hrs)
Best Paper 1
Lessons Learned & ISSC Staff Turn-over Meeting

8:50 - 9:30
Best Paper 2

10:00 - 10:40

10:50 - 11:30

3, 2, 1, SAFETY

System safety is paramount. It impacts our products, employees, technicians and maintenance personnel. And safety is no accident – it is designed into everything we do. We are proud to sponsor this year's International System Safety Conference and their mission to think outside the box when it comes to the best processes, methods and techniques. We're committed to delivering innovative ideas and solutions that help connect, protect and explore our universe.

www.lockheedmartin.com/ssc

© 2012 Lockheed Martin Corporation

Tutorials

The conference organizers have an information-packed tutorial program planned in conjunction with the 31st ISSC. Attending tutorials, as well as other elements of the Technical Program at the 31st ISSC, meets the requirements for Continuance of Certification credit through the Board of Certified Safety Professionals (BCSP). The University of Cincinnati will issue Continuing Education Units (CEUs) for participation in the conference tutorials. CEUs are issued on the basis of 0.1 CEU per instructional contact hour. You must be present for at least 90% of the tutorial to receive CEUs and a tutorial completion certificate. Your attendance is verified via the process outlined below.

• At the start of the tutorial, you'll clearly print your name in the attendance form exactly as you want it to appear on the certificate.
• After returning from each break during the tutorial (morning, lunch and/or afternoon), you'll initial the attendance form.
• You must be present at the end of the tutorial to receive your certificate and the CEUs.

If there are misspellings on the CEU certificates, please mark the corrections and give them back to the instructor or leave them at the registration desk.

Monday 08middot12middot13 800-1130 ExEtEr tutorial 03 CEu

Hands-On System Safety Basics Focused on FHAInstructors Werner Winkelbauer Gabriele Schedl Safety Management Department Frequentis AG Vienna 1100 AustriaAn overview of a generic safety process best suited for small to medium sized projects in relation to the project lifecycle is given For each major project phase the respective safety process phase safety objectives necessary in- and outputs are detailed Some state-of-the-art analysis techniques are explained Special emphasis is placed on the Functional Hazard Assessment where a practical guidance for a Functional Failure Modes and Effects Analysis is presented

The content of this tutorial is based on the experience of an internationally operating company.

Objective: Basic understanding of a safety process and the practical implementation of a Functional Failure Modes and Effects Analysis.

Monday 08·12·13, 8:00–11:30, Fairfield. Tutorial, 0.3 CEU

Introduction to Fault Tree Analysis Using CAFTA Software
Instructor: Jean Francois Roy, Risk & Safety Management Group, Nuclear Division, Electric Power Research Institute, Palo Alto, CA, USA
This tutorial will introduce Fault Tree Analysis using the CAFTA software. Attendees will first review fault tree methodology and terminology. Construction of a fault tree model in CAFTA will then follow a brief review of CAFTA's components and symbol types. In constructing the fault tree model, topics covered will include projects, navigation, editing shortcuts and how to add probabilities. An overview of basic event probability formulas, type codes and variables will be included, as well as the printing and quantification processes.

Tuesday 08·13·13, 8:00–5:00, Arlington. Tutorial, 0.6 CEU

A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique
Instructors: Nancy G. Leveson, PhD, John Thomas, PhD, Aeronautics and Astronautics, MIT (Massachusetts Institute of Technology), Cambridge, MA, USA
STAMP is a new accident causality model that expands on the old models in order to handle the increased complexity, software and changing human roles in today's systems. Using STAMP as a foundation, new tools have been built for hazard analysis (STPA), accident analysis (CAST), organizational risk analysis and risk management, etc. This tutorial will concentrate on STPA. The tutorial will start with a brief introduction to STAMP and the systems approach to safety engineering. The rest of the time will be devoted to learning STPA and doing exercises. Students are encouraged to bring problems from their own research domains so that they can try this analysis method on something very relevant to their work.

STPA is being used successfully in almost every industry. Several groups have evaluated STPA empirically by comparing the results with standard hazard analysis techniques. In all cases STPA found all the hazard scenarios found by the other methods, but also found additional ones involving software, human errors and unsafe interactions among system components. In a couple of cases where STPA and the other methods were applied to a design in which an accident had occurred (without telling the analysts), STPA was the only method that found the real accident scenario.

By the end of the tutorial, attendees will be able to apply STPA to a system in their field of expertise.

Tuesday 08·13·13, 8:00–11:30, Fairfield. Tutorial, 0.3 CEU

Assurance Cases as a Means of Evidence-Based Development of Critical Systems
Instructor: George Despotou, BEng, MSc, PhD, CEng, Department of Computer Science, University of York, York, United Kingdom
Developers often have the onus to defend a position (i.e. make a case) about the safety of their system. This usually involves an explanation of how the available information for a system supports the claim that the risks in the system have been acceptably managed.

Safety cases have been used in the safety domain for a number of years, mostly in the defence, aerospace and energy domains. Their usefulness as a tool for improving safety has been appreciated by many practitioners, and development of a safety case is a requirement in many standards. This has resulted in the core concepts of safety cases being transferred to other domains (e.g. automotive) and being focused on other system attributes (e.g. security cases). Recently the term assurance case has been introduced, which encompasses not only safety but other relevant critical aspects of a system, such as security.

A case exists to communicate an argument. It is used to demonstrate how someone can reasonably conclude that a system is acceptably safe from the evidence available. A case is a device for communicating ideas and information, usually to a third party (e.g. a regulator). In order to do this convincingly, it must be as clear as possible. Safety case definitions may differ between domains, but all definitions converge on a set of characteristics.

Development of a (safety) case is a requirement in many standards. Beyond that, the usefulness of the safety case has been appreciated by industry, and it is used by many organisations as good practice. The reason for this is that explicitly capturing all reasoning and information (about the supported position), such as assumptions and evidence, facilitates assessing the fitness of the design to meet its (safety) objectives. A manufacturer will design a system aiming to achieve the required operational attributes. However, what is intended is not always what is achieved. Once the reasoning of the developers is explicitly documented as claims and argument supported by evidence, the gap between what was intended and what was achieved becomes more apparent.

Explicitly documenting a case contributes towards a factual representation of the system, revealing which claims can be supported by evidence and which remain intention (for example because there is not sufficient evidence to support them). This does not necessarily imply that the latter claims have not been implemented, but that we are unaware of their achievement, as they are not sufficiently supported. There can be three reasons why a claim is not sufficiently supported: a) there is not sufficient evidence to warrant the claim; b) although there is evidence, there is inadequate explanation (a problematic argument structure) of how the evidence supports the claim; and c) the claim was phrased in a way that is unsupportable.

The tutorial describes the basic concepts of assurance and safety cases (including recent OMG standards), explains the main challenges in developing an assurance case and their relationship to safety standards (safety cases and standards serve different purposes and should be seen as complementary), and presents best practice (and misconceptions) regarding assurance cases.

Tuesday 08·13·13, 8:00–11:30, Suffolk. Tutorial, 0.3 CEU

Practical Generation of Safety Cases with the Help of GSN
Instructors: Andreas Gerstinger, Gabriele Schedl, Safety Management Department, Frequentis AG, 1100 Vienna, Austria
This tutorial will introduce you to the concept of safety cases. Safety cases are structured arguments that support the claim that a system is safe to be used for a given application in a given environment. Several standards require the production of such safety cases as a prerequisite for approval. The tutorial will highlight good and bad practices when developing safety cases and will introduce you to a notation specifically developed for the generation of safety cases, the Goal Structuring Notation (GSN). There will be practical examples which need to be solved by the attendees, so that hands-on practice and experience is gained.

Detailed outline of the tutorial:

Introduction (1h): The tutorial will start with a survey of current safety standards (IEC 61508, ISO 26262, EN 50128, DO-178C) and analyse their views and requirements regarding safety cases. We will then delve into the nature of safety cases, briefly touch on their historical origins and clearly consider what can and what can't be expected from a safety case. Based on our practical experience, we will also highlight some typical bad practices when constructing safety cases. This helps to correctly and critically read them and is also a helpful guideline for reviewing other safety documentation. This part of the tutorial is largely a presentation.

Goal Structuring Notation (45 min): We will now introduce the main elements of the Goal Structuring Notation (GSN), which is a helpful tool to document safety cases. The presentation of the notation will be interleaved with brief examples, exercises and questions, so that attendees have the chance to fully understand the meaning and purpose of the various symbols. A structured method for how to proceed when drafting safety cases will also be presented. Hence this part of the tutorial is much more interactive, requiring active participation of attendees.

Case Study (45 min): A realistic case study will then be handed out. It is expected to be solved as group work (groups of 3-5 people are expected). The task of the groups will be to draft and present a sound safety argument for a given claim that the system in the case study is acceptably safe for a specific application in a given environment. GSN shall be used as the notation for this purpose. At the end, the groups present their solutions and the advantages/disadvantages of the presented solutions are discussed. This part of the tutorial is group work.

Concluding Remarks (30 min): Finally, we will offer some concluding remarks consisting of hints on how to avoid common errors and fallacies in safety cases, show some examples of real-world safety cases, and finish with a personal conclusion.
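The York tutorial above (its three reasons why a claim can remain unsupported) and this GSN tutorial come down to the same mechanical question: does every goal in the argument bottom out in a Solution, or does it remain intention? The following Python is an added example written for this listing, not material from either tutorial or from the GSN standard. It models a small, constructed GSN argument fragment (all node identifiers, claim texts and evidence references are hypothetical) and labels each goal as supported, undeveloped, unsupported or circular. It also rejects Context and Assumption nodes wired in as if they were evidence, since in GSN those elements annotate a goal (InContextOf) but never support it (SupportedBy).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Core GSN element kinds. Context and Assumption are attached with
# InContextOf links; they annotate a goal but never support it, so they
# must not appear as evidence.
GOAL, STRATEGY, SOLUTION, CONTEXT, ASSUMPTION = (
    "Goal", "Strategy", "Solution", "Context", "Assumption")
ARGUMENT_KINDS = {GOAL, STRATEGY, SOLUTION}


@dataclass
class Node:
    ident: str
    kind: str
    text: str
    supported_by: List[str] = field(default_factory=list)   # GSN SupportedBy
    in_context_of: List[str] = field(default_factory=list)  # GSN InContextOf
    undeveloped: bool = False  # GSN hollow-diamond marker: a declared gap


def classify(case: Dict[str, Node], root: str) -> Dict[str, str]:
    """Label every Goal and Strategy reachable from `root`:
      supported   - every branch below it bottoms out in a Solution
      undeveloped - explicitly flagged, so the gap is at least declared
      unsupported - left as intention: no evidence and no flag, or a child
                    that is itself not supported
      circular    - used in its own support chain (an argument fallacy)
    Raises ValueError if a Context/Assumption is wired in as evidence."""
    labels: Dict[str, str] = {}

    def walk(nid: str, path: Tuple[str, ...]) -> bool:
        node = case[nid]
        if node.kind == SOLUTION:
            return True
        if node.kind not in ARGUMENT_KINDS:
            raise ValueError(f"{nid}: a {node.kind} cannot support a goal")
        if nid in path:
            labels[nid] = "circular"
            return False
        if node.undeveloped:
            labels[nid] = "undeveloped"
            return False
        # Visit every child (no short-circuit) so each one gets a label.
        oks = [walk(child, path + (nid,)) for child in node.supported_by]
        if node.supported_by and all(oks):
            labels[nid] = "supported"
            return True
        if labels.get(nid) != "circular":
            labels[nid] = "unsupported"
        return False

    walk(root, ())
    return labels


def open_gaps(case: Dict[str, Node], root: str) -> List[str]:
    """Leaf claims that still need work: undeveloped goals and goals with
    nothing underneath them. Parents that merely inherit a gap are omitted."""
    labels = classify(case, root)
    return sorted(nid for nid, lab in labels.items()
                  if lab == "undeveloped"
                  or (lab == "unsupported" and not case[nid].supported_by))


# Constructed, hypothetical argument fragment; not from any real case.
CASE: Dict[str, Node] = {n.ident: n for n in [
    Node("G1", GOAL, "The system is acceptably safe and secure in its "
         "defined operating environment", ["S1"], ["C1"]),
    Node("C1", CONTEXT, "Operating environment and hazard log (hypothetical)"),
    Node("S1", STRATEGY, "Argue mitigation of each hazard in the hazard log",
         ["G2", "G3", "G4"]),
    Node("G2", GOAL, "H1 (loss of position data) is mitigated", ["Sn1"]),
    Node("Sn1", SOLUTION, "Functional FMEA report, section 3 (hypothetical)"),
    Node("G3", GOAL, "H2 (unauthenticated command injection) is mitigated",
         ["G5"]),
    Node("G5", GOAL, "Command interface authenticates every source",
         ["Sn2", "G6"]),
    Node("Sn2", SOLUTION, "Penetration test report (hypothetical)"),
    Node("G6", GOAL, "Authentication keys are managed per policy",
         undeveloped=True),
    Node("G4", GOAL, "Residual software failure rate meets its target"),
]}

if __name__ == "__main__":
    for nid, label in classify(CASE, "G1").items():
        print(f"{nid:4} {label:12} {CASE[nid].text}")
    print("open gaps:", open_gaps(CASE, "G1"))
```

Run stand-alone, it lists G2 as the only fully supported claim, G6 as a declared gap, G4 as a claim left as intention, and every goal above them as unsupported: the top claim G1 inherits the weakest branch, which is exactly the gap between what was intended and what is demonstrated that the two tutorials describe.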

Tuesday 08·13·13, 1:30–5:00, Suffolk. Tutorial, 0.3 CEU

Improving Safety Management by Using a Risk Management Policy in Your Daily Operations
Instructor: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS, Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA
The focus of the tutorial is the use of risk assessment and risk management in the (non-technical) occupational safety and health profession. Domain of interest: hazard/risk management or workplace safety.

First hour: Review the basics of the various components of risk and the types of risk assessments. Stress that the safety and health professional needs to understand that risk is more than a simple subjective measure of severity and frequency.


Second hour: Demonstrate how to make risk assessment into a powerful management tool by customizing the assessment of risk for use in a company or industry. Also provide insights on how to "sell" a risk management policy/program within a company.

Third hour: A discussion of how to use risk management as a tool to aid you in your daily office or program management responsibilities: the planning, organizing, staffing, leading and controlling of a safety program. Embedded in the discussion is how risk can provide a measure of the success of an occupational safety and health program.

Wednesday 08·14·13, 8:00–11:30, Fairfield. Tutorial, 0.3 CEU

Why You Should Care About the "-Ilities"
Instructor: Alan E. Southwick, BSEE, MME, MBA, CSP, CQE, CRE, Whole Life Engineering Directorate, Raytheon Company Integrated Defense Systems, Portsmouth, RI, USA
The topic addresses the interrelationships that developed from Quality, Quality Control and Quality Engineering into the Specialty Engineering roles and relationships, including Reliability, Maintainability, Supportability, Human Factors, Safety and Security (Information Assurance), from an overview perspective. The tutorial is designed to be somewhat interactive, presenting examples and questions to the audience related to the various topics discussed, thereby engaging participants and providing them with insights into the various disciplines and how they relate within "Specialty Engineering".

Wednesday 08·14·13, 1:30–3:30, Dartmouth. Tutorial, 0.2 CEU

Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System
Instructors: Tim R. Behnke, BSEE, John Damstra, BS Mathematical Sciences, and Eric D. Villhauer, BS Aerospace Eng., BA Economics, Specialty Engineering, General Atomics Aeronautical, Poway, CA, USA
The presenters share their implementation of a hazard analysis that integrates the civil aviation approach to safety analysis per SAE ARP 4761 and the defense approach to safety analysis per MIL-STD-882E, along with their implementation of the associated hazard tracking system in DOORS.

• Introductions - Behnke - 5 mins
• Need for System - Behnke - 5 mins
• Groundwork (historical) - Behnke - 10 mins
• Development - Damstra - 30 mins
  i. Modules
  ii. Attributes
  iii. DXLs
  iv. Views
  v. Exports
• Usage - Villhauer - 30 mins
• Questions - All - 10 mins


Wednesday 08·14·13, 1:30–3:30, Exeter. Tutorial, 0.2 CEU

Where Hard Meets SOFT: Human Factors' Role in System Safety Engineering
Instructor: Fred W. Brisbois, CHCM, Safety, Sikorsky Aircraft; International Helicopter Safety Team, Guilford, CT, USA
The gap that allows accidents to happen is sometimes where System Safety Engineering and Human Factors don't overlap. System Safety Engineering processes defined in MIL-STD-882 and ARP 4761 provide a structured approach to applying engineering practices to ensure safety is designed into products. These practices, coupled with robust product safety surveillance and management during the aircraft's service life, offer opportunities to continuously raise the standards for future designs. However, to maximize the benefits of safety engineering, it is important to master the 'art' of how and when to integrate human factors interventions into the system design. This session will cover a generic overview of system safety engineering, aircraft fleet safety management and lessons learned from 'human' malfunctions that led to aircraft system design changes.

Wednesday 08·14·13, 1:30–5:00, Wellesley. Tutorial, 0.3 CEU

Using Risk Profiles for Safety Management of Large Scale Operations
Instructor: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS, Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA
This tutorial provides safety and health professionals who work with large scale or multiple operations with a methodology to evaluate and compare these operations. The tutorial begins with a review of four types of risk which need to be assessed (People, Product, Production and Planet). This is followed by a brief discussion of normalizing the risk components of severity and probability. The heart of the tutorial is the description of how to measure the total risk of various operations, processes and facilities and present the resulting risk profiles to management. The tutorial will conclude with a brief discussion on the validity of the methodology used. Note: this is not a discussion of how to determine true total risk, but a simplified method using a minimum of math. The tutorial is designed for safety and health professionals working within a company that has multiple processes or facilities that compete for funding to ameliorate hazards.

Thursday 08·15·13, 8:00–5:00, Exeter. Tutorial, 0.6 CEU

Conceive of Modeling On Operation Mechanism of Public Safety Standardization
Instructors: Yun Luo and Yuecheng Huang, ME, School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
On the basis of the theories and methods of system science and strategy systems, this work reveals the operating laws of work safety standardization and the relations between all its elements, combined with the background and current situation of public safety standardization in China. It also builds the framework of the macroscopic operating mechanism and the "456" model of the work safety standardization system's operating mechanism, drawing on the execution and achievements of work safety standardization in China. Besides this, it designs six further mechanism models in order to systematically analyse and present optimized countermeasures, such as comprehensive management by government, categorized supervision by department, implementation of responsibility by organization, technological service by agency, wide participation by society, self-disciplined prodding by all personnel, and so on. The research provides some theoretical directions as well as approaches for the construction and improvement of the operating quality of public safety standardization.


PANEL DISCUSSIONS / FORUMS

Tuesday 08·13·13, 8:00–11:30, Dartmouth. Open Forum

Developing Global System Safety Perspectives
Moderator: Robert Ward Fletcher, PEng, MSc, PMP, PCIP, Consultant, President, Robert Fletcher System Safety Inc., Ottawa, Ontario, Canada
This will be a free-form discussion moderated by Bob Fletcher, SSS Director of International Development. It is a continuation of the discussion started during the 30th ISSC.

Robert is a system safety engineer with many years of experience. He has performed system safety consultancy work for several clients around the world. He has performed system safety engineering and safety management systems training, auditing and analysis for air traffic control and flight service system applications. Robert received an MSc from the United States Naval Postgraduate School, a diploma from the Aerospace Systems School, Winnipeg, Manitoba, and a Bachelor of Science degree from the Royal Military College. He is a registered professional engineer, a member of the Project Management Institute and the Critical Infrastructure Institute.

Thursday 08·15·13, 8:00–11:30, Suffolk. Panel

G-48 Workshop: Pressing Issues Facing System Safety
Moderator: David B. West, CSP, PE, CHMM, Systems, Software and Solutions Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
A panel of speakers (TBD) will give a series of presentations on the most pressing issues facing the System Safety community today.

WORKSHOPS

Tuesday 08·13·13, 8:00–11:30, Exeter. Workshop

ISO 26262-Style Risk Assessment
Presenter: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada
ISO 26262 is a functional safety standard for electronic control systems in road vehicles which includes a novel approach to risk assessment that overcomes the widely recognized difficulty of evaluating the likelihood of failure in the case of software-intensive systems. Although it was devised for use in the automotive domain, this approach to risk assessment has been used successfully in other technical domains that also rely on safety-critical software. Following a brief introduction to ISO 26262, participants will engage in a series of problem-solving small-group exercises based on examples taken from a variety of technical domains, including automotive, medical devices, energy and defense. The workshop will include opportunities for discussion and comparison of sample solutions. The workshop will also include a brief comparison of the ISO 26262 approach to risk assessment with the notion of software criticality in MIL-STD-882E. While this workshop will be of particular interest to system safety engineers in the automotive industry, it is intended to be relevant to system safety engineers across all technical domains with an interest in the assessment of safety risk associated with complex software-intensive systems.


Tuesday 08·13·13, 1:30–5:00, Exeter. Workshop

Application of System Safety Methods to Systems of Systems
Presenters: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada; Rami Debouk, Electrical and Controls Integration Lab, General Motors, Warren, MI, USA; Antonio Vergara, ITER Organization, St Paul-lez-Durance, France
This workshop will facilitate an exchange of knowledge among participants about the application of system safety methods to Systems of Systems (SoS), that is, systems whose components are themselves complex systems, such that the combined behavior of these components cannot be easily understood or explained in terms of the behaviors of the individual components. Examples of such systems are increasingly common across a variety of technological domains, including aerospace, defense, automotive and energy generation/distribution. Traditional methods of system safety, focused on component failure as a source of safety risk, have limited value in understanding and managing the safety risks associated with a SoS. For example, an unforeseen interaction between two "correct" behaviors implemented by different components of a SoS may result in an unsafe behavior even in the absence of a component failure. The first part of the workshop will be a series of short presentations on SoS examples from a diverse variety of technical domains, namely advanced road vehicles, high energy physics and aerospace/defense. The second part of the workshop will be an opportunity for all participants to address specific questions about the application of system safety methods to SoS through dialogue and impromptu mini-presentations.

Tuesday 08·13·13, 1:30–5:00, Fairfield. Workshop

Advancing Safety By Reducing Errors: A Fresh Approach
Presenter: Tim Autrey, BSc, Error Reduction and Human Performance Enhancement, Practicing Perfection Institute Inc., Swanzey, NH, USA
Potential hazards workers face while working in the refining and petrochemical industry can vary from minor leakage to major blasts: releases of chemical vapors, spills leading to exposure to harmful gaseous chemicals, fires and explosions, and smoke build-up causing shelter-in-place orders that impact the local community, personal injuries, fatalities and plant damage resulting in shutdowns. Considering time pressures, the dangerous nature of the job, weather conditions, lack of communication, poor/inadequate documentation and remote working locations, planners, locators and refiners often face combined challenges that generate very error-likely conditions.

While unexpected releases of toxic substances do occur, the industry is subject to vulnerabilities caused by other factors (such as processes involving highly hazardous chemicals leading to the release of flammable liquids and gases, and worker stress and fatigue), and investigations reveal that many of the major accidents that do occur could have been prevented through greater diligence on the part of the personnel involved.

This workshop is designed to provide the participants with the awareness that, as humans, we are fallible (even the best people make mistakes). This being said, as humans we also possess the incredible power of choice. What we must do is choose to learn from our mistakes and take actions to prevent their recurrence.

Bird and Germain (1996) rightly said: "What is the sense of measuring if the loss must occur before you can act? That is reaction, not control." What we need is a fresh approach to enhance safe work practices. This session will instill a strong understanding of "The Gap" in processing information and how to RESPOND rather than REACT when posed with a stressful or threatening situation. The participants will come to recognize the value inherent in worker contribution to solving problems and improving safety and efficiency.

The Practicing Perfection® approach has taken the best-of-the-best tactics and tools from the US commercial nuclear power and airline industries, simplified them and combined them with the underlying triggers and influencers of behavioral psychology to transform worker behaviors pertaining to personal and process safety in different sectors.

Using this innovative Practicing Perfection® approach, safe work practices will be discussed in depth using the four human error barrier/defense categories and how these work together to prevent or allow an event to occur. The participants will be introduced to the Error Elimination Tools™ handbook, which offers simple tools for minimizing the potential for error at points of team interaction and individual execution.

Wednesday 08·14·13, 1:30–3:30, Arlington. Workshop

The Evolution of the UK Defence Safety Standards
Presenter: John McDermid, Professor of Software Engineering at the University of York, UK
Issue 5 of DS 00-56 is being developed and is likely to be in force before the end of the year. The UK's primary defence safety standard, DS 00-56, has been in existence since mid-1990 and has undergone a number of changes, becoming more goal-oriented at Issue 4 (the current standard). When Issue 4 was produced, DS 00-55, the MoD software safety standard, was discontinued. Since the publication of DS 00-56 Issue 4 in 2007 there has been feedback on some of the requirements, including the challenges of applying the ALARP principle; defence contracting has changed, with a move towards greater procurement of services and/or outsourced management of facilities; and there is increasing use of Systems of Systems (SoS). Issue 5 of DS 00-56 is being developed to address these issues. At the same time there have been increasing concerns regarding software safety, and it has been decided to re-introduce DS 00-55 at the same time, albeit in a goal-based style consistent with DS 00-56 and also covering complex electronics. The workshop will present an explanation of the motivation for the changes to the standards and the significant conceptual changes, and outline the rest of the development process. Time will be allowed for discussion, e.g. of the relationship between DS 00-56 and other standards, both civil and military.

Wednesday 08·14·13, 1:30–3:30, Fairfield. Workshop

Aircraft Fire & Explosion: How Safe Are the Friendly Skies?
Presenter: Albert Moussa, PhD, PE
While commercial air travel is an extremely safe mode of transportation, aircraft fires and explosions can occasionally occur with catastrophic consequences. Using examples of recent accidents and full-scale testing, Dr. Albert Moussa will provide an overview of the main types of fires, such as those involving aircraft engines, fuel tanks, and cabin and cargo areas. He will show how major accidents lead to safety recommendations by the NTSB, stricter requirements by the FAA and improved practices by the industry. This process takes many years, leading eventually to safer skies. Examples of safety improvements include the use of a fire-blocking layer in seats, improved acoustic insulation, fire detection and suppression systems in cargo bays, and fuel tank inerting. The implications of replacing aluminum with composite materials will also be discussed. The talk is an overview of a unique professional course that he teaches annually on the design of aircraft systems for protection against fire and explosion. The talk is a multi-media presentation illustrated with colorful slides and short video clips of real accidents and computer model outputs.

Dr. Albert Moussa has spent over forty years developing a fundamental understanding of fire and explosion, particularly for the aerospace/defense industry. His work has led to the development of a number of practical solutions and quantitative models and to the investigation of several major national and international aircraft fire accidents. His forewarning about the vulnerability of aircraft fuel systems before the occurrence of the TWA 800 and Concorde disasters has gained him prominence in the general media in both the US and Europe. He has consulted for the Air Force, Navy and major firms such as Boeing, GE, Northrop Grumman and Parker Hannifin, and has served on national advisory committees and on the Editorial Board of an ASME Journal. He teaches a unique professional design course on how to protect aircraft systems against fire and explosion. He received his BS from Stanford University and his MS and ScD from MIT. He has published widely, including one book. He has received several honors, including the William Littlewood Memorial Lecture Award by SAE/AIAA, Engineer of the Year by the AIAA NE Section, best paper awards by SAE and ASEI, AIAA Distinguished Lecturer and several ASME citations. He is the Founder and Technical Director of BlazeTech Corp., an engineering firm that specializes in technology and software development in the area of energy, environment and safety.

Friday 08·16·13, 8:00–10:00, Clarendon. Workshop

Process Safety Culture Best Practices
Presenter: Laurence Pearlman, MA, Corven Inc. and University of Illinois at Urbana-Champaign, Naperville, IL, USA
The workshop explores how process safety is more than a technical solution and involves cultural change. To make a successful and sustainable culture change, multiple elements need to be combined that address people, rewards, learning and leadership. This workshop will explore best practices and give practical advice on how to build a process safety culture. The workshop is aimed at oil, chemical and other process-related work.

• Introduction
• Change as a Journey: Overview of Change Management
• Building a Business Case: Defining a Burning Platform
• Speaking of Process Safety: Creating a Common Language for Process Safety
• Leadership Matters: Defining the Role of Your Leadership Teams
• Effective Learning: Segmenting Your Audiences and Delivering Relevant Learning Activities
• Looking at Behaviors and Desired Outcomes: How To Define & Drive Behaviors
• The Employee Lens: Know My Barriers & Know My Role in Keeping Them Healthy
• Measurement of Culture: What Works and What Doesn't
• Wrapping it Up: Change as a System


PAPER PRESENTATIONS

Monday 08·12·13, AM, Berkeley. Hazard Analysis. Chair: Barondes

Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models
Lucas Wind, Dr. Gabriele Schedl, Juergen Floetzer, Safety Management Department, Frequentis AG, 1100 Vienna, Austria
Multiple failures of components due to shared causes, also known as Common Cause Failures (CCF), comprise an important class of failure types. These have to be taken into account in any serious assessment of safety-critical systems deploying any redundancy concept. Whereas a qualitative assessment of CCF can be regarded as common practice, the exact numerical impact of CCF is usually less widely understood. Explicit representation of CCF is quite cumbersome and usually involves complex graphical representations within Fault Trees and Reliability Block Diagrams (RBDs). Focusing on a correct derivation of RAM data rather than on a comprehensive common cause analysis, an implicit representation of CCF is therefore often preferred, but it involves in-depth knowledge of the underlying mathematical models. This paper aims to enable safety experts to make a fast, simple but effective RAM analysis including CCF. Popular CCF models are reviewed together with their advantages and disadvantages, based on the long-term experience of a supplier in the context of a large European ATM project. The single-parameter beta-factor model is explained in detail and demonstrated to be the most effective for typical ATM applications. Based on this model, results are given in terms of representative figures depicting the influence of CCF on various typical real-world availability requirements.
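The beta-factor model the paper singles out is the one-parameter model in which a fraction β of each channel's failure rate is assumed to take out every redundant channel at once. As an added example, written for this listing and not code or figures from the paper or from Frequentis, the following Python applies it to a 1-out-of-n group of identical repairable channels and shows two things the abstract only states: how far CCF dominates the naive independent-failure figure once redundancy is in play, and the largest β a given availability requirement can tolerate. All rates, repair times and targets are constructed illustrative values.

```python
"""Beta-factor common cause failure (CCF) model for a 1-out-of-n group of
identical, repairable channels with constant failure and repair rates.
Added example with constructed numbers; not the paper's code or data."""


def channel_unavailability(rate_per_h: float, mttr_h: float) -> float:
    """Steady-state unavailability of one repairable channel:
    q = lambda*tau / (1 + lambda*tau)  (constant failure rate lambda,
    mean time to repair tau). Reduces to lambda*tau for small products."""
    if rate_per_h < 0 or mttr_h < 0:
        raise ValueError("rate and repair time must be non-negative")
    x = rate_per_h * mttr_h
    return x / (1.0 + x)


def split_rate(rate_per_h: float, beta: float):
    """Beta-factor split of a channel's failure rate: a fraction beta of all
    failures is the common cause event that fails every channel together;
    the remaining (1 - beta) are independent single-channel failures."""
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must lie in [0, 1]")
    return (1.0 - beta) * rate_per_h, beta * rate_per_h


def system_unavailability(rate_per_h: float, mttr_h: float,
                          beta: float, n: int = 2) -> float:
    """Unavailability of a 1oo{n} redundant group. Fault-tree form:
    TOP = CCF  OR  (CH1_ind AND ... AND CHn_ind)
    i.e. the group is down when the common cause event is active or when
    all n channels happen to be down from independent failures."""
    if n < 1:
        raise ValueError("need at least one channel")
    ind_rate, ccf_rate = split_rate(rate_per_h, beta)
    q_all_independent = channel_unavailability(ind_rate, mttr_h) ** n
    q_ccf = channel_unavailability(ccf_rate, mttr_h)
    # OR of two independent basic events: P(A) + P(B) - P(A)P(B)
    return q_ccf + q_all_independent - q_ccf * q_all_independent


def ccf_penalty(rate_per_h: float, mttr_h: float,
                beta: float, n: int = 2) -> float:
    """Factor by which modelling CCF worsens the group's unavailability
    relative to the naive independent-failures-only figure (beta = 0)."""
    naive = system_unavailability(rate_per_h, mttr_h, 0.0, n)
    return system_unavailability(rate_per_h, mttr_h, beta, n) / naive


def max_tolerable_beta(rate_per_h: float, mttr_h: float, n: int,
                       target_unavailability: float, iters: int = 80):
    """Largest beta for which the 1oo{n} group still meets the requirement.
    For realistic (small) channel unavailability Q(beta) increases with
    beta, so bisection applies. Returns None when even beta = 0 misses the
    target (redundancy alone is insufficient) and 1.0 when any beta passes."""
    if system_unavailability(rate_per_h, mttr_h, 0.0, n) > target_unavailability:
        return None
    if system_unavailability(rate_per_h, mttr_h, 1.0, n) <= target_unavailability:
        return 1.0
    lo, hi = 0.0, 1.0   # invariant: Q(lo) <= target < Q(hi)
    for _ in range(iters):
        mid = (lo + hi) / 2.0
        if system_unavailability(rate_per_h, mttr_h, mid, n) <= target_unavailability:
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    # Constructed figures: 1e-4 failures/h per channel (MTBF 10,000 h),
    # 8 h mean repair, two redundant channels.
    RATE, MTTR, N = 1e-4, 8.0, 2
    for beta in (0.0, 0.01, 0.05, 0.10):
        q = system_unavailability(RATE, MTTR, beta, N)
        print(f"beta={beta:<5} Q={q:.3e}  penalty x{ccf_penalty(RATE, MTTR, beta, N):.1f}")
    print("max beta for Q <= 1e-5:", max_tolerable_beta(RATE, MTTR, N, 1e-5))
```

With the constructed figures the independent-only model gives a group unavailability near 6.4e-7, while a modest β of 0.1 lifts it to about 8.1e-5, two orders of magnitude worse; the CCF term is linear in β whereas the independent term is quadratic in the channel unavailability, which is why the common cause contribution dominates any highly available redundant pair and why the β a requirement can absorb is so small.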

Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees
Wes Rainey, MSEE, Life Cycle Engineering, General Dynamics Electric Boat, Groton, CT, USA
Fault Trees prove to be an effective tool for identifying safety-critical system hardware and software requirements during the Safety Requirements Hazard Analysis (SRHA) process. This safety analysis methodology offers significant benefits when performing the SRHA. Fault Trees effectively communicate the safety assessment of a safety hazard to other safety engineers, systems engineers, the customer and other impacted engineering disciplines in a manner that each discipline can readily understand and evaluate for completeness and correctness. Fault Trees also enhance the safety engineer's ability to assess the implications of safety mishaps and events on safety hazards, improving visibility into the relationship between related mishaps and events and allowing common events to be identified and shared between hazards. Fault Trees can then be structured to correspond to the system hardware and software requirements analysis, thus providing the ability to identify hazard-mitigating safety-critical requirements, design features and procedures early in the development process for continued tracking and management. This paper describes significant benefits of Fault Tree analysis when applied to an SRHA, with an example based upon a hazard caused by significant equipment damage to a pump.

Program ISSC 2013

The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment
Omar T. Jaradat, PhD Student (1); Patrick J. Graydon, Postdoctoral Research Fellow (1); Iain Bate (2); (1) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden; (2) Department of Computer Science, University of York, York, United Kingdom
Typical safety standards require software engineers to show that a plan of safety activities, chosen from recommended options or alternatives, meets a set of objectives. For example, the automotive safety standard ISO 26262 recommends formally verifying software architectures to show that they comply with safety requirements. In this paper, we show how an existing approach to architectural model checking could be used to conform to ISO 26262.

The Architecture-Based Verification Technique for AADL Specifications verifies some completeness and consistency properties of Architectural Analysis and Design Language (AADL) models. An engineer transforms the AADL architecture into an UPPAAL model, generates a set of UPPAAL queries, and uses UPPAAL to check the queries. Using the resulting evidence, we have created a partial ISO 26262 safety case for an existing system that warns drivers of heavy vehicles before low fuel causes loss of power and vehicle control.

In this paper, we demonstrate how this model-checking evidence contributes to an ISO 26262 safety case. We then critically analyze the resulting argument, recommend means of achieving complete coverage of ISO 26262 objectives, and discuss the costs and benefits of architectural model checking in comparison to those of the other techniques recommended by ISO 26262.

Monday, 08·12·13, AM, Clarendon: Ground Transportation (Chair: Millin)

Achieving Confidence of a Safety Critical System Product and Its Applications
Fenggang Shi, PhD; RAMS Department, Thales Canada Transportation Solutions, Toronto, ON, Canada
A safety critical system product can be developed for multiple project applications, such as a Communication Based Train Control (CBTC) product for modern railway signaling systems. It is natural that different safety critical systems in the same domain can have different characteristics due to variances of devices and operation environment. Such a product must be developed based on the generic attributes of systems in the domain and can be parameterized and tailored to a specific system with the characteristics expected by the customer. The key issues in development of such a product are defining common functions in the application domain, categorizing and generalizing devices, and designing a configurable system architecture. Thus devices and functions can be parameterized and tailored for a specific system of a project. Safety engineering for such a safety critical system product and its applications faces complexity in safety case development for demonstrating systematic hazard analyses and management. This paper discusses Thales' experience and practice of resolving the key issues in designs and managing complexity of safety engineering on its CBTC product and applications. Safety confidence of CBTC systems is achieved through four layers of safety engineering: vital computer, controller platform, generic application, and specific application.

Failure Logic Automata for Future Oriented Safety Assessment of Train Control System
Guo Zhou, PhD Student; Huibing Zhao, Professor; School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China
In the development progress of a train control system, safety analysis possibly deviates from system design. System engineers and safety engineers always carry out their ideas in entirely different ways, so that when system engineers assert their designs are completed and feasible, the safety engineers may disappointedly declare that the safety requirements are not met. On the contrary, when safety engineers expose their manual analysis reports (FTA and FMECA, etc.), system engineers may pop up and point out the inconsistency. Intuitively, there seems to be a "gap" between system engineering and safety engineering. In this paper, some comparisons amongst classic safety assessment methods are performed first. Then a future oriented safety assessment method is introduced to safety engineering to automatically realize safety requirements verification with the soaring complexity of system design. The hierarchical and modularized methodology of failure logic modeling is illustrated for minimal cut sets synthesis and dangerous failure rate calculation, which can be referred to prompt the safety. The mathematic model is constructed to manifest the correctness of the method. An instance analysis of an on-board train protection system is performed also.

Are We Ready for Driverless Cars?
David B. West, CSP, PE, CHMM; AMCOM/AMRDEC Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
For decades, technological advancements have continually improved the automobile, making it easier to drive. As we integrate features like adaptive cruise control, GPS navigation, lane keeping, and so on, and make them interoperable, we move ever closer to having cars that will drive themselves to the destinations we enter into their programs. Some experts have even predicted that in less than a generation it will be illegal to steer our cars ourselves. Though it may seem that serious safety challenges constrain our movement down this path, it may actually be the safety benefits offered by driverless cars that propel us in this direction. Several high-profile competitions have fostered the development of driverless car technology. Some jurisdictions are already passing legislation to pave the way for driverless cars on public roads. With driverless cars will come major changes in legal processes involving accidents. In many ways, the development of driverless cars that will operate on public roadways parallels the development of unpiloted aircraft that will fly in the national airspace. Design standards for hardware and software in civil aircraft (e.g., RTCA DO-254/DO-178) may serve as models for similar qualification of driverless car hardware and software.

Tuesday, 08·13·13, AM, Berkeley: Hazard/Risk Management (Chair: Parizo)

Safety is not an Option
Clifford A. Parizo, BS, MS; Aviation & Product Safety, Sikorsky Aircraft Corporation, Stratford, CT, USA; R. Brandon Daugherty, BS, MS; Aviation & Product Safety, Sikorsky Aircraft Corporation, Huntsville, AL, USA
This paper presents a method for evaluating and classifying rotorcraft safety enhancing equipment in terms of impact on safety and various equipment implementation factors. Guidance from certifying agency policy and system safety standard practice were considered, resulting in a classification tool that can be used to determine if equipment should be marketed and sold as either mandatory or optional. The methodology developed may have applications for other products and industries.

National Aerospace Standard 411 Update
Timothy Sheehan, CIH, CSP, PE; Raytheon Global Substances Program, Raytheon, Portsmouth, RI, USA
This paper describes the effort to review and update National Aerospace Standard 411 ("NAS 411"), commonly used within defense as a framework to conduct Hazardous Material Management Programs (HMMP) intended to reduce hazardous material risks in the government procurement of military systems. The scope of the effort includes both a review of the standard and the introduction of several key changes, including the expansion of the scope to non-military procurements and service contracts. Included in the effort is the task of developing a standardized military Hazardous Materials Target List (HMTL) that can be used as a starting point for military HMMP hazardous material (HAZMAT) target lists. The development of the common HMTL addresses the need to increase standardization of HMMP lists across defense programs that use NAS 411 and/or MIL-STD-882E Task 108 to conduct their HMMPs. There is no current standard approach now for developing these lists; as a result, there are numerous different materials identified for restrictions and reporting requirements. The current situation often does not support (or reflect) the hazmat risk management goals of the DoD, the military services, or the contractors.

Linear Integrated Safety Analyses (LISA)
Michael T. Grant; Aviation & Product Safety, Sikorsky Aircraft Corp., Stratford, CT, USA; Samad Muhammad; Atlantic Software Technologies Inc., New York, NY, USA
This paper describes the Linear Integrated Safety Analyses (LISA) process developed by the Sikorsky Aircraft Corporation (Sikorsky). The LISA architecture is designed to encompass all aspects of safety risk management for aircraft development programs. It is linear in that each assessment is repeated at the aircraft, system, and subsystem levels in sequence, and it is integrated such that all analyses are connected and fully traceable to requirements. Sikorsky has partnered with Atlantic Software Technologies (AST) to develop a web-based LISA application. The end product will be a fully integrated system safety process that is comprehensive, repeatable, and traceable.

Tuesday, 08·13·13, AM, Clarendon: Workspace Safety (Chair: Kondreck)

Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen
Han Zhang, MSc Candidate; Rachel McQueen, MS, PhD; Jane Batcheller, PhD; Human Ecology, University of Alberta, Edmonton, Alberta, Canada
Burn injuries in kitchens are prevalent; as well, chefs are exposed to high heat and humidity. Limited research has been performed on safety issues related to chef's uniforms regarding thermal protective performance towards common kitchen thermal hazards (i.e., flames, hot liquids, steam, and hot surfaces) and the thermal comfort within commercial kitchens. The purpose of this research was to characterize the thermal protective performance properties of textiles used in chef's uniforms in order to understand how protective they are against all these thermal hazards in such an environment. Selected thermal performance tests (i.e., flammability and ease of ignition, hot water and oil splash, steam testing under low pressure, and hot surface contact tests) were applied to predict the time to second-degree burn. Different fabric layer combinations (e.g., impermeable/semipermeable apron and two or more layers of cotton fabrics) were applied to determine the most effective way to wear chef's uniforms. In addition, thermal and water vapour resistance were compared among different fabric systems in terms of thermal comfort. Based on the obtained data from bench scale tests, recommendations were made to improve the thermal protection and thermal comfort of fabrics used in chef's uniforms and the safety within commercial kitchens.

A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources
Ray Fischer (1); Kurt Yankaskas, BS (2); Chris Page (1); (1) Noise Control Engineering Inc., Billerica, MA, USA; (2) Warfighter Performance Department, Office of Naval Research, Arlington, VA, USA
Noise remains the most prevalent occupational hazard associated with defense systems and operations critical to their sustainment. Concurrently, acquisition programs have been inconsistent in application of control measures, and many new systems are noisier than their legacy predecessors. Common impediments to improved control include relative lack of emphasis on risk management of noise, lack of widespread technical knowledge regarding the feasibility of noise control, and misunderstanding of potential return on investment from noise controls. The Defense Safety Oversight Council's Acquisition and Technology Task Force sponsored a project to identify common noise sources affecting multiple defense systems that were amenable to control measures that could be implemented using existing technologies at an affordable cost. A system engineering risk management process was applied to review key noise sources in DOD, identify nine of the more common sources amenable to control technologies, and describe common control measures for these processes. An affordable containment (acoustic enclosure) technology was also evaluated and described. Estimates were made of exposed populations, the range of their occupational exposures, and potential risk and fiscal cost of hearing loss. Cost-benefit analyses were applied to evaluate the return on investment from available control measures.

System Safety Design for Safe Operation of Radars
Ronald J. Bartos, PE, CSP; Whole Life Engineering, Raytheon, Sudbury, MA, USA
Safe operation and maintenance of radars depends upon effective system safety and software safety analyses of radar designs. These analyses include identification of the hazards involved in operating and maintaining radars and the safety requirements that are necessary to mitigate these hazards. This paper familiarizes the reader with the system safety design requirements that are implemented in the controls of these systems in order to manage the potential safety risks inherent in radars. The safety features are contrasted among different types of radars. The differences in the types of safety features among these systems are highlighted, and factors for these differences are presented. The radar's mission, location, system architecture, conceptual design, and requirements allocation between hardware and software need to be understood in order to implement an effective safety program.

Tuesday, 08·13·13, PM, Berkeley: Software Engineering (Chair: Mikula)

Dependability Techniques Applied to Space Software - A Research Project Report
Carlos Henrique Netto Lahoz, Dr. Eng.; Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos (SP), Brazil; Martha Adriana Dias Abdala, MS; Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos, Brazil
This work reports some results of a research project performed at the Institute of Aeronautics and Space (IAE), Brazil, using dependability techniques applied to a space computer system. Hazard analysis techniques such as Software FTA and Software FMECA were used in an integrated manner, and more recently the System-Theoretic Process Analysis (STPA) has been studied. This research is part of the Verification and Validation (V&V) efforts to increase software dependability capability in software projects at IAE.

The feasibility of such an approach was conducted on a system software specification and applied to a case study based on the Brazilian Launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to inclusion of new functional and non-functional system software.

The techniques are adjusted and used in combination to identify common causes of software failures, its criticality, performance problems, temporal misleading, and hazards arising mainly from dysfunctional interactions between components. The SFTA analysis produced 82 basic events and the SFMECA 34 analyses from the sequence of flight and control events. The STPA is being applied to one of the case study scenarios in order to evaluate possible additional information about how the behavioural safety constraints can be violated.

The Principles of Software Safety Assurance
Richard Hawkins, PhD; Ibrahim Habli, PhD; Tim Kelly, PhD; Department of Computer Science, University of York, York, United Kingdom
We present common principles of software safety assurance that can be observed from software safety standards and best practice. These principles are constant across domains and across projects and can be regarded as the immutable core of any software safety justification. The principles also help maintain understanding of the 'big picture' of software safety issues whilst examining and negotiating the detail of individual standards, and provide a reference model for cross-sector certification.


Formal Modelling in the Development of Dependable Systems
Elena Troubitsyna, PhD; IT, Åbo Akademi University, Turku, Finland
Nowadays we tend to place increasing reliance on computer-based systems and the software which they are running. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, the analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.

It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing of software to the required degree of dependability infeasible, and hence the emphasis should be put on the development process, which is aimed at producing fault free software. Moreover, the system environment has a direct impact on its dependability, and hence a systems approach should be applied.

In the paper we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.

Tuesday, 08·13·13, PM, Clarendon: Aerospace Safety (Chair: Kraemer)

Systems-Based Approach to Flight Safety Management in Airlines
Hong Chi, PhD; Baoguang Xu, PhD; Mingliang Qi, PhD; Xueyan Shao, PhD; Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China
Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of SMS. From 2006, we work with one of China's 3 big airlines, taking part in its construction of SMS. We find that safety risks have their own features in different airline's departments, and divide safety risks into two categories: one is caused by factors such as quality of pilots and reliability of airplanes, and the other is caused by misprocessing through operational processes; for example, a misprocessing in data entry during dispatching may lead to insufficient fuel and then serious outcomes. A reasonable risk assessment can be obtained only by systematic mechanism analysis, and other analytical approaches need to be studied besides the risk matrix. Based on this, effective risk mitigation can be implemented in airlines. We develop a closed loop to support airline's flight safety management, named "Describing-Assessing-Diagnosing-Improving-Tracking". Specific details will be discussed in this paper.

Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch
Burak Durmaz, MSc Eng.; Product Assurance Department, Space Systems Group, Turkish Aerospace Industries Inc. (TAI), Ankara, Turkey
Even if the new generation aircraft have rugged designs which are maximizing reliability, exposure to failures during operation is still indispensable. With a pure safety approach, one can lead to the classical result "the safest aircraft is the one in the hangar". Vice versa, allowing dispatch without ensuring a certain level of safety can lead to catastrophic results and is totally not acceptable. MMEL has been answering this dilemma for many years. Each MMEL item is analyzed taking into account the effects of item inoperability on safe flight and landing, crew workload, functional capabilities of the systems, design margins, and the impacts due to the next critical failure. MMEL is proposing dispatch criteria for any inoperative MMEL item by taking credit from a redundant unit which is capable of accomplishing the same function, the backup data provided by alternative sources or equipment, dictating acceptable limitations and/or requiring operational or maintenance procedures.

This study is aiming to answer questions such as why MMEL is required and how an MMEL is developed. Also, brief information about the MMEL regulations, the importance of MMEL to ensure safe dispatch with inoperative item(s), and some simple examples regarding MMEL applications are going to be provided.


Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics
Stuart Campbell Sr., MAS, CFII, ATP; Aeronautical Science, Embry Riddle Aeronautical University, Daytona Beach, FL, USA
The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilot Association, 2010). The absence of a positive safety culture in general aviation, to include training organizations, affects pilot judgment and decision making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture during the learning process and training, is of importance and currently under study using the Frasca Mentor Advance Aviation Training Device.

Tuesday, 08·13·13, PM, Dartmouth: Software Safety (Chair: Schmedake)

Safety and/vs Security: Towards a System Engineering Approach for Trust
Erwin Schoitsch, Dipl.-Ing.; Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria
Safety has a long tradition in many engineering disciplines, evolving long before computers arrived on the scene. Security in engineering disciplines has a shorter history, becoming increasingly important with the rising complexity of networked systems. In complex cyber-physical systems and systems-of-systems, both worlds, having ignored each other for a long time (independent communities, different targets, standards, techniques and measures), have now to share their concerns to achieve the real goal of users and stakeholders: trustworthy systems.

The paper will compare the different approaches of the major safety and security standards, particularly with respect to setting goals, considering techniques and measures, and qualification/certification. Holistic system aspects, as covered by the notion of Dependability and Resilience as umbrella terms, and system engineering aspects, taking into account dichotomic properties of complex embedded systems (commonalities and trade-offs), are looked at to try to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from concept phase, hazard and risk analysis to decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC-FP7 Integrated Project OpenCoss, in IEC/ISO standardization groups, and other work.

Anatomy of a Safety Critical Software Function
Richard Church; Raytheon Company, Tewksbury, Massachusetts, USA
This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides clear and concise determination of how a safety critical function may be defined at the system level to include hardware, software, human interactions, and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose SLSCF computing level functions and detail what constitutes a Safety Critical Computing Software Function (SCCSF) and how to identify those behavioral attributes that designate that function as safety critical. This paper provides a methodology to identify, decompose, and categorize application and operating environment SCCSFs. For the purpose of this paper, SCCSFs are categorized into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety critical software functions that control and monitor safety critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies, and fail-safe designs found in successful high consequence safety critical systems.

Software Risk: The Third Rail of Safety Analysis
Holly S. Hildreth, PhD, Consultant; Charles Greg Elcock, USN-R Aviator, Consultant; San Diego, CA, USA
"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Due to our inability to assess probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called "throwing the baby out with the bath water". Meanwhile, the recent industry trend to assess software risk based solely on implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss shortcomings of this trend and describe alternative techniques that have not been openly documented but that have been used "under the radar" by software safety professionals for many years.

Wednesday, 08·14·13, AM, Berkeley: Human Factors (Chair: Robins)

ASL - Affective Safety Leadership
Ulrik Ramsing; Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark
Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how", demanding the CoRep to engage with all parties in a safe, professional, and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged with CfL, Centre for Leadership, to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, of which the satisfactory completion is now a requirement for employment in DONG E&P Offshore Operation as Company Representative.

The CoRep Program satisfies its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors, and ILO-driven offshore coaching.

Exxon Valdez: Human Error, Plain and Simple
Arthur D. Barondes, BS (Mil Engr), MS (Aero), MBA, PhD (ABD) (Business); Analytics International Corporation (AIC), Alexandria, VA, USA
Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989, and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors (there were no mechanical or electrical failures that fateful night), the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots, and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors, onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company, as solely responsible for the disaster.


Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A. Vernacchia, MS, PE; Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A. Green, PhD; Active Safety Systems, General Motors, Warren, MI, USA; Robert E. Llaneras, PhD; Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA
Today's electric propulsion system designs (e.g., Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, some failure modes may result in the failure effect on output torque being realized significantly faster than traditional ICE failure modes. These may present differences in how output torque responses impact potential "Driver Startle" events.

This paper compares electric propulsion systems' fault response characteristics and subsequent detection and mitigation capabilities to those of ICE systems. The effects of the electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle level hazard metrics related to Driver Startle, are presented.

Wednesday, 08·14·13, AM, Clarendon: Public Safety (Chair: Fletcher)

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD; Yun Luo; Shuo Tian, MS; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
To make scientific precaution and effective control of accidents is important for the national production of China. The famous Heinrich Rule reveals that the statistical law of the severity and frequency of accidents is essential to control accidents, but the accidental source and causation, as well as the essence of systematic safety factors, haven't been stated deeply. With the data analysis from various accident statistics over recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. And then a proportion rule of the accident pyramid is further figured out, namely "Major Accident - Fatal Accidents - General Accidents - Hidden Dangers - Hazards" (1-52-240-4700-∞). The result accords with the traditional Heinrich Rule, which provides the theoretical basis for accident prevention and indicates the way and direction of realizing the essential safety.

Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity
Ilya M. Zheleznov, PhD; VNIIA, Moscow, Russia
The paper presents a review and results of analysis of different technical and economic aspects of industrial safety at the large enterprise with distributed sites combining R&D works with pilot and batch production of high-tech products and located in a megacity, Moscow.

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to the optimization, considering minimization of transportations of dangerous substances, localization of treatment facilities (waste effluents, gas purification) and storehouses of waste, localization of systems of working conditions maintenance (heating, air-conditioning, air clearing, water supply, etc.), possible harm to the population, and a number of other factors, both from technical and economic points of view, are considered.

The features connected with an arrangement of the enterprise in a megacity, including such as limitation of the areas for treatment facilities, a high saturation of the area by various communications, small distances to residential buildings and objects of an infrastructure of a city, transport problems, high impurity of the air environment, etc., are allocated.


Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population TransportationDr Professor GA Smirnov Dr DI Yurkov DV Syagin ТV KozhinaAll-Russia Research Institute of Automatics (VNIIA) Moscow RussiaThe paper reviews the questions related to vulnerability assessment of a transport infrastructure objects and vehicles to acts of unlawful interference including a terrorist orientation ones as well as to emergency situations of natural and anthropogenic character

Main provisions of the Russian Government-approved complex program for safety of the population on transport are presented. Approaches to the organization of examination of physical persons (passengers), vehicles, cargoes, luggage and personal things at objects of the transport infrastructure of Russian undergrounds are formulated. Some types of neutron and X-ray equipment for detection of explosives, nuclear materials and drugs, designed and produced by VNIIA named after N.L. Duhov, are presented.

WEDNESDAY 08/14/13 AM, DARTMOUTH: LIFECYCLE SAFETY, Chair: Swallom

Maintenance Hazard Analysis
Phil Tan Joo Heng; Safety Assurance Centre, ST Kinetics, Singapore, Singapore
System Safety analyses assess the systems' hazards throughout all phases of the system life cycle. Quite often, details of maintenance tasks on systems are not clearly thought out and assessed. Hence, while in the midst of carrying out system maintenance tasks, hazards could arise and pose safety implications to users. Improper maintenance could also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance, and sometimes total replacement of the components at regular intervals, is required. Therefore it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety critical or safety related parts is also crucial in ensuring that the systems remain safe for operation after conducting maintenance.

This paper attempts to classify the different types of maintenance and the focuses of their respective hazard analyses in order to better address their potential hazards. Generally there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance and Reliability-Centered Maintenance. The authors will discuss, with examples, the hazard analysis for each of these types of maintenance.

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram; David Hartfelder; Electronic Controls and Software, General Motors Company, Milford, MI, USA
System safety engineering is the application of special technical methods and managerial processes in a systematic manner to identify, evaluate and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned with eliminating or minimizing the impact of system hazard(s) to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementary critical safety analyses, tests and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that they are able to influence the design of the system. This paper will define a system safety case and provide an overview of its development within the GM system safety engineering process as it applies to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs; Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA. James E. Allison; System Safety, United Launch Alliance, Centennial, CO, USA. Joseph Russell; Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA
Error Prevention Event Collection (EPEC) Documents have been beneficial to the ULA Organization in many ways, by providing multiple methods to augment current ULA Error Prevention Processes and to share Lessons Learned throughout the ULA Organization. EPEC Documents are stand-alone documents that provide ULA Personnel with categorized sets of Event information that can be used to augment Preventive Analysis, Reactive Analysis and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process; this means that they have completed the Causal Analysis, Corrective Action Board and Error Prevention Council processes. Upon Event closure, the "All Items" Database is populated with Event information and the applicable Event EPEC Categories. Then the "All Items" Database automatically sorts Event entries into "Category" Databases; there is one "Category" Database for each EPEC Category. Each "Category" Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" Database that provides users with instructions for use, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications and benefits as they relate to the EPEC Documents will continue to be explored.

WEDNESDAY 08/14/13 AM, EXETER: HUMAN FACTORS II, Chair: Flint

Development of Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy; Yanyan Wang, DE; Xin Liu; Wei Bai; Xinsheng Guo; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress has a disadvantageous effect on flight safety. Life events are a routine item of aircraft accident investigation in many countries. A lot of pilots involved in accidents suffered from life events. In order to acquire the ideal effect, flight safety education must be incorporated with psychology. An education program combining flight safety and psychological stress was developed by summarizing relative psychological factors of aviation risk perception. The program includes three sections: psychological measurement relative to safety and results feedback, education on representative risk scenes in aviation, and occupational stress management. The Aviation Safety Locus of Control scale and the Hazardous Aviation Attitude questionnaire were used to evaluate risk pattern. The results were fed back to pilots to improve their self-knowledge. Representative risk scenes were based on the five hazardous attitudes theory. Fifteen cases were developed and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach pilots stress management skills. The program can be applied to improve flight safety and the mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD; Xin Liu; Wei Bai; Xinsheng Guo; Qingfeng Liu, MPsy; Xiaochao Guo, DPsy; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
The capabilities of crew resource management (CRM) directly relate to flight safety and run through the whole process of flight tasks, but there are currently no indicators and methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and pilots' behavior characteristics of dynamic CRM were developed based on AC-121-FS-2011-41 crew resource management training and by analyzing the influential factors; thus the dynamic assessment training indicators and methods of crew resource management were eventually formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis of assessment of CRM during flight training, which is helpful for improving the CRM capabilities of the double drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD; Erin Collins; Hughes Associates, Inc., Baltimore, MD, USA
The fire protection response in selected facilities is characterized by "manual" activities. That is, facility personnel are trained to immediately react after fire detection, not only to announce the fire event throughout the facility using the communication systems but also to suppress the fire as quickly as possible. Contrary to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e. hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper involves an integration of an event tree analysis and HRA, which includes treatment of the following detection and suppression activities: Prompt detection and suppression, Rapid detection and suppression, and Fire brigade suppression.

WEDNESDAY 08/14/13 PM, BERKLEY: SAFETY TOPICS, Chair: Gauthier

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou, BEng, MSc, PhD, CEng; Matthew Luckcuck; Tim Kelly, PhD; Richard W. Jones, PhD; Department of Computer Science, University of York, York, United Kingdom
There has been increasing use of IT in healthcare, aiming to improve the quality of healthcare as well as the safety delivered to patients. IT can contribute to improvement in meeting the performance targets of hospitals by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent in medical devices (e.g. pacemakers), for which there are organised efforts for international standards. Recently there have been attempts to systematise and standardise the safety analysis of health IT systems, with examples such as the UK National Health Service standards asking for a safety case that any IT systems are safe.


The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety and data-intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these (tactics) can be used to provide assurance to the final safety case of the system.

How Complex Systems Fail-I: Decomposition of the Failure Histogram
Richard R. Zito, PhD; Richard R. Zito Research LLC, Tucson, AZ, USA
Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that in general the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model. And the failure histograms (failure rate vs. time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report will take the Peterson/Arellano analysis one step further. A unified theory of failure rates will be presented that removes the paradoxes of the simple Rayleigh model. It will be shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function law.

WEDNESDAY 08/14/13 PM, CLARENDON: RISK ASSESSMENT, Chair: Karedes

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt; Joan Pham, PhD; Sikorsky Aircraft Corporation, Stratford, Connecticut, USA
The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

THURSDAY 08/15/13 AM, BERKLEY: SPACE SYSTEMS, Chair: Durmaz

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X. Dang, BSCE (1); Myles P. Moran, BSME (2); Tyrone Jackson, BSEE (1). (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA
A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. An example: one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 AFSPC SUP 1, 91-217 and 63-101. AF program offices are required to comply with AFI policies. AFIs don't generally apply to the contractor except as implemented through the contract. Often, program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that by having two sets of requirements, AFIs for program offices and MIL-STD-882-Tailored for contractors, full compliance with AF Orbital Safety policy should be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"


Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G. McDougall, BS Physics, Naval Post-Graduate School (NPS) Master System Engineering; System Safety Center, SMC/SE, El Segundo, CA, USA. Tyrone Jackson, BSEE; System Safety, Space and Missile Systems Center, El Segundo, CA, USA
Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommission and disposal of systems, subsystems, end items and services during the entire space system lifecycle, to support Operational Safety, Suitability and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements that are applicable to the acquisition of space systems or space systems of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems, and user equipment systems. SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202 AFSPC SUP I and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process for evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing tasks and activities required to execute a viable system safety program, including risk acceptance package development, hazard tracking, mishap risk disposition and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar; System Safety, United Launch Alliance, Highlands Ranch, CO, USA
United Launch Alliance launches Atlas V and Delta IV from Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles. Large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle and prelaunch operations, until liftoff. Range Safety regulations provide safety requirements for hardware, software and operations to ensure safety throughout the ground processing. This paper will examine each stage of the ground processing for space launch and the applicable safety requirements, and discuss how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after personnel are cleared, using safety critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

THURSDAY 08/15/13 AM, CLARENDON: WEAPONS SAFETY, Chair: Southwick

Security Critical Software: the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S. Alborzi, PhD; Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA
Today's political landscape, the arbitrary abandonment of non-proliferation of nuclear weapons by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense of system safety. This paper intends to explore this integration and unveil some of the security critical software that can serve as the first line of defense for preserving the safety critical features of our weapons systems.


Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams, BME; Booz Allen Hamilton, Arlington, VA, USA. Ken Tomasello, BSChE; Navy NOSSA, Indian Head, MD, USA
The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance provided in the associated AOP-7 and AOP-39 for implementing policy. Questions are often raised during program development and reviews as to the origin and applicability of tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, will only address Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE; Gunendran Sivapragasam, MBA SE; Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA
A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among the characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

THURSDAY 08/15/13 AM, DARTMOUTH: HAZARD IDENTIFICATION, Chair: Oliver

Closing the Gaps in System Safety Coverage
Seet Ting Siow; Management Systems & Processes, ST Kinetics, Singapore, Singapore
We have often asked ourselves why accidents or mishaps happened even when the system safety methodology and assessments were in place. Accidents happen due to many possible causes. There could be lapses in the safety integrity of the system, or a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns, in that a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations that were faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practices in system safety. There are 4 areas of concern highlighted in the paper: Interfaces, Prototype Tests & Trials, Maintenance & Disposal, and Human Error. By identifying the gaps in these 4 areas, the author explores and proposes mitigation measures that could possibly close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr., Cand. scient.; System Safety, SINTEF, Trondheim, Norway
Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body for certification according to IEC 61508, a Notified Body for certification according to relevant EU directives, and a Manufacturer.

Experience has shown that, to deliver the product in time and to be cost-effective, it is very important that the Manufacturer and the Certification and Notified Body agree about basic principles concerning the plans, contents, traceability and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Body as evidence.

This paper presents the CoVeR method that has been developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, that costs are minimized, that time to market is reduced, that the certification process is complete and well documented, and that updates of the certificates require less work. The certification experiences to date show that many of the problems with conventional methods are improved.

Design with Safety Eye
Barış Berk Erdem, MS; Pinar Aydin, MS; Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey
Deriving safety requirements in the early stages of the design is one of the most important key factors in conducting a successful development process for any project. While well-defined, correct, consistent and complete safety requirements improve and guide the design to perfect levels with minimum effort, defective, inconsistent and incorrect safety requirements may lead to unsuccessful, overweight and over-cost designs. In this paper, ways and advantages of deriving qualified safety requirements in the early stages of the design will be discussed via examples. Safety requirements are derived using the results of the safety assessments, based on the consequences of functional failures. But the quality of safety assessments depends on the maturity of the design, and as the design matures it is hard to change and implement the changes, which causes a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated and familiar with similar projects provides great contributions. Also, a safety perspective throughout the design team makes it easy to derive valuable safety requirements and bring these requirements into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is cooperation of the whole design team with a safety perspective.

THURSDAY 08/15/13 PM, BERKLEY: AEROSPACE SOFTWARE, Chair: Beecher

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway; NASA Langley Research Center, Hampton, VA, USA
For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements". Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments contained in or implied by the DO-178C guidance that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow; School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore, developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper, we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels, and Baconian probability. We define use cases for confidence in safety cases: prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for reuse of safety elements.

Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System
Eric Yang, PhD; Richard Y. Xie, PhD; Arash Yousefi, PhD; Metron Aviation, Inc., Dulles, VA, USA
As demand for military, civilian and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety that is set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper we adapt a previously developed safety modeling framework, the Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS, incompatibility of sense-and-avoid systems of UAS and Tactical Collision Avoidance Systems (TCAS) of manned aircraft, loss-link procedures in the UAS, and UAS loss of communication with air traffic control. The findings of this study provide insight into potential risks of UAS integration and may support development of a concept of operations, establishing minimum performance standards, and developing required safety nets.

THURSDAY 08/15/13 PM, CLARENDON: PUBLIC SAFETY II, Chair: Laabs

Integrating System Safety and Emergency Management
Terry L. Hardy; Great Circle Analytics LLC, Denver, CO, USA
System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations, or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS, HSE, Marine Well Containment Company, Houston, TX, USA
Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips, and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain, and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess, and Statoil. In February 2011 MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS, and the Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach for working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.

WHAT ARE YOUR STRENGTHS AS AN ENGINEER?
"thinking system-wide" / "providing in-depth analysis of the latest technologies" / "solving real-life problems"

ONLINE MASTER'S DEGREES
• Reliability Engineering
• Project Management
• Nuclear Engineering
• Sustainable Energy
• Energetic Concepts
• Fire Protection Engineering

LEARN MORE: www.advancedengineering.edu/issc

A Taxonomic Analysis on Chinese Special Equipment "Yinhuan" in Supervision
Yunxiao Fan, Dr., Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety at the worksite. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices, and automobiles. In recent years the rapid increase in the number and types of special equipment has put BSES under increasing stress in regulating it. As a government supervision organization, BSES tries to make the inspection tasks of the different supervision levels explicit and efficient and to improve safety management performance from the viewpoint of risk. This research is the first task in a project which aims to identify yinhuans in special equipment supervision through a taxonomic approach, for further ranking them through risk assessment. Based on nonconformity and the 4 elements in the accident causation model, this research defined yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. This research identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans for 8 types of special equipment.

Thursday 08/15/13 PM, Dartmouth: Hazard/Risk Management II (Chair: Kniess)

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1); Patrick J. Graydon, PhD (2); Rikard Land, PhD (1). (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework including analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence, it can ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA
United Launch Alliance (ULA) believes error reporting is the cornerstone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented, and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012 ULA experienced an elevated number of transportation-related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if the associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates the processes were "in control" during the period of this study.

Even though statistical analysis tools demonstrated ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.

Isograph Software: World Leading Reliability, Availability and Maintenance Software
Reliability Workbench: Reliability Allocation, Prediction, FMECA, Fault Tree Analysis, Event Tree Analysis, Markov
Availability Workbench: Reduce Labor & Spares Costs; Increase uptime and output; Seamless integration with SAP and Maximo
www.isograph-software.com
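The ULA abstract above does not publish its Event data or its chart, so the following is an added illustration of the P-chart technique it names, written for this program rather than taken from the paper. It builds a Shewhart p-chart (fraction of opportunities that produced an Event) with per-period 3-sigma limits, which is what is needed when the number of transport moves differs from month to month, and flags any period whose observed fraction falls outside its limits. The monthly counts in SAMPLE_EVENTS are constructed for the example and are not ULA figures; the only rule applied is "point outside the limits", so run-based rules (for example, eight consecutive points on one side of the centre line) would need to be added for a fuller out-of-control test.

```python
"""P-chart (fraction-nonconforming control chart) for error Event data.

Added illustration; the monthly counts below are constructed, not ULA data.
"""
from dataclasses import dataclass
from math import sqrt
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class PChartPoint:
    period: str       # subgroup label, e.g. a month
    n: int            # opportunities in the subgroup (e.g. transport moves)
    events: int       # error Events recorded in the subgroup
    p: float          # observed fraction, events / n
    ucl: float        # upper control limit for this subgroup size
    lcl: float        # lower control limit (clipped at 0)
    in_control: bool  # lcl <= p <= ucl


def p_chart(samples: Iterable[Tuple[str, int, int]],
            z: float = 3.0) -> Tuple[float, List[PChartPoint]]:
    """Build a p-chart with per-subgroup limits.

    samples: (label, n, events) triples. Because subgroup sizes vary, each
    point gets its own limits p_bar +/- z * sqrt(p_bar * (1 - p_bar) / n).
    Returns (p_bar, points).
    """
    samples = list(samples)
    if not samples:
        raise ValueError("need at least one subgroup")
    for label, n, d in samples:
        if n <= 0 or d < 0 or d > n:
            raise ValueError(f"bad subgroup {label!r}: n={n}, events={d}")
    total_n = sum(n for _, n, _ in samples)
    total_events = sum(d for _, _, d in samples)
    p_bar = total_events / total_n  # pooled centre line
    points = []
    for label, n, d in samples:
        sigma = sqrt(p_bar * (1.0 - p_bar) / n)
        ucl = min(1.0, p_bar + z * sigma)
        lcl = max(0.0, p_bar - z * sigma)  # a negative LCL is not meaningful
        p = d / n
        points.append(PChartPoint(label, n, d, p, ucl, lcl, lcl <= p <= ucl))
    return p_bar, points


def out_of_control(points: Iterable[PChartPoint]) -> List[str]:
    """Labels of subgroups whose observed fraction falls outside its limits."""
    return [pt.period for pt in points if not pt.in_control]


def process_in_control(points: Iterable[PChartPoint]) -> bool:
    return not out_of_control(list(points))


# Constructed sample: monthly transport moves and recorded Events (not real data).
SAMPLE_EVENTS = [
    ("Jan", 50, 1), ("Feb", 48, 2), ("Mar", 55, 1), ("Apr", 52, 0),
    ("May", 60, 2), ("Jun", 45, 1), ("Jul", 50, 2), ("Aug", 58, 1),
    ("Sep", 47, 3), ("Oct", 53, 2), ("Nov", 49, 1), ("Dec", 51, 2),
]


def report(samples=SAMPLE_EVENTS) -> str:
    """Plain-text chart listing, one line per period."""
    p_bar, pts = p_chart(samples)
    lines = [f"p-bar = {p_bar:.4f}"]
    for pt in pts:
        flag = "" if pt.in_control else "  <-- out of control"
        lines.append(f"{pt.period}: n={pt.n:3d} events={pt.events} p={pt.p:.4f} "
                     f"UCL={pt.ucl:.4f} LCL={pt.lcl:.4f}{flag}")
    lines.append("process in control" if process_in_control(pts) else
                 f"out of control in: {', '.join(out_of_control(pts))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

With the constructed data the September cluster of three Events is still inside its limit (p-bar is about 0.029, and with 47 moves the upper limit is about 0.10), which is the "elevated count that is nonetheless in control" situation the abstract describes; raising that month to eight Events pushes it past the limit and the chart flags it. Because the lower limit clips to zero for every subgroup here, a month with no Events cannot signal an improvement, a known limitation of p-charts at low event rates.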

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, PEng, MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece
Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how the STAMP-Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents, and incidents. The objective is to show the feasibility of establishing in airports system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems, and airports to assess and predict changing levels of risk.

Special Functions

Saturday
SSS Executive Council Meeting, 12:00 - 5:00pm, Tremont Room

Sunday
SSS Executive Council Meeting, 8:00am - 5:00pm, Tremont Room

Monday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Opening Ceremonies / General Session, 1:30 - 3:30pm, Salons A-E. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus. Keynote Speaker: James P. Keller, Jr., MS, ECRI Institute

Tuesday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Sponsor/Exhibitor Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology
Sponsor & Exhibitor Reception, 6:30 - 8:30pm, Gloucester Room

Wednesday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
International Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK
Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00pm. Be in the hotel lobby at 6:00pm

Thursday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Awards Luncheon, 11:30am - 1:20pm, Salons A-E

Friday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Best Papers Presentations, 8:00 - 11:20am, Dartmouth Room

32nd International System Safety Conference, 4-8 August 2014, St. Louis, MO
St. Louis Union Station Marriott Hotel
Gateway to Safety

Local attractions:
• Gateway Arch Riverfront
• Missouri History Museum
• Museum of Transportation
• St. Louis Cardinals
• St. Louis Symphony
• St. Louis Union Station
• St. Louis Science Center
• The Contemporary Art Museum St. Louis
• Bissell Mansion Restaurant and Dinner Theater
• Missouri Botanical Gardens
• Laumeier Sculpture Park
• Anheuser-Busch Brewery
• Kemp Auto Museum
• Schlafly Bottleworks
• Fox Theater
• Purina Farms
• Meramec Caverns
• Laclede's Landing
• City Museum
• Magic House
• Grant's Farm
• St. Louis Zoo
• Delmar Loop
• Forest Park
• Harrah's
• Six Flags

About the System Safety Society
The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products, and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program, or activity at the planning phase and continues through the design, production, testing, use, and disposal phases.

The Society's Objectives:
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering, and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070
www.system-safety.org, email: systemsafety@system-safety.org

Points of Contact

Officers
Robert Schmedake, President, robertaschmedake@boeing.com
Dr. Rod Simmons, Executive Vice President, rodsimmons@me.com
Dr. Matt Johnson, Executive Secretary, mjohnson@staudertech.com
Pam Kniess, Treasurer, pamkniess@gmail.com
Gary Braman, Immediate Past President, gbraman@sikorsky.com

Directors
Gerry Einarsson, Chapter Services, einargk@rogers.com
Lynece Pfledderer, Conferences, Lynecepfledderer@lmco.com
Dr. Chuck Muniak, Education & Professional Development, cmuniak@stevens.edu
Debbie Hale, Gov & Intersociety, Hale0324@hotmail.com
Robert Fletcher, International Development, rwfletcher@sympatico.ca
Melissa Emery, Member Services, memery@apt-research.com
Steve Mattern, Mentoring, R&D, smattern@bastiontechnologies.com
Saralyn Dwyer, Publicity & Media, sdwyer@apt-research.com

Chapters
Tennessee Valley Chapter, AL: Don Swallom, swallom@isss-tvc.org
Saguaro Chapter, AZ: Amanda Boysun, 520-794-5487, AmandaBoysun@raytheon.com
Bay Area Chapter, CA: Graham Murray, 408-756-2674, grahamtmurray@lmco.com
Central California Chapter, CA: Kathleen Brenna, KathleenBrenna1@us.af.mil
Sierra High Desert Chapter, CA: Jerry Banister, 760-377-4690, safetycitadel@earthlink.net
Southern California Chapter, CA: Francis McDougall, 310-653-1309, francismcdougall@us.af.mil
Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppe@comcast.net
Georgia Chapter: Terry Gooch, 770-494-3527, terryjgooch@gmail.com
Winners Circle Chapter, KY/IN: Marc Bever, 812-854-1351, Marcbever@navy.mil
Twin Cities Chapter, MN: Bill Blake, 763-744-5086, billblake@atk.com
New England Chapter: Alan E. Southwick, 401-842-2067, Alan_E_Southwick@raytheon.com
Northeast Chapter: Scott Beecher, scottbeecher@pw.utc.com
New Mexico Chapter, NM: William (Bill) Harwood, williamharwood@mda.mil
Houston Chapter, TX: Derek Robins, 281-335-2011, derekrobbins@mwcc-usa.com
North Texas Chapter, TX: Frank Rinaldo, 817-762-3075, frankrrinaldo@lmco.com
Washington DC Chapter: Sean Peters, seanpeters@urs.com
Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerber@baesystems.com

International Chapters
Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbecht@rgbassurance.com.au
Canada Chapter: Maury Hill, 613-220-0533, Mauryhill@rogers.com
Israel Chapter: Haim Kuper, 972-4-8315044, haimkuper@elbitsystems.com
Singapore Chapter: Ten Lin Mei, tlinmei@dso.org.sg


31st ISSC Luncheon Menu

Tuesday, August 13
New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14
Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15
Caesar Salad
Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce
White Chocolate and Blood Orange Torte


Greetings from the Society President
As the newly elected Society President, I want to welcome you to the 31st International System Safety Conference. I have been working in system safety since 1985, and I find this to be a rewarding and exciting career field. What I have liked most about the field is the fact that I find every new assignment involves working with new and varied types of systems. I love the challenge, and I appreciate that I am fortunate to have a job where my work makes a difference in the safety of our systems. We as System Safety Professionals have the unique privilege of impacting our society in such a positive way.

This year marks the Golden Anniversary of our society, and we trust this year's conference will live up to your expectations. We have come a long way since the early days of this society. Technology has transitioned from vacuum tubes to liquid crystal displays, launching unmanned satellites to commercial space flights, computers the size of a room to tablets with more and more capability daily. Some of our founding members will be in attendance at this conference, and they will be participating in our opening session. I know I am looking forward to hearing from them and their unique challenges.

I am also looking forward to hearing about the unique challenges we face with the latest in technology in our society. The impact of new technology on society and the motivation to trust more of our safety critical applications to the latest in today's innovations creates ever steeper challenges for us. This conference helps us to meet the challenge. We have outstanding technical sessions, world leading safety professionals in attendance, opportunities to network, and opportunities to find solutions to our every day safety dilemmas.

Our Conference Chair Pam Alte and her team have done an outstanding job in putting together this conference. We have a number of interesting technical tracks at this conference. Our speakers include some of the biggest names in the field. Our sponsors are among the best in the industry, and clearly we value their contributions to making our world a safer place.

So thank you for coming to this conference. I hope you are looking forward to the opportunities we have in the coming week as much as I am.

Robert A. Schmedake, President, System Safety Society


A-P-T Research, Inc.: Protecting your most valuable assets
• System Safety Engineering & Analysis
• Mission Assurance
• Range Safety
• Test Planning
• Explosives Safety
• Software System Safety
• Industrial Engineering
• Quality Engineering
• Reliability Engineering
• Software Development & Modeling
• Independent Risk Assessments
• Standards Development
• Training

A-P-T Research, Inc., 4950 Research Drive, Huntsville, Alabama 35805
Phone 256-327-3373, Fax 256-837-7786, www.apt-research.com

Founded in 1990, APT (Analysis, Planning, Test) is an employee-owned small business located in Cummings Research Park near Redstone Arsenal in Huntsville, Alabama. Our corporate vision is to provide state-of-the-art expertise and ensure the highest levels of customer satisfaction.

Photo: Missile Defense Agency

Greetings from the Chapter President
Hear ye, hear ye, welcome to Boston for the 31st International System Safety Conference. Boston is the largest city in New England and one of the oldest in the United States. No hiding in your hotel – get out and enjoy the city's history, where key events of the American Revolution took place, including the Boston Massacre and the Boston Tea Party. For fun and entertainment, visit the Samuel Adams brewery and the Bull & Finch pub (from Cheers). We are all Red Sox fans this week, so feel free to visit Fenway Park or view the city from atop the John Hancock or Prudential buildings. Boston has a red brick trail through the city that leads you past many of the historical locations – it's called the Freedom Trail. Walking this path brings you from the Boston Common past locations including the Granary Burying Ground, the Boston Massacre site, Faneuil Hall, Paul Revere's house, and Old North Church, and then across the Charles River to the Bunker Hill Monument and USS Constitution.

The Northeast Chapter and SSS Executive Committee (EC) have worked hard with this year's Conference Chair, Pam Alte. If you run into Pam, make sure you stop and thank her for the volunteer hours and effort she has poured into this conference. The economy is providing challenges to pull together a successful conference, but Pam, with the EC's support, has been more than up to the task.

"Safety For The Long Run" is such a poignant theme for this year's Boston conference, with the Boston Marathon bombings bringing safety to the forefront. Other recent events such as aviation, train, and industrial accidents have sharpened the focus on how critical the safety discipline is in all our lives. For the conference we are all challenged to learn something new. I ask that all attendees stay engaged with the conference papers and presentations and promote the system safety discipline.

Scott Beecher, President, Northeast Chapter, System Safety Society

I fly Sikorsky. Because the mission is never the same.

I fly a Sikorsky BLACK HAWK helicopter for multiple missions. It's dependable and durable, and I have complete confidence in its proven performance. Sikorsky not only sets the standard for rotorcraft excellence and safety, they exceed it. It's evident in everything from the reliable performance of my BLACK HAWK to the way they support me in the field. There's simply no better helicopter for any requirement, whether it's utility, combat search and rescue, or firefighting. The way I see it, not every pilot gets to fly in a helicopter this good. But they should.

Sikorsky

Greetings from the Conference Chair
On behalf of the entire ISSC planning committee, I would like to extend a warm welcome to you. We have worked hard to make this conference a world-class success. Whether this is your first visit to Boston or you have been here before, I hope you get a chance to relax and enjoy our beautiful New England city. Boston has something for everyone, from historical sites to exciting downtown locations, sports arenas, and fabulous shopping. Our off-site event will be held in the Museum of Science, complete with Wolfgang Puck catering and our own private Lightning Show.

The System Safety Society is proud to host an annual conference that provides practitioners from different industries a chance to get together, network, and learn from each other. Unfortunately, the US budget sequestration restricted travel for Government workers, so our numbers are down this year. I would like to assure all attendees that although this year's conference will be smaller than previous years, the standards to which we held our papers and tutorials were not lowered. You can expect top notch presentations.

The theme for this year's conference, Safety for the Long Run, picks up on a number of parallels between the types of things one might do to prepare for a marathon race and elements of an effective system safety program. These include the importance of proper training, having a well thought out plan, getting off to a good start, avoiding obstacles and distractions, and keeping enough in reserve for a successful sprint to the finish. I think you will agree that this year's conference will help prepare you well.

One of our objectives was to try to attract more young people who could especially benefit from the knowledge and experience of many of the Society's "grey beards". We will have several student members in attendance, and I hope you will join me in making them feel welcome. I am also pleased to announce this year we will have a new track, lifecycle safety. These papers will discuss system safety as it moves past the development stage, which is where the majority of our previous discussions have stopped. In addition to our many papers and tutorials being offered, there is the potential for "Just in Time" sessions to be held. A board for suggesting topics you would like to have added to discussions will be located at the registration desk, or you can coordinate with Norm Gauthier, one of our Technical Co-Chairs.

We wish you an enjoyable and enlightening conference experience. Should there be anything you require to make your conference experience better, please don't hesitate to reach out to me, Cliff Parizo, or any of the other Conference Committee volunteers.

Again, enjoy your visit, and thank you for your support by being here. I would also like to send a big thank you to those who helped plan this conference, our sponsors & exhibitors, and especially to Sikorsky Aircraft for partnering with us to make this conference a reality.

Sincerely, Pam Alte, 31st ISSC Conference Chair

Speakers

Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus: Opening Ceremonies 50th Celebration Speaker
Rex Gordon is a 50 year Charter Member and current Historian of the System Safety Society. He is a past President and Editor of the Journal. He served as Chairman of the 2nd ISSC and of both the Northeast and Southern California Chapters. He has represented the Society on the boards of the Reliability and Maintainability Symposium (RAMS) and Certified Safety Professionals (CSP). He is a Chapter Member and past Chairman of the Government Electronic Industries Association (GEIA) G-48 System Safety Committee. He has co-authored two text books and over 15 published papers. He has lectured at the George Washington University and USC. He has represented the Society at functions held in the White House, the Pentagon, and in Germany, Holland, and Paris.

He is retired after 40 years of employment as a System Safety Engineering Specialist, Manager, and Consultant. He currently lives with his wife of 61 years in Fallbrook, CA.

James P. Keller, Jr., MS, ECRI Institute: Keynote Speaker
As Vice President, Health Technology Evaluation and Safety, James Keller directs ECRI Institute's internationally recognized Health Devices Evaluation Program, which provides independent judgment and guidance to help hospitals and health systems select and manage medical devices. The program was referred to by the New York Times as the "country's most respected laboratory for testing of medical products". He serves as a member of ECRI Institute's Executive Committee, which is responsible for overall governance of ECRI Institute operations.

Mr. Keller is also responsible for the Health Devices Alerts notification service for medical product hazards and recalls; Alerts Tracker, a web-based tool for managing hazards and recalls of medical products; Biomedical Benchmark, a resource to help hospitals manage their medical equipment service activities; an annual series of interactive webinars on health technology issues; and the International Medical Device Problem Reporting System.

Mr. Keller is a recognized expert and frequently invited speaker on a wide range of health technology-related topics, including patient safety, equipment management, strategic planning and forecasting, device utilization, nomenclature and asset management, and the convergence of medical devices and information systems. He is a regular contributor to ECRI Institute's Patient Safety Blog and is routinely sought out by the news media for his expertise on a variety of health technology concerns.

Mr. Keller is President of the board for the American College of Clinical Engineering and is a member of the board for the Health Technology Foundation. He joined ECRI Institute in 1984 after completing a Master of Science degree in biological engineering from the University of Connecticut and a Bachelor of Science degree in zoology from the University of Massachusetts.

Dr. Nancy Leveson, Massachusetts Institute of Technology: Sponsor & Exhibitor Luncheon Speaker
Dr. Leveson holds a PhD from UCLA. She was a Computer Science professor at the University of California, then became Boeing Professor of Computer Science and Engineering at the University of Washington.

Professor Leveson's research focuses on topics related to the design of complex systems containing software, hardware, and human components. Her goal is to stretch current limits of complexity and intellectual manageability of the systems we can build with reasonable resources and with confidence in their expected behavior, particularly safety. Current research topics include model-based system and software engineering, system and software safety, software requirements specification and analysis, human-computer interaction, reusable component-based system architectures, interactive visualization, human-centered system design, and comprehensive approaches to risk management that include the organizational, political, managerial, and social aspects of system construction and operation. New work is starting in security. Current applications include space, aircraft, autos, rail systems, nuclear power, medical devices, hospital safety, defense systems, and others.

Dr. John McDermid, The University of York, UK: International Luncheon Speaker
Professor John A. McDermid has been Professor of Software Engineering at the University of York since 1987, where he runs the High Integrity Systems Engineering (HISE) research group. He was also Head of the Department of Computer Science from 2006 to 2012. The HISE research group studies a broad range of issues, mainly in systems, software, and safety engineering, and works closely with the UK aerospace industry, but has worked in a number of domains including automotive, medical, and railways.

In 2010 he was appointed a Consulting Professor at Beijing Jiaotong University (BJTU) and now runs a collaborative research programme in railway safety with BJTU, known as the Railway Safety Technology Research Centre (RSTRC). He has extensive experience as a consultant, including advising the Ministry of Defence (MoD) on the development of DS 00-56 Issues 3 and 4. He is a member of the UK Defence Scientific Advisory Council. He is author or editor of six books and has published approximately 360 papers.

Schedule: Monday 12 August
4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Rooms: Salons A-E, Berkley, Clarendon

8:00 - 8:50
Berkley, Hazard Analysis (Chair: Barondes): Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models (Wind, Schedl, Floetzer)
Clarendon, Ground Transportation (Chair: Millin): Achieving Safety Confidence of a Large Scale System Product and its Applications (Shi)

9:00 - 9:50
Berkley, Hazard Analysis: Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees (Rainey)
Clarendon, Ground Transportation: Failure Logic Automata for Future Oriented Safety Assessment of Train Control System (Zhou, Zhao)

10:30 - 11:20
Berkley, Hazard Analysis: The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment (Jaradat, Graydon, Bate)
Clarendon, Ground Transportation: Are We Ready for Driverless Cars? (West)

Lunch Break, Salons A-E

1:30 - 2:20 and 2:30 - 3:20
Salons A-E, Opening Ceremonies General Session: 50th Celebration Speaker Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus; Keynote Speaker James P. Keller, Jr., MS, ECRI Institute

Rooms: Exeter, Fairfield, Wellesley

8:00 - 11:20
Exeter, Tutorial: Hands-On System Safety Basics Focused On FHA (Winkelbauer, Schedl) (3 hrs)
Fairfield, Tutorial: Introduction to Fault Tree Analysis Using CAFTA Software (Roy) (3 hrs)
Wellesley: Committee & Group Meetings

sCheDUle tUeSday 13 aUGUSt4th Floor 800 - 500 Registration Simmons Room 630 - 800 Speakersrsquo Breakfast Regis Room 800 - 500 Presenter Prep

Arlington Berkley Clarendon Dartmouth800 - 850

Tutorial

A Tutorial on STPA A New More Powerful Hazard Analysis Technique Leveson Thomas (6 hrs)

HazardRisk Management (Parizo)

Safety is not an OptionParizo Daugherty

Workplace Safety (Kondreck)

Thermal Protection and Thermal Comfort An Evaluation of the Fabrics Used in Chefrsquos Uniforms Against Thermal Hazards in the KitchenZhang Batcheller McQueen

Open Forum (Fletcher)

Developing Global System Safety Perspectives

900 - 950

National Aerospace Standard 411 UpdateSheehan

A Roadmap for Future Noise Control in Acquisition Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise SourcesFischer Yankaskas Page

1030 - 1120

Linear Integrated Safety Analyses (LISA)Grant Muhammad

System Safety Design for Safe Operation of RadarsBartos

Sponsor amp Exhibitor Luncheon Salons A-E Guest Speaker Dr Nancy Leveson Massachusetts Institute of TechnologyMenu New England Clam Chowder Grilled Sirloin Shiitake Mushroom Risotto Seasonal Vegetables Port Wine ReductionKey Lime Tart in a Hazelnut Crust Blackberry Pate de Fruit130 - 220

Tutorial (continued)

Software Engineering (Mikula)

Dependability Techniques Applied to Space Software - A Research Project ReportLahoz Abdala

Aerospace Safety (Kraemer)

Systems-Based Approach to Flight Safety Management in AirlinesChi Xu Qi Shao

Software Safety (Schmedake)

Safety andvs Security Towards a System Engineering Approach for TrustSchoitsch

230 - 320

The Principles of Software Safety AssuranceHawkins Habli Kelly

Use of Master Minimum Equipment List (MMEL) To Ensure Safe DispatchDurmaz

Anatomy of a Safety Critical Software FunctionChurch

400 - 450

Formal Modelling in the Development of Dependable SystemsTroubitsyna

Safety Culture An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in AeronauticsCampbell

Software Risk The Third Rail of Safety AnalysisHildreth Elcock

630 - 830

Sponsor amp Exhibitor Reception Gloucester Room

ProgramISSC2013

15

Exeter, Fairfield, Suffolk, Wellesley

8:00 - 8:50

Workshop

ISO 26262-Style Risk Assessment – Joyce (3 hrs)

Tutorial

Assurance Cases As Means of Evidence Based Developed of Critical Systems – Despotou (3 hrs)

Tutorial

Practical Generation of Safety Cases With the Help of GSN – Gerstinger, Schedl (3 hrs)

Committee & Group Meetings

9:00 - 9:50

10:30 - 11:20

1:30 - 2:20

Workshop

Application of System Safety Methods to Systems of Systems – Joyce, Debouk, Vergara (3 hrs)

Workshop

Advancing Safety By Reducing Errors: A Fresh Approach – Autrey (3 hrs)

Tutorial

Improving Safety Management by Using a Risk Management Policy in Your Daily Operations – Fitzgerald (3 hrs)

Committee & Group Meetings (continued)

2:30 - 3:20

4:00 - 4:50


SCHEDULE: WEDNESDAY 14 AUGUST. 4th Floor: 8:00 - 5:00 Registration. Simmons Room: 6:30 - 8:00 Speakers' Breakfast. Regis Room: 8:00 - 5:00 Presenter Prep

Arlington, Berkley, Clarendon, Dartmouth

8:00 - 8:50

Human Factors (Robins)

ASL: Affective Safety Leadership – Ramsing

Public Safety (Fletcher)

The Study on the Accident Causation Rule of Macroscopic Accidents in China – Zeng, Luo, Tian

Lifecycle Safety (Swallom)

Maintenance Hazard Analysis – Tan

9:00 - 9:50

Exxon Valdez: Human Error Plain and Simple – Barondes

Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity – Zheleznov

Development of a System Safety Case for Automotive Electric/Electronic Systems – Sundaram, Hartfelder

10:30 - 11:20

Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems – Vernacchia, Green, Llaneras

Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation – Smirnov, Yurkov, Syagin, Koshina

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes – Laabs, Allison, Russell

International Luncheon, Salons A-E. Guest Speaker: Dr. John McDermid, The University of York, UK. Menu: Asian Inspired Salad; Teriyaki Chicken, Coconut Rice, Seared Bok Choy; Triple Chocolate Tower (White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce)

1:30 - 2:20

Workshop

The Evolution of the UK Defence Safety Standards – McDermid

Safety Topics (Gauthier)

Introducing Safety Assurance Influenced Design of Health IT Systems – Despotou, Luckcuck, Kelly, Jones

Risk Assessment (Karedes)

Quantitative Risk Assessment in Aviation Safety Risk Management – Hewitt, Pham

Tutorial

Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System – Behnke, Damstra, Villhauer (2 hrs)

2:30 - 3:20

How Complex Systems Fail-I: Decomposition of the Failure Histogram – Zito

4:00 - 4:50

6:00 - 10:00

Wolfgang Puck Dinner and Lightning Show at the Museum of Science


Exeter, Fairfield, Suffolk, Wellesley

8:00 - 8:50

Human Factors II (Flint)

Development of Education Program Integrating Flight Safety and Psychological Stress – Liu, Wang, Liu, Bai, Guo

Tutorial

Why You Should Care About the "-Ilities" – Southwick (3 hrs)

G-48 Meeting

West (6 hrs)

Committee & Group Meetings

9:00 - 9:50

Research on Evaluation Index and Method of CRM Dynamic Training – Wang, Liu, Bai, Liu, Guo, Guo

10:30 - 11:20

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events – Garvey, Joglar, Collins

1:30 - 2:20

Tutorial

Where Hard Meets SOFT: Human Factors Role In System Safety Engineering – Brisbois (2 hrs)

Workshop

Aircraft Fire & Explosion: How Safe are the Friendly Skies – Moussa

G-48 Meeting (continued)

Tutorial

Using Risk Profiles for Safety Management of Large Scale Operations – Fitzgerald (3 hrs)

2:30 - 3:20

4:00 - 4:50


SCHEDULE: THURSDAY 15 AUGUST. 4th Floor: 8:00 - 5:00 Registration. Simmons Room: 6:30 - 8:00 Speakers' Breakfast. Regis Room: 8:00 - 5:00 Presenter Prep

Berkley, Clarendon, Dartmouth

8:00 - 8:50

Space Systems (Durmaz)

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy – Dang, Moran, Jackson

Weapons Safety (Southwick)

Security Critical Software — the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age – Alborzi

Hazard Identification (Oliver)

Closing the Gaps in System Safety Coverage – Siow

9:00 - 9:50

Tailoring of MIL-STD-882E for Space Systems Acquisitions – McDougall, Jackson

Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics – Adams, Tomasello

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods – Myklebust

10:30 - 11:20

Cryogenic Safety for Space Launch Vehicles During Ground Operations – Iyengar

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects – Pham, Sivapragasam

Design With Safety Eye – Erdem, Aydin

Awards Luncheon, Salons A-E. Menu: Caesar Salad; Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce; White Chocolate and Blood Orange Torte

1:30 - 2:20

Aerospace Software (Beecher)

Making the Implicit Explicit: Towards an Assurance Case for DO-178C – Holloway

Public Safety II (Laabs)

Integrating System Safety and Emergency Management – Hardy

Hazard/Risk Management II (Kniess)

Towards Automatic Verification of Safety Properties in AADL System Models – Björnander, Graydon, Land

2:30 - 3:20

Uncertainty and Confidence in Safety Logic – Graydon

Safety in Deepwater Well Containment Operations – Robins

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events – Allison, Jerdak

4:00 - 4:50

Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System – Yang, Xie, Yousefi

A Taxonomic Analysis On Chinese Special Equipments "Yinhuan" in Supervision – Fan, Luo, Lu

Leading Indicators in Aviation Operations – Fletcher, Dokas


Exeter, Fairfield, Suffolk, Wellesley

8:00 - 8:50

Tutorial

Conceive of Modeling On Operation Mechanism of Public Safety Standardization – Luo, Huang (6 hrs)

Panel

G-48: Pressing Issues Facing System Safety – West (3 hrs)

Committee & Group Meetings

9:00 - 9:50

10:30 - 11:20

1:30 - 2:20

Tutorial (continued); Committee & Group Meetings (continued)

2:30 - 3:20

4:00 - 4:50

FRIDAY 16 AUGUST. Simmons Room: 6:30 - 8:00 Speakers' Breakfast

Clarendon, Dartmouth, Regis

8:00 - 8:50

Workshop

Process Safety Culture Best Practices – Pearlman (2 hrs)

Best Paper 1

Lessons Learned & ISSC Staff Turn-over Meeting

8:50 - 9:30

Best Paper 2

10:00 - 10:40

10:50 - 11:30


3 2 1 SAFETY. System safety is paramount. It impacts our products, employees, technicians and maintenance personnel. And safety is no accident – it is designed into everything we do. We are proud to sponsor this year's International System Safety Conference and their mission to think outside the box when it comes to the best processes, methods and techniques. We're committed to delivering innovative ideas and solutions that help connect, protect and explore our universe.

www.lockheedmartin.com/ssc

© 2012 Lockheed Martin Corporation



TUTORIALS

The conference organizers have an information-packed tutorial program planned in conjunction with the 31st ISSC. Attending tutorials, as well as other elements of the Technical Program at the 31st ISSC, meets the requirements for Continuance of Certification credit through the Board of Certified Safety Professionals (BCSP). The University of Cincinnati will issue Continuing Education Units (CEUs) for participation in the conference tutorials. CEUs are issued on the basis of 0.1 CEU per instructional contact hour. You must be present for at least 90% of the tutorial to receive CEUs and a tutorial completion certificate. Your attendance is verified via the process outlined below.

• At the start of the tutorial, you'll clearly print your name in the attendance form exactly as you want it to appear on the certificate.
• After returning from each break during the tutorial (morning, lunch and/or afternoon), you'll initial the attendance form.
• You must be present at the end of the tutorial to receive your certificate and the CEUs.

If there are misspellings on the CEU certificates, please mark the corrections and give them back to the instructor or leave them at the registration desk.

Monday 08·12·13, 8:00-11:30, Exeter, Tutorial, 0.3 CEU

Hands-On System Safety Basics Focused on FHA
Instructors: Werner Winkelbauer, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria

An overview of a generic safety process, best suited for small to medium sized projects, is given in relation to the project lifecycle. For each major project phase, the respective safety process phase, safety objectives, and necessary inputs and outputs are detailed. Some state-of-the-art analysis techniques are explained. Special emphasis is placed on the Functional Hazard Assessment, where practical guidance for a Functional Failure Modes and Effects Analysis is presented.

The content of this tutorial is based on experience from an internationally operating company.

Objective: Basic understanding of a safety process and the practical implementation of a Functional Failure Modes and Effects Analysis.

Monday 08·12·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Introduction to Fault Tree Analysis Using CAFTA Software
Instructor: Jean Francois Roy, Nuclear Division/Risk & Safety Management Group, Electric Power Research Institute, Palo Alto, CA, USA

This tutorial will introduce Fault Tree Analysis using CAFTA Software. Attendees will first review fault tree methodology and terminology. Construction of a fault tree model in CAFTA will then follow a brief review of CAFTA's components and symbol types. In constructing the fault tree model, topics covered will include projects, navigation, editing shortcuts, and how to add probabilities. An overview of basic event probability formulas, type codes and variables will be included, as well as printing and quantification processes.

Tuesday 08·13·13, 8:00-5:00, Arlington, Tutorial, 0.6 CEU

A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique
Instructors: Nancy G. Leveson, PhD, John Thomas, PhD, Aeronautics and Astronautics, MIT (Massachusetts Institute of Technology), Cambridge, MA, USA

STAMP is a new accident causality model that expands on the old models in order to handle the increased complexity, software, and changing human roles in today's systems. Using STAMP as a foundation, new tools have been built for hazard analysis (STPA), accident analysis (CAST), organizational risk analysis and risk management, etc. This tutorial will concentrate on STPA. The tutorial will start with a brief introduction to STAMP and the systems approach to safety engineering. The rest of the time will be devoted to learning STPA and doing exercises. Students are encouraged to bring problems from their own research domains so that they can try this analysis method on something very relevant to their work.

STPA is being used successfully in almost every industry. Several groups have evaluated STPA empirically by comparing the results with standard hazard analysis techniques. In all cases, STPA found all the hazard scenarios found by the other methods but also found additional ones involving software, human errors, and unsafe interactions among system components. In a couple of cases where STPA and the other methods were applied to a design in which an accident had occurred (without telling the analysts), STPA was the only method that found the real accident scenario.

By the end of the tutorial, attendees will be able to apply STPA to a system in their field of expertise.

Tuesday 08·13·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Assurance Cases as Means of Evidence Based Developed of Critical Systems
Instructor: George Despotou, BEng, MSc, PhD, CEng, Department of Computer Science, University of York, York, United Kingdom

Often developers have the onus to defend a position (i.e. make a case) about the safety of their system. This usually involves an explanation of how the available information for a system supports the claim that risks in a system have been acceptably managed.

Safety cases have been used in the safety domain for a number of years, mostly in the defence, aerospace and energy domains. Their usefulness as a tool for improving safety has been appreciated by many practitioners, and development of a safety case is a requirement in many standards. This has resulted in the core concepts of safety cases being transferred to other domains (e.g. automotive) and their focus on other system attributes (e.g. security cases). Recently the term assurance case has been introduced, which encompasses not only safety but other relevant critical aspects of a system, such as security.

A case exists to communicate an argument. It is used to demonstrate how someone can reasonably conclude that a system is acceptably safe from the evidence available. A case is a device for communicating ideas and information, usually to a third party (e.g. a regulator). In order to do this convincingly, it must be as clear as possible. Safety case definitions may differ between domains, but all definitions converge on a set of characteristics.

Development of a (safety) case is a requirement in many standards. However, the usefulness of the safety case has also been appreciated in industry, and it is used by many organisations as good practice. The reason for this is that explicitly capturing all reasoning and information (about the supported position), such as assumptions and evidence, facilitates assessing the fitness of the design to meet its (safety) objectives. A manufacturer will design a system aiming to achieve the required operational attributes. However, what is intended is often not what is achieved. Once the reasoning of the developers is explicitly documented as claim and argument supported by evidence, the gap between what was intended and what was achieved becomes more apparent.

Explicitly documenting a case will contribute towards the factual representation of the system, revealing which claims can be supported by evidence and which remain intention (for example because there is insufficient evidence to support them). This may not necessarily imply that the latter claims have not been implemented, but that we are unaware of their achievement as they are not sufficiently supported. There can be three reasons why a claim is not sufficiently supported: a) there is not sufficient evidence to warrant the claim; b) although there is evidence, there is inadequate explanation (a problematic argument structure) as to how the evidence supports the claim; and c) the claim was phrased in a way that is unsupportable.

The tutorial describes the basic concepts of assurance and safety cases (including recent OMG standards), explains the main challenges in developing an assurance case and their relationship to safety standards (safety cases and standards serve different purposes and should be seen as complementary), and presents best practice (and misconceptions) regarding assurance cases.

Tuesday 08·13·13, 8:00-11:30, Suffolk, Tutorial, 0.3 CEU

Practical Generation of Safety Cases with the Help of GSN
Instructors: Andreas Gerstinger, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria

This tutorial will introduce you to the concept of safety cases. Safety cases are structured arguments that support the claim that a system is safe to be used for a given application in a given environment. Several standards require the production of such safety cases as a prerequisite for approval. The tutorial will highlight good and bad practices when developing safety cases and will introduce you to a notation specifically developed for the generation of safety cases: the Goal Structuring Notation (GSN). There will be practical examples which need to be solved by the attendees, so that hands-on practice and experience is gained.

Detailed outline of the tutorial:

Introduction (1h): The tutorial will start with a survey of current safety standards (IEC 61508, ISO 26262, EN 50128, DO-178C) and analyse their views and requirements regarding safety cases. We will then delve into the nature of safety cases, briefly touch on their historical origins, and clearly consider what can and what can't be expected from a safety case. Based on our practical experience, we will also highlight some typical bad practices when constructing safety cases. This helps to correctly and critically read them and is also a helpful guideline for reviewing other safety documentation. This part of the tutorial is largely a presentation.

Goal Structuring Notation (45min): We will now introduce the main elements of the Goal Structuring Notation (GSN), which is a helpful tool to document safety cases. The presentation of the notation will be interleaved with brief examples, exercises and questions, so that attendees have the chance to fully understand the meaning and purpose of the various symbols. A structured method for how to proceed when drafting safety cases will also be presented. Hence this part of the tutorial is much more interactive, requiring active participation of attendees.

Case Study (45min): A realistic case study will then be handed out. It is expected to be solved as group work (groups of 3-5 people are expected). The task of the groups will be to draft and present a sound safety argument for a given claim that the system in the case study is acceptably safe for a specific application in a given environment. GSN shall be used as the notation for this purpose. At the end, the groups present their solutions and the advantages/disadvantages of the presented solutions are discussed. This part of the tutorial is group work.

Concluding Remarks (30min): Finally, we will offer some concluding remarks consisting of hints on how to avoid common errors and fallacies in safety cases, show some examples of real-world safety cases, and finish with a personal conclusion.

Tuesday 08·13·13, 1:30-5:00, Suffolk, Tutorial, 0.3 CEU

Improving Safety Management by Using a Risk Management Policy in Your Daily Operations
Instructor: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA

The focus of the tutorial is the use of risk assessment and risk management in the (non-technical) occupational safety and health profession. Domain of Interest: Hazard/Risk Management or Workplace Safety.

First hour: Review the basics of the various components of risk and types of risk assessments. Stress that the safety and health professional needs to understand that risk is more than a simple subjective measure of severity and frequency.

Second hour: Demonstrate how to make risk assessment into a powerful management tool by customizing the assessment of risk for use in a company or industry. Also provide insights on how to "sell" a risk management policy/program within a company.

Third hour: A discussion of how to use risk management as a tool to aid you in your daily office or program management responsibilities: the planning, organizing, staffing, leading and controlling of a safety program. Embedded in the discussion is how risk can provide a measure of the success of an occupational safety and health program.

Wednesday 08·14·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Why You Should Care About the "-Ilities"
Instructor: Alan E. Southwick, BSEE, MME, MBA, CSP, CQE, CRE, Whole Life Engineering Directorate, Raytheon Company Integrated Defense Systems, Portsmouth, RI, USA

The topic addresses the interrelationships developed from Quality, Quality Control and Quality Engineering pursuing Specialty Engineering Roles and Relationships, including Reliability, Maintainability, Supportability, Human Factors, Safety and Security (Information Assurance), from an overview perspective. The tutorial is designed to be somewhat interactive, presenting examples and questions to the audience related to the various topics discussed, thereby engaging participants and providing them with insights into the various disciplines and how they relate within "Specialty Engineering".

Wednesday 08·14·13, 1:30-3:30, Dartmouth, Tutorial, 0.2 CEU

Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System
Instructors: Tim R. Behnke, BSEE; John Damstra, BS Mathematical Sciences; and Eric D. Villhauer, BS Aerospace Eng, BA Economics; Specialty Engineering, General Atomics Aeronautical, Poway, CA, USA

The presenters share their implementation of a hazard analysis that integrates the civil aviation approach to safety analysis per SAE ARP 4761 and the defense approach to safety analysis per MIL-STD-882E, along with their implementation of the associated hazard tracking system in DOORS.

• Introductions - Behnke - 5 mins
• Need for System - Behnke - 5 mins
• Groundwork (historical) - Behnke - 10 mins
• Development - Damstra - 30 mins
  i. Modules
  ii. Attributes
  iii. DXLs
  iv. Views
  v. Exports
• Usage - Villhauer - 30 mins
• Questions - All - 10 mins


Wednesday 08·14·13, 1:30-3:30, Exeter, Tutorial, 0.2 CEU

Where Hard Meets SOFT: Human Factors Role in System Safety Engineering
Instructor: Fred W. Brisbois, CHCM, Safety, Sikorsky Aircraft, International Helicopter Safety Team, Guilford, CT, USA

The gap that allows accidents to happen is sometimes where System Safety Engineering and Human Factors don't overlap. System Safety Engineering processes defined in MIL-STD-882 and ARP 4761 provide a structured approach of applying engineering practices to ensure safety is designed into products. These practices, coupled with robust product safety surveillance and management during the aircraft's service life, offer opportunities to continuously raise the standards for future designs. However, to maximize the benefits of safety engineering, it is important to master the 'art' of how and when to integrate human factor interventions into the system design. This session will cover a generic overview of system safety engineering, aircraft fleet safety management, and lessons learned from 'human' malfunctions that led to aircraft system design changes.

Wednesday 08·14·13, 1:30-5:00, Wellesley, Tutorial, 0.3 CEU

Using Risk Profiles for Safety Management of Large Scale Operations
Instructor: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA

This tutorial provides safety and health professionals who work with large scale or multiple operations with a methodology to evaluate and compare these operations. The tutorial begins with a review of four types of risk which need to be assessed (People, Product, Production and Planet). This is followed by a brief discussion of normalizing the risk components of severity and probability. The heart of the tutorial is the description of how to measure the total risk of various operations, processes and facilities and present the resulting risk profiles to management. The tutorial will conclude with a brief discussion on the validity of the methodology used. Note: This is not a discussion on how to determine true total risk, but a simplified method using a minimum of math. The tutorial is designed for safety and health professionals working within a company that has multiple processes or facilities that compete for funding to ameliorate hazards.

Thursday 08·15·13, 8:00-5:00, Exeter, Tutorial, 0.6 CEU

Conceive of Modeling On Operation Mechanism of Public Safety Standardization
Instructors: Yun Luo and Yuecheng Huang, ME School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

On the basis of theories and methods of system science and strategy-system, this paper revealed the operation law of standardization of safety production and the relations between all the elements, combined with the background and current situation of public safety standardization in China. It also built the frame of the macroscopic operating mechanism and the "456" model of the work safety standardization system operation mechanism, which borrowed the idea from the execution and achievement of work safety standardization in our country. Besides, it also designed six other mechanism models in order to do systematic analysis and present optimized countermeasures, such as comprehensive management by government, categorized supervision by department, implementing responsibility by organization, technological service by agency, wide participation by society, self-disciplined prodding by entire personnel, and so on. The research provided some theoretical directions as well as approaches for constructing and improving the operation quality of public safety standardization.


PANEL DISCUSSIONS / FORUMS

Tuesday 08·13·13, 8:00-11:30, Dartmouth, Open Forum

Developing Global System Safety Perspectives
Moderator: Robert Ward Fletcher, PEng, MSc, PMP, PCIP, Consultant, President, Robert Fletcher System Safety Inc., Ottawa, Ontario, Canada

This will be a free form discussion moderated by Bob Fletcher, SSS Director of International Development. It is a continuation of the discussion started during the 30th ISSC.

Robert is a system safety engineer with many years of experience. He has performed system safety consultancy services work for several clients around the world. He has performed system safety engineering and safety management systems training, auditing and analysis for air traffic control and flight service system applications. Robert has received an MSc from the United States Navy Post Graduate School, a diploma from the Aerospace Systems School, Winnipeg, Manitoba, and a Bachelor of Science degree from the Royal Military College. He is a registered professional engineer, a member of the Project Management Institute and the Critical Infrastructure Institute.

Thursday 08·15·13, 8:00-11:30, Suffolk, Panel

G-48 Workshop - Pressing Issues Facing System Safety
Moderator: David B. West, CSP, PE, CHMM, Systems Software and Solutions Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA

A panel of speakers (TBD) will give a series of presentations on the most pressing issues facing the System Safety community today.

WORKSHOPS

Tuesday 08·13·13, 8:00-11:30, Exeter, Workshop

ISO 26262-Style Risk Assessment
Presenter: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada

ISO 26262 is a functional safety standard for electronic control systems in road vehicles which includes a novel approach to risk assessment that overcomes the widely recognized difficulty of evaluating the likelihood of failure in the case of software-intensive systems. Although it was devised for use in the automotive domain, this approach to risk assessment has been used successfully in other technical domains that also rely on safety-critical software. Following a brief introduction to ISO 26262, participants will engage in a series of problem-solving small-group exercises based on examples taken from a variety of technical domains, including automotive, medical devices, energy and defense. The workshop will include opportunities for discussion and comparison of sample solutions. The workshop will also include a brief comparison of the ISO 26262 approach to risk assessment with the notion of software criticality in MIL-STD-882E. While this workshop will be of particular interest to system safety engineers in the automotive industry, it is intended to be relevant to system safety engineers across all technical domains with an interest in the assessment of safety risk associated with complex software-intensive systems.


Tuesday 08·13·13, 1:30-5:00, Exeter, Workshop

Application of System Safety Methods to Systems of Systems
Presenters: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada; Rami Debouk, Electrical and Controls Integration Lab, General Motors, Warren, MI, USA; Antonio Vergara, ITER Organization, St Paul-lez-Durance, France

This workshop will facilitate an exchange of knowledge among participants about the application of system safety methods to Systems of Systems (SoS) – that is, systems whose components are themselves complex systems, such that the combined behavior of these components cannot be easily understood or explained in terms of the behaviors of the individual components. Examples of such systems are increasingly common across a variety of technological domains, including aerospace, defense, automotive and energy generation/distribution. Traditional methods of system safety, focused on component failure as a source of safety risk, have limited value in understanding and managing the safety risks associated with a SoS. For example, an unforeseen interaction between two "correct" behaviors implemented by different components of a SoS may result in an unsafe behavior even in the absence of a component failure. The first part of the workshop will be a series of short presentations on SoS examples from a diverse variety of technical domains - namely advanced road vehicles, high energy physics and aerospace/defense. The second part of the workshop will be an opportunity for all participants to address specific questions about the application of system safety methods to SoS through dialogue and impromptu mini-presentations.

Tuesday 08·13·13, 1:30-5:00, Fairfield, Workshop

Advancing Safety By Reducing Errors: A Fresh Approach
Presenter: Tim Autrey, BSc, Error Reduction and Human Performance Enhancement, Practicing Perfection Institute Inc., Swanzey, NH, USA

Potential hazards workers face while working in the refining and petrochemical industry can vary from minor leakage to major blasts: release of chemical vapors, spills leading to exposure to harmful gaseous chemicals, fires and explosions, and smoke build up causing shelter-in-place impacting the local community, personal injuries, fatalities and plant damage resulting in shut downs. Considering time pressures, the dangerous nature of the job, weather conditions, lack of communication, poor/inadequate documentation and remote working locations, planners, locators and refiners often face combined challenges that generate very error-likely conditions.

While unexpected releases of toxic substances do occur, the industry is subject to vulnerabilities caused by others (such as processes involving highly hazardous chemicals leading to the release of flammable liquids and gases, and worker stress and fatigue), and investigations reveal that many of the major accidents that do occur could have been prevented through greater diligence on behalf of the respective personnel involved.

This workshop is designed to provide the participants with the awareness that as humans we are fallible (even the best people make mistakes). However, this being said, as humans we also possess the incredible power of choice. What we must do is choose to learn from our mistakes and take actions to prevent their recurrence.

Bird and Germain (1996) rightly said, "What is the sense of measuring if the loss must occur before you can act? That is reaction, not control." What we need is a fresh approach to enhance safe work practices. This session will instill a strong understanding of "The Gap" in processing information and how to RESPOND rather than REACT when posed with a stressful or threatening situation. The participants will come to recognize the value inherent in worker contribution to solving problems and improving safety and efficiency.

The Practicing Perfection® approach has taken the best-of-the-best tactics and tools from the US commercial nuclear power and airline industries, simplified them, and combined them with underlying triggers and influencers of behavioral psychology to transform worker behaviors pertaining to personal and process safety in different sectors.


Using this innovative approach of Practicing Perfectionreg safe work practices will be discussed in-depth using the four human error barrierdefense categories and how these work together to preventallow an event to occur The participants will be introduced to the Error Elimination Tools trade handbook which offer simple tools for minimizing the potential for error at points of team interaction and individual execution

WEdnEsday 08middot14middot13 130-330 arlington Workshop

The Evolution of the UK Defence Safety StandardsJohn McDermid Professor of Software Engineering at the University of York UKIssue 5 of DS 00-56 is being developed and is likely to be in force before the end of the year The UKrsquos primary defence safety standard DS 00-56 has been in existence since mid-1990 and has undergone a number of changes becoming more goal oriented at issue 4 (the current standard) When issue 4 was produced DS 00-55 the MoD software safety standard was discontinued Since the publication of DS 00-56 Issue 4 in 2007 there has been feedback on some of the requirements including the challenges of applying the ALARP principle defence contracting has changed with a move towards the greater procurement of services andor outsourcing management of facilities and increasing use of Systems of Systems (SoS) Issue 5 of DS 00-56 is being developed to address these issues At the same time there have been increasing concerns regarding software safety and it has been decided to re-introduce DS 00-55 at the same time albeit in a goal-based style consistent with DS 00-56 and also covering complex electronics The tutorial will present an explanation of the motivation for the changes to the standards the significant conceptual changes and outline the rest of the development process Time will be allowed for discussion eg the relationship between DS 00-56 and other standards both civil and military

Wednesday 08·14·13, 1:30-3:30, Fairfield, Workshop

Aircraft Fire & Explosion – How Safe Are the Friendly Skies?
Albert Moussa, PhD, PE
While commercial air travel is an extremely safe mode of transportation, aircraft fires and explosions can occasionally occur with catastrophic consequences. Using examples of recent accidents and full-scale testing, Dr. Albert Moussa will provide an overview of the main types of fires, such as those involving aircraft engine, fuel tank, cabin and cargo areas. He will show how major accidents lead to safety recommendations by the NTSB, stricter requirements by the FAA and improved practices by the industry. This process takes many years, leading eventually to safer skies. Examples of safety improvements include the use of a fire blocking layer in seats, improved acoustic insulation, fire detection and suppression systems in cargo bays, and fuel tank inerting. The implications of replacing aluminum with composite materials will also be discussed. The talk is an overview of a unique professional course that he teaches annually on the design of aircraft systems for protection against fire and explosion. The talk is a multi-media presentation illustrated with colorful slides and short video clips of real accidents and computer model outputs.

Dr. Albert Moussa has spent over forty years developing a fundamental understanding of fire and explosion, particularly for the aerospace/defense industry. His work has led to the development of a number of practical solutions and quantitative models, and to the investigation of several major national and international aircraft fire accidents. His forewarning about the vulnerability of aircraft fuel systems before the occurrence of the TWA800 and Concorde disasters has gained him prominence in the general media in both the US and Europe. He has consulted for the Air Force, Navy and major firms such as Boeing, GE, Northrop Grumman and Parker Hannifin, and has served on national advisory committees and on the Editorial Board of an ASME Journal. He teaches a unique professional design course on how to protect aircraft systems against fire and explosion. He received his BS from Stanford University and his MS and ScD from MIT. He has published widely, including one book. He has received several honors, including the William Littlewood Memorial Lecture Award by SAE/AIAA, Engineer of the Year by AIAA NE Section, best papers by SAE and ASEI, AIAA Distinguished Lecturer, and several ASME citations. He is the Founder and Technical Director of BlazeTech Corp., an engineering firm that specializes in technology and software development in the area of energy, environment and safety.

Program ISSC 2013

Friday 08·16·13, 8:00-10:00, Clarendon, Workshop

Process Safety Culture Best Practices
Presenter: Laurence Pearlman, MA, Corven Inc. and University of Illinois at Urbana-Champaign, Naperville, IL, USA
The workshop explores how process safety is more than a technical solution and involves cultural change. To make a successful and sustainable culture change, multiple elements need to be combined that address people, rewards, learning and leadership. This workshop will explore best practices and give practical advice on how to build a process safety culture. The workshop is aimed at oil, chemical and other process related work.

• Introduction
• Change as a Journey: Overview of Change Management
• Building a Business Case: Defining a Burning Platform
• Speaking of Process Safety: Creating a Common Language for Process Safety
• Leadership Matters: Defining the Role of Your Leadership Teams
• Effective Learning: Segmenting Your Audiences and Delivering Relevant Learning Activities
• Looking at Behaviors and Desired Outcomes: How To Define & Drive Behaviors
• The Employee Lens: Know My Barriers & Know My Role in Keeping Them Healthy
• Measurement of Culture: What Works and What Doesn't
• Wrapping it Up: Change as a System

You have a lot on the line. Our adaptive Safety Management and FAA Compliance solutions won't let you down.

Adaptive SMS: The comprehensive solution for the most efficient implementation
• Extends a culture of safety beyond safety teams
• Easily guides users to confidentially report useful safety events
• Responsiveness shows users they made a difference

Adaptive Systems Safety Analysis: Safety oriented system design analysis

Don't miss the Sikorsky Aircraft and AST Aerospace presentation "Linear Integrated Safety Analysis (LISA)"

AST Aerospace, a division of Atlantic Software Technologies
1-732-230-2590
sales@astaerospace.com
www.astaerospace.com


Paper Presentations

Monday 08·12·13 AM, Berkeley, Hazard Analysis, Chair: Barondes

Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models
Lucas Wind, Dr. Gabriele Schedl, Juergen Floetzer, Safety Management Department, Frequentis AG, 1100 Vienna, Austria
Multiple failures of components due to shared causes, also known as Common Cause Failures (CCF), comprise an important class of failure types. These have to be taken into account in any serious assessment of safety critical systems deploying any redundancy concept. Whereas a qualitative assessment of CCF can be regarded as common practice, the exact numerical impact of CCF is usually less widely understood. Explicit representation of CCF is quite cumbersome and usually involves complex graphical representations within Fault Trees and RBDs. Focusing on a correct derivation of RAM-data rather than on a comprehensive common cause analysis, an implicit representation of CCF therefore is often preferred, but involves in-depth knowledge of underlying mathematical models. This paper aims to enable safety experts to make a fast, simple but effective RAM-analysis including CCF. Popular CCF-models are reviewed together with their advantages and disadvantages, based on the long-term experience of a supplier in the context of a large European ATM-project. The single parameter beta-factor model is explained in detail and demonstrated to be most effective for typical ATM-applications. Based on this model, results are given in terms of representative figures depicting the influence of CCF on various typical real world availability requirements.

Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees
Wes Rainey, MSEE, Life Cycle Engineering, General Dynamics Electric Boat, Groton, CT, USA
Fault Trees prove to be an effective tool for identifying safety critical system hardware and software requirements during the Safety Requirements Hazard Analysis (SRHA) process. This safety analysis methodology offers significant benefits when performing the SRHA. Fault Trees effectively communicate the safety assessment of a safety hazard to other safety engineers, systems engineers, the customer and other impacted engineering disciplines in a manner that each discipline can readily understand and evaluate for completeness and correctness. Fault Trees also enhance the safety engineer's ability to assess the implications of safety mishaps and events on safety hazards, improving visibility into the relationship between related mishaps and events and allowing for common events to be identified and shared between hazards. Fault Trees can then be structured to correspond to the system hardware and software requirements analysis, thus providing the ability to identify hazard mitigating safety critical requirements, design features and procedures early in the development process for continued tracking and management. This paper describes significant benefits of Fault Tree analysis when applied to an SRHA, with an example based upon a hazard caused by significant equipment damage to a pump.

The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment
Omar T. Jaradat, PhD Student (1); Patrick J. Graydon, Postdoctoral Research Fellow (1); Iain Bate (2). (1) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden; (2) Department of Computer Science, University of York, York, United Kingdom
Typical safety standards require software engineers to show that a plan of safety activities, chosen from recommended options or alternatives, meets a set of objectives. For example, the automotive safety standard ISO 26262 recommends formally verifying software architectures to show that they comply with safety requirements. In this paper we show how an existing approach to architectural model checking could be used to conform to ISO 26262.

The Architecture-Based Verification Technique for AADL Specifications verifies some completeness and consistency properties of Architectural Analysis and Design Language (AADL) models. An engineer transforms the AADL architecture into an UPPAAL model, generates a set of UPPAAL queries, and uses UPPAAL to check the queries. Using the resulting evidence, we have created a partial ISO 26262 safety case for an existing system that warns drivers of heavy vehicles before low fuel causes loss of power and vehicle control.

In this paper we demonstrate how this model-checking evidence contributes to an ISO 26262 safety case. We then critically analyze the resulting argument, recommend means of achieving complete coverage of ISO 26262 objectives, and discuss the costs and benefits of architectural model checking in comparison to those of the other techniques recommended by ISO 26262.

Monday 08·12·13 AM, Clarendon, Ground Transportation, Chair: Millin

Achieving Confidence of a Safety Critical System Product and Its Applications
Fenggang Shi, PhD, RAMS Department, Thales Canada Transportation Solutions, Toronto, ON, Canada
A safety critical system product can be developed for multiple project applications, such as a Communication Based Train Control (CBTC) product for modern railway signaling systems. It is natural that different safety critical systems in the same domain can have different characteristics due to variances of devices and operation environment. Such a product must be developed based on the generic attributes of systems in the domain, and can be parameterized and tailored to a specific system with the characteristics expected by the customer. The key issues in development of such a product are defining common functions in the application domain, categorizing and generalizing devices, and designing configurable system architecture. Thus devices and functions can be parameterized and tailored for a specific system of a project. Safety engineering for such a safety critical system product and its applications faces complexity in safety case development for demonstrating systematic hazard analyses and management. This paper discusses Thales experience and practice of resolving the key issues in designs and managing complexity of safety engineering on its CBTC product and applications. Safety confidence of CBTC systems is achieved through four layers of safety engineering: vital computer controller, platform, generic application and specific application.

Failure Logic Automata for Future Oriented Safety Assessment of Train Control System
Guo Zhou, PhD Student; Huibing Zhao, Professor; School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China
In the development process of a train control system, safety analysis possibly deviates from system design. System engineers and safety engineers always carry out their ideas in entirely different ways, so that when system engineers assert their designs are completed and feasible, the safety engineers may disappointedly declare that the safety requirements are not met. On the contrary, when safety engineers expose their manual analysis reports (FTA, FMECA, etc.), system engineers may pop up and point out the inconsistency. Intuitively, there seems to be a "gap" between system engineering and safety engineering. In this paper, some comparisons amongst classic safety assessment methods are performed first. Then a future oriented safety assessment method is introduced to safety engineering to automatically realize safety requirements verification with the soaring complexity of system design. The hierarchical and modularized methodology of failure logic modeling is illustrated for minimal cut sets synthesis and dangerous failure rate calculation, which can be referred to in order to promote safety. The mathematical model is constructed to manifest the correctness of the method. An instance analysis of an on-board train protection system is performed also.

Are We Ready for Driverless Cars?
David B. West, CSP, PE, CHMM, AMCOM/AMRDEC Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
For decades, technological advancements have continually improved the automobile, making it easier to drive. As we integrate features like adaptive cruise control, GPS navigation, lane keeping and so on, and make them interoperable, we move ever closer to having cars that will drive themselves to the destinations we enter into their programs. Some experts have even predicted that in less than a generation it will be illegal to steer our cars ourselves. Though it may seem that serious safety challenges constrain our movement down this path, it may actually be the safety benefits offered by driverless cars that propel us in this direction. Several high-profile competitions have fostered the development of driverless car technology. Some jurisdictions are already passing legislation to pave the way for driverless cars on public roads. With driverless cars will come major changes in legal processes involving accidents. In many ways the development of driverless cars that will operate on public roadways parallels the development of unpiloted aircraft that will fly in the national airspace. Design standards for hardware and software in civil aircraft (e.g. RTCA DO-254/DO-178) may serve as models for similar qualification of driverless car hardware and software.

Tuesday 08·13·13 AM, Berkeley, Hazard/Risk Management, Chair: Parizo

Safety is not an Option
Clifford A. Parizo, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Stratford, CT, USA; R. Brandon Daugherty, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Huntsville, AL, USA
This paper presents a method for evaluating and classifying rotorcraft safety enhancing equipment in terms of impact on safety and various equipment implementation factors. Guidance from certifying agency policy and system safety standard practice were considered, resulting in a classification tool that can be used to determine if equipment should be marketed and sold as either mandatory or optional. The methodology developed may have applications for other products and industries.

National Aerospace Standard 411 Update
Timothy Sheehan, CIH, CSP, PE, Raytheon Global Substances Program, Raytheon, Portsmouth, RI, USA
This paper describes the effort to review and update National Aerospace Standard 411 ("NAS 411"), commonly used within defense as a framework to conduct Hazardous Material Management Programs (HMMP) intended to reduce hazardous material risks in the government procurement of military systems. The scope of the effort includes both a review of the standard and the introduction of several key changes, including the expansion of the scope to non-military procurements and service contracts. Included in the effort is the task of developing a standardized military Hazardous Materials Target List (HMTL) that can be used as a starting point for military HMMP hazardous material (HAZMAT) target lists. The development of the common HMTL addresses the need to increase standardization of HMMP lists across defense programs that use NAS 411 and/or MIL-STD 882E Task 108 to conduct their HMMPs. There is currently no standard approach for developing these lists; as a result, there are numerous different materials identified for restrictions and reporting requirements. The current situation often does not support (or reflect) the hazmat risk management goals of the DoD, the military services or the contractors.

Linear Integrated Safety Analyses (LISA)
Michael T. Grant, Aviation & Product Safety, Sikorsky Aircraft Corp., Stratford, CT, USA; Samad Muhammad, Atlantic Software Technologies Inc., New York, NY, USA
This paper describes the Linear Integrated Safety Analyses (LISA) process developed by the Sikorsky Aircraft Corporation (Sikorsky). The LISA architecture is designed to encompass all aspects of safety risk management for aircraft development programs. It is linear in that each assessment is repeated at the aircraft, system and subsystem levels in sequence, and it is integrated such that all analyses are connected and fully traceable to requirements. Sikorsky has partnered with Atlantic Software Technologies (AST) to develop a web-based LISA application. The end product will be a fully integrated system safety process that is comprehensive, repeatable and traceable.

Tuesday 08·13·13 AM, Clarendon, Workspace Safety, Chair: Kondreck

Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen
Han Zhang, MSc Candidate; Rachel McQueen, MS, PhD; Jane Batcheller, PhD; Human Ecology, University of Alberta, Edmonton, Alberta, Canada
Burn injuries in kitchens are prevalent; as well, chefs are exposed to high heat and humidity. Limited research has been performed on safety issues related to chef's uniforms regarding thermal protective performance towards common kitchen thermal hazards (i.e. flames, hot liquids, steam and hot surfaces) and the thermal comfort within commercial kitchens. The purpose of this research was to characterize the thermal protective performance properties of textiles used in chef's uniforms in order to understand how protective they are against all these thermal hazards in such an environment. Selected thermal performance tests (i.e. flammability and ease of ignition, hot water and oil splash, steam testing under low pressure, and hot surface contact tests) were applied to predict the time to second-degree burn. Different fabric layer combinations (e.g. impermeable/semipermeable apron and two or more layers of cotton fabrics) were applied to determine the most effective way to wear chef's uniforms. In addition, thermal and water vapour resistance were compared among different fabric systems in terms of thermal comfort. Based on the data obtained from bench scale tests, recommendations were made to improve the thermal protection and thermal comfort of fabrics used in chef's uniforms and the safety within commercial kitchens.

A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources
Ray Fischer (1); Kurt Yankaskas, BS (2); Chris Page (1). (1) Noise Control Engineering Inc., Billerica, MA, USA; (2) Warfighter Performance Department, Office of Naval Research, Arlington, VA, USA
Noise remains the most prevalent occupational hazard associated with defense systems and operations critical to their sustainment. Concurrently, acquisition programs have been inconsistent in application of control measures, and many new systems are noisier than their legacy predecessors. Common impediments to improved control include relative lack of emphasis on risk management of noise, lack of widespread technical knowledge regarding the feasibility of noise control, and misunderstanding of potential return on investment from noise controls. The Defense Safety Oversight Council's Acquisition and Technology Task Force sponsored a project to identify common noise sources affecting multiple defense systems that were amenable to control measures that could be implemented using existing technologies at an affordable cost. A system engineering risk management process was applied to review key noise sources in DOD, identify nine of the more common sources amenable to control technologies, and describe common control measures for these processes. An affordable containment (acoustic enclosure) technology was also evaluated and described. Estimates were made of exposed populations, the range of their occupational exposures, and potential risk and fiscal cost of hearing loss. Cost-benefit analyses were applied to evaluate the return on investment from available control measures.

System Safety Design for Safe Operation of Radars
Ronald J. Bartos, PE, CSP, Whole Life Engineering, Raytheon, Sudbury, MA, USA
Safe operation and maintenance of radars depends upon effective system safety and software safety analyses of radar designs. These analyses include identification of the hazards involved in operating and maintaining radars and the safety requirements that are necessary to mitigate these hazards. This paper familiarizes the reader with the system safety design requirements that are implemented in the controls of these systems in order to manage the potential safety risks inherent in radars. The safety features are contrasted among different types of radars. The differences in the types of safety features among these systems are highlighted, and factors for these differences are presented. The radar's mission, location, system architecture, conceptual design and requirements allocation between hardware and software need to be understood in order to implement an effective safety program.

Tuesday 08·13·13 PM, Berkeley, Software Engineering, Chair: Mikula

Dependability Techniques Applied to Space Software - A Research Project Report
Carlos Henrique Netto Lahoz, Dr. Eng., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos (SP), Brazil; Martha Adriana Dias Abdala, MS, Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos, Brazil
This work reports some results of a research project performed at the Institute of Aeronautics and Space (IAE), Brazil, using dependability techniques applied to a space computer system. Hazard analysis techniques such as Software FTA and Software FMECA were used in an integrated manner, and more recently the System-Theoretic Process Analysis (STPA) has been studied. This research is part of the Verification and Validation (V&V) efforts to increase software dependability capability in software projects at IAE.

The feasibility of such an approach was conducted on system software specification and applied to a case study based on the Brazilian Launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to inclusion of new functional and non-functional system software requirements.

The techniques are adjusted and used in combination to identify common causes of software failures, their criticality, performance problems, temporal misleading, and hazards arising mainly from dysfunctional interactions between components. The SFTA analysis produced 82 basic events and the SFMECA 34 analyses from the sequence of flight and control events. The STPA is being applied to one of the case study scenarios in order to evaluate possible additional information about how the behavioural safety constraints can be violated.

The Principles of Software Safety Assurance
Richard Hawkins, PhD; Ibrahim Habli, PhD; Tim Kelly, PhD; Department of Computer Science, University of York, York, United Kingdom
We present common principles of software safety assurance that can be observed from software safety standards and best practice. These principles are constant across domains and across projects and can be regarded as the immutable core of any software safety justification. The principles also help maintain understanding of the 'big picture' of software safety issues whilst examining and negotiating the detail of individual standards, and provide a reference model for cross-sector certification.


Formal Modelling in the Development of Dependable Systems
Elena Troubitsyna, PhD, IT, Åbo Akademi University, Turku, Finland
Nowadays we tend to place increasing reliance on computer-based systems and the software which they are running. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, the analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.

It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing of software to the required degree of dependability infeasible, and hence the emphasis should be put on the development process, which is aimed at producing fault free software. Moreover, the system environment has a direct impact on its dependability, and hence a systems approach should be applied.

In the paper we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.

Tuesday 08·13·13 PM, Clarendon, Aerospace Safety, Chair: Kraemer

Systems-Based Approach to Flight Safety Management in Airlines
Hong Chi, PhD; Baoguang Xu, PhD; Mingliang Qi, PhD; Xueyan Shao, PhD; Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China
Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of SMS. From 2006 we work with one of China's 3 big airlines, taking part in its construction of SMS. We find that safety risks have their own features in different airline departments, and divide safety risks into two categories: one is caused by factors such as quality of pilots and reliability of airplanes, and the other is caused by misprocessing through operational processes; for example, a misprocessing in data entry during dispatching may lead to insufficient fuel and then serious outcomes. A reasonable risk assessment can be obtained only by systematic mechanism analysis, and other analytical approaches need to be studied besides the risk matrix. Based on this, effective risk mitigation can be implemented in airlines. We develop a closed loop to support an airline's flight safety management, named "Describing-Assessing-Diagnosing-Improving-Tracking". Specific details will be discussed in this paper.

Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch
Burak Durmaz, MSc Eng., Product Assurance Department, Space Systems Group, Turkish Aerospace Industries Inc. (TAI), Ankara, Turkey
Even if the new generation aircraft have rugged designs which are maximizing reliability, exposure to failures during operation is still indispensable. With a pure safety approach one can lead to the classical result "the safest aircraft is the one in the hangar". Vice versa, allowing dispatch without ensuring a certain level of safety can lead to catastrophic results and is totally not acceptable. MMEL has been answering this dilemma for many years. Each MMEL item is analyzed taking into account the effects of item inoperability on safe flight and landing, crew workload, functional capabilities of the systems, design margins and the impacts due to the next critical failure. MMEL is proposing dispatch criteria for any inoperative MMEL item by taking credit from a redundant unit which is capable of accomplishing the same function, the backup data provided by alternative sources or equipment, dictating acceptable limitations and/or requiring operational or maintenance procedures.

This study is aiming to answer questions such as why an MMEL is required and how an MMEL is developed. Also, brief information about the MMEL regulations, the importance of MMEL to ensure safe dispatch with inoperative item(s), and some simple examples regarding MMEL applications are going to be provided.


Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics
Stuart Campbell Sr., MAS, CFII, ATP, Aeronautical Science, Embry Riddle Aeronautical University, Daytona Beach, FL, USA
The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilot Association, 2010). The absence of a positive safety culture in general aviation, to include training organizations, affects pilot judgment and decision making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture during the learning process and training, is of importance and currently under study using the Frasca Mentor Advance Aviation Training Device.

Tuesday 08·13·13 PM, Dartmouth, Software Safety, Chair: Schmedake

Safety and/vs. Security: Towards a System Engineering Approach for Trust
Erwin Schoitsch, Dipl.-Ing., Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria
Safety has a long tradition in many engineering disciplines, evolving long before computers arrived on the scene. Security in engineering disciplines has a shorter history, becoming increasingly important with the rising complexity of networked systems. In complex cyber-physical systems and systems-of-systems, both worlds, having ignored each other for a long time (independent communities, different targets, standards, techniques and measures), have now to share their concerns to achieve the real goal of users and stakeholders: trustworthy systems.

The paper will compare the different approaches of the major safety and security standards, particularly with respect to setting goals, considering techniques and measures, and qualification/certification. Holistic system aspects, as covered by the notion of Dependability and Resilience as umbrella terms, and system engineering aspects taking into account dichotomic properties of complex embedded systems (commonalities and trade-offs) are looked at to try to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from concept phase, hazard and risk analysis to decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC-FP7 Integrated Project OpenCoss, in IEC/ISO standardization groups and other work.

Anatomy of a Safety Critical Software Function
Richard Church, Raytheon Company, Tewksbury, Massachusetts, USA
This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides a clear and concise determination of how a safety critical function may be defined at the system level to include hardware, software, human interactions and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose SLSCF computing level functions and details what constitutes a Safety Critical Computing Software Function (SCCSF) and how to identify those behavioral attributes that designate that function as safety critical. This paper provides a methodology to identify, decompose and categorize application and operating environment SCCSFs. For the purpose of this paper, SCCSFs are categorized into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety critical software functions that control and monitor safety critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies and fail-safe designs found in successful high consequence safety critical systems.

Software Risk: The Third Rail of Safety Analysis
Holly S. Hildreth, PhD, Consultant; Charles "Greg" Elcock, USN-R Aviator, Consultant; San Diego, CA, USA

"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Due to our inability to assess the probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called "throwing the baby out with the bath water." Meanwhile, the recent industry trend to assess software risk based solely on implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss shortcomings of this trend and describe alternative techniques that have not been openly documented but that have been used "under the radar" by software safety professionals for many years.

Wednesday 08/14/13 AM, Berkeley: Human Factors. Chair: Robins

ASL: Affective Safety Leadership
Ulrik Ramsing, Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark

Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how," demanding that the CoRep engage with all parties in a safe, professional and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged with CfL, Centre for Leadership, to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, satisfactory completion of which is now a requirement for employment in DONG E&P Offshore Operation as Company Representative.

The CoRep Program satisfies its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors, and ILO-driven offshore coaching.

Exxon Valdez: Human Error, Plain and Simple
Arthur D. Barondes, BS (Mil Engr), MS (Aero), MBA, PhD (ABD) (Business), Analytics International Corporation (AIC), Alexandria, VA, USA

Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989, and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors (there were no mechanical or electrical failures that fateful night), the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots, and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors, onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company, as solely responsible for the disaster.


Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A. Vernacchia, MS, PE, Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A. Green, PhD, Active Safety Systems, General Motors, Warren, MI, USA; Robert E. Llaneras, PhD, Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA

Today's electric propulsion system designs (e.g., Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, some failure modes may result in the failure effect on output torque being realized significantly faster than in traditional ICE failure modes. These may present differences in how output torque responses impact potential "Driver Startle" events.

This paper compares electric propulsion systems' fault response characteristics and subsequent detection and mitigation capabilities to those of ICE systems. The effects of the electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle-level hazard metrics related to Driver Startle, are presented.

Wednesday 08/14/13 AM, Clarendon: Public Safety. Chair: Fletcher

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD; Yun Luo; Shuo Tian, MS; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

Scientific precaution and effective control of accidents are important for national production in China. The famous Heinrich Rule reveals that the statistical law of the severity and frequency of accidents is essential to control accidents, but the accident source and causation, as well as the essence of systematic safety factors, have not been stated deeply. With data analysis from various accident statistics over recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. A proportion rule of the accident pyramid is then figured out, namely "Major Accidents - Fatal Accidents - General Accidents - Hidden Dangers - Hazards" (1-52-240-4700-∞). The result accords with the traditional Heinrich Rule, which provides the theoretical basis for accident prevention and indicates the way and direction of realizing essential safety.

Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity
Ilya M. Zheleznov, PhD, VNIIA, Moscow, Russia

The paper presents a review and results of analysis of different technical and economic aspects of industrial safety at a large enterprise with distributed sites, combining R&D work with pilot and batch production of high-tech products, and located in a megacity, Moscow.

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to optimization are considered from both technical and economic points of view, taking into account minimization of transportation of dangerous substances, localization of treatment facilities (waste effluents, gas purification) and waste storehouses, localization of systems for maintaining working conditions (heating, air-conditioning, air cleaning, water supply, etc.), possible harm to the population, and a number of other factors.

The features connected with locating the enterprise in a megacity are identified, including limited areas for treatment facilities, high saturation of the area by various communications, small distances to residential buildings and city infrastructure objects, transport problems, high pollution of the air environment, etc.


Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr. Professor G.A. Smirnov, Dr. D.I. Yurkov, D.V. Syagin, T.V. Kozhina; All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia

The paper reviews questions related to vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including those of a terrorist orientation, as well as to emergency situations of natural and anthropogenic character.

Main provisions of the complex program for safety of the population on transport, approved by the Russian Government, are presented. Approaches to the organization of screening of physical persons (passengers), vehicles, cargoes, luggage and personal belongings at transport infrastructure objects of Russian undergrounds are formulated. Some types of neutron and X-ray equipment for detection of explosives, nuclear materials and drugs, designed and produced by VNIIA named after N.L. Duhov, are presented.

Wednesday 08/14/13 AM, Dartmouth: Lifecycle Safety. Chair: Swallom

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore, Singapore

System Safety analyses assess the systems' hazards throughout all phases of the system life cycle. Quite often, details of maintenance tasks on systems are not clearly thought out and assessed. Hence, while in the midst of carrying out system maintenance tasks, hazards could arise and pose safety implications to users. Improper maintenance could also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance and sometimes total replacement of the components at regular intervals are required. Therefore, it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety critical or safety related parts is also crucial in ensuring that the systems remain safe for operation after conducting maintenance.

This paper attempts to classify the different types of maintenance and the focuses of their respective hazard analyses in order to better address their potential hazards. Generally there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance and Reliability-Centered Maintenance. The authors will discuss, with examples, the hazard analysis for each of these types of maintenance.

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram, David Hartfelder; Electronic Controls and Software, General Motors Company, Milford, MI, USA

System safety engineering is the application of special technical methods and managerial processes in a systematic manner to identify, evaluate and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned with eliminating or minimizing the impact of system hazard(s) to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementary critical safety analyses, tests and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that they are able to influence the design of the system. This paper will define a system safety case and provide an overview of its development within the GM system safety engineering process as it applies to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA

Error Prevention Event Collection (EPEC) Documents have been beneficial to the ULA Organization in many ways, by providing multiple methods to augment current ULA Error Prevention Processes and share Lessons Learned throughout the ULA Organization. EPEC Documents are stand-alone documents that provide ULA Personnel with categorized sets of Event information that can be used to augment Preventive Analysis, Reactive Analysis and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process; this means that they have completed the Causal Analysis, Corrective Action Board and Error Prevention Council processes. Upon Event closure, the "All Items" Database is populated with Event information and the applicable Event EPEC Categories. Then the "All Items" Database automatically sorts Event entries into "Category" Databases; there is one "Category" Database for each EPEC Category. Each "Category" Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" Database that provides users with instructions for use, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications and benefits will continue to be explored as they relate to the EPEC Documents.

Wednesday 08/14/13 AM, Exeter: Human Factors II. Chair: Flint

Development of Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy; Yanyan Wang, DE; Xin Liu; Wei Bai; Xinsheng Guo; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China

Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress has a disadvantageous effect on flight safety. Life events are a routine item of aircraft accident investigation in many countries, and many pilots involved in accidents were suffering from life events. In order to achieve the ideal effect, flight safety education must be incorporated with psychology. An education program combining flight safety and psychological stress was developed by summarizing the relevant psychological factors of aviation risk perception. The program includes three sections: psychological measurement relating to safety and results feedback; education on representative risk scenes in aviation; and occupational stress management. The Aviation Safety Locus of Control scale and the Hazardous Aviation Attitude questionnaire were used to evaluate risk pattern. The results were fed back to pilots to improve their self-knowledge. The representative risk scenes were based on the five hazardous attitudes theory; fifteen cases were developed, and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach the pilots stress management skills. The program can be applied to improve the flight safety and mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD; Xin Liu; Wei Bai; Xinsheng Guo; Qingfeng Liu, MPsy; Xiaochao Guo, DPsy; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China

The capabilities of crew resource management (CRM) directly relate to flight safety and run through the whole process of flight tasks, but there are currently no indicators and methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and the pilot's behavior characteristics of dynamic CRM were developed based on AC-121-FS-2011-41 crew resource management training and by analyzing the influential factors; thus the dynamic assessment training indicators and methods of crew resource management were eventually formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis of assessment of CRM during flight training, which is helpful to improve the CRM capabilities of a double drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD; Erin Collins; Hughes Associates, Inc., Baltimore, MD, USA

The fire protection response in selected facilities is characterized by "manual" activities. That is, facility personnel are trained to react immediately after fire detection, not only to announce the fire event throughout the facility using the communication systems but also to suppress the fire as quickly as possible. Contrary to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e., hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper involves an integration of event tree analysis and HRA, which includes treatment of the following detection and suppression activities: Prompt detection and suppression, Rapid detection and suppression, and Fire brigade suppression.

Wednesday 08/14/13 PM, Berkeley: Safety Topics. Chair: Gauthier

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou, BEng, MSc, PhD, CEng; Matthew Luckcuck; Tim Kelly, PhD; Richard W. Jones, PhD; Department of Computer Science, University of York, York, United Kingdom

There has been increasing use of IT in healthcare, aiming to improve the quality of healthcare as well as the safety delivered to patients. IT can contribute to improvement in meeting the performance targets of hospitals by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent in medical devices (e.g., pacemakers), for which there are organised efforts for international standards. Recently there have been attempts to systematise and standardise the safety analysis of health IT systems, with examples such as the UK National Health Service standards asking for a safety case that any IT systems are safe.

The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety and data-intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these (tactics) can be used to provide assurance to the final safety case of the system.

How Complex Systems Fail - I: Decomposition of the Failure Histogram
Richard R. Zito, PhD, Richard R. Zito Research LLC, Tucson, AZ, USA

Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that in general the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model, and the failure histograms (failure rate vs. time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report will take the Peterson/Arellano analysis one step further. A unified theory of failure rates will be presented that removes the paradoxes of the simple Rayleigh model. It will be shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function law.

Wednesday 08/14/13 PM, Clarendon: Risk Assessment. Chair: Karedes

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt; Joan Pham, PhD; Sikorsky Aircraft Corporation, Stratford, Connecticut, USA

The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday 08/15/13 AM, Berkeley: Space Systems. Chair: Durmaz

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X. Dang, BSCE (1); Myles P. Moran, BSME (2); Tyrone Jackson, BSEE (1). (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA

A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. An example: one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 AFSPC SUP 1, 91-217 and 63-101. AF program offices are required to comply with AFI policies; AFIs don't generally apply to the contractor except as implemented through the contract. Often, program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that by having two sets of requirements, AFIs for program offices and MIL-STD-882-Tailored for contractors, full compliance with AF Orbital Safety policy should be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question, "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"


Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G. McDougall, BS Physics, Naval Post-Graduate School (NPS) Master System Engineering, System Safety Center SMC/SE, El Segundo, CA, USA; Tyrone Jackson, BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA

Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommissioning and disposal of systems, subsystems, end items and services during the entire space system lifecycle, to support Operational Safety, Suitability and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements that are applicable to the acquisition of space systems or space systems of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems, and user equipment systems. SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP_I and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process for evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing tasks and activities required to execute a viable system safety program, which include risk acceptance package development, hazard tracking, mishap risk disposition, and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch, CO, USA

United Launch Alliance launches Atlas V and Delta IV from the Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles. Large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle and prelaunch operations, until liftoff. Range Safety regulations provide safety requirements for hardware, software and operations to ensure safety throughout ground processing. This paper will examine each stage of the ground processing for space launch and the applicable safety requirements, and discuss how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after the personnel are cleared, using safety critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday 08/15/13 AM, Clarendon: Weapons Safety. Chair: Southwick

Security Critical Software: the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S. Alborzi, PhD, Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA

Today's political landscape, the arbitrary abandonment of non-proliferation of nuclear weapons by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense of system safety. This paper intends to explore this integration and unveil some of the security critical software that can serve as the first line of defense for preserving the safety critical features of our weapons systems.


Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams, BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello, BSChE, Navy NOSSA, Indian Head, MD, USA

The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance provided in the associated AOP-7 and AOP-39 for implementing policy. Questions are often raised during program development and reviews as to the origin and applicability of the tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, will only address Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE; Gunendran Sivapragasam, MBA SE; Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA

A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among the characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday 08/15/13 AM, Dartmouth: Hazard Identification. Chair: Oliver

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore

We often ask ourselves why accidents or mishaps happen even when the system safety methodology and assessments are in place. Accidents happen due to many possible causes: there could be lapses in the safety integrity of the system, a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns by which a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations that were faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practice of system safety. There are four areas of concern highlighted in the paper: Interfaces, Prototype Tests & Trials, Maintenance & Disposal, and Human Error. By identifying the gaps in these four areas, the author explores and proposes mitigation measures that could possibly close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr. Cand. scient., System Safety, SINTEF, Trondheim, Norway

Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body for certification according to IEC 61508, a Notified Body for certification according to the relevant EU directives, and a Manufacturer.

Experience has shown that, to deliver the product in time and to be cost-effective, it is very important that the Manufacturer and the Certification and Notified Body agree about basic principles concerning the plans, contents, traceability and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Body as evidence.

This paper presents the CoVeR method, which has been developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, that costs are minimized, that time to market is reduced, that the certification process is complete and well documented, and that updates of the certificates require less work. The certification experiences to date show that many of the problems with conventional methods are alleviated.

Design with Safety Eye
Barış Berk Erdem MS, Pinar Aydin MS, Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey

Deriving safety requirements in the early stages of the design is one of the most important key factors to conduct a successful development process for any project. As well-defined, correct, consistent and complete safety requirements improve and guide the design to perfect levels with minimum effort, defective, inconsistent and incorrect safety requirements may lead to unsuccessful, overweight and overcost designs. In this paper, ways and advantages of deriving qualified safety requirements in early stages of the design will be discussed via examples. Safety requirements are derived using the results of the safety assessments, based on the consequences of functional failures. But the quality of safety assessments is based on the maturity of the design, and as the design matures it is hard to change and implement the changes, which causes a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated and familiar with similar projects provides great contributions. Also, a safety perspective throughout the design team makes it easy to derive valuable safety requirements and bring these requirements into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is cooperation of the whole design team with a safety perspective.

Thursday, 08/15/13, PM, Berkeley: Aerospace Software (Chair: Beecher)

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C Michael Holloway, NASA Langley Research Center, Hampton, VA, USA

For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements". Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments, contained in or implied by the DO-178C guidance, that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore, developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper, we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels, and Baconian probability. We define use cases for confidence in safety cases, prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for reuse of safety elements.

Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System
Eric Yang PhD, Richard Y Xie PhD, Arash Yousefi PhD, Metron Aviation, Inc, Dulles, VA, USA

As demand for military, civilian and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety that is set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper, we adapt a previously developed safety modeling framework, the Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS, incompatibility of sense-and-avoid systems of UAS and Tactical Collision Avoidance Systems (TCAS) of manned aircraft, loss-link procedures in the UAS, and the UAS loss of communication with air traffic control. The findings of this study provide insight into potential risks of UAS integration and may support development of the concept of operation, establishing minimum performance standards and developing required safety nets.

Thursday, 08/15/13, PM, Clarendon: Public Safety II (Chair: Laabs)

Integrating System Safety and Emergency Management
Terry L Hardy, Great Circle Analytics, LLC, Denver, CO, USA

System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations, or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience, and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A Robins, BS Safety, MS Systems Management, CSP, CFPS, HSE, Marine Well Containment Company, Houston, TX, USA

Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess and Statoil. In February 2011, MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS and Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach for working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.

What are your strengths as an engineer?

"thinking system-wide", "providing in-depth analysis of the latest technologies", "solving real-life problems"

Online Master's Degrees:
- Reliability Engineering
- Project Management
- Nuclear Engineering
- Sustainable Energy
- Energetic Concepts
- Fire Protection Engineering

Learn more: www.advancedengineering.edu/issc

A Taxonomic Analysis on Chinese Special Equipments "Yinhuan" in Supervision
Yunxiao Fan, Dr, Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipments to ensure their safety in the worksite. Special equipments in China include boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices and automobiles. In recent years, the rapid increase in numbers and types of special equipments has brought BSES increasing stress on special equipments regulation. As a government supervision organization, BSES tries to make explicit the inspection tasks of different supervision levels efficiently and improve safety management performance based on the view of risk. This research is the first task in the project, which aims to identify yinhuans in special equipment supervision in a taxonomy approach for further ranking them through risk assessment. Based on nonconformity and 4 elements in the accident causation model, this research defined yinhuans of special equipments in China and built a yinhuan taxonomic analysis structure. This research identified nonconformities from related regulations, standards, procedures, etc, and identified 830 yinhuans of 8 types of special equipments.

Thursday, 08/15/13, PM, Dartmouth: Hazard/Risk Management II (Chair: Kniess)

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander MSc (1), Patrick J Graydon PhD (2), Rikard Land PhD (1); (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework including analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach, the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence, it can ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA

United Launch Alliance (ULA) believes error reporting is the corner-stone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as Events) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012, ULA experienced an elevated number of transportation related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates processes were "in control" during the period of this study.

Isograph Software: World Leading Reliability, Availability and Maintenance Software

Reliability Workbench: Reliability Allocation, Prediction, FMECA, Fault Tree Analysis, Event Tree Analysis, Markov

Availability Workbench: Reduce Labor & Spares Costs, Increase uptime and output, Seamless integration with SAP and Maximo

www.isograph-software.com

Even though statistical analysis tools demonstrated ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.

Leading Indicators in Aviation Operations
Robert W Fletcher PMP PEng MSc, Robert Fletcher System Safety Inc, Ottawa, ON, Canada; Ioannis M Dokas PhD CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece

Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how STAMP Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents and incidents. The objective is to show the feasibility of establishing in airports system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems and airports to assess and predict changing levels of risk.

Special Functions

Saturday: SSS Executive Council Meeting, 12:00 - 5:00 pm, Tremont Room

Sunday: SSS Executive Council Meeting, 8:00 am - 5:00 pm, Tremont Room

Monday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room

Monday: Opening Ceremonies / General Session, 1:30 - 3:30 am, Salons A-E. 50th Celebration Speaker: Rex B Gordon MPH PE CSP, Fellow Member Emeritus. Keynote Speaker: James P Keller Jr MS, ECRI Institute

Tuesday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room

Tuesday: Sponsor/Exhibitor Luncheon, 11:30 am - 1:20 pm, Salons A-E. Speaker: Dr Nancy Leveson, Massachusetts Institute of Technology

Tuesday: Sponsor & Exhibitor Reception, 6:30 - 8:30 pm, Gloucester Room

Wednesday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room

Wednesday: International Luncheon, 11:30 am - 1:20 pm, Salons A-E. Speaker: Dr John McDermid, The University of York, UK

Wednesday: Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00 pm. Be in the hotel lobby at 6:00 pm

Thursday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room

Thursday: Awards Luncheon, 11:30 - 1:20 pm, Salons A-E

Friday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room

Friday: Best Papers Presentations, 8:00 - 11:20 am, Dartmouth Room

32nd International System Safety Conference, 4-8 August 2014 · St Louis, MO

St Louis Union Station Marriott Hotel


Local attractions:
• Gateway Arch Riverfront
• Missouri History Museum
• Museum of Transportation
• St Louis Cardinals
• St Louis Symphony
• St Louis Union Station
• St Louis Science Center
• The Contemporary Art Museum St Louis
• Bissell Mansion Restaurant and Dinner Theater
• Missouri Botanical Gardens
• Laumeier Sculpture Park
• Anheuser-Busch Brewery
• Kemp Auto Museum
• Schlafly Bottleworks
• Fox Theater
• Purina Farms
• Meramec Caverns
• Laclede's Landing
• City Museum
• Magic House
• Grant's Farm
• St Louis Zoo
• Delmar Loop
• Forest Park
• Harrah's
• Six Flags

About the System Safety Society

The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program or activity at the planning phase and continues through the design, production, testing, use and disposal phases.

The Society's Objectives
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering and other professional groups

System Safety Society, Inc, PO Box 70, Unionville, VA 22567-0070
www.system-safety.org, email: systemsafetysystem-safetyorg

Points of Contact

Officers
Robert Schmedake, President, robertaschmedakeboeingcom
Dr Rod Simmons, Executive Vice President, rodsimmonsmecom
Dr Matt Johnson, Executive Secretary, mjohnsonstaudertechcom
Pam Kniess, Treasurer, pamkniessgmailcom
Gary Braman, Immediate Past President, gbramansikorskycom

Directors
Gerry Einarsson, Chapter Services, einargkrogerscom
Lynece Pfledderer, Conferences, Lynecepfleddererlmcocom
Dr Chuck Muniak, Education & Professional Development, cmuniakstevensedu
Debbie Hale, Gov & Intersociety, Hale0324hotmailcom
Robert Fletcher, International Development, rwfletchersympaticoca
Melissa Emery, Member Services, memeryapt-researchcom
Steve Mattern, Mentoring R&D, smatternbastiontechnologiescom
Saralyn Dwyer, Publicity & Media, sdwyerapt-researchcom

Chapters

Tennessee Valley Chapter, AL: Don Swallom, swallomisss-tvcorg
Saguaro Chapter, AZ: Amanda Boysun, 520-794-5487, AmandaBoysunraytheoncom
Bay Area Chapter, CA: Graham Murray, 408-756-2674, grahamtmurraylmcocom
Central California Chapter, CA: Kathleen Brenna, KathleenBrenna1usafmil
Sierra High Desert Chapter, CA: Jerry Banister, 760-377-4690, safetycitadelearthlinknet
Southern California Chapter, CA: Francis McDougall, 310-653-1309, francismcdougallusafmil
Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppecomcastnet
Georgia Chapter: Terry Gooch, 770-494-3527, terryjgoochgmailcom
Winners Circle Chapter, KY/IN: Marc Bever, 812-854-1351, Marcbevernavymil
Twin Cities Chapter, MN: Bill Blake, 763-744-5086, billblakeatkcom
New England Chapter: Alan E Southwick, 401-842-2067, Alan_E_Southwickraytheoncom
Northeast Chapter: Scott Beecher, scottbeecherPWutccom
New Mexico Chapter, NM: William (Bill) Harwood, williamharwoodmdamil
Houston Chapter, TX: Derek Robins, 281-335-2011, derekrobbinsmwcc-usacom
North Texas Chapter, TX: Frank Rinaldo, 817-762-3075, frankrrinaldolmcocom
Washington DC Chapter: Sean Peters, seanpetersurscom
Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerberbaesystemscom

International Chapters
Australia Chapter: Dr Holger Becht, +61 (0)7 3868 9243, holgerbechtrgbassurancecomau
Canada Chapter: Maury Hill, 613-220-0533, Mauryhillrogerscom
Israel Chapter: Haim Kuper, 972-4-8315044, haimkuperelbitsystemscom
Singapore Chapter: Ten Lin Mei, tlinmeidsoorgsg


31st ISSC Luncheon Menu

Tuesday, August 13
New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pate de Fruit

Wednesday, August 14
Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15
Caesar Salad
Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce
White Chocolate and Blood Orange Torte


Greetings from the Society President

As the newly elected Society President, I want to welcome you to the 31st International System Safety Conference. I have been working in system safety since 1985, and I find this to be a rewarding and exciting career field. What I have liked most about the field is the fact that I find every new assignment involves working with new and varied types of systems. I love the challenge, and I appreciate that I am fortunate to have a job where my work makes a difference in the safety of our systems. We as System Safety Professionals have the unique privilege of impacting our society in such a positive way.

This year marks the Golden Anniversary of our society, and we trust this year's conference will live up to your expectations. We have come a long way since the early days of this society. Technology has transitioned from vacuum tubes to liquid crystal displays, launching unmanned satellites to commercial space flights, computers the size of a room to tablets with more and more capability daily. Some of our founding members will be in attendance at this conference, and they will be participating in our opening session. I know I am looking forward to hearing from them and their unique challenges.

I am also looking forward to hearing about the unique challenges we face with the latest in technology in our society. The impact of new technology on society and the motivation to trust more of our safety critical applications to the latest in today's innovations creates ever steeper challenges for us. This conference helps us to meet the challenge. We have outstanding technical sessions, world leading safety professionals in attendance, opportunities to network, and opportunities to find solutions to our every day safety dilemmas.

Our Conference Chair, Pam Alte, and her team have done an outstanding job in putting together this conference. We have a number of interesting technical tracks at this conference. Our speakers include some of the biggest names in the field. Our sponsors are among the best in the industry, and clearly we value their contributions to making our world a safer place.

So thank you for coming to this conference. I hope you are looking forward to the opportunities we have in the coming week as much as I am.

Robert A Schmedake, President, System Safety Society

Protecting your most valuable assets

System Safety Engineering & Analysis; Mission Assurance; Range Safety; Test Planning; Explosives Safety; Software System Safety; Industrial Engineering; Quality Engineering; Reliability Engineering; Software Development & Modeling; Independent Risk Assessments; Standards Development; Training

A-P-T Research, Inc, 4950 Research Drive, Huntsville, Alabama 35805
Phone 256-327-3373, Fax 256-837-7786, www.apt-research.com

Founded in 1990, APT (Analysis, Planning, Test) is an employee-owned small business located in Cummings Research Park near Redstone Arsenal in Huntsville, Alabama. Our corporate vision is to provide state-of-the-art expertise and ensure the highest levels of customer satisfaction.

Photo: Missile Defense Agency

Greetings from the Chapter President

Hear ye, hear ye, welcome to Boston for the 31st International System Safety Conference. Boston is the largest city in New England and one of the oldest in the United States. No hiding in your hotel; get out and enjoy the city's history, where key events of the American Revolution took place, including the Boston Massacre and the Boston Tea Party. For fun and entertainment, visit the Samuel Adams brewery and Bull & Finch pub (from Cheers). We are all Red Sox fans this week, so feel free to visit Fenway Park or view the city from atop the John Hancock or Prudential buildings. Boston has a red brick trail through the city that leads you past many of the historical locations; it's called the Freedom Trail. Walking this path brings you from the Boston Common past locations including Granary Burying Ground, the Boston Massacre site, Faneuil Hall, Paul Revere's house, Old North Church, and then across the Charles River to the Bunker Hill Monument and USS Constitution.

The Northeast Chapter and SSS Executive Committee (EC) have worked hard with this year's Conference Chair, Pam Alte. If you run into Pam, make sure you stop and thank her for the volunteer hours and effort she has poured into this conference. The economy is providing challenges to pull together a successful conference, but Pam, with the EC's support, has been more than up to the task.

"Safety For The Long Run" is such a poignant theme for this year's Boston conference, with the Boston Marathon bombings bringing safety to the forefront. Other recent events, such as aviation, train and industrial accidents, have sharpened the focus on how critical the safety discipline is in all our lives. For the conference, we are all challenged to learn something new. I ask that all attendees stay engaged with the conference papers and presentations and promote the system safety discipline.

Scott Beecher, President, Northeast Chapter, System Safety Society

I fly Sikorsky. Because the mission is never the same.

"I fly a Sikorsky BLACK HAWK helicopter for multiple missions. It's dependable and durable, and I have complete confidence in its proven performance. Sikorsky not only sets the standard for rotorcraft excellence and safety, they exceed it. It's evident in everything from the reliable performance of my BLACK HAWK to the way they support me in the field. There's simply no better helicopter for any requirement, whether it's utility, combat search and rescue or firefighting. The way I see it, not every pilot gets to fly in a helicopter this good. But they should."

Sikorsky

Greetings from the Conference Chair

On behalf of the entire ISSC planning committee, I would like to extend a warm welcome to you. We have worked hard to make this conference a world-class success. Whether this is your first visit to Boston or you have been here before, I hope you get a chance to relax and enjoy our beautiful New England city. Boston has something for everyone, from historical sites to exciting downtown locations, sports arenas and fabulous shopping. Our off-site event will be held in the Museum of Science, complete with Wolfgang Puck catering and our own private Lightning Show.

The System Safety Society is proud to host an annual conference that provides practitioners from different industries a chance to get together, network and learn from each other. Unfortunately, the US budget sequestration restricted travel for Government workers, so our numbers are down this year. I would like to assure all attendees that although this year's conference will be smaller than previous years, the standards to which we held our papers and tutorials were not lowered. You can expect top notch presentations.

The theme for this year's conference, Safety for the Long Run, picks up on a number of parallels between the types of things one might do to prepare for a marathon race and elements of an effective system safety program. These include the importance of proper training, having a well thought out plan, getting off to a good start, avoiding obstacles and distractions, and keeping enough in reserve for a successful sprint to the finish. I think you will agree that this year's conference will help prepare you well.

One of our objectives was to try to attract more young people who could especially benefit from the knowledge and experience of many of the Society's "grey beards". We will have several student members in attendance, and I hope you will join me in making them feel welcome. I am also pleased to announce this year we will have a new track, lifecycle safety. These papers will discuss system safety as it moves past the development stage, which is where the majority of our previous discussions have stopped. In addition to our many papers and tutorials being offered, there is the potential for "Just in Time" sessions to be held. A board for suggesting topics you would like to have added to discussions will be located at the registration desk, or you can coordinate with Norm Gauthier, one of our Technical Co-Chairs.

We wish you an enjoyable and enlightening conference experience. Should there be anything you require to make your conference experience better, please don't hesitate to reach out to me, Cliff Parizo, or any of the other Conference Committee volunteers.

Again, enjoy your visit, and thank you for your support by being here. I would also like to send a big thank you to those who helped plan this conference, our sponsors & exhibitors, and especially to Sikorsky Aircraft for partnering with us to make this conference a reality.

Sincerely, Pam Alte, 31st ISSC Conference Chair

10

sPeakersrex B Gordon mPh Pe cSP Fellow member emeritus opening ceremonies 50th celebration Speaker

Rex Gordon is a 50 year Charter Member and current Historian of the System Safety Society He is a past President and Editor of the Journal He served as Chairman of the 2nd ISSC and both the Northeast and Southern California Chapters He has represented the Society on the boards of the Reliability and Maintainability Symposium (RAMS) and Certified Safety Professionals (CSP) He is a Chapter Member and past Chairman of the Government Electronic Industries Association (GEIA) G-48 System Safety Committee He has co-authored two text books and over 15 published papers He has lectured at the George Washington University and USC He has represented the Society at functions held in the White House the Pentagon in Germany Holland and Paris

His is retired after 40 years of employment as a System Safety Engineering Specialist Manager and Consultant He currently lives with his wife of 61 years in Fallbrook CA

James P Keller Jr mS ecri institute Keynote Speaker As Vice President Health Technology Evaluation and Safety James Keller directs ECRI Institutersquos internationally recognized Health Devices Evaluation Program that provides independent judgment and guidance to help hospitals and health systems select and manage medical devices The program was referred to by the New York Times as the ldquocountryrsquos most respected laboratory for testing of medical productsrdquo He serves as a member of ECRI Institutersquos Executive Committee which is responsible for overall governance of ECRI Institute operations

Mr. Keller is also responsible for the Health Devices Alerts notification service for medical product hazards and recalls; Alerts Tracker, a web-based tool for managing hazards and recalls of medical products; Biomedical Benchmark, a resource to help hospitals manage their medical equipment service activities; an annual series of interactive webinars on health technology issues; and the International Medical Device Problem Reporting System.

Mr. Keller is a recognized expert and frequently invited speaker on a wide range of health technology-related topics, including patient safety, equipment management, strategic planning and forecasting, device utilization, nomenclature and asset management, and the convergence of medical devices and information systems. He is a regular contributor to ECRI Institute's Patient Safety Blog and is routinely sought out by the news media for his expertise on a variety of health technology concerns.

Mr. Keller is President of the board of the American College of Clinical Engineering and is a member of the board of the Health Technology Foundation. He joined ECRI Institute in 1984 after completing a Master of Science degree in biological engineering from the University of Connecticut and a Bachelor of Science degree in zoology from the University of Massachusetts.

ProgramISSC2013


Dr. Nancy Leveson, Massachusetts Institute of Technology
Sponsor & Exhibitor Luncheon Speaker

Dr. Leveson holds a PhD from UCLA. She was a Computer Science professor at the University of California, then became Boeing Professor of Computer Science and Engineering at the University of Washington.

Professor Leveson's research focuses on topics related to the design of complex systems containing software, hardware and human components. Her goal is to stretch the current limits of complexity and intellectual manageability of the systems we can build with reasonable resources and with confidence in their expected behavior, particularly safety. Current research topics include model-based system and software engineering; system and software safety; software requirements specification and analysis; human-computer interaction; reusable, component-based system architectures; interactive visualization; human-centered system design; and comprehensive approaches to risk management that include the organizational, political, managerial and social aspects of system construction and operation. New work is starting in security. Current applications include space, aircraft, autos, rail systems, nuclear power, medical devices, hospital safety, defense systems and others.

Dr. John McDermid, The University of York, UK
International Luncheon Speaker

Professor John A. McDermid has been Professor of Software Engineering at the University of York since 1987, where he runs the High Integrity Systems Engineering (HISE) research group. He was also Head of the Department of Computer Science from 2006 to 2012. The HISE research group studies a broad range of issues, mainly in systems, software and safety engineering, and works closely with the UK aerospace industry, but has worked in a number of domains including automotive, medical and railways.

In 2010 he was appointed a Consulting Professor at Beijing Jiaotong University (BJTU) and now runs a collaborative research programme in railway safety with BJTU, known as the Railway Safety Technology Research Centre (RSTRC). He has extensive experience as a consultant, including advising the Ministry of Defence (MoD) on the development of DS 00-56 Issues 3 and 4. He is a member of the UK Defence Scientific Advisory Council. He is author or editor of six books and has published approximately 360 papers.


SCHEDULE: MONDAY, 12 AUGUST

4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Berkley: Hazard Analysis (Barondes)
  8:00 - 8:50    Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models (Wind, Schedl, Floetzer)
  9:00 - 9:50    Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees (Rainey)
  10:30 - 11:20  The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment (Jaradat, Graydon, Bate)

Clarendon: Ground Transportation (Millin)
  8:00 - 8:50    Achieving Safety Confidence of a Large Scale System Product and its Applications (Shi)
  9:00 - 9:50    Failure Logic Automata for Future Oriented Safety Assessment of Train Control System (Zhou, Zhao)
  10:30 - 11:20  Are We Ready for Driverless Cars (West)

Salons A-E
  Lunch Break
  1:30           Opening Ceremonies, General Session: 50th Celebration Speaker Rex B. Gordon, MPH, PE, CSP, Fellow Member Emeritus; Keynote Speaker James P. Keller, Jr., MS, ECRI Institute

Exeter
  8:00 (3 hrs)   Tutorial: Hands-On System Safety Basics Focused On FHA (Winkelbauer, Schedl)

Fairfield
  8:00 (3 hrs)   Tutorial: Introduction to Fault Tree Analysis Using CAFTA Software (Roy)

Wellesley
  8:00           Committee & Group Meetings


SCHEDULE: TUESDAY, 13 AUGUST

4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Arlington
  8:00 (6 hrs)   Tutorial: A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique (Leveson, Thomas)
  1:30           Tutorial (continued)

Berkley: Hazard/Risk Management (Parizo)
  8:00 - 8:50    Safety is not an Option (Parizo, Daugherty)
  9:00 - 9:50    National Aerospace Standard 411 Update (Sheehan)
  10:30 - 11:20  Linear Integrated Safety Analyses (LISA) (Grant, Muhammad)

Clarendon: Workplace Safety (Kondreck)
  8:00 - 8:50    Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen (Zhang, Batcheller, McQueen)
  9:00 - 9:50    A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources (Fischer, Yankaskas, Page)
  10:30 - 11:20  System Safety Design for Safe Operation of Radars (Bartos)

Dartmouth: Open Forum (Fletcher)
  8:00 - 11:20   Developing Global System Safety Perspectives

Sponsor & Exhibitor Luncheon, Salons A-E
  Guest Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology
  Menu: New England Clam Chowder; Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction; Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Berkley: Software Engineering (Mikula)
  1:30 - 2:20    Dependability Techniques Applied to Space Software: A Research Project Report (Lahoz, Abdala)
  2:30 - 3:20    The Principles of Software Safety Assurance (Hawkins, Habli, Kelly)
  4:00 - 4:50    Formal Modelling in the Development of Dependable Systems (Troubitsyna)

Clarendon: Aerospace Safety (Kraemer)
  1:30 - 2:20    Systems-Based Approach to Flight Safety Management in Airlines (Chi, Xu, Qi, Shao)
  2:30 - 3:20    Use of Master Minimum Equipment List (MMEL) To Ensure Safe Dispatch (Durmaz)
  4:00 - 4:50    Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics (Campbell)

Dartmouth: Software Safety (Schmedake)
  1:30 - 2:20    Safety and/vs. Security: Towards a System Engineering Approach for Trust (Schoitsch)
  2:30 - 3:20    Anatomy of a Safety Critical Software Function (Church)
  4:00 - 4:50    Software Risk: The Third Rail of Safety Analysis (Hildreth, Elcock)

Gloucester Room
  6:30 - 8:30    Sponsor & Exhibitor Reception

Exeter
  8:00 (3 hrs)   Workshop: ISO 26262-Style Risk Assessment (Joyce)
  1:30 (3 hrs)   Workshop: Application of System Safety Methods to Systems of Systems (Joyce, Debouk, Vergara)

Fairfield
  8:00 (3 hrs)   Tutorial: Assurance Cases As Means of Evidence-Based Development of Critical Systems (Despotou)
  1:30 (3 hrs)   Workshop: Advancing Safety By Reducing Errors: A Fresh Approach (Autrey)

Suffolk
  8:00 (3 hrs)   Tutorial: Practical Generation of Safety Cases With the Help of GSN (Gerstinger, Schedl)
  1:30 (3 hrs)   Tutorial: Improving Safety Management by Using a Risk Management Policy in Your Daily Operations (Fitzgerald)

Wellesley
  8:00           Committee & Group Meetings
  1:30           Committee & Group Meetings (continued)


SCHEDULE: WEDNESDAY, 14 AUGUST

4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Morning sessions (Arlington, Berkley, Clarendon, Dartmouth):

Human Factors (Robins)
  8:00 - 8:50    ASL - Affective Safety Leadership (Ramsing)
  9:00 - 9:50    Exxon Valdez: Human Error, Plain and Simple (Barondes)
  10:30 - 11:20  Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems (Vernacchia, Green, Llaneras)

Public Safety (Fletcher)
  8:00 - 8:50    The Study on the Accident Causation Rule of Macroscopic Accidents in China (Zeng, Luo, Tian)
  9:00 - 9:50    Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity (Zheleznov)
  10:30 - 11:20  Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation (Smirnov, Yurkov, Syagin, Koshina)

Lifecycle Safety (Swallom)
  8:00 - 8:50    Maintenance Hazard Analysis (Tan)
  9:00 - 9:50    Development of a System Safety Case for Automotive Electric/Electronic Systems (Sundaram, Hartfelder)
  10:30 - 11:20  Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes (Laabs, Allison, Russell)

International Luncheon, Salons A-E
  Guest Speaker: Dr. John McDermid, The University of York, UK
  Menu: Asian Inspired Salad; Teriyaki Chicken, Coconut Rice, Seared Bok Choy; Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Afternoon sessions (Arlington, Berkley, Clarendon, Dartmouth):

Workshop
  1:30 - 2:20    The Evolution of the UK Defence Safety Standards (McDermid)

Safety Topics (Gauthier)
  1:30 - 2:20    Introducing Safety Assurance Influenced Design of Health IT Systems (Despotou, Luckcuck, Kelly, Jones)

Risk Assessment (Karedes)
  1:30 - 2:20    Quantitative Risk Assessment in Aviation Safety Risk Management (Hewitt, Pham)

Dartmouth
  1:30 (2 hrs)   Tutorial: Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System (Behnke, Damstra, Villhauer)

  2:30 - 3:20    How Complex Systems Fail - I: Decomposition of the Failure Histogram (Zito)

  6:00 - 10:00   Wolfgang Puck Dinner and Lightning Show at the Museum of Science

Exeter: Human Factors II (Flint)
  8:00 - 8:50    Development of Education Program Integrating Flight Safety and Psychological Stress (Liu, Wang, Liu, Bai, Guo)
  9:00 - 9:50    Research on Evaluation Index and Method of CRM Dynamic Training (Wang, Liu, Bai, Liu, Guo, Guo)
  10:30 - 11:20  Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events (Garvey, Joglar, Collins)
  1:30 (2 hrs)   Tutorial: Where Hard Meets SOFT: Human Factors Role In System Safety Engineering (Brisbois)

Fairfield
  8:00 (3 hrs)   Tutorial: Why You Should Care About the "-Ilities" (Southwick)
  1:30           Workshop: Aircraft Fire & Explosion: How Safe are the Friendly Skies (Moussa)

Suffolk
  8:00 (6 hrs)   G-48 Meeting (West)
  1:30           G-48 Meeting (continued)

Wellesley
  8:00           Committee & Group Meetings
  1:30 (3 hrs)   Tutorial: Using Risk Profiles for Safety Management of Large Scale Operations (Fitzgerald)


SCHEDULE: THURSDAY, 15 AUGUST

4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Berkley: Space Systems (Durmaz)
  8:00 - 8:50    Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy (Dang, Moran, Jackson)
  9:00 - 9:50    Tailoring of MIL-STD-882E for Space Systems Acquisitions (McDougall, Jackson)
  10:30 - 11:20  Cryogenic Safety for Space Launch Vehicles During Ground Operations (Iyengar)

Clarendon: Weapons Safety (Southwick)
  8:00 - 8:50    Security Critical Software: the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age (Alborzi)
  9:00 - 9:50    Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics (Adams, Tomasello)
  10:30 - 11:20  A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects (Pham, Sivapragasam)

Dartmouth: Hazard Identification (Oliver)
  8:00 - 8:50    Closing the Gaps in System Safety Coverage (Siow)
  9:00 - 9:50    Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods (Myklebust)
  10:30 - 11:20  Design With Safety Eye (Erdem, Aydin)

Awards Luncheon, Salons A-E
  Menu: Caesar Salad; Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce; White Chocolate and Blood Orange Torte

Berkley: Aerospace Software (Beecher)
  1:30 - 2:20    Making the Implicit Explicit: Towards an Assurance Case for DO-178C (Holloway)
  2:30 - 3:20    Uncertainty and Confidence in Safety Logic (Graydon)
  4:00 - 4:50    Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System (Yang, Xie, Yousefi)

Clarendon: Public Safety II (Laabs)
  1:30 - 2:20    Integrating System Safety and Emergency Management (Hardy)
  2:30 - 3:20    Safety in Deepwater Well Containment Operations (Robins)
  4:00 - 4:50    A Taxonomic Analysis On Chinese Special Equipments "Yinhuan" in Supervision (Fan, Luo, Lu)

Dartmouth: Hazard/Risk Management II (Kniess)
  1:30 - 2:20    Towards Automatic Verification of Safety Properties in AADL System Models (Björnander, Graydon, Land)
  2:30 - 3:20    Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events (Allison, Jerdak)
  4:00 - 4:50    Leading Indicators in Aviation Operations (Fletcher, Dokas)

Exeter
  8:00 (6 hrs)   Tutorial: Conceive of Modeling On Operation Mechanism of Public Safety Standardization (Luo, Huang)
  1:30           Tutorial (continued)

Suffolk
  8:00 (3 hrs)   Panel: G-48 Pressing Issues Facing System Safety (West)

Wellesley
  8:00           Committee & Group Meetings
  1:30           Committee & Group Meetings (continued)

SCHEDULE: FRIDAY, 16 AUGUST

Simmons Room, 6:30 - 8:00: Speakers' Breakfast

Clarendon
  8:00 (2 hrs)   Workshop: Process Safety Culture Best Practices (Pearlman)

Dartmouth
  8:00 - 8:50    Best Paper 1
  8:50 - 9:30    Best Paper 2

Regis
  8:00           Lessons Learned & ISSC Staff Turn-over Meeting


3, 2, 1, SAFETY

System safety is paramount. It impacts our products, employees, technicians and maintenance personnel. And safety is no accident: it is designed into everything we do. We are proud to sponsor this year's International System Safety Conference and their mission to think outside the box when it comes to the best processes, methods and techniques. We're committed to delivering innovative ideas and solutions that help connect, protect and explore our universe.

www.lockheedmartin.com/ssc

© 2012 Lockheed Martin Corporation



TUTORIALS

The conference organizers have an information-packed tutorial program planned in conjunction with the 31st ISSC. Attending tutorials, as well as other elements of the Technical Program at the 31st ISSC, meets the requirements for Continuance of Certification credit through the Board of Certified Safety Professionals (BCSP). The University of Cincinnati will issue Continuing Education Units (CEUs) for participation in the conference tutorials. CEUs are issued on the basis of 0.1 CEU per instructional contact hour. You must be present for at least 90% of the tutorial to receive CEUs and a tutorial completion certificate. Your attendance is verified via the process outlined below.

• At the start of the tutorial, you'll clearly print your name in the attendance form exactly as you want it to appear on the certificate.
• After returning from each break during the tutorial (morning, lunch and/or afternoon), you'll initial the attendance form.
• You must be present at the end of the tutorial to receive your certificate and the CEUs.

If there are misspellings on the CEU certificates, please mark the corrections and give them back to the instructor or leave them at the registration desk.

Monday 08·12·13, 8:00-11:30, Exeter, Tutorial, 0.3 CEU

Hands-On System Safety Basics Focused on FHA
Instructors: Werner Winkelbauer, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria

An overview of a generic safety process best suited for small to medium sized projects, in relation to the project lifecycle, is given. For each major project phase, the respective safety process phase, safety objectives and necessary inputs and outputs are detailed. Some state-of-the-art analysis techniques are explained. Special emphasis is placed on the Functional Hazard Assessment, where practical guidance for a Functional Failure Modes and Effects Analysis is presented.

The content of this tutorial is based on experience from an internationally operating company.

Objective: Basic understanding of a safety process and the practical implementation of a Functional Failure Modes and Effects Analysis.

Monday 08·12·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Introduction to Fault Tree Analysis Using CAFTA Software
Instructor: Jean Francois Roy, Nuclear Division/Risk & Safety Management Group, Electric Power Research Institute, Palo Alto, CA, USA

This tutorial will introduce Fault Tree Analysis using CAFTA software. Attendees will first review fault tree methodology and terminology. Construction of a fault tree model in CAFTA will then follow a brief review of CAFTA's components and symbol types. In constructing the fault tree model, topics covered will include projects, navigation, editing shortcuts and how to add probabilities. An overview of basic event probability formulas, type codes and variables will be included, as well as printing and quantification processes.
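As an added illustration of the quantification step this tutorial covers (example code written for this page, not CAFTA and not the instructor's material), the Python below builds a small constructed fault tree, extracts its minimal cut sets, and compares the rare-event approximation most tools report with the exact top-event probability. The tree, the event names and the failure probabilities are invented for the example, and basic events are assumed independent.

```python
"""Quantifying a small fault tree: minimal cut sets, the rare-event
approximation, and the exact top-event probability.

Added example; not CAFTA code and not part of the conference program.
The tree and probabilities below are constructed for illustration and
basic events are assumed independent.
"""
from itertools import product
from math import prod
from typing import Dict, FrozenSet, List, Optional, Set, Union

Node = Union[str, "Gate"]  # a basic event is represented by its name


class Gate:
    """AND: output fails only if all inputs fail. OR: if any input fails."""

    def __init__(self, kind: str, inputs: List[Node]) -> None:
        if kind not in ("AND", "OR"):
            raise ValueError(f"unknown gate type {kind!r}")
        self.kind = kind
        self.inputs = inputs


def basic_events(node: Node, seen: Optional[List[str]] = None) -> List[str]:
    """Basic events in the tree, each listed once, in first-seen order."""
    seen = [] if seen is None else seen
    if isinstance(node, str):
        if node not in seen:
            seen.append(node)
    else:
        for child in node.inputs:
            basic_events(child, seen)
    return seen


def evaluate(node: Node, failed: Dict[str, bool]) -> bool:
    """True if the top event occurs for the given basic-event states."""
    if isinstance(node, str):
        return failed[node]
    results = [evaluate(child, failed) for child in node.inputs]
    return all(results) if node.kind == "AND" else any(results)


def cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """All cut sets, not yet minimised: OR unions the children's sets,
    AND combines every choice of one cut set per child."""
    if isinstance(node, str):
        return {frozenset([node])}
    child_sets = [cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        return set().union(*child_sets)
    combined = child_sets[0]
    for other in child_sets[1:]:
        combined = {a | b for a in combined for b in other}
    return combined


def minimal_cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """Drop every cut set that contains another cut set as a proper subset."""
    all_sets = cut_sets(node)
    return {cs for cs in all_sets if not any(other < cs for other in all_sets)}


def rare_event_probability(node: Node, p: Dict[str, float]) -> float:
    """Sum of minimal-cut-set probabilities: an upper bound on P(top) that is
    tight when every cut set is improbable; the usual tool quantification."""
    return sum(prod(p[e] for e in cs) for cs in minimal_cut_sets(node))


def exact_probability(node: Node, p: Dict[str, float]) -> float:
    """Exact P(top) by enumerating all 2^n basic-event states (n is small)."""
    names = basic_events(node)
    total = 0.0
    for states in product((False, True), repeat=len(names)):
        failed = dict(zip(names, states))
        if evaluate(node, failed):
            total += prod(p[n] if f else 1.0 - p[n] for n, f in failed.items())
    return total


# Constructed example: loss of coolant flow. Either the control signal is lost,
# or both pumps fail. Each pump fails if its own mechanism fails or if the
# shared power supply fails, so PWR sits under both branches: one failure that
# defeats the redundancy, which the minimal cut sets expose as a singleton.
PUMP_A = Gate("OR", ["A_mech", "PWR"])
PUMP_B = Gate("OR", ["B_mech", "PWR"])
TOP = Gate("OR", [Gate("AND", [PUMP_A, PUMP_B]), "CTRL"])

# Constructed per-demand failure probabilities, not data from any plant.
PROBS = {"A_mech": 0.05, "B_mech": 0.05, "PWR": 0.01, "CTRL": 0.002}

if __name__ == "__main__":
    for cs in sorted(minimal_cut_sets(TOP), key=lambda s: (len(s), sorted(s))):
        print(sorted(cs), "->", prod(PROBS[e] for e in cs))
    print("rare-event approximation:", rare_event_probability(TOP, PROBS))
    print("exact:", exact_probability(TOP, PROBS))
```

The unminimised set contains {A_mech, PWR} and {B_mech, PWR}, which minimisation removes because {PWR} alone already fails the top event; the three minimal cut sets give a rare-event estimate of 0.0145 against an exact 0.01445005, a gap that grows as cut-set probabilities stop being small.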

Tuesday 08·13·13, 8:00-5:00, Arlington, Tutorial, 0.6 CEU

A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique
Instructors: Nancy G. Leveson, PhD, John Thomas, PhD, Aeronautics and Astronautics, MIT (Massachusetts Institute of Technology), Cambridge, MA, USA

STAMP is a new accident causality model that expands on the old models in order to handle the increased complexity, software and changing human roles in today's systems. Using STAMP as a foundation, new tools have been built for hazard analysis (STPA), accident analysis (CAST), organizational risk analysis and risk management, etc. This tutorial will concentrate on STPA. The tutorial will start with a brief introduction to STAMP and the systems approach to safety engineering. The rest of the time will be devoted to learning STPA and doing exercises. Students are encouraged to bring problems from their own research domains so that they can try this analysis method on something very relevant to their work.

STPA is being used successfully in almost every industry. Several groups have evaluated STPA empirically by comparing the results with standard hazard analysis techniques. In all cases STPA found all the hazard scenarios found by the other methods, but also found additional ones involving software, human errors and unsafe interactions among system components. In a couple of cases where STPA and the other methods were applied to a design in which an accident had occurred (without telling the analysts), STPA was the only method that found the real accident scenario.

By the end of the tutorial, attendees will be able to apply STPA to a system in their field of expertise.

Tuesday 08·13·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Assurance Cases as Means of Evidence-Based Development of Critical Systems
Instructor: George Despotou, BEng, MSc, PhD, CEng, Department of Computer Science, University of York, York, United Kingdom

Often developers have the onus to defend a position (i.e., make a case) about the safety of their system. This usually involves an explanation of how the available information for a system supports the claim that risks in the system have been acceptably managed.

Safety cases have been used in the safety domain for a number of years, mostly in the defence, aerospace and energy domains. Their usefulness as a tool for improving safety has been appreciated by many practitioners, and development of a safety case is a requirement in many standards. This has resulted in the core concepts of safety cases being transferred to other domains (e.g., automotive) and focused on other system attributes (e.g., security cases). Recently the term assurance case has been introduced, which encompasses not only safety but other relevant critical aspects of a system, such as security.

A case exists to communicate an argument. It is used to demonstrate how someone can reasonably conclude that a system is acceptably safe from the evidence available. A case is a device for communicating ideas and information, usually to a third party (e.g., a regulator). In order to do this convincingly, it must be as clear as possible. Safety case definitions may differ between domains, but all definitions converge on a set of characteristics.

Development of a (safety) case is a requirement in many standards. Beyond that, the usefulness of the safety case has been appreciated in industry, and it is used by many organisations as good practice. The reason for this is that explicitly capturing all reasoning and information about the supported position, such as assumptions and evidence, facilitates assessing the fitness of the design to meet its (safety) objectives. A manufacturer will design a system aiming to achieve the required operational attributes. However, what is intended is often not what is achieved. Once the reasoning of the developers is explicitly documented as claims and arguments supported by evidence, the gap between what was intended and what was achieved becomes more apparent.

Explicitly documenting a case contributes towards a factual representation of the system, revealing which claims can be supported by evidence and which remain intention (for example, because there is not sufficient evidence to support them). This does not necessarily imply that the latter claims have not been implemented, but that we are unaware of their achievement, as they are not sufficiently supported. There can be three reasons why a claim is not sufficiently supported: a) there is not sufficient evidence to warrant the claim; b) although there is evidence, there is inadequate explanation (a problematic argument structure) of how the evidence supports the claim; and c) the claim was phrased in a way that is unsupportable.

The tutorial describes the basic concepts of assurance and safety cases (including recent OMG standards), explains the main challenges in developing an assurance case and their relationship to safety standards (safety cases and standards serve different purposes and should be seen as complementary), and presents best practice (and misconceptions) regarding assurance cases.

Tuesday 08·13·13, 8:00-11:30, Suffolk, Tutorial, 0.3 CEU

Practical Generation of Safety Cases with the Help of GSN
Instructors: Andreas Gerstinger, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria

This tutorial will introduce you to the concept of safety cases. Safety cases are structured arguments that support the claim that a system is safe to be used for a given application in a given environment. Several standards require the production of such safety cases as a prerequisite for approval. The tutorial will highlight good and bad practices when developing safety cases and will introduce you to a notation specifically developed for the generation of safety cases: the Goal Structuring Notation (GSN). There will be practical examples which need to be solved by the attendees, so that hands-on practice and experience is gained.

Detailed outline of the tutorial:

Introduction (1h): The tutorial will start with a survey of current safety standards (IEC 61508, ISO 26262, EN 50128, DO-178C) and analyse their views and requirements regarding safety cases. We will then delve into the nature of safety cases, briefly touch on their historical origins and clearly consider what can and what can't be expected from a safety case. Based on our practical experience, we will also highlight some typical bad practices when constructing safety cases. This helps in reading them correctly and critically, and is also a helpful guideline for reviewing other safety documentation. This part of the tutorial is largely a presentation.

Goal Structuring Notation (45 min): We will then introduce the main elements of the Goal Structuring Notation (GSN), which is a helpful tool for documenting safety cases. The presentation of the notation will be interleaved with brief examples, exercises and questions, so that attendees have the chance to fully understand the meaning and purpose of the various symbols. A structured method for how to proceed when drafting safety cases will also be presented. This part of the tutorial is therefore much more interactive, requiring active participation of attendees.

Case Study (45 min): A realistic case study will then be handed out. It is expected to be solved as group work (groups of 3-5 people are expected). The task of the groups will be to draft and present a sound safety argument for a given claim that the system in the case study is acceptably safe for a specific application in a given environment. GSN shall be used as the notation for this purpose. At the end, the groups present their solutions, and the advantages and disadvantages of the presented solutions are discussed. This part of the tutorial is group work.

Concluding Remarks (30 min): Finally, we will offer some concluding remarks consisting of hints on how to avoid common errors and fallacies in safety cases, show some examples of real-world safety cases, and finish with a personal conclusion.
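The following Python, added here as an illustration for both the assurance case tutorial and the GSN tutorial above and not taken from either tutor's material, models a GSN argument as Goal, Strategy, Solution and Context nodes and checks which goals are actually supported by evidence. It reports the first two of the three reasons a claim may be insufficiently supported (no evidence behind a goal, and a problematic argument structure such as a strategy with no sub-goals or a disallowed SupportedBy link); whether a claim is phrased unsupportably remains a reviewer's judgment. The braking-controller argument, its node identifiers and its evidence items are constructed for the example.

```python
"""A minimal Goal Structuring Notation (GSN) argument model with a check for
claims that are not sufficiently supported.

Added example; not the tutors' material and not part of the conference
program. Node kinds and the permitted SupportedBy links follow the GSN
community standard: a Goal may be supported by Goals, Strategies or Solutions
(evidence); a Strategy only by Goals. The sample argument is constructed.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Node kinds that a node of each kind may be SupportedBy.
ALLOWED_SUPPORT = {
    "Goal": {"Goal", "Strategy", "Solution"},
    "Strategy": {"Goal"},
    "Solution": set(),
}


@dataclass
class Node:
    kind: str                   # "Goal", "Strategy", "Solution", "Context"
    id: str
    text: str
    supported_by: List["Node"] = field(default_factory=list)
    in_context_of: List["Node"] = field(default_factory=list)
    undeveloped: bool = False   # the GSN diamond: deliberately left open


def check(node: Node, findings: List[Tuple[str, str]]) -> bool:
    """Return True if `node` is fully supported; record every problem found
    in `findings` as (node id, reason) rather than stopping at the first."""
    if node.kind == "Solution":
        return True                       # evidence is the leaf of the argument
    if node.kind not in ALLOWED_SUPPORT:
        findings.append((node.id, f"{node.kind} nodes cannot support a claim"))
        return False
    if node.undeveloped:
        findings.append((node.id, "undeveloped: no evidence or decomposition"))
        return False
    if not node.supported_by:
        findings.append((node.id, f"{node.kind} with nothing beneath it"))
        return False
    ok = True
    for child in node.supported_by:
        if child.kind not in ALLOWED_SUPPORT[node.kind]:
            findings.append((node.id, f"{node.kind} may not be SupportedBy {child.kind} {child.id}"))
            ok = False
            continue
        if not check(child, findings):    # visit every branch, no short-circuit
            ok = False
    return ok


def assess(top: Node) -> Tuple[bool, List[Tuple[str, str]]]:
    """Assess a whole argument from its top goal."""
    findings: List[Tuple[str, str]] = []
    return check(top, findings), findings


def example_argument() -> Node:
    """Constructed safety argument for a hypothetical braking controller."""
    c1 = Node("Context", "C1", "Definition of the braking controller and its road environment")
    c2 = Node("Context", "C2", "Hazard log HL-1")
    sn1 = Node("Solution", "Sn1", "Fault tree analysis of the brake command path")
    sn2 = Node("Solution", "Sn2", "Functional hazard assessment report")
    g2 = Node("Goal", "G2", "Hazard H1 (loss of brake command) is acceptably mitigated", [sn1])
    # G3 is decomposed through a strategy nobody followed up: a problematic
    # argument structure rather than missing evidence.
    s2 = Node("Strategy", "S2", "Argue over the results of HIL testing")
    g3 = Node("Goal", "G3", "Hazard H2 (unintended braking) is acceptably mitigated", [s2])
    # G4 is left undeveloped: a claim that is still intention, not fact.
    g4 = Node("Goal", "G4", "Hazard H3 (delayed brake release) is acceptably mitigated", undeveloped=True)
    g5 = Node("Goal", "G5", "All credible hazards have been identified", [sn2])
    s1 = Node("Strategy", "S1", "Argue that each identified hazard is mitigated", [g2, g3, g4], [c2])
    return Node("Goal", "G1", "The braking controller is acceptably safe to operate", [s1, g5], [c1])


if __name__ == "__main__":
    supported, problems = assess(example_argument())
    print("argument fully supported:", supported)
    for node_id, reason in problems:
        print(f"  {node_id}: {reason}")
```

Run as a script it reports that the argument is not fully supported and lists S2 (strategy with nothing beneath it) and G4 (undeveloped), while G2 and G5, which end in evidence, pass silently: the documented argument makes the gap between intention and achievement visible without anyone having to read every page of the supporting reports.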

Tuesday 08·13·13, 1:30-5:00, Suffolk, Tutorial, 0.3 CEU

Improving Safety Management by Using a Risk Management Policy in Your Daily Operations
Instructor: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS - Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA

The focus of the tutorial is the use of risk assessment and risk management in the (non-technical) occupational safety and health profession. Domain of interest: Hazard/Risk Management or Workplace Safety.

First hour: Review the basics of the various components of risk and types of risk assessments. Stress that the safety and health professional needs to understand that risk is more than a simple subjective measure of severity and frequency.


Second hour: Demonstrate how to make risk assessment into a powerful management tool by customizing the assessment of risk for use in a company or industry. Also provide insights on how to "sell" a risk management policy/program within a company.

Third hour: A discussion of how to use risk management as a tool to aid you in your daily office or program management responsibilities: the planning, organizing, staffing, leading and controlling of a safety program. Embedded in the discussion is how risk can provide a measure of the success of an occupational safety and health program.

Wednesday 08·14·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Why You Should Care About the "-Ilities"
Instructor: Alan E. Southwick, BSEE, MME, MBA, CSP, CQE, CRE, Whole Life Engineering Directorate, Raytheon Company, Integrated Defense Systems, Portsmouth, RI, USA

The topic addresses the interrelationships that developed from Quality, Quality Control and Quality Engineering into the Specialty Engineering roles and relationships, including Reliability, Maintainability, Supportability, Human Factors, Safety and Security (Information Assurance), from an overview perspective. The tutorial is designed to be somewhat interactive, presenting examples and questions to the audience related to the various topics discussed, thereby engaging participants and providing them with insights into the various disciplines and how they relate within "Specialty Engineering".

Wednesday 08·14·13, 1:30-3:30, Dartmouth, Tutorial, 0.2 CEU

Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System
Instructors: Tim R. Behnke, BSEE; John Damstra, BS Mathematical Sciences; and Eric D. Villhauer, BS Aerospace Eng., BA Economics; Specialty Engineering, General Atomics Aeronautical, Poway, CA, USA

The presenters share their implementation of a hazard analysis that integrates the civil aviation approach to safety analysis per SAE ARP 4761 and the defense approach to safety analysis per MIL-STD-882E, along with their implementation of the associated hazard tracking system in DOORS.

• Introductions - Behnke - 5 mins
• Need for System - Behnke - 5 mins
• Groundwork (historical) - Behnke - 10 mins
• Development - Damstra - 30 mins
  i. Modules
  ii. Attributes
  iii. DXLs
  iv. Views
  v. Exports
• Usage - Villhauer - 30 mins
• Questions - All - 10 mins



Wednesday 08·14·13, 1:30-3:30, Exeter, Tutorial, 0.2 CEU

Where Hard Meets SOFT: Human Factors Role in System Safety Engineering
Instructor: Fred W. Brisbois, CHCM, Safety, Sikorsky Aircraft, International Helicopter Safety Team, Guilford, CT, USA

The gap that allows accidents to happen is sometimes where System Safety Engineering and Human Factors don't overlap. System Safety Engineering processes defined in MIL-STD-882 and ARP 4761 provide a structured approach to applying engineering practices to ensure safety is designed into products. These practices, coupled with robust product safety surveillance and management during the aircraft's service life, offer opportunities to continuously raise the standards for future designs. However, to maximize the benefits of safety engineering, it is important to master the 'art' of how and when to integrate human factors interventions into the system design. This session will cover a generic overview of system safety engineering, aircraft fleet safety management, and lessons learned from 'human' malfunctions that led to aircraft system design changes.

Wednesday 08·14·13, 1:30-5:00, Wellesley, Tutorial, 0.3 CEU

Using Risk Profiles for Safety Management of Large Scale Operations
Instructor: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS - Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA

This tutorial provides safety and health professionals who work with large scale or multiple operations with a methodology to evaluate and compare these operations. The tutorial begins with a review of four types of risk which need to be assessed (People, Product, Production and Planet). This is followed by a brief discussion of normalizing the risk components of severity and probability. The heart of the tutorial is the description of how to measure the total risk of various operations, processes and facilities and present the resulting risk profiles to management. The tutorial will conclude with a brief discussion on the validity of the methodology used. Note: this is not a discussion of how to determine true total risk, but a simplified method using a minimum of math. The tutorial is designed for safety and health professionals working within a company that has multiple processes or facilities that compete for funding to ameliorate hazards.

Thursday 08·15·13, 8:00-5:00, Exeter, Tutorial, 0.6 CEU

Conceive of Modeling On Operation Mechanism of Public Safety Standardization
Instructors: Yun Luo and Yuecheng Huang, ME, School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

Based on the theories and methods of system science and strategy systems, this work sets out the operating laws of work safety standardization and the relations between all of its elements, combined with the background and current situation of public safety standardization in China. It also builds the framework of the macroscopic operating mechanism and the "456" model of the work safety standardization system's operating mechanism, drawing on the execution and achievements of work safety standardization in China. In addition, it designs six further mechanism models for systematic analysis and optimized countermeasures, such as comprehensive management by government, categorized supervision by department, implementation of responsibility by organization, technological service by agency, wide participation by society, and self-disciplined prodding by all personnel. The research provides theoretical directions as well as approaches for constructing and improving the operating quality of public safety standardization.


PANEL DISCUSSIONS / FORUMS

Tuesday 08·13·13, 8:00-11:30, Dartmouth, Open Forum

Developing Global System Safety Perspectives
Moderator: Robert Ward Fletcher, PEng, MSc, PMP, PCIP, Consultant/President, Robert Fletcher System Safety Inc., Ottawa, Ontario, Canada

This will be a free-form discussion moderated by Bob Fletcher, SSS Director of International Development. It is a continuation of the discussion started during the 30th ISSC.

Robert is a system safety engineer with many years of experience. He has performed system safety consultancy services work for several clients around the world. He performed system safety engineering and safety management systems training, auditing and analysis for air traffic control and flight service system applications. Robert has received an MSc from the United States Navy Postgraduate School, a diploma from the Aerospace Systems School, Winnipeg, Manitoba, and a Bachelor of Science degree from the Royal Military College. He is a registered professional engineer, a member of the Project Management Institute and the Critical Infrastructure Institute.

Thursday 08·15·13, 8:00-11:30, Suffolk, Panel

G-48 Workshop - Pressing Issues Facing System Safety
Moderator: David B. West, CSP, PE, CHMM, Systems Software and Solutions Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA

A panel of speakers (TBD) will give a series of presentations on the most pressing issues facing the System Safety community today.

Workshops

Tuesday 08·13·13, 8:00-11:30, Exeter, Workshop

ISO 26262-Style Risk Assessment
Presenter: Jeff J. Joyce, PhD, Critical Systems Labs Inc, Vancouver, BC, Canada

ISO 26262 is a functional safety standard for electronic control systems in road vehicles which includes a novel approach to risk assessment that overcomes the widely recognized difficulty of evaluating the likelihood of failure in the case of software-intensive systems. Although it was devised for use in the automotive domain, this approach to risk assessment has been used successfully in other technical domains that also rely on safety-critical software. Following a brief introduction to ISO 26262, participants will engage in a series of problem-solving small-group exercises based on examples taken from a variety of technical domains, including automotive, medical devices, energy and defense. The workshop will include opportunities for discussion and comparison of sample solutions. The workshop will also include a brief comparison of the ISO 26262 approach to risk assessment with the notion of software criticality in MIL-STD-882E. While this workshop will be of particular interest to system safety engineers in the automotive industry, it is intended to be relevant to system safety engineers across all technical domains with an interest in the assessment of safety risk associated with complex software-intensive systems.

ProgramISSC2013

Tuesday 08·13·13, 1:30-5:00, Exeter, Workshop

Application of System Safety Methods to Systems of Systems
Presenters: Jeff J. Joyce, PhD, Critical Systems Labs Inc, Vancouver, BC, Canada; Rami Debouk, Electrical and Controls Integration Lab, General Motors, Warren, MI, USA; Antonio Vergara, ITER Organization, St Paul-lez-Durance, France

This workshop will facilitate an exchange of knowledge among participants about the application of system safety methods to Systems of Systems (SoS), that is, systems whose components are themselves complex systems, such that the combined behavior of these components cannot be easily understood or explained in terms of the behaviors of the individual components. Examples of such systems are increasingly common across a variety of technological domains, including aerospace, defense, automotive and energy generation/distribution. Traditional methods of system safety, focused on component failure as a source of safety risk, have limited value in understanding and managing the safety risks associated with a SoS. For example, an unforeseen interaction between two “correct” behaviors implemented by different components of a SoS may result in an unsafe behavior even in the absence of a component failure. The first part of the workshop will be a series of short presentations on SoS examples from a diverse variety of technical domains, namely advanced road vehicles, high energy physics and aerospace/defense. The second part of the workshop will be an opportunity for all participants to address specific questions about the application of system safety methods to SoS through dialogue and impromptu mini-presentations.

Tuesday 08·13·13, 1:30-5:00, Fairfield, Workshop

Advancing Safety By Reducing Errors: A Fresh Approach
Presenter: Tim Autrey, BSc, Error Reduction and Human Performance Enhancement, Practicing Perfection Institute Inc, Swanzey, NH, USA

Potential hazards workers face while working in the refining and petrochemical industry can vary from minor leakage to major blasts: release of chemical vapors, spills leading to exposure to harmful gaseous chemicals, fires and explosions, and smoke build-up causing shelter-in-place impacting the local community, personal injuries, fatalities and plant damage resulting in shutdowns. Considering time pressures, the dangerous nature of the job, weather conditions, lack of communication, poor/inadequate documentation and remote working locations, planners, locators and refiners often face combined challenges that generate very error-likely conditions.

While unexpected releases of toxic substances do occur, the industry is subject to vulnerabilities caused by others (such as processes involving highly hazardous chemicals leading to the release of flammable liquids and gases, and worker stress and fatigue), and investigations reveal that many of the major accidents that do occur could have been prevented through greater diligence on behalf of the respective personnel involved.

This workshop is designed to provide the participants the awareness that, as humans, we are fallible (even the best people make mistakes). However, this being said, as humans we also possess the incredible power of choice. What we must do is choose to learn from our mistakes and take actions to prevent their recurrence.

Bird and Germain (1996) rightly said, “What is the sense of measuring if the loss must occur before you can act? That is reaction, not control.” What we need is a fresh approach to enhance safe work practices. This session will instill a strong understanding of “The Gap” in processing information and how to RESPOND rather than REACT when posed with a stressful or threatening situation. The participants will come to recognize the value inherent in worker contribution to solving problems and improving safety and efficiency.

The Practicing Perfection® approach has taken the best-of-the-best tactics and tools from the US commercial nuclear power and airline industries, simplified them, and combined them with underlying triggers and influencers of behavioral psychology to transform worker behaviors pertaining to personal and process safety in different sectors.

Using this innovative approach of Practicing Perfection®, safe work practices will be discussed in-depth using the four human error barrier/defense categories and how these work together to prevent/allow an event to occur. The participants will be introduced to the Error Elimination Tools™ handbook, which offers simple tools for minimizing the potential for error at points of team interaction and individual execution.

Wednesday 08·14·13, 1:30-3:30, Arlington, Workshop

The Evolution of the UK Defence Safety Standards
John McDermid, Professor of Software Engineering at the University of York, UK

Issue 5 of DS 00-56 is being developed and is likely to be in force before the end of the year. The UK's primary defence safety standard, DS 00-56, has been in existence since mid-1990 and has undergone a number of changes, becoming more goal oriented at Issue 4 (the current standard). When Issue 4 was produced, DS 00-55, the MoD software safety standard, was discontinued. Since the publication of DS 00-56 Issue 4 in 2007 there has been feedback on some of the requirements, including the challenges of applying the ALARP principle; defence contracting has changed, with a move towards the greater procurement of services and/or outsourcing management of facilities; and there is increasing use of Systems of Systems (SoS). Issue 5 of DS 00-56 is being developed to address these issues. At the same time there have been increasing concerns regarding software safety, and it has been decided to re-introduce DS 00-55 at the same time, albeit in a goal-based style consistent with DS 00-56 and also covering complex electronics. The tutorial will present an explanation of the motivation for the changes to the standards and the significant conceptual changes, and outline the rest of the development process. Time will be allowed for discussion, e.g. the relationship between DS 00-56 and other standards, both civil and military.

Wednesday 08·14·13, 1:30-3:30, Fairfield, Workshop

Aircraft Fire & Explosion – How Safe Are the Friendly Skies?
Albert Moussa, PhD, PE

While commercial air travel is an extremely safe mode of transportation, aircraft fires and explosions can occasionally occur with catastrophic consequences. Using examples of recent accidents and full-scale testing, Dr. Albert Moussa will provide an overview of the main types of fires, such as those involving aircraft engine, fuel tank, cabin and cargo areas. He will show how major accidents lead to safety recommendations by the NTSB, stricter requirements by the FAA and improved practices by the industry. This process takes many years, leading eventually to safer skies. Examples of safety improvements include the use of a fire blocking layer in seats, improved acoustic insulation, fire detection and suppression systems in cargo bays, and fuel tank inerting. The implications of replacing aluminum with composite materials will also be discussed. The talk is an overview of a unique professional course that he teaches annually on the design of aircraft systems for protection against fire and explosion. The talk is a multi-media presentation illustrated with colorful slides and short video clips of real accidents and computer model outputs.

Dr. Albert Moussa has spent over forty years developing a fundamental understanding of fire and explosion, particularly for the aerospace/defense industry. His work has led to the development of a number of practical solutions and quantitative models and to the investigation of several major national and international aircraft fire accidents. His forewarning about the vulnerability of aircraft fuel systems before the occurrence of the TWA 800 and Concorde disasters has gained him prominence in the general media in both the US and Europe. He has consulted for the Air Force, Navy and major firms such as Boeing, GE, Northrop Grumman and Parker Hannifin, and has served on national advisory committees and on the Editorial Board of an ASME Journal. He teaches a unique professional design course on how to protect aircraft systems against fire and explosion. He received his BS from Stanford University and his MS and ScD from MIT. He has published widely, including one book. He has received several honors, including the William Littlewood Memorial Lecture Award by SAE/AIAA, Engineer of the Year by AIAA NE Section, best papers by SAE and ASEI, AIAA Distinguished Lecturer, and several ASME citations. He is the Founder and Technical Director of BlazeTech Corp, an engineering firm that specializes in technology and software development in the area of energy, environment and safety.

Friday 08·16·13, 8:00-10:00, Clarendon, Workshop

Process Safety Culture Best Practices
Presenter: Laurence Pearlman, MA, Corven Inc and University of Illinois at Urbana-Champaign, Naperville, IL, USA

The workshop explores how process safety is more than a technical solution and involves cultural change. To make a successful and sustainable culture change, multiple elements need to be combined that address people, rewards, learning and leadership. This workshop will explore best practices and give practical advice on how to build a process safety culture. The workshop is aimed at Oil, Chemical and other process related work.

• Introduction
• Change as a Journey: Overview of Change Management
• Building a Business Case: Defining a Burning Platform
• Speaking of Process Safety: Creating a Common Language for Process Safety
• Leadership Matters: Defining the Role of Your Leadership Teams
• Effective Learning: Segmenting Your Audiences and Delivering Relevant Learning Activities
• Looking at Behaviors and Desired Outcomes: How To Define & Drive Behaviors
• The Employee Lens: Know My Barriers & Know My Role in Keeping Them Healthy
• Measurement of Culture: What Works and What Doesn't
• Wrapping it Up: Change as a System

You have a lot on the line. Our adaptive Safety Management and FAA Compliance solutions won't let you down.

Adaptive SMS: The comprehensive solution for the most efficient implementation
• Extends a culture of safety beyond safety teams
• Easily guides users to confidentially report useful safety events
• Responsiveness shows users they made a difference

Adaptive Systems Safety Analysis: Safety oriented system design analysis

Don't miss the Sikorsky Aircraft and AST Aerospace presentation “Linear Integrated Safety Analysis (LISA)”

AST Aerospace, a division of Atlantic Software Technologies
1-732-230-2590
sales@astaerospace.com
www.astaerospace.com

Paper Presentations

Monday 08·12·13, AM, Berkeley, Hazard Analysis, Chair: Barondes

Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models
Lucas Wind, Dr. Gabriele Schedl, Juergen Floetzer, Safety Management Department, Frequentis AG, 1100 Vienna, Austria

Multiple failures of components due to shared causes, also known as Common Cause Failures (CCF), comprise an important class of failure types. These have to be taken into account in any serious assessment of safety critical systems deploying any redundancy concept. Whereas a qualitative assessment of CCF can be regarded as common practice, the exact numerical impact of CCF is usually less widely understood. Explicit representation of CCF is quite cumbersome and usually involves complex graphical representations within Fault Trees and RBDs. Focusing on a correct derivation of RAM-data rather than on a comprehensive common cause analysis, an implicit representation of CCF is therefore often preferred, but involves in-depth knowledge of the underlying mathematical models. This paper aims to enable safety experts to make a fast, simple but effective RAM-analysis including CCF. Popular CCF-models are reviewed together with their advantages and disadvantages, based on the long-term experience of a supplier in the context of a large European ATM-project. The single parameter beta-factor model is explained in detail and demonstrated to be most effective for typical ATM-applications. Based on this model, results are given in terms of representative figures depicting the influence of CCF on various typical real world availability requirements.

Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees
Wes Rainey, MSEE, Life Cycle Engineering, General Dynamics Electric Boat, Groton, CT, USA

Fault Trees prove to be an effective tool for identifying safety critical system hardware and software requirements during the Safety Requirements Hazard Analysis (SRHA) process. This safety analysis methodology offers significant benefits when performing the SRHA. Fault Trees effectively communicate the safety assessment of a safety hazard to other safety engineers, systems engineers, the customer and other impacted engineering disciplines in a manner that each discipline can readily understand and evaluate for completeness and correctness. Fault Trees also enhance the safety engineer's ability to assess the implications of safety mishaps and events on safety hazards, improving visibility into the relationship between related mishaps and events and allowing for common events to be identified and shared between hazards. Fault Trees can then be structured to correspond to the system hardware and software requirements analysis, thus providing the ability to identify hazard mitigating safety critical requirements, design features and procedures early in the development process for continued tracking and management. This paper describes significant benefits of Fault Tree analysis when applied to an SRHA, with an example based upon a hazard caused by significant equipment damage to a pump.

The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment
Omar T. Jaradat, PhD Student (1); Patrick J. Graydon, Postdoctoral Research Fellow (1); Iain Bate (2). (1) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden; (2) Department of Computer Science, University of York, York, United Kingdom

Typical safety standards require software engineers to show that a plan of safety activities, chosen from recommended options or alternatives, meets a set of objectives. For example, the automotive safety standard ISO 26262 recommends formally verifying software architectures to show that they comply with safety requirements. In this paper we show how an existing approach to architectural model checking could be used to conform to ISO 26262.

The Architecture-Based Verification Technique for AADL Specifications verifies some completeness and consistency properties of Architectural Analysis and Design Language (AADL) models. An engineer transforms the AADL architecture into an UPPAAL model, generates a set of UPPAAL queries and uses UPPAAL to check the queries. Using the resulting evidence, we have created a partial ISO 26262 safety case for an existing system that warns drivers of heavy vehicles before low fuel causes loss of power and vehicle control.

In this paper we demonstrate how this model-checking evidence contributes to an ISO 26262 safety case. We then critically analyze the resulting argument, recommend means of achieving complete coverage of ISO 26262 objectives, and discuss the costs and benefits of architectural model checking in comparison to those of the other techniques recommended by ISO 26262.

Monday 08·12·13, AM, Clarendon, Ground Transportation, Chair: Millin

Achieving Confidence of a Safety Critical System Product and Its Applications
Fenggang Shi, PhD, RAMS Department, Thales Canada Transportation Solutions, Toronto, ON, Canada

A safety critical system product can be developed for multiple project applications, such as a Communication Based Train Control (CBTC) product for modern railway signaling systems. It is natural that different safety critical systems in the same domain can have different characteristics due to variances of devices and operation environment. Such a product must be developed based on the generic attributes of systems in the domain and can be parameterized and tailored to a specific system with the characteristics expected by the customer. The key issues in development of such a product are defining common functions in the application domain, categorizing and generalizing devices, and designing a configurable system architecture. Thus devices and functions can be parameterized and tailored for a specific system of a project. Safety engineering for such a safety critical system product and its applications faces complexity in safety case development for demonstrating systematic hazard analyses and management. This paper discusses Thales' experience and practice of resolving the key issues in designs and managing the complexity of safety engineering on its CBTC product and applications. Safety confidence of CBTC systems is achieved through four layers of safety engineering: vital computer controller, platform, generic application and specific application.

Failure Logic Automata for Future Oriented Safety Assessment of Train Control System
Guo Zhou, PhD Student; Huibing Zhao, Professor; School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China

In the development process of a train control system, safety analysis possibly deviates from system design. System engineers and safety engineers always carry out their ideas in entirely different ways, so that when system engineers assert their designs are completed and feasible, the safety engineers may disappointedly declare that the safety requirements are not met. On the contrary, when safety engineers expose their manual analysis reports (FTA and FMECA, etc.), system engineers may pop up and point out the inconsistency. Intuitively there seems to be a “gap” between system engineering and safety engineering. In this paper some comparisons amongst classic safety assessment methods are performed first. Then a future oriented safety assessment method is introduced to safety engineering to automatically realize safety requirements verification with the soaring complexity of system design. The hierarchical and modularized methodology of failure logic modeling is illustrated for minimal cut sets synthesis and dangerous failure rate calculation, which can be referred to in order to promote safety. The mathematical model is constructed to manifest the correctness of the method. An instance analysis of an on-board train protection system is also performed.

Are We Ready for Driverless Cars?
David B. West, CSP, PE, CHMM, AMCOM/AMRDEC Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA

For decades technological advancements have continually improved the automobile, making it easier to drive. As we integrate features like adaptive cruise control, GPS navigation, lane keeping and so on, and make them interoperable, we move ever closer to having cars that will drive themselves to the destinations we enter into their programs. Some experts have even predicted that in less than a generation it will be illegal to steer our cars ourselves. Though it may seem that serious safety challenges constrain our movement down this path, it may actually be the safety benefits offered by driverless cars that propel us in this direction. Several high-profile competitions have fostered the development of driverless car technology. Some jurisdictions are already passing legislation to pave the way for driverless cars on public roads. With driverless cars will come major changes in legal processes involving accidents. In many ways the development of driverless cars that will operate on public roadways parallels the development of unpiloted aircraft that will fly in the national airspace. Design standards for hardware and software in civil aircraft (e.g. RTCA DO-254/DO-178) may serve as models for similar qualification of driverless car hardware and software.

Tuesday 08·13·13, AM, Berkeley, Hazard/Risk Management, Chair: Parizo

Safety is not an Option
Clifford A. Parizo, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Stratford, CT, USA; R. Brandon Daugherty, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Huntsville, AL, USA

This paper presents a method for evaluating and classifying rotorcraft safety enhancing equipment in terms of impact on safety and various equipment implementation factors. Guidance from certifying agency policy and system safety standard practice were considered, resulting in a classification tool that can be used to determine if equipment should be marketed and sold as either mandatory or optional. The methodology developed may have applications for other products and industries.

National Aerospace Standard 411 Update
Timothy Sheehan, CIH, CSP, PE, Raytheon Global Substances Program, Raytheon, Portsmouth, RI, USA

This paper describes the effort to review and update National Aerospace Standard 411 (“NAS 411”), commonly used within defense as a framework to conduct Hazardous Material Management Programs (HMMP) intended to reduce hazardous material risks in the government procurement of military systems. The scope of the effort includes both a review of the standard and the introduction of several key changes, including the expansion of the scope to non-military procurements and service contracts. Included in the effort is the task of developing a standardized military Hazardous Materials Target List (HMTL) that can be used as a starting point for military HMMP hazardous material (HAZMAT) target lists. The development of the common HMTL addresses the need to increase standardization of HMMP lists across defense programs that use NAS 411 and/or MIL-STD-882E Task 108 to conduct their HMMPs. There is currently no standard approach for developing these lists; as a result, there are numerous different materials identified for restrictions and reporting requirements. The current situation often does not support (or reflect) the hazmat risk management goals of the DoD, the military services or the contractors.

Linear Integrated Safety Analyses (LISA)
Michael T. Grant, Aviation & Product Safety, Sikorsky Aircraft Corp, Stratford, CT, USA; Samad Muhammad, Atlantic Software Technologies Inc, New York, NY, USA

This paper describes the Linear Integrated Safety Analyses (LISA) process developed by the Sikorsky Aircraft Corporation (Sikorsky). The LISA architecture is designed to encompass all aspects of safety risk management for aircraft development programs. It is linear in that each assessment is repeated at the aircraft, system and subsystem levels in sequence, and it is integrated such that all analyses are connected and fully traceable to requirements. Sikorsky has partnered with Atlantic Software Technologies (AST) to develop a web-based LISA application. The end product will be a fully integrated system safety process that is comprehensive, repeatable and traceable.

Tuesday 08·13·13, AM, Clarendon, Workspace Safety, Chair: Kondreck

Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen
Han Zhang, MSc Candidate; Rachel McQueen, MS, PhD; Jane Batcheller, PhD; Human Ecology, University of Alberta, Edmonton, Alberta, Canada

Burn injuries in kitchens are prevalent; as well, chefs are exposed to high heat and humidity. Limited research has been performed on safety issues related to chef's uniforms regarding thermal protective performance towards common kitchen thermal hazards (i.e. flames, hot liquids, steam and hot surfaces) and the thermal comfort within commercial kitchens. The purpose of this research was to characterize the thermal protective performance properties of textiles used in chef's uniforms in order to understand how protective they are against all these thermal hazards in such an environment. Selected thermal performance tests (i.e. flammability and ease of ignition, hot water and oil splash, steam testing under low pressure, and hot surface contact tests) were applied to predict the time to second-degree burn. Different fabric layer combinations (e.g. impermeable/semipermeable apron and two or more layers of cotton fabrics) were applied to determine the most effective way to wear chef's uniforms. In addition, thermal and water vapour resistance were compared among different fabric systems in terms of thermal comfort. Based on the data obtained from bench scale tests, recommendations were made to improve the thermal protection and thermal comfort of fabrics used in chef's uniforms and the safety within commercial kitchens.

A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources
Ray Fischer (1); Kurt Yankaskas, BS (2); Chris Page (1). (1) Noise Control Engineering Inc, Billerica, MA, USA; (2) Warfighter Performance Department, Office of Naval Research, Arlington, VA, USA

Noise remains the most prevalent occupational hazard associated with defense systems and operations critical to their sustainment. Concurrently, acquisition programs have been inconsistent in application of control measures, and many new systems are noisier than their legacy predecessors. Common impediments to improved control include relative lack of emphasis on risk management of noise, lack of widespread technical knowledge regarding the feasibility of noise control, and misunderstanding of potential return on investment from noise controls. The Defense Safety Oversight Council's Acquisition and Technology Task Force sponsored a project to identify common noise sources affecting multiple defense systems that were amenable to control measures that could be implemented using existing technologies at an affordable cost. A system engineering risk management process was applied to review key noise sources in DOD, identify nine of the more common sources amenable to control technologies, and describe common control measures for these processes. An affordable containment (acoustic enclosure) technology was also evaluated and described. Estimates were made of exposed populations, the range of their occupational exposures, and potential risk and fiscal cost of hearing loss. Cost-benefit analyses were applied to evaluate the return on investment from available control measures.

System Safety Design for Safe Operation of Radars
Ronald J. Bartos, PE, CSP, Whole Life Engineering, Raytheon, Sudbury, MA, USA

Safe operation and maintenance of radars depends upon effective system safety and software safety analyses of radar designs. These analyses include identification of the hazards involved in operating and maintaining radars and the safety requirements that are necessary to mitigate these hazards. This paper familiarizes the reader with the system safety design requirements that are implemented in the controls of these systems in order to manage the potential safety risks inherent in radars. The safety features are contrasted among different types of radars. The differences in the types of safety features among these systems are highlighted, and factors for these differences are presented. The radar's mission, location, system architecture, conceptual design and requirements allocation between hardware and software need to be understood in order to implement an effective safety program.

Tuesday 08·13·13, PM, Berkeley, Software Engineering, Chair: Mikula

Dependability Techniques Applied to Space Software - A Research Project Report
Carlos Henrique Netto Lahoz, Dr. Eng., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos (SP), Brazil; Martha Adriana Dias Abdala, MS, Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos, Brazil

This work reports some results of a research project performed at the Institute of Aeronautics and Space (IAE), Brazil, using dependability techniques applied to a space computer system. Hazard analysis techniques such as Software FTA and Software FMECA were used in an integrated manner, and more recently the System-Theoretic Process Analysis (STPA) has been studied. This research is part of the Verification and Validation (V&V) efforts to increase software dependability capability in software projects at IAE.

The feasibility of such an approach was conducted on system software specification and applied to a case study based on the Brazilian Launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to inclusion of new functional and non-functional system software.

The techniques are adjusted and used in combination to identify common causes of software failures, its criticality, performance problems, temporal misleading and hazards arising mainly from dysfunctional interactions between components. The SFTA analysis produced 82 basic events and the SFMECA 34 analyses from the sequence of flight and control events. The STPA is being applied to one of the case study scenarios in order to evaluate possible additional information about how the behavioural safety constraints can be violated.

The Principles of Software Safety Assurance
Richard Hawkins, PhD; Ibrahim Habli, PhD; Tim Kelly, PhD; Department of Computer Science, University of York, York, United Kingdom

We present common principles of software safety assurance that can be observed from software safety standards and best practice. These principles are constant across domains and across projects and can be regarded as the immutable core of any software safety justification. The principles also help maintain understanding of the ‘big picture’ of software safety issues whilst examining and negotiating the detail of individual standards, and provide a reference model for cross-sector certification.


Formal Modelling in the Development of Dependable Systems
Elena Troubitsyna, PhD, IT, Åbo Akademi University, Turku, Finland
Nowadays we tend to place increasing reliance on computer-based systems and the software they are running. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, the analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.

It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing of software to the required degree of dependability infeasible, and hence the emphasis should be put on the development process, which is aimed at producing fault-free software. Moreover, the system environment has a direct impact on its dependability, and hence a systems approach should be applied.

In the paper we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.

Tuesday, 08/13/13, PM, Clarendon: Aerospace Safety (Chair: Kraemer)

Systems-Based Approach to Flight Safety Management in Airlines
Hong Chi, PhD; Baoguang Xu, PhD; Mingliang Qi, PhD; Xueyan Shao, PhD; Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China
Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of SMS. Since 2006 we have worked with one of China's 3 big airlines, taking part in its construction of SMS. We find that safety risks have their own features in different airline departments, and divide safety risks into two categories: one is caused by factors such as quality of pilots and reliability of airplanes, and the other is caused by misprocessing through operational processes; for example, a misprocessing in data entry during dispatching may lead to insufficient fuel and then serious outcomes. A reasonable risk assessment can be obtained only by systematic mechanism analysis, and other analytical approaches need to be studied besides the risk matrix. Based on this, effective risk mitigation can be implemented in airlines. We develop a closed loop to support the airline's flight safety management, named "Describing-Assessing-Diagnosing-Improving-Tracking". Specific details will be discussed in this paper.

Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch
Burak Durmaz, MSc Eng, Product Assurance Department, Space Systems Group, Turkish Aerospace Industries Inc. (TAI), Ankara, Turkey
Even if the new generation aircraft have rugged designs which maximize reliability, exposure to failures during operation is still indispensable. With a pure safety approach one can lead to the classical result: "the safest aircraft is the one in the hangar". Vice versa, allowing dispatch without ensuring a certain level of safety can lead to catastrophic results and is totally not acceptable. MMEL has been answering this dilemma for many years. Each MMEL item is analyzed taking into account the effects of item inoperability on safe flight and landing, crew workload, functional capabilities of the systems, design margins, and the impacts due to the next critical failure. MMEL proposes dispatch criteria for any inoperative MMEL item by taking credit from a redundant unit which is capable of accomplishing the same function, the backup data provided by alternative sources or equipment, dictating acceptable limitations and/or requiring operational or maintenance procedures.

This study aims to answer questions such as why MMEL is required and how an MMEL is developed. Also, brief information about the MMEL regulations, the importance of MMEL to ensure safe dispatch with inoperative item(s), and some simple examples regarding MMEL applications are going to be provided.


Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics
Stuart Campbell Sr., MAS, CFII, ATP, Aeronautical Science, Embry-Riddle Aeronautical University, Daytona Beach, FL, USA
The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilot Association, 2010). The absence of a positive safety culture in general aviation, to include training organizations, affects pilot judgment and decision making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture during the learning process and training, is of importance and currently under study using the Frasca Mentor Advanced Aviation Training Device.

Tuesday, 08/13/13, PM, Dartmouth: Software Safety (Chair: Schmedake)

Safety and/vs. Security: Towards a System Engineering Approach for Trust
Erwin Schoitsch, Dipl.-Ing., Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria
Safety has a long tradition in many engineering disciplines, evolving long before computers arrived on the scene. Security in engineering disciplines has a shorter history, becoming increasingly important with the rising complexity of networked systems. In complex cyber-physical systems and systems-of-systems, both worlds, having ignored each other for a long time (independent communities, different targets, standards, techniques and measures), have now to share their concerns to achieve the real goal of users and stakeholders: trustworthy systems.

The paper will compare the different approaches of the major safety and security standards, particularly with respect to setting goals, considering techniques and measures, and qualification/certification. Holistic system aspects, as covered by the notion of Dependability and Resilience as umbrella terms, and system engineering aspects, taking into account dichotomic properties of complex embedded systems (commonalities and trade-offs), are looked at to try to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from concept phase hazard and risk analysis to decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC-FP7 Integrated Project OpenCoss, IEC/ISO standardization groups, and other work.

Anatomy of a Safety Critical Software Function
Richard Church, Raytheon Company, Tewksbury, Massachusetts, USA
This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides a clear and concise determination of how a safety critical function may be defined at the system level to include hardware, software, human interactions, and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose SLSCF computing level functions and details what constitutes a Safety Critical Computing Software Function (SCCSF) and how to identify those behavioral attributes that designate that function as safety critical. This paper provides a methodology to identify, decompose, and categorize application and operating environment SCCSFs. For the purpose of this paper, SCCSFs are categorized into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety critical software functions that control and monitor safety critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies, and fail-safe designs found in successful high consequence safety critical systems.

Software Risk: The Third Rail of Safety Analysis
Holly S. Hildreth, PhD, Consultant; Charles "Greg" Elcock, USN-R Aviator, Consultant; San Diego, CA, USA
"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Due to our inability to assess probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called "throwing the baby out with the bath water". Meanwhile, the recent industry trend to assess software risk based solely on implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss shortcomings of this trend and describe alternative techniques that have not been openly documented but that have been used "under the radar" by software safety professionals for many years.

Wednesday, 08/14/13, AM, Berkeley: Human Factors (Chair: Robins)

ASL: Affective Safety Leadership
Ulrik Ramsing, Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark
Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how", demanding the CoRep to engage with all parties in a safe, professional and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged with CfL Centre for Leadership to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, of which the satisfactory completion is now a requirement for employment in DONG E&P Offshore Operation as Company Representative.

The CoRep Program satisfies its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors, and ILO-driven offshore coaching.

Exxon Valdez: Human Error, Plain and Simple
Arthur D. Barondes, BS (Mil Engr), MS (Aero), MBA, PhD (ABD) (Business), Analytics International Corporation (AIC), Alexandria, VA, USA
Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989, and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors (there were no mechanical or electrical failures that fateful night), the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots, and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors, onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company, as solely responsible for the disaster.


Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A. Vernacchia, MS, PE, Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A. Green, PhD, Active Safety Systems, General Motors, Warren, MI, USA; Robert E. Llaneras, PhD, Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA
Today's electric propulsion system designs (e.g., Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, some failure modes may result in the failure effect on output torque being realized significantly faster than traditional ICE failure modes. These may present differences in how output torque responses impact potential "Driver Startle" events.

This paper compares electric propulsion systems' fault response characteristics and subsequent detection and mitigation capabilities to those of ICE systems. The effects of the electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle level hazard metrics related to Driver Startle, are presented.

Wednesday, 08/14/13, AM, Clarendon: Public Safety (Chair: Fletcher)

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD; Yun Luo; Shuo Tian, MS; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
Making scientific precaution and effective control of accidents is important for the national production of China. The famous Heinrich Rule reveals that the statistical law of the severity and frequency of accidents is essential to control accidents, but the accidental source and causation, as well as the essence of systematic safety factors, haven't been stated deeply. With the data analysis from various accident statistics over recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. And then a proportion rule of the accident pyramid is further figured out, namely "Major Accident-Fatal Accidents-General Accidents-Hidden Dangers-Hazards" (1-52-240-4700-∞). The result accords with the traditional Heinrich Rule, which provides the theoretical basis for accident prevention and indicates the way and direction of realizing essential safety.

Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity
Ilya M. Zheleznov, PhD, VNIIA, Moscow, Russia
The paper presents a review and results of analysis of different technical and economic aspects of industrial safety at the large enterprise with distributed sites, combining R&D works with pilot and batch production of high-tech products, and located in a megacity, Moscow.

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to the optimization, considering minimization of transportation of dangerous substances, localization of treatment facilities (waste effluents, gas purification) and storehouses of waste, localization of systems of working conditions maintenance (heating, air-conditioning, air clearing, water supply, etc.), possible harm to the population, and a number of other factors, both from technical and economic points of view, are considered.

The features connected with the arrangement of the enterprise in a megacity, including such as limitation of the areas for treatment facilities, a high saturation of the area by various communications, small distances to residential buildings and objects of the city infrastructure, transport problems, high impurity of the air environment, etc., are allocated.


Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr. Professor G.A. Smirnov, Dr. D.I. Yurkov, D.V. Syagin, T.V. Kozhina, All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia
The paper reviews the questions related to vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including ones of a terrorist orientation, as well as to emergency situations of natural and anthropogenic character.

Main provisions of the Russian Government approved complex program of safety of the population on transport are presented. Approaches to the organization of examination of physical persons, passengers, vehicles, cargoes, luggage and personal things on objects of the transport infrastructure of undergrounds of Russia are formulated. Some types of neutron and x-ray equipment for detection of explosives, nuclear materials and drugs, designed and produced by VNIIA named after N.L. Duhov, are presented.

Wednesday, 08/14/13, AM, Dartmouth: Lifecycle Safety (Chair: Swallom)

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore, Singapore
System Safety analyses assess the systems' hazards throughout all phases of the system life cycle. Quite often, details of maintenance tasks on systems were not clearly thought out and assessed. Hence, while in the midst of carrying out system maintenance tasks, hazards could arise and pose safety implications to users. Improper maintenance could also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance and sometimes total replacement of the components at regular intervals are required. Therefore, it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety critical or safety related parts is also crucial in ensuring that the systems remain safe for operation after conducting maintenance.

This paper attempts to classify the different types of maintenance and the focus of their respective hazard analyses in order to better address their potential hazards. Generally, there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance, and Reliability-Centered Maintenance. The authors will discuss, with examples, the hazard analysis for each of these types of maintenance.

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram, David Hartfelder, Electronic Controls and Software, General Motors Company, Milford, MI, USA
System safety engineering is the application of special technical methods and managerial processes in a systematic manner to identify, evaluate, and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned with eliminating or minimizing the impact of system hazard(s) to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementing critical safety analyses, tests, and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that it is able to influence the design of the system. This paper will define a system safety case and provide an overview of its development within the GM system safety engineering process as they apply to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA
Error Prevention Event Collection (EPEC) Documents have been beneficial to the ULA Organization in many ways, by providing multiple methods to augment current ULA Error Prevention Processes and share Lessons Learned throughout the ULA Organization. EPEC Documents are stand-alone documents that provide ULA Personnel with categorized sets of Event information that can be used to augment Preventive Analysis, Reactive Analysis, and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process. This means that they have completed the Causal Analysis, Corrective Action Board, and Error Prevention Council processes. Upon Event closure, the "All Items" Database is populated with Event information and the applicable Event EPEC Categories. Then the "All Items" Database automatically sorts Event entries into "Category" Databases. There is one "Category" Database for each EPEC Category. Each "Category" Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" Database that provides users with instructional use, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications, and benefits will continue to be explored as they relate to the EPEC Documents.

Wednesday, 08/14/13, AM, Exeter: Human Factors II (Chair: Flint)

Development of Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy; Yanyan Wang, DE; Xin Liu; Wei Bai; Xinsheng Guo; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress adversely affects flight safety. Life events are a routine item of aircraft accident investigation in many countries. A lot of pilots involved in accidents were suffering from life events. In order to acquire the ideal effect, flight safety education must be incorporated with psychology. An education program combining flight safety and psychological stress was developed by summarizing relative psychological factors of aviation risk perception. The program includes three sections, which are: psychological measurement relative to safety and results feedback; education on representative risk scenes in aviation; and occupational stress management. The Aviation safety locus of control scale and the hazardous aviation attitude questionnaire were used to evaluate risk pattern. The results were fed back to pilots to improve their self-knowledge. Representative risk scenes were based on the five hazardous attitudes theory. Fifteen cases were developed and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach the pilots stress management skills. The program can be applied to improve flight safety and mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD; Xin Liu; Wei Bai; Xinsheng Guo; Qingfeng Liu, MPsy; Xiaochao Guo, DPsy; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
The capabilities of crew resource management (CRM) directly relate to flight safety and run through the whole process of flight tasks, but there are still no indicators and methods for the dynamic management and assessment of crew resources in China currently. In this study, a theoretical system of CRM and the pilot's behavior characteristics of dynamic CRM were developed based on AC-121-FS-2011-41 crew resource management training and by analyzing the influential factors; thus, eventually, the dynamic assessment training indicators and methods of crew resource management were formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis of assessment on CRM during flight training, which is helpful to improve the CRM capabilities of the double drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD; Erin Collins; Hughes Associates Inc., Baltimore, MD, USA
The fire protection response in selected facilities is characterized by "manual" activities. That is, facility personnel are trained to immediately react after fire detection, not only to announce the fire event throughout the facility using the communication systems, but to also suppress the fire as quickly as possible. Contrary to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e., hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper involves an integration of an event tree analysis and HRA, which includes treatment of the following detection and suppression activities: Prompt detection and suppression, Rapid detection and suppression, and Fire brigade suppression.

Wednesday, 08/14/13, PM, Berkeley: Safety Topics (Chair: Gauthier)

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou, BEng, MSc, PhD, CEng; Matthew Luckcuck; Tim Kelly, PhD; Richard W. Jones, PhD; Department of Computer Science, University of York, York, United Kingdom
There has been an increasing use of IT in healthcare, aiming to improve the healthcare quality as well as the safety delivered to patients. IT can contribute to improvement in meeting the performance targets of hospitals by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent in medical devices (e.g., pacemakers), for which there are organised efforts for international standards. Recently there have been attempts to systematise and standardise the safety analysis of health IT systems, with examples such as the UK National Health Service standards asking for a safety case that any IT systems are safe.

The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety and data intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these (tactics) can be used to provide assurance to the final safety case of the system.

How Complex Systems Fail I: Decomposition of the Failure Histogram
Richard R. Zito, PhD, Richard R. Zito Research LLC, Tucson, AZ, USA
Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that in general the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model. And the failure histograms (failure rate vs. time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report will take the Peterson/Arellano analysis one step further. A unified theory of failure rates will be presented that removes the paradoxes of the simple Rayleigh model. It will be shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function law.

Wednesday, 08/14/13, PM, Clarendon: Risk Assessment (Chair: Karedes)

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt; Joan Pham, PhD; Sikorsky Aircraft Corporation, Stratford, Connecticut, USA
The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday, 08/15/13, AM, Berkeley: Space Systems (Chair: Durmaz)

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X. Dang, BSCE (1); Myles P. Moran, BSME (2); Tyrone Jackson, BSEE (1); (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA
A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. For example, one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 AFSPC SUP1, 91-217, and 63-101. AF program offices are required to comply with AFI policies; AFIs don't generally apply to the contractor except as implemented through the contract. Often, program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that by having two sets of requirements, AFIs for program offices and MIL-STD-882-Tailored for contractors, full compliance with AF Orbital Safety policy should be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question: "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"


Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G. McDougall, BS Physics, Naval Post-Graduate School (NPS) Master System Engineering, System Safety Center, SMC/SE, El Segundo, CA, USA; Tyrone Jackson, BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA
Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommission, and disposal of systems, subsystems, end items, and services during the entire space system lifecycle to support Operational Safety, Suitability, and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements that are applicable to the acquisition of space systems or space system of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems, and user equipment systems. SMC-tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP_I, and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process of evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing tasks and activities required to execute a viable system safety program that include risk acceptance package development, hazard tracking, mishap risk disposition, and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch, CO, USA

United Launch Alliance launches Atlas V and Delta IV from Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles, and large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle and prelaunch operations, until liftoff. Range Safety regulations provide safety requirements for hardware, software and operations to ensure safety throughout ground processing. This paper will examine each stage of the ground processing for space launch and the applicable safety requirements, and discuss how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after the personnel are cleared, using safety critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday, 08/15/13, AM, Clarendon: Weapons Safety. Chair: Southwick

Security Critical Software — the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S. Alborzi, PhD, Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA

Today's political landscape, the arbitrary abandonment of non-proliferation of nuclear weapons by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense of system safety. This paper intends to explore this integration and unveil some of the security critical software that can serve as the first line of defense for preserving the safety critical features of our weapons systems.


Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams, BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello, BSChE, Navy NOSSA, Indian Head, MD, USA

The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance provided in the associated AOP-7 and AOP-39 for implementing policy. Questions are often raised during program development and reviews as to the origin and applicability of the tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, will only address Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE; Gunendran Sivapragasam, MBA SE; Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA

A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among the characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday, 08/15/13, AM, Dartmouth: Hazard Identification. Chair: Oliver

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore

We often ask ourselves why accidents or mishaps happen even when the system safety methodology and assessments are in place. Accidents happen due to many possible causes: there could be lapses in the safety integrity of the system, or a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns, where a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations that were faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practices in system safety. There are 4 areas of concern highlighted in the paper: Interfaces, Prototype Tests & Trials, Maintenance & Disposal, and Human Error. By identifying the gaps in these 4 areas, the author explores and proposes mitigation measures that could possibly close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr. Cand. scient., System Safety, SINTEF, Trondheim, Norway

Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body (for certification according to IEC 61508), a Notified Body (for certification according to relevant EU directives) and a Manufacturer.

Experience has shown that, to deliver the product in time and to be cost-effective, it is very important that the Manufacturer and the Certification and Notified Body agree about basic principles concerning the plans, contents, traceability and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Body as evidence.

This paper presents the CoVeR method that has been developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, that costs are minimized, that time to market is reduced, that the certification process is complete and well documented, and that updating the certificates requires less work. The certification experiences to date show that many of the problems with conventional methods are improved upon.

Design with Safety Eye
Barış Berk Erdem, MS; Pinar Aydin, MS; Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey

Deriving safety requirements in the early stages of the design is one of the most important key factors for conducting a successful development process for any project. While well-defined, correct, consistent and complete safety requirements improve and guide the design to perfect levels with minimum effort, defective, inconsistent and incorrect safety requirements may lead to unsuccessful, overweight and over-cost designs. In this paper the ways and advantages of deriving qualified safety requirements in the early stages of the design will be discussed via examples. Safety requirements are derived using the results of the safety assessments, based on the consequences of functional failures. But the quality of safety assessments depends on the maturity of the design, and as the design matures it is hard to change and implement the changes, which causes a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated and familiar with similar projects provides great contributions. Also, a safety perspective throughout the design team makes it easy to derive valuable safety requirements and build these requirements into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is the cooperation of the whole design team with a safety perspective.

Thursday, 08/15/13, PM, Berkeley: Aerospace Software. Chair: Beecher

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway, NASA Langley Research Center, Hampton, VA, USA

For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements". Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments contained in or implied by the DO-178C guidance that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels and Baconian probability. We define use cases for confidence in safety cases, prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for the reuse of safety elements.

Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System
Eric Yang, PhD; Richard Y. Xie, PhD; Arash Yousefi, PhD; Metron Aviation, Inc., Dulles, VA, USA

As demand for military, civilian and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety that is set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper we adapt a previously developed safety modeling framework, Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS, incompatibility of sense-and-avoid systems of UAS and Tactical Collision Avoidance Systems (TCAS) of manned aircraft, loss-link procedures in the UAS, and the UAS loss of communication with air traffic control. The findings of this study provide insight into the potential risks of UAS integration and may support development of concepts of operation, establishing minimum performance standards, and developing required safety nets.

Thursday, 08/15/13, PM, Clarendon: Public Safety II. Chair: Laabs

Integrating System Safety and Emergency Management
Terry L. Hardy, Great Circle Analytics, LLC, Denver, CO, USA

System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations, or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore organizations may not be taking full advantage of the skills, experience and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS, HSE, Marine Well Containment Company, Houston, TX, USA

Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess and Statoil. In February 2011 MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS and Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach for working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.

WHAT ARE YOUR STRENGTHS AS AN ENGINEER?

"thinking system-wide" · "providing in-depth analysis of the latest technologies" · "solving real-life problems"

ONLINE MASTER'S DEGREES
• Reliability Engineering
• Project Management
• Nuclear Engineering
• Sustainable Energy
• Energetic Concepts
• Fire Protection Engineering

LEARN MORE: www.advancedengineering.edu/issc


A Taxonomic Analysis on Chinese Special Equipments "Yinhuan" in Supervision
Yunxiao Fan, Dr., Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety in the worksite. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices and automobiles. In recent years the rapid increase in the numbers and types of special equipment has brought BSES increasing stress on special equipment regulation. As a government supervision organization, BSES tries to make the inspection tasks of the different supervision levels explicit and efficient, and to improve safety management performance from the viewpoint of risk. This research is the first task in a project which aims to identify yinhuans in special equipment supervision using a taxonomic approach, for further ranking them through risk assessment. Based on nonconformity and the 4 elements in the accident causation model, this research defined the yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. The research identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans across 8 types of special equipment.

Thursday, 08/15/13, PM, Dartmouth: Hazard/Risk Management II. Chair: Kniess

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1); Patrick J. Graydon, PhD (2); Rikard Land, PhD (1). (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework including analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence, it can ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA

United Launch Alliance (ULA) believes error reporting is the corner-stone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012 ULA experienced an elevated number of transportation-related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if the associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates processes were "in control" during the period of this study.

Even though statistical analysis tools demonstrated ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.

Isograph Software: World Leading Reliability, Availability and Maintenance Software
Reliability Workbench: Reliability Allocation, Prediction, FMECA, Fault Tree Analysis, Event Tree Analysis, Markov
Availability Workbench: Reduce Labor & Spares Costs, Increase uptime and output, Seamless integration with SAP and Maximo
www.isograph-software.com

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, P.Eng., MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece

Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how STAMP Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents and incidents. The objective is to show the feasibility of establishing in airports system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems and airports to assess and predict changing levels of risk.


SPECIAL FUNCTIONS

Saturday
SSS Executive Council meeting, 12:00 - 5:00pm, Tremont Room

Sunday
SSS Executive Council meeting, 8:00am - 5:00pm, Tremont Room

Monday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Opening Ceremonies / General Session, 1:30 - 3:30am, Salons A-E. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus. Keynote Speaker: James P. Keller, Jr., MS, ECRI Institute

Tuesday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Sponsor/Exhibitor Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology
Sponsor & Exhibitor Reception, 6:30 - 8:30pm, Gloucester Room

Wednesday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
International Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK
Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00pm. Be in the hotel lobby at 6:00pm

Thursday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Awards Luncheon, 11:30 - 1:20pm, Salons A-E

Friday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Best Papers Presentations, 8:00 - 11:20am, Dartmouth Room


32ND INTERNATIONAL SYSTEM SAFETY CONFERENCE, 4-8 AUGUST 2014 · ST. LOUIS, MO
St. Louis Union Station Marriott Hotel
Gateway to Safety

Local Attractions: Gateway Arch Riverfront, Missouri History Museum, Museum of Transportation, St. Louis Cardinals, St. Louis Symphony, St. Louis Union Station, St. Louis Science Center, The Contemporary Art Museum St. Louis, Bissell Mansion Restaurant and Dinner Theater, Missouri Botanical Gardens, Laumeier Sculpture Park, Anheuser-Busch Brewery, Kemp Auto Museum, Schlafly Bottleworks, Fox Theater, Purina Farms, Meramec Caverns, Laclede's Landing, City Museum, Magic House, Grant's Farm, St. Louis Zoo, Delmar Loop, Forest Park, Harrah's, Six Flags


ABOUT THE SYSTEM SAFETY SOCIETY

The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program or activity at the planning phase and continues through the design, production, testing, use and disposal phases.

The Society's Objectives:
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070 · www.system-safety.org · email: systemsafety@system-safety.org

POINTS OF CONTACT

Officers
Robert Schmedake, President: robertaschmedake@boeing.com
Dr. Rod Simmons, Executive Vice President: rodsimmons@me.com
Dr. Matt Johnson, Executive Secretary: mjohnson@staudertech.com
Pam Kniess, Treasurer: pamkniess@gmail.com
Gary Braman, Immediate Past President: gbraman@sikorsky.com

Directors
Gerry Einarsson, Chapter Services: einargk@rogers.com
Lynece Pfledderer, Conferences: Lynecepfledderer@lmco.com
Dr. Chuck Muniak, Education & Professional Development: cmuniak@stevens.edu
Debbie Hale, Gov & Intersociety: Hale0324@hotmail.com
Robert Fletcher, International Development: rwfletcher@sympatico.ca
Melissa Emery, Member Services: memery@apt-research.com
Steve Mattern, Mentoring & R&D: smattern@bastiontechnologies.com
Saralyn Dwyer, Publicity & Media: sdwyer@apt-research.com


CHAPTERS
Tennessee Valley Chapter (AL): Don Swallom, swallom@isss-tvc.org
Saguaro Chapter (AZ): Amanda Boysun, 520-794-5487, AmandaBoysun@raytheon.com
Bay Area Chapter (CA): Graham Murray, 408-756-2674, grahamtmurray@lmco.com
Central California Chapter (CA): Kathleen Brenna, KathleenBrenna1@us.af.mil
Sierra High Desert Chapter (CA): Jerry Banister, 760-377-4690, safetycitadel@earthlink.net
Southern California Chapter (CA): Francis McDougall, 310-653-1309, francismcdougall@us.af.mil
Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppe@comcast.net
Georgia Chapter: Terry Gooch, 770-494-3527, terryjgooch@gmail.com
Winners Circle Chapter (KY/IN): Marc Bever, 812-854-1351, Marcbever@navy.mil
Twin Cities Chapter (MN): Bill Blake, 763-744-5086, billblake@atk.com
New England Chapter: Alan E. Southwick, 401-842-2067, Alan_E_Southwick@raytheon.com
Northeast Chapter: Scott Beecher, scottbeecher@PW.utc.com
New Mexico Chapter (NM): William (Bill) Harwood, williamharwood@mda.mil
Houston Chapter (TX): Derek Robins, 281-335-2011, derekrobbins@mwcc-usa.com
North Texas Chapter (TX): Frank Rinaldo, 817-762-3075, frankrrinaldo@lmco.com
Washington DC Chapter: Sean Peters, seanpeters@urs.com
Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerber@baesystems.com

International Chapters
Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbecht@rgbassurance.com.au
Canada Chapter: Maury Hill, 613-220-0533, Mauryhill@rogers.com
Israel Chapter: Haim Kuper, 972-4-8315044, haimkuper@elbitsystems.com
Singapore Chapter: Ten Lin Mei, tlinmei@dso.org.sg


31ST ISSC LUNCHEON MENU

Tuesday, August 13
New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14
Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15
Caesar Salad
Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce
White Chocolate and Blood Orange Torte


A-P-T Research, Inc.: Protecting your most valuable assets

System Safety Engineering & Analysis · Mission Assurance · Range Safety · Test Planning · Explosives Safety · Software System Safety · Industrial Engineering · Quality Engineering · Reliability Engineering · Software Development & Modeling · Independent Risk Assessments · Standards Development · Training

A-P-T Research, Inc., 4950 Research Drive, Huntsville, Alabama 35805. Phone: 256-327-3373. Fax: 256-837-7786. www.apt-research.com

Founded in 1990, APT (Analysis, Planning, Test) is an employee-owned small business located in Cummings Research Park near Redstone Arsenal in Huntsville, Alabama. Our corporate vision is to provide state-of-the-art expertise and ensure the highest levels of customer satisfaction.

Photo: Missile Defense Agency


GREETINGS FROM THE CHAPTER PRESIDENT

Hear ye, hear ye: welcome to Boston for the 31st International System Safety Conference. Boston is the largest city in New England and one of the oldest in the United States. No hiding in your hotel; get out and enjoy the city's history, where key events of the American Revolution took place, including the Boston Massacre and the Boston Tea Party. For fun and entertainment, visit the Samuel Adams brewery and the Bull & Finch pub (from Cheers). We are all Red Sox fans this week, so feel free to visit Fenway Park or view the city from atop the John Hancock or Prudential buildings. Boston has a red brick trail through the city that leads you past many of the historical locations; it's called the Freedom Trail. Walking this path brings you from the Boston Common past locations including Granary Burying Ground, the Boston Massacre site, Faneuil Hall, Paul Revere's house and Old North Church, and then across the Charles River to the Bunker Hill Monument and USS Constitution.

The Northeast Chapter and SSS Executive Committee (EC) have worked hard with this year's Conference Chair, Pam Alte. If you run into Pam, make sure you stop and thank her for the volunteer hours and effort she has poured into this conference. The economy is providing challenges to pull together a successful conference, but Pam, with the EC's support, has been more than up to the task.

"Safety For The Long Run" is such a poignant theme for this year's Boston conference, with the Boston Marathon bombings bringing safety to the forefront. Other recent events such as aviation, train and industrial accidents have sharpened the focus on how critical the safety discipline is in all our lives. For the conference we are all challenged to learn something new. I ask that all attendees stay engaged with the conference papers and presentations and promote the system safety discipline.

Scott Beecher, President, Northeast Chapter, System Safety Society


I fly Sikorsky. Because the mission is never the same.

"I fly a Sikorsky BLACK HAWK helicopter for multiple missions. It's dependable and durable, and I have complete confidence in its proven performance. Sikorsky not only sets the standard for rotorcraft excellence and safety, they exceed it. It's evident in everything from the reliable performance of my BLACK HAWK to the way they support me in the field. There's simply no better helicopter for any requirement, whether it's utility, combat search and rescue or firefighting. The way I see it, not every pilot gets to fly in a helicopter this good. But they should."

Sikorsky

5626 July 2013


GREETINGS FROM THE CONFERENCE CHAIR

On behalf of the entire ISSC planning committee, I would like to extend a warm welcome to you. We have worked hard to make this conference a world-class success. Whether this is your first visit to Boston or you have been here before, I hope you get a chance to relax and enjoy our beautiful New England city. Boston has something for everyone, from historical sites to exciting downtown locations, sports arenas and fabulous shopping. Our off-site event will be held in the Museum of Science, complete with Wolfgang Puck catering and our own private Lightning Show.

The System Safety Society is proud to host an annual conference that provides practitioners from different industries a chance to get together, network and learn from each other. Unfortunately, the US budget sequestration restricted travel for Government workers, so our numbers are down this year. I would like to assure all attendees that although this year's conference will be smaller than in previous years, the standards to which we held our papers and tutorials were not lowered. You can expect top-notch presentations.

The theme for this year's conference, Safety for the Long Run, picks up on a number of parallels between the types of things one might do to prepare for a marathon race and elements of an effective system safety program. These include the importance of proper training, having a well-thought-out plan, getting off to a good start, avoiding obstacles and distractions, and keeping enough in reserve for a successful sprint to the finish. I think you will agree that this year's conference will help prepare you well.

One of our objectives was to try to attract more young people, who could especially benefit from the knowledge and experience of many of the Society's "grey beards". We will have several student members in attendance, and I hope you will join me in making them feel welcome. I am also pleased to announce that this year we will have a new track, Lifecycle Safety. These papers will discuss system safety as it moves past the development stage, which is where the majority of our previous discussions have stopped. In addition to our many papers and tutorials being offered, there is the potential for "Just in Time" sessions to be held. A board for suggesting topics you would like to have added to discussions will be located at the registration desk, or you can coordinate with Norm Gauthier, one of our Technical Co-Chairs.

We wish you an enjoyable and enlightening conference experience. Should there be anything you require to make your conference experience better, please don't hesitate to reach out to me, Cliff Parizo, or any of the other Conference Committee volunteers.

Again, enjoy your visit and thank you for your support by being here. I would also like to send a big thank you to those who helped plan this conference, our sponsors & exhibitors, and especially to Sikorsky Aircraft for partnering with us to make this conference a reality.

Sincerely, Pam Alte, 31st ISSC Conference Chair


SPEAKERS

Rex B. Gordon, MPH, PE, CSP, Fellow Member Emeritus – Opening Ceremonies 50th Celebration Speaker

Rex Gordon is a 50-year Charter Member and current Historian of the System Safety Society. He is a past President and Editor of the Journal. He served as Chairman of the 2nd ISSC and of both the Northeast and Southern California Chapters. He has represented the Society on the boards of the Reliability and Maintainability Symposium (RAMS) and Certified Safety Professionals (CSP). He is a Chapter Member and past Chairman of the Government Electronic Industries Association (GEIA) G-48 System Safety Committee. He has co-authored two textbooks and over 15 published papers. He has lectured at the George Washington University and USC. He has represented the Society at functions held in the White House, the Pentagon, and in Germany, Holland and Paris.

He is retired after 40 years of employment as a System Safety Engineering Specialist, Manager and Consultant. He currently lives with his wife of 61 years in Fallbrook, CA.

James P. Keller Jr., MS, ECRI Institute – Keynote Speaker

As Vice President, Health Technology Evaluation and Safety, James Keller directs ECRI Institute's internationally recognized Health Devices Evaluation Program, which provides independent judgment and guidance to help hospitals and health systems select and manage medical devices. The program was referred to by the New York Times as the "country's most respected laboratory for testing of medical products". He serves as a member of ECRI Institute's Executive Committee, which is responsible for overall governance of ECRI Institute operations.

Mr. Keller is also responsible for the Health Devices Alerts notification service for medical product hazards and recalls; Alerts Tracker, a web-based tool for managing hazards and recalls of medical products; Biomedical Benchmark, a resource to help hospitals manage their medical equipment service activities; an annual series of interactive webinars on health technology issues; and the International Medical Device Problem Reporting System.

Mr. Keller is a recognized expert and frequently invited speaker on a wide range of health technology-related topics, including patient safety, equipment management, strategic planning and forecasting, device utilization, nomenclature and asset management, and the convergence of medical devices and information systems. He is a regular contributor to ECRI Institute's Patient Safety Blog and is routinely sought out by the news media for his expertise on a variety of health technology concerns.

Mr. Keller is President of the board for the American College of Clinical Engineering and is a member of the board for the Health Technology Foundation. He joined ECRI Institute in 1984 after completing a Master of Science degree in biological engineering from the University of Connecticut and a Bachelor of Science degree in zoology from the University of Massachusetts.


Dr. Nancy Leveson, Massachusetts Institute of Technology – Sponsor & Exhibitor Luncheon Speaker

Dr. Leveson holds a PhD from UCLA. She was a Computer Science professor at the University of California, then became Boeing Professor of Computer Science and Engineering at the University of Washington.

Professor Leveson's research focuses on topics related to the design of complex systems containing software, hardware and human components. Her goal is to stretch the current limits of complexity and intellectual manageability of the systems we can build with reasonable resources and with confidence in their expected behavior, particularly safety. Current research topics include model-based system and software engineering; system and software safety; software requirements specification and analysis; human-computer interaction; reusable, component-based system architectures; interactive visualization; human-centered system design; and comprehensive approaches to risk management that include the organizational, political, managerial and social aspects of system construction and operation. New work is starting in security. Current applications include space, aircraft, autos, rail systems, nuclear power, medical devices, hospital safety, defense systems and others.

Dr. John McDermid, The University of York, UK – International Luncheon Speaker

Professor John A. McDermid has been Professor of Software Engineering at the University of York since 1987, where he runs the High Integrity Systems Engineering (HISE) research group. He was also Head of the Department of Computer Science from 2006 to 2012. The HISE research group studies a broad range of issues, mainly in systems, software and safety engineering, and works closely with the UK aerospace industry, but has also worked in a number of other domains, including automotive, medical and railways.

In 2010 he was appointed a Consulting Professor at Beijing Jiaotong University (BJTU) and now runs a collaborative research programme in railway safety with BJTU, known as the Railway Safety Technology Research Centre (RSTRC). He has extensive experience as a consultant, including advising the Ministry of Defence (MoD) on the development of DS 00-56 Issues 3 and 4. He is a member of the UK Defence Scientific Advisory Council. He is author or editor of six books and has published approximately 360 papers.


SCHEDULE – MONDAY 12 AUGUST

4th Floor, 8:00 – 5:00: Registration
Simmons Room, 6:30 – 8:00: Speakers' Breakfast
Regis Room, 8:00 – 5:00: Presenter Prep

Berkley – Hazard Analysis (Barondes)
  8:00 – 8:50    Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models (Wind, Schedl, Floetzer)
  9:00 – 9:50    Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees (Rainey)
  10:30 – 11:20  The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment (Jaradat, Graydon, Bate)

Clarendon – Ground Transportation (Millin)
  8:00 – 8:50    Achieving Safety Confidence of a Large Scale System Product and its Applications (Shi)
  9:00 – 9:50    Failure Logic Automata for Future Oriented Safety Assessment of Train Control System (Zhou, Zhao)
  10:30 – 11:20  Are We Ready for Driverless Cars? (West)

Salons A-E
  Lunch Break
  1:30 – 2:20    Opening Ceremonies – General Session. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow Member Emeritus. Keynote Speaker: James P. Keller Jr., MS, ECRI Institute
  2:30 – 3:20
  4:00 – 4:50


Exeter – Tutorial
  8:00 – 8:50    Hands-On System Safety Basics Focused On FHA (Winkelbauer, Schedl) (3 hrs)

Fairfield – Tutorial
  8:00 – 8:50    Introduction to Fault Tree Analysis Using CAFTA Software (Roy) (3 hrs)

Wellesley
  8:00 – 8:50    Committee & Group Meetings

(9:00 – 9:50, 10:30 – 11:20, 1:30 – 2:20, 2:30 – 3:20 and 4:00 – 4:50: no further entries in these rooms)


SCHEDULE – TUESDAY 13 AUGUST

4th Floor, 8:00 – 5:00: Registration
Simmons Room, 6:30 – 8:00: Speakers' Breakfast
Regis Room, 8:00 – 5:00: Presenter Prep

Arlington – Tutorial
  8:00 – 8:50    A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique (Leveson, Thomas) (6 hrs)
  1:30 – 2:20    Tutorial (continued)

Berkley – Hazard/Risk Management (Parizo)
  8:00 – 8:50    Safety is not an Option (Parizo, Daugherty)
  9:00 – 9:50    National Aerospace Standard 411 Update (Sheehan)
  10:30 – 11:20  Linear Integrated Safety Analyses (LISA) (Grant, Muhammad)

Clarendon – Workplace Safety (Kondreck)
  8:00 – 8:50    Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen (Zhang, Batcheller, McQueen)
  9:00 – 9:50    A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources (Fischer, Yankaskas, Page)
  10:30 – 11:20  System Safety Design for Safe Operation of Radars (Bartos)

Dartmouth – Open Forum (Fletcher)
  8:00 – 8:50    Developing Global System Safety Perspectives

Salons A-E – Sponsor & Exhibitor Luncheon. Guest Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology
  Menu: New England Clam Chowder; Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction; Key Lime Tart in a Hazelnut Crust, Blackberry Pate de Fruit

Berkley – Software Engineering (Mikula)
  1:30 – 2:20    Dependability Techniques Applied to Space Software – A Research Project Report (Lahoz, Abdala)
  2:30 – 3:20    The Principles of Software Safety Assurance (Hawkins, Habli, Kelly)
  4:00 – 4:50    Formal Modelling in the Development of Dependable Systems (Troubitsyna)

Clarendon – Aerospace Safety (Kraemer)
  1:30 – 2:20    Systems-Based Approach to Flight Safety Management in Airlines (Chi, Xu, Qi, Shao)
  2:30 – 3:20    Use of Master Minimum Equipment List (MMEL) To Ensure Safe Dispatch (Durmaz)
  4:00 – 4:50    Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics (Campbell)

Dartmouth – Software Safety (Schmedake)
  1:30 – 2:20    Safety and/vs Security: Towards a System Engineering Approach for Trust (Schoitsch)
  2:30 – 3:20    Anatomy of a Safety Critical Software Function (Church)
  4:00 – 4:50    Software Risk: The Third Rail of Safety Analysis (Hildreth, Elcock)

6:30 – 8:30    Sponsor & Exhibitor Reception, Gloucester Room


Exeter
  8:00 – 8:50    Workshop: ISO 26262-Style Risk Assessment (Joyce) (3 hrs)
  1:30 – 2:20    Workshop: Application of System Safety Methods to Systems of Systems (Joyce, Debouk, Vergara) (3 hrs)

Fairfield
  8:00 – 8:50    Tutorial: Assurance Cases As Means of Evidence Based Developed of Critical Systems (Despotou) (3 hrs)
  1:30 – 2:20    Workshop: Advancing Safety By Reducing Errors: A Fresh Approach (Autrey) (3 hrs)

Suffolk
  8:00 – 8:50    Tutorial: Practical Generation of Safety Cases With the Help of GSN (Gerstinger, Schedl) (3 hrs)
  1:30 – 2:20    Tutorial: Improving Safety Management by Using a Risk Management Policy in Your Daily Operations (Fitzgerald) (3 hrs)

Wellesley
  8:00 – 8:50    Committee & Group Meetings
  1:30 – 2:20    Committee & Group Meetings (continued)


SCHEDULE – WEDNESDAY 14 AUGUST

4th Floor, 8:00 – 5:00: Registration
Simmons Room, 6:30 – 8:00: Speakers' Breakfast
Regis Room, 8:00 – 5:00: Presenter Prep

Arlington – Human Factors (Robins)
  8:00 – 8:50    ASL – Affective Safety Leadership (Ramsing)
  9:00 – 9:50    Exxon Valdez: Human Error Plain and Simple (Barondes)
  10:30 – 11:20  Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems (Vernacchia, Green, Llaneras)

Berkley – Public Safety (Fletcher)
  8:00 – 8:50    The Study on the Accident Causation Rule of Macroscopic Accidents in China (Zeng, Luo, Tian)
  9:00 – 9:50    Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity (Zheleznov)
  10:30 – 11:20  Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation (Smirnov, Yurkov, Syagin, Koshina)

Clarendon – Lifecycle Safety (Swallom)
  8:00 – 8:50    Maintenance Hazard Analysis (Tan)
  9:00 – 9:50    Development of a System Safety Case for Automotive Electric/Electronic Systems (Sundaram, Hartfelder)
  10:30 – 11:20  Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes (Laabs, Allison, Russell)

Salons A-E – International Luncheon. Guest Speaker: Dr. John McDermid, The University of York, UK
  Menu: Asian Inspired Salad; Teriyaki Chicken, Coconut Rice, Seared Bok Choy; Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Arlington – Workshop
  1:30 – 2:20    The Evolution of the UK Defence Safety Standards (McDermid)

Berkley – Safety Topics (Gauthier)
  1:30 – 2:20    Introducing Safety Assurance Influenced Design of Health IT Systems (Despotou, Luckcuck, Kelly, Jones)

Clarendon – Risk Assessment (Karedes)
  1:30 – 2:20    Quantitative Risk Assessment in Aviation Safety Risk Management (Hewitt, Pham)

Dartmouth – Tutorial
  1:30 – 2:20    Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System (Behnke, Damstra, Villhauer) (2 hrs)

2:30 – 3:20    How Complex Systems Fail-I: Decomposition of the Failure Histogram (Zito)
4:00 – 4:50
6:00 – 10:00   Wolfgang Puck Dinner and Lightning Show at the Museum of Science


Exeter – Human Factors II (Flint)
  8:00 – 8:50    Development of Education Program Integrating Flight Safety and Psychological Stress (Liu, Wang, Liu, Bai, Guo)
  9:00 – 9:50    Research on Evaluation Index and Method of CRM Dynamic Training (Wang, Liu, Bai, Liu, Guo, Guo)
  10:30 – 11:20  Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events (Garvey, Joglar, Collins)
  1:30 – 2:20    Tutorial: Where Hard Meets SOFT: Human Factors Role In System Safety Engineering (Brisbois) (2 hrs)

Fairfield
  8:00 – 8:50    Tutorial: Why You Should Care About the "-Ilities" (Southwick) (3 hrs)
  1:30 – 2:20    Workshop: Aircraft Fire & Explosion – How Safe are the Friendly Skies? (Moussa)

Suffolk
  8:00 – 8:50    G-48 Meeting (West) (6 hrs)
  1:30 – 2:20    G-48 Meeting (continued)

Wellesley
  8:00 – 8:50    Committee & Group Meetings
  1:30 – 2:20    Tutorial: Using Risk Profiles for Safety Management of Large Scale Operations (Fitzgerald) (3 hrs)


SCHEDULE – THURSDAY 15 AUGUST

4th Floor, 8:00 – 5:00: Registration
Simmons Room, 6:30 – 8:00: Speakers' Breakfast
Regis Room, 8:00 – 5:00: Presenter Prep

Berkley – Space Systems (Durmaz)
  8:00 – 8:50    Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy (Dang, Moran, Jackson)
  9:00 – 9:50    Tailoring of MIL-STD-882E for Space Systems Acquisitions (McDougall, Jackson)
  10:30 – 11:20  Cryogenic Safety for Space Launch Vehicles During Ground Operations (Iyengar)

Clarendon – Weapons Safety (Southwick)
  8:00 – 8:50    Security Critical Software – the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age (Alborzi)
  9:00 – 9:50    Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics (Adams, Tomasello)
  10:30 – 11:20  A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects (Pham, Sivapragasam)

Dartmouth – Hazard Identification (Oliver)
  8:00 – 8:50    Closing the Gaps in System Safety Coverage (Siow)
  9:00 – 9:50    Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods (Myklebust)
  10:30 – 11:20  Design With Safety Eye (Erdem, Aydin)

Salons A-E – Awards Luncheon
  Menu: Caesar Salad; Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato Pesto Butter Sauce; White Chocolate and Blood Orange Torte

Berkley – Aerospace Software (Beecher)
  1:30 – 2:20    Making the Implicit Explicit: Towards an Assurance Case for DO-178C (Holloway)
  2:30 – 3:20    Uncertainty and Confidence in Safety Logic (Graydon)
  4:00 – 4:50    Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System (Yang, Xie, Yousefi)

Clarendon – Public Safety II (Laabs)
  1:30 – 2:20    Integrating System Safety and Emergency Management (Hardy)
  2:30 – 3:20    Safety in Deepwater Well Containment Operations (Robins)
  4:00 – 4:50    A Taxonomic Analysis On Chinese Special Equipments "Yinhuan" in Supervision (Fan, Luo, Lu)

Dartmouth – Hazard/Risk Management II (Kniess)
  1:30 – 2:20    Towards Automatic Verification of Safety Properties in AADL System Models (Björnander, Graydon, Land)
  2:30 – 3:20    Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events (Allison, Jerdak)
  4:00 – 4:50    Leading Indicators in Aviation Operations (Fletcher, Dokas)


Exeter – Tutorial
  8:00 – 8:50    Conceive of Modeling On Operation Mechanism of Public Safety Standardization (Luo, Huang) (6 hrs)
  1:30 – 2:20    Tutorial (continued)

Fairfield – Panel
  8:00 – 8:50    G-48 Pressing Issues Facing System Safety (West) (3 hrs)

Committee & Group Meetings
  8:00 – 8:50    Committee & Group Meetings
  1:30 – 2:20    Committee & Group Meetings (continued)

FRIDAY 16 AUGUST

Simmons Room, 6:30 – 8:00: Speakers' Breakfast

Clarendon
  8:00 – 8:50    Workshop: Process Safety Culture Best Practices (Pearlman) (2 hrs)

Dartmouth
  8:00 – 8:50    Best Paper 1
  8:50 – 9:30    Best Paper 2

Regis
  8:00 – 8:50    Lessons Learned & ISSC Staff Turn-over Meeting

10:00 – 10:40
10:50 – 11:30


3 2 1 SAFETY

System safety is paramount. It impacts our products, employees, technicians and maintenance personnel. And safety is no accident – it is designed into everything we do. We are proud to sponsor this year's International System Safety Conference and their mission to think outside the box when it comes to the best processes, methods and techniques. We're committed to delivering innovative ideas and solutions that help connect, protect and explore our universe.

www.lockheedmartin.com/ssc

© 2012 Lockheed Martin Corporation


TUTORIALS

The conference organizers have an information-packed tutorial program planned in conjunction with the 31st ISSC. Attending tutorials, as well as other elements of the Technical Program at the 31st ISSC, meets the requirements for Continuance of Certification credit through the Board of Certified Safety Professionals (BCSP). The University of Cincinnati will issue Continuing Education Units (CEUs) for participation in the conference tutorials. CEUs are issued on the basis of 0.1 CEU per instructional contact hour. You must be present for at least 90% of the tutorial to receive CEUs and a tutorial completion certificate. Your attendance is verified via the process outlined below.

• At the start of the tutorial, you'll clearly print your name in the attendance form exactly as you want it to appear on the certificate.
• After returning from each break during the tutorial (morning, lunch and/or afternoon), you'll initial the attendance form.
• You must be present at the end of the tutorial to receive your certificate and the CEUs.

If there are misspellings on the CEU certificates, please mark the corrections and give them back to the instructor or leave them at the registration desk.

Monday 08·12·13, 8:00 – 11:30, Exeter, Tutorial, 0.3 CEU

Hands-On System Safety Basics Focused on FHA
Instructors: Werner Winkelbauer, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria

An overview of a generic safety process best suited for small to medium sized projects, in relation to the project lifecycle, is given. For each major project phase, the respective safety process phase, its safety objectives and the necessary inputs and outputs are detailed. Some state-of-the-art analysis techniques are explained. Special emphasis is placed on the Functional Hazard Assessment, where practical guidance for a Functional Failure Modes and Effects Analysis is presented.

The content of this tutorial is based on experience from an internationally working company.

Objective: Basic understanding of a safety process and the practical implementation of a Functional Failure Modes and Effects Analysis.

Monday 08·12·13, 8:00 – 11:30, Fairfield, Tutorial, 0.3 CEU

Introduction to Fault Tree Analysis Using CAFTA Software
Instructor: Jean Francois Roy, Nuclear Division / Risk & Safety Management Group, Electric Power Research Institute, Palo Alto, CA, USA

This tutorial will introduce Fault Tree Analysis using CAFTA software. Attendees will first review fault tree methodology and terminology. Construction of a fault tree model in CAFTA will then follow a brief review of CAFTA's components and symbol types. In constructing the fault tree model, topics covered will include projects, navigation, editing shortcuts and how to add probabilities. An overview of basic event probability formulas, type codes and variables will be included, as well as the printing and quantification processes.
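The quantification step that the tutorial closes on is where most fault-tree misreadings happen, so here is an added example (not part of the tutorial, the ISSC programme or CAFTA itself) that does the same work in plain Python: build a small tree in code, extract its minimal cut sets, and quantify the top event both with the rare-event approximation commonly used in quantification and with an exact enumeration, so the gap between the two is visible. The tree, the event names and the failure probabilities are constructed for illustration; basic events are assumed independent, and one basic event (CONTROL_SIGNAL_LOST) is deliberately shared by both pump branches, the simplest form of the common-cause dependency that Monday's first paper session discusses, to show that cut set minimization has to absorb repeated events.

```python
"""Fault tree quantification: minimal cut sets, rare-event bound and exact result.

Added example; not from the CAFTA tutorial, the ISSC programme or CAFTA itself.
The tree, event names and failure probabilities are constructed for
illustration, and basic events are assumed independent.
"""
import math
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, Set, Tuple, Union


@dataclass(frozen=True)
class BasicEvent:
    name: str
    prob: float          # probability the event occurs (per demand), assumed independent


@dataclass(frozen=True)
class Gate:
    kind: str            # "AND" or "OR"
    inputs: Tuple["Node", ...]


Node = Union[BasicEvent, Gate]
CutSet = FrozenSet[str]


def _minimize(cut_sets: Set[CutSet]) -> Set[CutSet]:
    """Drop every cut set that strictly contains another: keep only the minimal ones."""
    return {c for c in cut_sets if not any(o < c for o in cut_sets)}


def minimal_cut_sets(node: Node) -> Set[CutSet]:
    """Expand the tree bottom-up. OR unions the children's cut sets; AND combines them."""
    if isinstance(node, BasicEvent):
        return {frozenset([node.name])}
    child_sets = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        result = set().union(*child_sets)
    elif node.kind == "AND":
        result = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate kind {node.kind!r}")
    return _minimize(result)   # absorbs e.g. {CTRL, PUMP_A} once {CTRL} alone is a cut set


def basic_events(node: Node) -> Dict[str, float]:
    """Name -> probability for every basic event in the tree (repeated events counted once)."""
    if isinstance(node, BasicEvent):
        return {node.name: node.prob}
    probs: Dict[str, float] = {}
    for child in node.inputs:
        probs.update(basic_events(child))
    return probs


def rare_event_approximation(cut_sets: Set[CutSet], probs: Dict[str, float]) -> float:
    """Sum of cut set probabilities. Double-counts states where several cut sets occur, so it is an upper bound."""
    return sum(math.prod(probs[e] for e in c) for c in cut_sets)


def exact_top_probability(cut_sets: Set[CutSet], probs: Dict[str, float]) -> float:
    """Exact P(top) by enumerating all 2^n basic-event states; fine for small trees only."""
    names = sorted(probs)
    total = 0.0
    for states in product((False, True), repeat=len(names)):
        failed = {n for n, s in zip(names, states) if s}
        if any(c <= failed for c in cut_sets):          # top event occurs in this state
            p = 1.0
            for n, s in zip(names, states):
                p *= probs[n] if s else 1.0 - probs[n]
            total += p
    return total


# Constructed tree: flow is lost if both redundant pumps fail or supply power is lost.
# CONTROL_SIGNAL_LOST feeds both pump branches, the simplest form of common-cause dependency.
PUMP_A = BasicEvent("PUMP_A_FAILS", 0.01)
PUMP_B = BasicEvent("PUMP_B_FAILS", 0.01)
CTRL = BasicEvent("CONTROL_SIGNAL_LOST", 0.001)
POWER = BasicEvent("SUPPLY_POWER_LOST", 0.002)

LOSS_OF_FLOW = Gate("OR", (
    Gate("AND", (
        Gate("OR", (PUMP_A, CTRL)),
        Gate("OR", (PUMP_B, CTRL)),
    )),
    POWER,
))


def analyse(top: Node) -> Tuple[Set[CutSet], float, float]:
    """Minimal cut sets, rare-event bound and exact top-event probability."""
    mcs = minimal_cut_sets(top)
    probs = basic_events(top)
    return mcs, rare_event_approximation(mcs, probs), exact_top_probability(mcs, probs)


if __name__ == "__main__":
    mcs, approx, exact = analyse(LOSS_OF_FLOW)
    for c in sorted(mcs, key=lambda c: (len(c), sorted(c))):
        print("cut set:", " AND ".join(sorted(c)))
    print(f"rare-event approximation: {approx:.7f}")
    print(f"exact (independent events): {exact:.7f}")
```

Three minimal cut sets come out: the single events CONTROL_SIGNAL_LOST and SUPPLY_POWER_LOST, and the pair PUMP_A_FAILS AND PUMP_B_FAILS; the pairs that include the shared control event are absorbed, which is exactly what a naive per-branch reading of the tree would miss. The exact figure sits just under the rare-event sum here because the cut sets are small and disjoint; with larger or overlapping cut sets the gap grows, so when quoting a top-event probability from any tool, state which quantification it used.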

Tuesday 08·13·13, 8:00 – 5:00, Arlington, Tutorial, 0.6 CEU

A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique
Instructors: Nancy G. Leveson, PhD, and John Thomas, PhD, Aeronautics and Astronautics, MIT (Massachusetts Institute of Technology), Cambridge, MA, USA

STAMP is a new accident causality model that expands on the old models in order to handle the increased complexity, software and changing human roles in today's systems. Using STAMP as a foundation, new tools have been built for hazard analysis (STPA), accident analysis (CAST), organizational risk analysis and risk management, etc. This tutorial will concentrate on STPA. The tutorial will start with a brief introduction to STAMP and the systems approach to safety engineering. The rest of the time will be devoted to learning STPA and doing exercises. Students are encouraged to bring problems from their own research domains so that they can try this analysis method on something very relevant to their work.

STPA is being used successfully in almost every industry. Several groups have evaluated STPA empirically by comparing the results with standard hazard analysis techniques. In all cases STPA found all the hazard scenarios found by the other methods, but also found additional ones involving software, human errors and unsafe interactions among system components. In a couple of cases where STPA and the other methods were applied to a design in which an accident had occurred (without telling the analysts), STPA was the only method that found the real accident scenario.

By the end of the tutorial, attendees will be able to apply STPA to a system in their field of expertise.

Tuesday 08·13·13, 8:00 – 11:30, Fairfield, Tutorial, 0.3 CEU

Assurance Cases as Means of Evidence Based Developed of Critical Systems
Instructor: George Despotou, BEng, MSc, PhD, CEng, Department of Computer Science, University of York, York, United Kingdom

Often developers have the onus to defend a position (i.e. make a case) about the safety of their system. This usually involves an explanation of how the available information for a system supports the claim that the risks in the system have been acceptably managed.

Safety cases have been used in the safety domain for a number of years, mostly in the defence, aerospace and energy domains. Their usefulness as a tool for improving safety has been appreciated by many practitioners, and development of a safety case is a requirement in many standards. This has resulted in the core concepts of safety cases being transferred to other domains (e.g. automotive) and focused on other system attributes (e.g. security cases). Recently the term assurance case has been introduced, which encompasses not only safety but other relevant critical aspects of a system, such as security.

A case exists to communicate an argument. It is used to demonstrate how someone can reasonably conclude that a system is acceptably safe from the evidence available. A case is a device for communicating ideas and information, usually to a third party (e.g. a regulator). In order to do this convincingly, it must be as clear as possible. Safety case definitions may differ between domains, but all definitions converge on a set of characteristics.

Development of a (safety) case is a requirement in many standards. Beyond that, the usefulness of the safety case has been appreciated in industry, and it is used by many organisations as good practice. The reason for this is that explicitly capturing all reasoning and information about the supported position, such as assumptions and evidence, facilitates assessing the fitness of the design to meet its (safety) objectives. A manufacturer will design a system aiming to achieve the required operational attributes. However, what is intended is often not what is achieved. Once the reasoning of the developers is explicitly documented as claims and argument supported by evidence, the gap between what was intended and what was achieved becomes more apparent.

Explicitly documenting a case contributes towards a factual representation of the system, revealing which claims can be supported by evidence and which remain intention (for example because there is not sufficient evidence to support them). This does not necessarily imply that the latter claims have not been implemented, but that we are unaware of their achievement because they are not sufficiently supported. There are three reasons why a claim may not be sufficiently supported: a) there is not sufficient evidence to warrant the claim; b) although there is evidence, there is inadequate explanation (a problematic argument structure) of how the evidence supports the claim; and c) the claim was phrased in a way that is unsupportable.

The tutorial describes the basic concepts of assurance and safety cases (including recent OMG standards), explains the main challenges in developing an assurance case and their relationship to safety standards (safety cases and standards serve different purposes and should be seen as complementary), and presents best practice (and misconceptions) regarding assurance cases.

Tuesday 08·13·13, 8:00 – 11:30, Suffolk, Tutorial, 0.3 CEU

Practical Generation of Safety Cases with the Help of GSN
Instructors: Andreas Gerstinger, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria

This tutorial will introduce you to the concept of safety cases. Safety cases are structured arguments that support the claim that a system is safe to be used for a given application in a given environment. Several standards require the production of such safety cases as a prerequisite for approval. The tutorial will highlight good and bad practices when developing safety cases and will introduce you to a notation specifically developed for the generation of safety cases, the Goal Structuring Notation (GSN). There will be practical examples which need to be solved by the attendees, so that hands-on practice and experience is gained.

Detailed outline of the tutorial:

Introduction (1h): The tutorial will start with a survey of current safety standards (IEC 61508, ISO 26262, EN 50128, DO-178C) and analyse their views and requirements regarding safety cases. We will then delve into the nature of safety cases, briefly touch on their historical origins, and clearly consider what can and what can't be expected from a safety case. Based on our practical experience, we will also highlight some typical bad practices when constructing safety cases. This helps to read them correctly and critically, and is also a helpful guideline for reviewing other safety documentation. This part of the tutorial is largely a presentation.

Goal Structuring Notation (45 min): We will now introduce the main elements of the Goal Structuring Notation (GSN), which is a helpful tool to document safety cases. The presentation of the notation will be interleaved with brief examples, exercises and questions, so that attendees have the chance to fully understand the meaning and purpose of the various symbols. A structured method for how to proceed when drafting safety cases will also be presented. Hence this part of the tutorial is much more interactive, requiring active participation of attendees.

Case Study (45 min): A realistic case study will then be handed out. It is expected to be solved as group work (groups of 3-5 people are expected). The task of the groups will be to draft and present a sound safety argument for a given claim that the system in the case study is acceptably safe for a specific application in a given environment. GSN shall be used as the notation for this purpose. At the end, the groups present their solutions, and the advantages and disadvantages of the presented solutions are discussed. This part of the tutorial is group work.

Concluding Remarks (30 min): Finally we will offer some concluding remarks, consisting of hints on how to avoid common errors and fallacies in safety cases, show some examples of real-world safety cases, and finish with a personal conclusion.
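Both tutorials above, Despotou's on assurance cases and this one on GSN, turn on the same point: once the argument is written down explicitly, it becomes visible which claims rest on evidence and which remain intention. The following is an added example that is not part of either tutorial, the ISSC programme or any GSN tool. It represents a GSN argument in Python as Goal, Strategy, Solution and Context nodes joined by SupportedBy and InContextOf links (Assumption and Justification elements are omitted), and reports the structural defects a reviewer looks for first: goals or strategies with no support, links to elements that were never written, support that runs in a circle, and goals under which no Solution (evidence) can be reached at all. This is a structural check only; it cannot judge whether evidence actually warrants a claim, which is the reviewer's job. The sample argument, its identifiers and its hazard names are constructed for illustration.

```python
"""Structural review of a GSN-style assurance argument.

Added example; not from the ISSC tutorials or from any GSN tool.  The node
kinds are the core GSN elements (Assumption and Justification are omitted);
the sample argument, its identifiers and its hazards are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

GOAL, STRATEGY, SOLUTION, CONTEXT = "Goal", "Strategy", "Solution", "Context"


@dataclass
class Node:
    id: str
    kind: str
    text: str
    supported_by: List[str] = field(default_factory=list)   # GSN SupportedBy links
    in_context_of: List[str] = field(default_factory=list)  # GSN InContextOf links


class Argument:
    def __init__(self, nodes: List[Node]):
        self.nodes: Dict[str, Node] = {n.id: n for n in nodes}

    def _reachable(self, start: str) -> Set[str]:
        """Every node reachable from `start` along SupportedBy links (cycle-safe)."""
        seen: Set[str] = set()
        stack = list(self.nodes[start].supported_by)
        while stack:
            nid = stack.pop()
            if nid in seen or nid not in self.nodes:
                continue
            seen.add(nid)
            stack.extend(self.nodes[nid].supported_by)
        return seen

    def evidence_for(self, node_id: str) -> Set[str]:
        """Solutions (evidence items) that the given claim ultimately rests on."""
        return {n for n in self._reachable(node_id) if self.nodes[n].kind == SOLUTION}

    def undeveloped(self) -> List[str]:
        """Goals or strategies with no SupportedBy links: claims that remain intention."""
        return sorted(n.id for n in self.nodes.values()
                      if n.kind in (GOAL, STRATEGY) and not n.supported_by)

    def dangling(self) -> List[str]:
        """Links that point at elements missing from the argument."""
        return sorted(f"{n.id}->{t}" for n in self.nodes.values()
                      for t in n.supported_by + n.in_context_of if t not in self.nodes)

    def circular(self) -> List[str]:
        """Nodes that support themselves through a chain of SupportedBy links."""
        return sorted(nid for nid in self.nodes if nid in self._reachable(nid))

    def unsupported_goals(self) -> List[str]:
        """Goals under which no evidence is reachable, whatever the reason."""
        return sorted(n.id for n in self.nodes.values()
                      if n.kind == GOAL and not self.evidence_for(n.id))


def build_sample_argument() -> Argument:
    """Constructed argument with one undeveloped goal, one dangling link and one cycle."""
    return Argument([
        Node("G1", GOAL, "The pump system is acceptably safe in its operating environment",
             supported_by=["S1"], in_context_of=["C1"]),
        Node("C1", CONTEXT, "Operating environment and hazard log HL-01 (constructed)"),
        Node("S1", STRATEGY, "Argue over each hazard in HL-01 and over the completeness of HL-01",
             supported_by=["G2", "G3", "G4"]),
        Node("G2", GOAL, "H1 (loss of pump flow) is mitigated to an acceptable level",
             supported_by=["Sn1", "Sn9"]),          # Sn9 was never written: dangling link
        Node("Sn1", SOLUTION, "Fault tree analysis report FTA-H1 (constructed)"),
        Node("G3", GOAL, "H2 (spurious pump start) is mitigated to an acceptable level"),
        Node("G4", GOAL, "Hazard log HL-01 is complete", supported_by=["S2"]),
        Node("S2", STRATEGY, "Argue completeness from the independent review", supported_by=["G5"]),
        Node("G5", GOAL, "The independent review found no further hazards",
             supported_by=["G4"]),                  # completeness argued from itself: circular
    ])


if __name__ == "__main__":
    arg = build_sample_argument()
    print("undeveloped:", arg.undeveloped())
    print("dangling links:", arg.dangling())
    print("circular support:", arg.circular())
    print("goals without reachable evidence:", arg.unsupported_goals())
    print("evidence under G1:", sorted(arg.evidence_for("G1")))
```

On the constructed argument G3 is reported as undeveloped, the G2 link to the missing Sn9 as dangling, and G4, S2 and G5 as a circle; G4 and G5 then also appear among the goals with no reachable evidence even though each has a SupportedBy link, which is the case b) situation from the assurance-case tutorial (evidence or argument present, but the structure does not actually connect the claim to evidence). Case c), a claim phrased so that nothing could support it, is not detectable structurally and still needs a human reader.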

Tuesday 08·13·13, 1:30 – 5:00, Suffolk, Tutorial, 0.3 CEU

Improving Safety Management by Using a Risk Management Policy in Your Daily Operations
Instructor: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS – Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA

The focus of the tutorial is the use of risk assessment and risk management in the (non-technical) occupational safety and health profession. Domain of interest: Hazard/Risk Management or Workplace Safety.

First hour: Review the basics of the various components of risk and the types of risk assessments. Stress that the safety and health professional needs to understand that risk is more than a simple subjective measure of severity and frequency.

Second hour: Demonstrate how to make risk assessment into a powerful management tool by customizing the assessment of risk for use in a company or industry. Also provide insights on how to "sell" a risk management policy or program within a company.

Third hour: A discussion of how to use risk management as a tool to aid you in your daily office or program management responsibilities: the planning, organizing, staffing, leading and controlling of a safety program. Embedded in the discussion is how risk can provide a measure of the success of an occupational safety and health program.

Wednesday 08·14·13, 8:00 – 11:30, Fairfield, Tutorial, 0.3 CEU

Why You Should Care About the "-Ilities"
Instructor: Alan E. Southwick, BSEE, MME, MBA, CSP, CQE, CRE, Whole Life Engineering Directorate, Raytheon Company Integrated Defense Systems, Portsmouth, RI, USA

The topic addresses the interrelationships that developed from Quality, Quality Control and Quality Engineering, pursuing the Specialty Engineering roles and relationships, including Reliability, Maintainability, Supportability, Human Factors, Safety and Security (Information Assurance), from an overview perspective. The tutorial is designed to be somewhat interactive, presenting examples and questions to the audience related to the various topics discussed, thereby engaging participants and providing them with insights into the various disciplines and how they relate within "Specialty Engineering".

Wednesday 08·14·13, 1:30-3:30, Dartmouth, Tutorial, 0.2 CEU

Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System
Instructors: Tim R. Behnke, BSEE; John Damstra, BS Mathematical Sciences; and Eric D. Villhauer, BS Aerospace Eng., BA Economics; Specialty Engineering, General Atomics Aeronautical, Poway, CA, USA
The presenters share their implementation of a hazard analysis that integrates the civil aviation approach to safety analysis per SAE ARP 4761 and the defense approach to safety analysis per MIL-STD-882E, along with their implementation of the associated hazard tracking system in DOORS.

• Introductions - Behnke - 5 mins
• Need for System - Behnke - 5 mins
• Groundwork (historical) - Behnke - 10 mins
• Development - Damstra - 30 mins
  i. Modules
  ii. Attributes
  iii. DXLs
  iv. Views
  v. Exports
• Usage - Villhauer - 30 mins
• Questions - All - 10 mins

Program ISSC 2013


Wednesday 08·14·13, 1:30-3:30, Exeter, Tutorial, 0.2 CEU

Where Hard Meets SOFT: Human Factors' Role in System Safety Engineering
Instructor: Fred W. Brisbois, CHCM, Safety, Sikorsky Aircraft / International Helicopter Safety Team, Guilford, CT, USA
The gap that allows accidents to happen is sometimes where System Safety Engineering and Human Factors don't overlap. System Safety Engineering processes defined in MIL-STD-882 and ARP 4761 provide a structured approach to applying engineering practices to ensure safety is designed into products. These practices, coupled with robust product safety surveillance and management during the aircraft's service life, offer opportunities to continuously raise the standards for future designs. However, to maximize the benefits of safety engineering it is important to master the 'art' of how and when to integrate human factor interventions into the system design. This session will cover a generic overview of system safety engineering, aircraft fleet safety management, and lessons learned from 'human' malfunctions that led to aircraft system design changes.

Wednesday 08·14·13, 1:30-5:00, Wellesley, Tutorial, 0.3 CEU

Using Risk Profiles for Safety Management of Large Scale Operations
Instructor: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA
This tutorial provides safety and health professionals who work with large-scale or multiple operations with a methodology to evaluate and compare these operations. The tutorial begins with a review of four types of risk which need to be assessed (People, Product, Production and Planet). This is followed by a brief discussion of normalizing the risk components of severity and probability. The heart of the tutorial is the description of how to measure the total risk of various operations, processes and facilities and present the resulting risk profiles to management. The tutorial will conclude with a brief discussion on the validity of the methodology used. Note: This is not a discussion on how to determine true total risk, but a simplified method using a minimum of math. The tutorial is designed for safety and health professionals working within a company that has multiple processes or facilities that compete for funding to ameliorate hazards.

Thursday 08·15·13, 8:00-5:00, Exeter, Tutorial, 0.6 CEU

Conceive of Modeling On Operation Mechanism of Public Safety Standardization
Instructors: Yun Luo and Yuecheng Huang, ME, School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
On the basis of the theories and methods of system science and strategy systems, this paper reveals the operating law of work safety standardization and the relations between all of its elements, combined with the background and current situation of public safety standardization in China. It also builds the frame of a macroscopic operating mechanism and the "456" model of the work safety standardization system operating mechanism, drawing on the execution and achievements of work safety standardization in China. Besides this, it designs six other mechanism models in order to perform systematic analysis and present optimized countermeasures, such as comprehensive management by government, categorized supervision by department, implementation of responsibility by organization, technological service by agency, wide participation by society, self-disciplined prodding by all personnel, and so on. The research provides theoretical directions as well as approaches for constructing and improving the operational quality of public safety standardization.


PANEL DISCUSSIONS / FORUMS
Tuesday 08·13·13, 8:00-11:30, Dartmouth, Open Forum

Developing Global System Safety Perspectives
Moderator: Robert Ward Fletcher, PEng, MSc, PMP, PCIP, Consultant, President, Robert Fletcher System Safety Inc., Ottawa, Ontario, Canada
This will be a free-form discussion moderated by Bob Fletcher, SSS Director of International Development. It is a continuation of the discussion started during the 30th ISSC.

Robert is a system safety engineer with many years of experience. He has performed system safety consultancy work for several clients around the world. He has performed system safety engineering and safety management systems training, auditing and analysis for air traffic control and flight service system applications. Robert received an MSc from the United States Navy Post Graduate School, a diploma from the Aerospace Systems School, Winnipeg, Manitoba, and a Bachelor of Science degree from the Royal Military College. He is a registered professional engineer and a member of the Project Management Institute and the Critical Infrastructure Institute.

Thursday 08·15·13, 8:00-11:30, Suffolk, Panel

G-48 Workshop - Pressing Issues Facing System Safety
Moderator: David B. West, CSP, PE, CHMM, Systems, Software and Solutions Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
A panel of speakers (TBD) will give a series of presentations on the most pressing issues facing the System Safety community today.

WORKSHOPS
Tuesday 08·13·13, 8:00-11:30, Exeter, Workshop

ISO 26262-Style Risk Assessment
Presenter: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada
ISO 26262 is a functional safety standard for electronic control systems in road vehicles which includes a novel approach to risk assessment that overcomes the widely recognized difficulty of evaluating the likelihood of failure in the case of software-intensive systems. Although it was devised for use in the automotive domain, this approach to risk assessment has been used successfully in other technical domains that also rely on safety-critical software. Following a brief introduction to ISO 26262, participants will engage in a series of problem-solving small-group exercises based on examples taken from a variety of technical domains, including automotive, medical devices, energy and defense. The workshop will include opportunities for discussion and comparison of sample solutions. The workshop will also include a brief comparison of the ISO 26262 approach to risk assessment with the notion of software criticality in MIL-STD-882E. While this workshop will be of particular interest to system safety engineers in the automotive industry, it is intended to be relevant to system safety engineers across all technical domains with an interest in the assessment of safety risk associated with complex software-intensive systems.



Tuesday 08·13·13, 1:30-5:00, Exeter, Workshop

Application of System Safety Methods to Systems of Systems
Presenters: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada; Rami Debouk, Electrical and Controls Integration Lab, General Motors, Warren, MI, USA; Antonio Vergara, ITER Organization, St Paul-lez-Durance, France
This workshop will facilitate an exchange of knowledge among participants about the application of system safety methods to Systems of Systems (SoS) – that is, systems whose components are themselves complex systems, such that the combined behavior of these components cannot be easily understood or explained in terms of the behaviors of the individual components. Examples of such systems are increasingly common across a variety of technological domains, including aerospace, defense, automotive and energy generation/distribution. Traditional methods of system safety, focused on component failure as a source of safety risk, have limited value in understanding and managing the safety risks associated with a SoS. For example, an unforeseen interaction between two "correct" behaviors implemented by different components of a SoS may result in an unsafe behavior even in the absence of a component failure. The first part of the workshop will be a series of short presentations on SoS examples from a diverse variety of technical domains - namely advanced road vehicles, high energy physics and aerospace/defense. The second part of the workshop will be an opportunity for all participants to address specific questions about the application of system safety methods to SoS through dialogue and impromptu mini-presentations.

Tuesday 08·13·13, 1:30-5:00, Fairfield, Workshop

Advancing Safety By Reducing Errors: A Fresh Approach
Presenter: Tim Autrey, BSc, Error Reduction and Human Performance Enhancement, Practicing Perfection Institute Inc., Swanzey, NH, USA
Potential hazards workers face while working in the refining and petrochemical industry can vary from minor leakage to major blasts: releases of chemical vapors, spills leading to exposure to harmful gaseous chemicals, fires and explosions, and smoke build-up causing shelter-in-place impacting the local community, personal injuries, fatalities, and plant damage resulting in shutdowns. Considering time pressures, the dangerous nature of the job, weather conditions, lack of communication, poor/inadequate documentation and remote working locations, planners, locators and refiners often face combined challenges that generate very error-likely conditions.

While unexpected releases of toxic substances do occur, the industry is subject to vulnerabilities caused by others (such as processes involving highly hazardous chemicals leading to the release of flammable liquids and gases, and worker stress and fatigue), and investigations reveal that many of the major accidents that do occur could have been prevented through greater diligence on behalf of the respective personnel involved.

This workshop is designed to provide the participants with the awareness that, as humans, we are fallible (even the best people make mistakes). However, this being said, as humans we also possess the incredible power of choice. What we must do is choose to learn from our mistakes and take actions to prevent their recurrence.

Bird and Germain (1996) rightly said, "What is the sense of measuring if the loss must occur before you can act? That is reaction, not control." What we need is a fresh approach to enhance safe work practices. This session will instill a strong understanding of "The Gap" in processing information and how to RESPOND rather than REACT when posed with a stressful or threatening situation. The participants will come to recognize the value inherent in worker contribution to solving problems and improving safety and efficiency.

The Practicing Perfection® approach has taken the best-of-the-best tactics and tools from the US commercial nuclear power and airline industries, simplified them, and combined them with the underlying triggers and influencers of behavioral psychology to transform worker behaviors pertaining to personal and process safety in different sectors.


Using this innovative approach of Practicing Perfection®, safe work practices will be discussed in depth using the four human error barrier/defense categories and how these work together to prevent/allow an event to occur. The participants will be introduced to the Error Elimination Tools™ handbook, which offers simple tools for minimizing the potential for error at points of team interaction and individual execution.

Wednesday 08·14·13, 1:30-3:30, Arlington, Workshop

The Evolution of the UK Defence Safety Standards
Presenter: John McDermid, Professor of Software Engineering at the University of York, UK
Issue 5 of DS 00-56 is being developed and is likely to be in force before the end of the year. The UK's primary defence safety standard, DS 00-56, has been in existence since mid-1990 and has undergone a number of changes, becoming more goal-oriented at Issue 4 (the current standard). When Issue 4 was produced, DS 00-55, the MoD software safety standard, was discontinued. Since the publication of DS 00-56 Issue 4 in 2007 there has been feedback on some of the requirements, including the challenges of applying the ALARP principle; defence contracting has changed, with a move towards the greater procurement of services and/or outsourcing management of facilities; and there is increasing use of Systems of Systems (SoS). Issue 5 of DS 00-56 is being developed to address these issues. At the same time there have been increasing concerns regarding software safety, and it has been decided to re-introduce DS 00-55 at the same time, albeit in a goal-based style consistent with DS 00-56 and also covering complex electronics. The tutorial will present an explanation of the motivation for the changes to the standards and the significant conceptual changes, and outline the rest of the development process. Time will be allowed for discussion, e.g. the relationship between DS 00-56 and other standards, both civil and military.

Wednesday 08·14·13, 1:30-3:30, Fairfield, Workshop

Aircraft Fire & Explosion – How Safe Are the Friendly Skies?
Presenter: Albert Moussa, PhD, PE
While commercial air travel is an extremely safe mode of transportation, aircraft fires and explosions can occasionally occur with catastrophic consequences. Using examples of recent accidents and full-scale testing, Dr. Albert Moussa will provide an overview of the main types of fires, such as those involving aircraft engine, fuel tank, cabin and cargo areas. He will show how major accidents lead to safety recommendations by the NTSB, stricter requirements by the FAA, and improved practices by the industry. This process takes many years, leading eventually to safer skies. Examples of safety improvements include the use of a fire blocking layer in seats, improved acoustic insulation, fire detection and suppression systems in cargo bays, and fuel tank inerting. The implications of replacing aluminum with composite materials will also be discussed. The talk is an overview of a unique professional course that he teaches annually on the design of aircraft systems for protection against fire and explosion. The talk is a multi-media presentation illustrated with colorful slides and short video clips of real accidents and computer model outputs.

Dr. Albert Moussa has spent over forty years developing a fundamental understanding of fire and explosion, particularly for the aerospace/defense industry. His work has led to the development of a number of practical solutions and quantitative models and to the investigation of several major national and international aircraft fire accidents. His forewarning about the vulnerability of aircraft fuel systems before the occurrence of the TWA800 and Concorde disasters has gained him prominence in the general media in both the US and Europe. He has consulted for the Air Force, Navy and major firms such as Boeing, GE, Northrop Grumman and Parker Hannifin, and has served on national advisory committees and on the Editorial Board of an ASME Journal. He teaches a unique professional design course on how to protect aircraft systems against fire and explosion. He received his BS from Stanford University and his MS and ScD from MIT. He has published widely, including one book. He has received several honors, including the William Littlewood Memorial Lecture Award by SAE/AIAA, Engineer of the Year by AIAA NE Section, best papers by SAE and ASEI, AIAA Distinguished Lecturer, and several ASME citations. He is the Founder and Technical Director of BlazeTech Corp., an engineering firm that specializes in technology and software development in the area of energy, environment and safety.

Friday 08·16·13, 8:00-10:00, Clarendon, Workshop

Process Safety Culture Best Practices
Presenter: Laurence Pearlman, MA, Corven Inc. and University of Illinois at Urbana-Champaign, Naperville, IL, USA
The workshop explores how process safety is more than a technical solution and involves cultural change. To make a successful and sustainable culture change, multiple elements need to be combined that address people, rewards, learning and leadership. This workshop will explore best practices and give practical advice on how to build a process safety culture. The workshop is aimed at Oil, Chemical and other process-related work.

• Introduction
• Change as a Journey: Overview of Change Management
• Building a Business Case: Defining a Burning Platform
• Speaking of Process Safety: Creating a Common Language for Process Safety
• Leadership Matters: Defining the Role of Your Leadership Teams
• Effective Learning: Segmenting Your Audiences and Delivering Relevant Learning Activities
• Looking at Behaviors and Desired Outcomes: How To Define & Drive Behaviors
• The Employee Lens: Know My Barriers & Know My Role in Keeping Them Healthy
• Measurement of Culture: What Works and What Doesn't
• Wrapping it Up: Change as a System

You have a lot on the line. Our adaptive Safety Management and FAA Compliance solutions won't let you down.

Adaptive SMS — The comprehensive solution for the most efficient implementation
• Extends a culture of safety beyond safety teams
• Easily guides users to confidentially report useful safety events
• Responsiveness shows users they made a difference

Adaptive Systems Safety Analysis — Safety-oriented system design analysis

Don't miss the Sikorsky Aircraft and AST Aerospace presentation "Linear Integrated Safety Analysis (LISA)"

A DIVISION OF ATLANTIC SOFTWARE TECHNOLOGIES
1-732-230-2590
sales@astaerospace.com
www.astaerospace.com


PAPER PRESENTATIONS
Monday 08·12·13, AM, Berkeley, Hazard Analysis, Chair: Barondes

Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models
Lucas Wind, Dr. Gabriele Schedl, Juergen Floetzer, Safety Management Department, Frequentis AG, 1100 Vienna, Austria
Multiple failures of components due to shared causes, also known as Common Cause Failures (CCF), comprise an important class of failure types. These have to be taken into account in any serious assessment of safety-critical systems deploying any redundancy concept. Whereas a qualitative assessment of CCF can be regarded as common practice, the exact numerical impact of CCF is usually less widely understood. Explicit representation of CCF is quite cumbersome and usually involves complex graphical representations within Fault Trees and RBDs. Focusing on a correct derivation of RAM data rather than on a comprehensive common cause analysis, an implicit representation of CCF is therefore often preferred, but it requires in-depth knowledge of the underlying mathematical models. This paper aims to enable safety experts to make a fast, simple but effective RAM analysis including CCF. Popular CCF models are reviewed together with their advantages and disadvantages, based on the long-term experience of a supplier in the context of a large European ATM project. The single-parameter beta-factor model is explained in detail and demonstrated to be most effective for typical ATM applications. Based on this model, results are given in terms of representative figures depicting the influence of CCF on various typical real-world availability requirements.

Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees
Wes Rainey, MSEE, Life Cycle Engineering, General Dynamics Electric Boat, Groton, CT, USA
Fault Trees prove to be an effective tool for identifying safety-critical system hardware and software requirements during the Safety Requirements Hazard Analysis (SRHA) process. This safety analysis methodology offers significant benefits when performing the SRHA. Fault Trees effectively communicate the safety assessment of a safety hazard to other safety engineers, systems engineers, the customer, and other impacted engineering disciplines in a manner that each discipline can readily understand and evaluate for completeness and correctness. Fault Trees also enhance the safety engineer's ability to assess the implications of safety mishaps and events on safety hazards, improving visibility into the relationship between related mishaps and events and allowing common events to be identified and shared between hazards. Fault Trees can then be structured to correspond to the system hardware and software requirements analysis, thus providing the ability to identify hazard-mitigating safety-critical requirements, design features and procedures early in the development process for continued tracking and management. This paper describes the significant benefits of Fault Tree analysis when applied to an SRHA, with an example based upon a hazard caused by significant equipment damage to a pump.

The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment
Omar T. Jaradat, PhD Student (1); Patrick J. Graydon, Postdoctoral Research Fellow (1); Iain Bate (2). (1) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden; (2) Department of Computer Science, University of York, York, United Kingdom
Typical safety standards require software engineers to show that a plan of safety activities—chosen from recommended options or alternatives—meets a set of objectives. For example, the automotive safety standard ISO 26262 recommends formally verifying software architectures to show that they comply with safety requirements. In this paper we show how an existing approach to architectural model checking could be used to conform to ISO 26262.

The Architecture-Based Verification Technique for AADL Specifications verifies some completeness and consistency properties of Architectural Analysis and Design Language (AADL) models. An engineer transforms the AADL architecture into an UPPAAL model, generates a set of UPPAAL queries, and uses UPPAAL to check the queries. Using the resulting evidence, we have created a partial ISO 26262 safety case for an existing system that warns drivers of heavy vehicles before low fuel causes loss of power and vehicle control.

In this paper we demonstrate how this model-checking evidence contributes to an ISO 26262 safety case. We then critically analyze the resulting argument, recommend means of achieving complete coverage of ISO 26262 objectives, and discuss the costs and benefits of architectural model checking in comparison to those of the other techniques recommended by ISO 26262.

Monday 08·12·13, AM, Clarendon, Ground Transportation, Chair: Millin

Achieving Confidence of a Safety Critical System Product and Its Applications
Fenggang Shi, PhD, RAMS Department, Thales Canada Transportation Solutions, Toronto, ON, Canada
A safety-critical system product can be developed for multiple project applications, such as a Communication Based Train Control (CBTC) product for modern railway signaling systems. It is natural that different safety-critical systems in the same domain can have different characteristics due to variances of devices and operating environment. Such a product must be developed based on the generic attributes of systems in the domain, and can be parameterized and tailored to a specific system with the characteristics expected by the customer. The key issues in the development of such a product are defining common functions in the application domain, categorizing and generalizing devices, and designing a configurable system architecture. Thus devices and functions can be parameterized and tailored for the specific system of a project. Safety engineering for such a safety-critical system product and its applications faces complexity in safety case development for demonstrating systematic hazard analyses and management. This paper discusses Thales' experience and practice in resolving the key issues in design and managing the complexity of safety engineering on its CBTC product and applications. Safety confidence of CBTC systems is achieved through four layers of safety engineering: vital computer, controller platform, generic application and specific application.

Failure Logic Automata for Future Oriented Safety Assessment of Train Control System
Guo Zhou, PhD Student; Huibing Zhao, Professor; School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China
In the development process of a train control system, safety analysis may deviate from system design. System engineers and safety engineers often carry out their ideas in entirely different ways, so that when system engineers assert their designs are complete and feasible, the safety engineers may disappointedly declare that the safety requirements are not met. Conversely, when safety engineers present their manual analysis reports (FTA, FMECA, etc.), system engineers may pop up and point out inconsistencies. Intuitively, there seems to be a "gap" between system engineering and safety engineering. In this paper, some comparisons among classic safety assessment methods are performed first. Then a future-oriented safety assessment method is introduced to safety engineering to automatically realize safety requirements verification in the face of the soaring complexity of system design. The hierarchical and modularized methodology of failure logic modeling is illustrated for minimal cut set synthesis and dangerous failure rate calculation, which can be referred to in order to promote safety. A mathematical model is constructed to demonstrate the correctness of the method. An instance analysis of an on-board train protection system is also performed.

Are We Ready for Driverless Cars?
David B. West, CSP, PE, CHMM, AMCOM/AMRDEC Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
For decades, technological advancements have continually improved the automobile, making it easier to drive. As we integrate features like adaptive cruise control, GPS navigation, lane keeping and so on, and make them interoperable, we move ever closer to having cars that will drive themselves to the destinations we enter into their programs. Some experts have even predicted that in less than a generation it will be illegal to steer our cars ourselves. Though it may seem that serious safety challenges constrain our movement down this path, it may actually be the safety benefits offered by driverless cars that propel us in this direction. Several high-profile competitions have fostered the development of driverless car technology. Some jurisdictions are already passing legislation to pave the way for driverless cars on public roads. With driverless cars will come major changes in legal processes involving accidents. In many ways the development of driverless cars that will operate on public roadways parallels the development of unpiloted aircraft that will fly in the national airspace. Design standards for hardware and software in civil aircraft (e.g. RTCA DO-254/DO-178) may serve as models for similar qualification of driverless car hardware and software.

Tuesday 08·13·13, AM, Berkeley, Hazard/Risk Management, Chair: Parizo

Safety is not an Option
Clifford A. Parizo, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Stratford, CT, USA; R. Brandon Daugherty, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Huntsville, AL, USA
This paper presents a method for evaluating and classifying rotorcraft safety-enhancing equipment in terms of impact on safety and various equipment implementation factors. Guidance from certifying agency policy and system safety standard practice were considered, resulting in a classification tool that can be used to determine if equipment should be marketed and sold as either mandatory or optional. The methodology developed may have applications for other products and industries.

National Aerospace Standard 411 Update
Timothy Sheehan, CIH, CSP, PE, Raytheon Global Substances Program, Raytheon, Portsmouth, RI, USA
This paper describes the effort to review and update National Aerospace Standard 411 ("NAS 411"), commonly used within defense as a framework to conduct Hazardous Material Management Programs (HMMP) intended to reduce hazardous material risks in the government procurement of military systems. The scope of the effort includes both a review of the standard and the introduction of several key changes, including the expansion of the scope to non-military procurements and service contracts. Included in the effort is the task of developing a standardized military Hazardous Materials Target List (HMTL) that can be used as a starting point for military HMMP hazardous material (HAZMAT) target lists. The development of the common HMTL addresses the need to increase standardization of HMMP lists across defense programs that use NAS 411 and/or MIL-STD-882E Task 108 to conduct their HMMPs. There is no current standard approach for developing these lists; as a result, there are numerous different materials identified for restrictions and reporting requirements. The current situation often does not support (or reflect) the hazmat risk management goals of the DoD, the military services or the contractors.

Linear Integrated Safety Analyses (LISA)
Michael T. Grant, Aviation & Product Safety, Sikorsky Aircraft Corp., Stratford, CT, USA; Samad Muhammad, Atlantic Software Technologies Inc., New York, NY, USA
This paper describes the Linear Integrated Safety Analyses (LISA) process developed by the Sikorsky Aircraft Corporation (Sikorsky). The LISA architecture is designed to encompass all aspects of safety risk management for aircraft development programs. It is linear in that each assessment is repeated at the aircraft, system and subsystem levels in sequence, and it is integrated such that all analyses are connected and fully traceable to requirements. Sikorsky has partnered with Atlantic Software Technologies (AST) to develop a web-based LISA application. The end product will be a fully integrated system safety process that is comprehensive, repeatable and traceable.

Tuesday 08·13·13, AM, Clarendon, Workspace Safety, Chair: Kondreck

Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen
Han Zhang, MSc Candidate; Rachel McQueen, MS, PhD; Jane Batcheller, PhD; Human Ecology, University of Alberta, Edmonton, Alberta, Canada
Burn injuries in kitchens are prevalent; as well, chefs are exposed to high heat and humidity. Limited research has been performed on safety issues related to chef's uniforms regarding thermal protective performance against common kitchen thermal hazards (i.e. flames, hot liquids, steam and hot surfaces) and thermal comfort within commercial kitchens. The purpose of this research was to characterize the thermal protective performance properties of textiles used in chef's uniforms in order to understand how protective they are against all these thermal hazards in such an environment. Selected thermal performance tests (i.e. flammability and ease of ignition, hot water and oil splash, steam testing under low pressure, and hot surface contact tests) were applied to predict the time to second-degree burn. Different fabric layer combinations (e.g. impermeable/semipermeable apron and two or more layers of cotton fabrics) were applied to determine the most effective way to wear chef's uniforms. In addition, thermal and water vapour resistance were compared among different fabric systems in terms of thermal comfort. Based on the data obtained from bench-scale tests, recommendations were made to improve the thermal protection and thermal comfort of fabrics used in chef's uniforms and the safety within commercial kitchens.

A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources
Ray Fischer (1); Kurt Yankaskas, BS (2); Chris Page (1). (1) Noise Control Engineering Inc., Billerica, MA, USA; (2) Warfighter Performance Department, Office of Naval Research, Arlington, VA, USA
Noise remains the most prevalent occupational hazard associated with defense systems and the operations critical to their sustainment. Concurrently, acquisition programs have been inconsistent in the application of control measures, and many new systems are noisier than their legacy predecessors. Common impediments to improved control include a relative lack of emphasis on risk management of noise, lack of widespread technical knowledge regarding the feasibility of noise control, and misunderstanding of the potential return on investment from noise controls. The Defense Safety Oversight Council's Acquisition and Technology Task Force sponsored a project to identify common noise sources affecting multiple defense systems that were amenable to control measures that could be implemented using existing technologies at an affordable cost. A system engineering risk management process was applied to review key noise sources in DOD, identify nine of the more common sources amenable to control technologies, and describe common control measures for these processes. An affordable containment (acoustic enclosure) technology was also evaluated and described. Estimates were made of exposed populations, the range of their occupational exposures, and the potential risk and fiscal cost of hearing loss. Cost-benefit analyses were applied to evaluate the return on investment from available control measures.

System Safety Design for Safe Operation of Radars
Ronald J. Bartos, PE, CSP, Whole Life Engineering, Raytheon, Sudbury, MA, USA
Safe operation and maintenance of radars depends upon effective system safety and software safety analyses of radar designs. These analyses include identification of the hazards involved in operating and maintaining radars and of the safety requirements that are necessary to mitigate these hazards. This paper familiarizes the reader with the system safety design requirements that are implemented in the controls of these systems in order to manage the potential safety risks inherent in radars. The safety features are contrasted among different types of radars; the differences in the types of safety features among these systems are highlighted and the factors behind these differences are presented. The radar's mission, location, system architecture, conceptual design and requirements allocation between hardware and software need to be understood in order to implement an effective safety program.

Tuesday, 08/13/13 PM, Berkeley: Software Engineering (Chair: Mikula)

Dependability Techniques Applied to Space Software: A Research Project Report
Carlos Henrique Netto Lahoz, Dr. Eng., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos (SP), Brazil; Martha Adriana Dias Abdala, MS, Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos, Brazil
This work reports some results of a research project performed at the Institute of Aeronautics and Space (IAE), Brazil, using dependability techniques applied to space computer systems. Hazard analysis techniques such as Software FTA and Software FMECA were used in an integrated manner, and more recently the System-Theoretic Process Analysis (STPA) has been studied. This research is part of the Verification and Validation (V&V) efforts to increase software dependability capability in software projects at IAE.

The feasibility of such an approach was assessed on a system software specification and applied to a case study based on the Brazilian launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to the inclusion of new functional and non-functional system software.

The techniques are adjusted and used in combination to identify common causes of software failures, their criticality, performance problems, timing problems and hazards arising mainly from dysfunctional interactions between components. The SFTA analysis produced 82 basic events and the SFMECA 34 analyses from the sequence of flight and control events. STPA is being applied to one of the case study scenarios in order to evaluate possible additional information about how the behavioural safety constraints can be violated.

The Principles of Software Safety Assurance
Richard Hawkins, PhD, Ibrahim Habli, PhD, Tim Kelly, PhD, Department of Computer Science, University of York, York, United Kingdom
We present common principles of software safety assurance that can be observed from software safety standards and best practice. These principles are constant across domains and across projects and can be regarded as the immutable core of any software safety justification. The principles also help maintain understanding of the 'big picture' of software safety issues whilst examining and negotiating the detail of individual standards, and provide a reference model for cross-sector certification.

Program, ISSC 2013


Formal Modelling in the Development of Dependable Systems
Elena Troubitsyna, PhD, IT, Åbo Akademi University, Turku, Finland
Nowadays we tend to place increasing reliance on computer-based systems and the software they run. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, the analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.

It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing of software to the required degree of dependability infeasible, and hence the emphasis should be put on a development process aimed at producing fault-free software. Moreover, the system environment has a direct impact on its dependability, and hence a systems approach should be applied.

In the paper we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.

Tuesday, 08/13/13 PM, Clarendon: Aerospace Safety (Chair: Kraemer)

Systems-Based Approach to Flight Safety Management in Airlines
Hong Chi, PhD, Baoguang Xu, PhD, Mingliang Qi, PhD, Xueyan Shao, PhD, Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China
Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of SMS. Since 2006 we have worked with one of China's three big airlines, taking part in its construction of SMS. We find that safety risks have their own features in different airline departments, and divide safety risks into two categories: one caused by factors such as the quality of pilots and the reliability of airplanes, and the other caused by mis-processing within operational processes; for example, a mis-processing in data entry during dispatching may lead to insufficient fuel and then to serious outcomes. A reasonable risk assessment can be obtained only by systematic mechanism analysis, and other analytical approaches need to be studied besides the risk matrix. Based on this, effective risk mitigation can be implemented in airlines. We develop a closed loop to support an airline's flight safety management, named "Describing-Assessing-Diagnosing-Improving-Tracking". Specific details will be discussed in this paper.

Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch
Burak Durmaz, MSc Eng, Product Assurance Department, Space Systems Group, Turkish Aerospace Industries Inc (TAI), Ankara, Turkey
Even though new-generation aircraft have rugged designs that maximize reliability, exposure to failures during operation is still unavoidable. A pure safety approach can lead to the classical result "the safest aircraft is the one in the hangar". Conversely, allowing dispatch without ensuring a certain level of safety can lead to catastrophic results and is totally unacceptable. The MMEL has been answering this dilemma for many years. Each MMEL item is analyzed taking into account the effects of the item's inoperability on safe flight and landing, crew workload, the functional capabilities of the systems, design margins and the impact of the next critical failure. The MMEL proposes dispatch criteria for any inoperative MMEL item by taking credit for a redundant unit capable of accomplishing the same function or for backup data provided by alternative sources or equipment, by dictating acceptable limitations, and/or by requiring operational or maintenance procedures.

This study aims to answer questions such as why an MMEL is required and how an MMEL is developed. Brief information about MMEL regulations, the importance of the MMEL in ensuring safe dispatch with inoperative item(s), and some simple examples of MMEL applications are also provided.


Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics
Stuart Campbell Sr., MAS, CFII, ATP, Aeronautical Science, Embry-Riddle Aeronautical University, Daytona Beach, FL, USA
The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilots Association, 2010). The absence of a positive safety culture in general aviation, including training organizations, affects pilot judgment and decision making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture to the learning process and training, are of importance and are currently under study using the Frasca Mentor Advanced Aviation Training Device.

Tuesday, 08/13/13 PM, Dartmouth: Software Safety (Chair: Schmedake)

Safety and/vs. Security: Towards a System Engineering Approach for Trust
Erwin Schoitsch, Dipl.-Ing., Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria
Safety has a long tradition in many engineering disciplines, evolving long before computers arrived on the scene. Security in engineering disciplines has a shorter history, becoming increasingly important with the rising complexity of networked systems. In complex cyber-physical systems and systems-of-systems, both worlds, having ignored each other for a long time (independent communities, different targets, standards, techniques and measures), now have to share their concerns to achieve the real goal of users and stakeholders: trustworthy systems.

The paper will compare the different approaches of the major safety and security standards, particularly with respect to setting goals, considering techniques and measures, and qualification/certification. Holistic system aspects, as covered by the notions of Dependability and Resilience as umbrella terms, and system engineering aspects taking into account the dichotomic properties of complex embedded systems (commonalities and trade-offs) are examined in order to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from the concept phase and hazard and risk analysis to decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC FP7 Integrated Project OpenCoss, IEC/ISO standardization groups and other work.

Anatomy of a Safety Critical Software Function
Richard Church, Raytheon Company, Tewksbury, Massachusetts, USA
This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides a clear and concise determination of how a safety critical function may be defined at the system level to include hardware, software, human interactions and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose SLSCF computing-level functions, details what constitutes a Safety Critical Computing Software Function (SCCSF), and shows how to identify those behavioral attributes that designate a function as safety critical. This paper provides a methodology to identify, decompose and categorize application and operating-environment SCCSFs. For the purpose of this paper, SCCSFs are categorized into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety critical software functions that control and monitor safety critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies and fail-safe designs found in successful high-consequence safety critical systems.

Software Risk: The Third Rail of Safety Analysis
Holly S. Hildreth, PhD, Consultant; Charles Greg Elcock, USN-R Aviator, Consultant, San Diego, CA, USA
"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Due to our inability to assess the probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called "throwing the baby out with the bath water". Meanwhile, the recent industry trend to assess software risk based solely on implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss shortcomings of this trend and describe alternative techniques that have not been openly documented but that have been used "under the radar" by software safety professionals for many years.

Wednesday, 08/14/13 AM, Berkeley: Human Factors (Chair: Robins)

ASL: Affective Safety Leadership
Ulrik Ramsing, Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark
Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how", demanding that the CoRep engage with all parties in a safe, professional and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged with CfL, Centre for Leadership, to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, satisfactory completion of which is now a requirement for employment in DONG E&P Offshore Operation as Company Representative.

The CoRep Program satisfies its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors and ILO-driven offshore coaching.

Exxon Valdez: Human Error, Plain and Simple
Arthur D. Barondes, BS (Mil Engr), MS (Aero), MBA, PhD (ABD) (Business), Analytics International Corporation (AIC), Alexandria, VA, USA
Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989, and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors (there were no mechanical or electrical failures that fateful night), the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors, onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company, as solely responsible for the disaster.


Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A. Vernacchia, MS, PE, Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A. Green, PhD, Active Safety Systems, General Motors, Warren, MI, USA; Robert E. Llaneras, PhD, Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA
Today's electric propulsion system designs (e.g., Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, some failure modes may result in the failure effect on output torque being realized significantly faster than in traditional ICE failure modes. These may present differences in how output torque responses impact potential "Driver Startle" events.

This paper compares electric propulsion systems' fault response characteristics, and the subsequent detection and mitigation capabilities, to those of ICE systems. The effects of the electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle-level hazard metrics related to Driver Startle, are presented.

Wednesday, 08/14/13 AM, Clarendon: Public Safety (Chair: Fletcher)

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD, Yun Luo, Shuo Tian, MS, School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
Scientific precaution and effective control of accidents are important for national production in China. The famous Heinrich Rule reveals that the statistical law of the severity and frequency of accidents is essential to controlling accidents, but the accident source and causation, as well as the essence of systematic safety factors, have not been stated in depth. From data analysis of various accident statistics over recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule, and a proportion rule of the accident pyramid is then worked out, namely "Major Accident : Fatal Accidents : General Accidents : Hidden Dangers : Hazards" (1 : 52 : 240 : 4700 : ∞). The result accords with the traditional Heinrich Rule, provides a theoretical basis for accident prevention, and indicates the way and direction for realizing essential safety.

Technical and Economic Aspects of Industrial Safety at a Large Enterprise with Distributed Sites Located in a Megacity
Ilya M. Zheleznov, PhD, VNIIA, Moscow, Russia
The paper presents a review and the results of an analysis of different technical and economic aspects of industrial safety at a large enterprise with distributed sites, combining R&D work with pilot and batch production of high-tech products, and located in a megacity, Moscow.

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to optimization are considered, from both technical and economic points of view, taking into account minimization of the transport of dangerous substances, the siting of treatment facilities (waste effluents, gas purification) and waste storehouses, the siting of working-condition maintenance systems (heating, air-conditioning, air cleaning, water supply, etc.), possible harm to the population and a number of other factors.

The features connected with locating the enterprise in a megacity are identified, including limited areas for treatment facilities, a high density of utility lines (communications) in the area, short distances to residential buildings and city infrastructure, transport problems, high air pollution, etc.


Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr. Professor G.A. Smirnov, Dr. D.I. Yurkov, D.V. Syagin, T.V. Kozhina, All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia
The paper reviews questions related to the vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including those of a terrorist orientation, as well as to emergency situations of natural and anthropogenic character.

The main provisions of the complex program for the safety of the population on transport, approved by the Russian Government, are presented. Approaches to organizing the screening of physical persons (passengers), vehicles, cargoes, luggage and personal belongings at transport infrastructure objects of Russian undergrounds are formulated. Some types of neutron and X-ray equipment for the detection of explosives, nuclear materials and drugs, designed and produced by VNIIA named after N.L. Duhov, are presented.

Wednesday, 08/14/13 AM, Dartmouth: Lifecycle Safety (Chair: Swallom)

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore, Singapore
System safety analyses assess the system's hazards throughout all phases of the system life cycle. Quite often, details of maintenance tasks on systems are not clearly thought out and assessed. Hence, while system maintenance tasks are being carried out, hazards could arise and pose safety implications for users. Improper maintenance could also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance and sometimes total replacement of the components at regular intervals are required. Therefore it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety critical or safety related parts is also crucial in ensuring that the systems remain safe for operation after maintenance is conducted.

This paper attempts to classify the different types of maintenance and the focuses of their respective hazard analyses in order to better address their potential hazards. Generally there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance and Reliability-Centered Maintenance. The authors will discuss, with examples, the hazard analysis for each of these types of maintenance.

(Advertisement: ALD Software, "30 Years of System Safety Leadership": safety services for mission & product assurance, safety software for highly integrated systems, safety training for professionals; products RAM Commander, FavoWeb (FRACAS) and D-LCC (Dynamic Cost Control); USA Office, 5721 W Slauson Ave, Suite 140, Culver City, CA 90230, Tel 1-310-338-0990, Fax 1-310-338-0999; www.aldservice.com)

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram, David Hartfelder, Electronic Controls and Software, General Motors Company, Milford, MI, USA
System safety engineering is the application of special technical methods and managerial processes in a systematic manner to identify, evaluate and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned with eliminating or minimizing the impact of system hazard(s) to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementary critical safety analyses, tests and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase and continuing through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that they are able to influence the design of the system. This paper will define a system safety case and provide an overview of its development within the GM system safety engineering process as applied to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA
Error Prevention Event Collection (EPEC) Documents have benefited the ULA Organization in many ways by providing multiple methods to augment current ULA Error Prevention Processes and to share Lessons Learned throughout the ULA Organization. EPEC Documents are stand-alone documents that provide ULA personnel with categorized sets of Event information that can be used to augment the Preventive Analysis, Reactive Analysis and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process; this means that they have completed the Causal Analysis, Corrective Action Board and Error Prevention Council processes. Upon Event closure, the "All Items" Database is populated with the Event information and the applicable EPEC Categories. The "All Items" Database then automatically sorts Event entries into "Category" Databases, one for each EPEC Category, and each "Category" Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" Database that provides users with usage instructions, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications and benefits of the EPEC Documents will continue to be explored.

Wednesday, 08/14/13 AM, Exeter: Human Factors II (Chair: Flint)

Development of an Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy, Yanyan Wang, DE, Xin Liu, Wei Bai, Xinsheng Guo, Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress has an adverse effect on flight safety. Life events are a routine item of aircraft accident investigation in many countries, and many pilots involved in accidents were suffering from life events. In order to achieve the desired effect, flight safety education must be integrated with psychology. An education program combining flight safety and psychological stress was developed by summarizing the psychological factors relevant to aviation risk perception. The program includes three sections: psychological measurement relevant to safety with results feedback, education on representative risk scenes in aviation, and occupational stress management. An aviation safety locus of control scale and a hazardous aviation attitude questionnaire were used to evaluate risk patterns, and the results were fed back to pilots to improve their self-knowledge. The representative risk scenes were based on the five hazardous attitudes theory; fifteen cases were developed and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach pilots stress management skills. The program can be applied to improve the flight safety and mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD, Xin Liu, Wei Bai, Xinsheng Guo, Qingfeng Liu, MPsy, Xiaochao Guo, DPsy, Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
Crew resource management (CRM) capabilities relate directly to flight safety and run through the whole process of flight tasks, but there are currently no indicators or methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and the pilot's behavioral characteristics of dynamic CRM were developed based on AC-121-FS-2011-41 (crew resource management training) and by analyzing the influential factors; from these, the dynamic assessment training indicators and methods of crew resource management were formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis of CRM assessment during flight training, which is helpful for improving the CRM capabilities of a two-pilot (double drive) crew.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD, Erin Collins, Hughes Associates Inc, Baltimore, MD, USA
The fire protection response in selected facilities is characterized by "manual" activities. That is, facility personnel are trained to react immediately after fire detection, not only to announce the fire event throughout the facility using the communication systems but also to suppress the fire as quickly as possible. Contrary to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e., hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper integrates an event tree analysis with HRA, which includes treatment of the following detection and suppression activities: prompt detection and suppression, rapid detection and suppression, and fire brigade suppression.
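To make the event tree/HRA integration described in the abstract concrete, the following is an added worked example; it is not code from the Joglar and Collins paper. It models the three manual layers the abstract names (prompt detection and suppression, rapid detection and suppression, fire brigade suppression) as successive event-tree headings, each credited with a human error probability (HEP), and applies one HRA feasibility screen: a layer whose available time window is shorter than the time the responders need gets no credit at all. The ignition frequency, HEPs and timing values below are constructed for illustration, not taken from any source.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ManualAction:
    """One 'manual' detection/suppression layer modelled as an event-tree heading."""
    name: str
    hep: float             # human error probability if the action is feasible (constructed)
    time_available: float  # minutes before the fire outgrows this action (constructed)
    time_required: float   # minutes the responders need to complete it (constructed)

    def failure_probability(self) -> float:
        # HRA feasibility screen: an action that cannot be finished inside its time
        # window gets no credit, regardless of how well trained the responders are.
        if self.time_required > self.time_available:
            return 1.0
        return self.hep


def event_tree(ignition_frequency: float, actions):
    """Walk the tree: each layer either suppresses the fire (branch ends) or fails
    and hands the fire to the next layer.  Returns [(end_state, frequency), ...]."""
    sequences = []
    remaining = ignition_frequency
    for action in actions:
        p_fail = action.failure_probability()
        sequences.append((f"suppressed: {action.name}", remaining * (1.0 - p_fail)))
        remaining *= p_fail
    sequences.append(("unsuppressed fire", remaining))
    return sequences


def unsuppressed_frequency(ignition_frequency: float, actions) -> float:
    """Frequency of the end state in which every manual layer has failed."""
    return event_tree(ignition_frequency, actions)[-1][1]


def weakest_layer(actions) -> str:
    """Screening helper: the layer whose failure probability dominates the unsuppressed path."""
    return max(actions, key=lambda a: a.failure_probability()).name


# Constructed scenario: a fast-growing fire that the brigade cannot reach in time.
IGNITION_PER_YEAR = 1.0e-2
SCENARIO = [
    ManualAction("prompt detection and suppression", hep=0.10, time_available=5.0, time_required=2.0),
    ManualAction("rapid detection and suppression", hep=0.05, time_available=15.0, time_required=10.0),
    ManualAction("fire brigade suppression", hep=0.02, time_available=20.0, time_required=30.0),
]

if __name__ == "__main__":
    for state, freq in event_tree(IGNITION_PER_YEAR, SCENARIO):
        print(f"{state:45s} {freq:.2e} /yr")
    print("weakest layer:", weakest_layer(SCENARIO))
```

The point the feasibility screen makes is the one the abstract attributes to HRA: a brigade with a low nominal HEP contributes nothing to this scenario because it cannot arrive inside the window, so the unsuppressed frequency is set entirely by the two on-site layers. Shortening the brigade's required time below its available window is the kind of "capability that may need to be improved" the analysis is meant to surface.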

Wednesday, 08/14/13 PM, Berkeley: Safety Topics (Chair: Gauthier)

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou, BEng, MSc, PhD, CEng, Matthew Luckcuck, Tim Kelly, PhD, Richard W. Jones, PhD, Department of Computer Science, University of York, York, United Kingdom
There has been increasing use of IT in healthcare, aiming to improve the quality of healthcare as well as the safety delivered to patients. IT can contribute to meeting the performance targets of hospitals by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent in medical devices (e.g., pacemakers), for which there are organised efforts for international standards. Recently there have been attempts to systematise and standardise the safety analysis of health IT systems, with examples such as the UK National Health Service standards asking for a safety case showing that any IT system is safe.

The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety and data-intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these tactics can be used to provide assurance in the final safety case of the system.

How Complex Systems Fail I: Decomposition of the Failure Histogram
Richard R. Zito, PhD, Richard R. Zito Research LLC, Tucson, AZ, USA
Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that in general the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model, and the failure histograms (failure rate vs. time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report will take the Peterson/Arellano analysis one step further. A unified theory of failure rates will be presented that removes the paradoxes of the simple Rayleigh model. It will be shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function law.
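The heavy-tail effect the abstract describes can be reproduced numerically. The block below is an added example, not code from Zito's paper: it defines the Rayleigh defect-discovery law with mode sigma, builds a system as a weighted mixture of per-subsystem Rayleigh laws (the weights standing in for the probability density over modes), and compares the mixture's undiscovered-defect fraction against the single Rayleigh law a naive fit would predict. The three (weight, mode) pairs are constructed, and the choice of the weight-averaged mode as what a single-Rayleigh fit would estimate is an assumption made here for comparison; the exponential field-decay observation in the abstract is not modelled.

```python
import math
import random


def rayleigh_rate(t: float, sigma: float, total: float = 1.0) -> float:
    """Defect discovery rate of a Rayleigh law: total * (t / sigma^2) * exp(-t^2 / (2 sigma^2)).
    The rate peaks at t = sigma, the mode."""
    return total * (t / (sigma * sigma)) * math.exp(-t * t / (2.0 * sigma * sigma))


def rayleigh_survival(t: float, sigma: float) -> float:
    """Fraction of a subsystem's defects still undiscovered at time t."""
    return math.exp(-t * t / (2.0 * sigma * sigma))


def mixture_survival(t: float, components) -> float:
    """components: [(weight, sigma), ...], one Rayleigh law per subsystem, weights summing to 1.
    The weights play the role of the probability density over the subsystem modes."""
    return sum(w * rayleigh_survival(t, s) for w, s in components)


def mixture_rate(t: float, components, total: float = 1.0) -> float:
    """Observed system-level failure rate: the sum of the per-subsystem Rayleigh rates."""
    return sum(rayleigh_rate(t, s, total * w) for w, s in components)


def weighted_mode(components) -> float:
    """Assumed estimate a single-Rayleigh fit would produce for the mode."""
    return sum(w * s for w, s in components)


def tail_excess(t: float, components) -> float:
    """Mixture survival divided by the single-Rayleigh survival at the weighted mode;
    a value above 1 means the mixture has more defects left in the tail than the fit predicts."""
    return mixture_survival(t, components) / rayleigh_survival(t, weighted_mode(components))


def dominant_subsystem(t: float, components) -> int:
    """Index of the subsystem holding most of the still-undiscovered defects at time t."""
    contributions = [w * rayleigh_survival(t, s) for w, s in components]
    return max(range(len(components)), key=contributions.__getitem__)


def simulate_histogram(n: int, components, bin_width: float, seed: int = 0):
    """Draw n defect discovery times from the mixture and bin them: a synthetic failure
    histogram of the kind the abstract says real data sets produce.  Returns {bin: count}."""
    rng = random.Random(seed)
    weights = [w for w, _ in components]
    sigmas = [s for _, s in components]
    counts = {}
    for _ in range(n):
        sigma = rng.choices(sigmas, weights=weights)[0]
        # Inverse-CDF sampling of a Rayleigh variate with mode sigma.
        t = sigma * math.sqrt(-2.0 * math.log(1.0 - rng.random()))
        b = int(t // bin_width)
        counts[b] = counts.get(b, 0) + 1
    return counts


# Constructed (weight, mode) pairs: a fast-maturing core and two slower subsystems.
SUBSYSTEMS = [(0.5, 1.0), (0.3, 2.0), (0.2, 4.0)]

if __name__ == "__main__":
    for t in (1.0, 2.0, 4.0, 8.0):
        print(f"t={t:4.1f}  mixture rate={mixture_rate(t, SUBSYSTEMS):.4f}  "
              f"tail excess={tail_excess(t, SUBSYSTEMS):8.2f}  "
              f"dominant subsystem={dominant_subsystem(t, SUBSYSTEMS)}")
```

Early on the mixture actually has fewer defects outstanding than the single-mode fit (tail_excess below 1), while late in the life cycle the slowest subsystem dominates and the mixture's survival exceeds the fit by two orders of magnitude, which is exactly the "tails are higher than predicted" paradox: a single Rayleigh curve fitted to the bulk of the histogram cannot follow a tail produced by a subsystem with a much larger mode.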

Wednesday, 8/14/13, PM, Clarendon: Risk Assessment (Chair: Karedes)

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt and Joan Pham, PhD, Sikorsky Aircraft Corporation, Stratford, Connecticut, USA
The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and their interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data (MSAD) process.
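A worked example of the Life Data Analysis step of a QRA, added here and not taken from the paper: fit a two-parameter Weibull model to a handful of failure times by median-rank regression, then use the fit to predict how many failures a fleet can expect over its next operating interval. The five failure times and the fleet figures are constructed, and rank regression is one common estimator chosen for the illustration; the paper does not say which method it used.

```python
"""Life-data (Weibull) analysis for a QRA (added example, not from the paper).

Steps: order the observed failure times, assign Benard median ranks, fit the
Weibull shape (beta) and scale (eta) by least squares on the linearised CDF,
then use the fitted model to predict expected failures in a fleet over the
next interval. The failure times below are constructed, not flight data.
"""
import math


def median_ranks(n):
    """Benard's approximation to the median rank of the i-th of n ordered failures."""
    return [(i - 0.3) / (n + 0.4) for i in range(1, n + 1)]


def fit_weibull(times):
    """Rank-regression estimate of (beta, eta) from complete (no suspensions) data.

    ln(-ln(1 - F)) = beta ln t - beta ln eta is linear in ln t. Regressing
    y = ln t on x = ln(-ln(1 - F)) gives slope = 1/beta and intercept = ln eta.
    """
    if len(times) < 2:
        raise ValueError("need at least two failure times")
    t = sorted(times)
    xs = [math.log(-math.log(1.0 - f)) for f in median_ranks(len(t))]
    ys = [math.log(v) for v in t]
    xbar = sum(xs) / len(xs)
    ybar = sum(ys) / len(ys)
    sxy = sum((x - xbar) * (y - ybar) for x, y in zip(xs, ys))
    sxx = sum((x - xbar) ** 2 for x in xs)
    slope = sxy / sxx
    intercept = ybar - slope * xbar
    return 1.0 / slope, math.exp(intercept)


def reliability(t, beta, eta):
    """Weibull survivor function R(t) = exp(-(t / eta)^beta)."""
    return math.exp(-((t / eta) ** beta))


def expected_failures(fleet_size, age_now, age_future, beta, eta):
    """Expected failures among units currently at age_now by the time they reach age_future.

    Uses the conditional probability of failure 1 - R(age_future) / R(age_now).
    """
    p = 1.0 - reliability(age_future, beta, eta) / reliability(age_now, beta, eta)
    return fleet_size * p


# Constructed failure times (operating hours) for five failed units of one part number.
FAILURE_HOURS = [373, 615, 833, 1075, 1429]

if __name__ == "__main__":
    beta, eta = fit_weibull(FAILURE_HOURS)
    print(f"beta = {beta:.2f} (beta > 1 indicates wear-out), eta = {eta:.0f} h")
    print("expected failures in a 100-unit fleet between 500 h and 1000 h: "
          f"{expected_failures(100, 500, 1000, beta, eta):.1f}")
```

The shape parameter separates infant-mortality (beta below 1), random (beta near 1) and wear-out (beta above 1) behaviour, which is what drives the choice between fleet-wide inspection and age-based retirement. Suspensions (units still running) require adjusted ranks, which this example omits.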

Thursday, 8/15/13, AM, Berkeley: Space Systems (Chair: Durmaz)

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X. Dang, BSCE (1); Myles P. Moran, BSME (2); Tyrone Jackson, BSEE (1). (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA
A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. As an example, one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202_AFSPCSUP1, 91-217 and 63-101. AF program offices are required to comply with AFI policies; AFIs don't generally apply to the contractor except as implemented through the contract. Often program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that by having two sets of requirements, AFIs for program offices and tailored MIL-STD-882 for contractors, full compliance with AF Orbital Safety policy should be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"

ProgramISSC2013


Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G. McDougall, BS Physics, Naval Postgraduate School (NPS) Master of System Engineering, System Safety Center, SMC/SE, El Segundo, CA, USA; Tyrone Jackson, BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA
Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommissioning and disposal of systems, subsystems, end items and services during the entire space system lifecycle, to support Operational Safety, Suitability and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements that are applicable to the acquisition of space systems or space systems of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems and user equipment systems. SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPCSUP_I and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process for evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing the tasks and activities required to execute a viable system safety program, which include risk acceptance package development, hazard tracking, mishap risk disposition and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch, CO, USA
United Launch Alliance launches Atlas V and Delta IV from the Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles, and large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle and prelaunch operations, until liftoff. Range Safety regulations provide safety requirements for hardware, software and operations to ensure safety throughout ground processing. This paper will examine each stage of ground processing for space launch and the applicable safety requirements, and discuss how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after personnel are cleared, using safety-critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday, 8/15/13, AM, Clarendon: Weapons Safety (Chair: Southwick)

Security Critical Software: the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S. Alborzi, PhD, Strategic Systems Programs, Fleet Ballistic Missiles, Washington Navy Yard, VA, USA
Today's political landscape, the arbitrary abandonment of nuclear non-proliferation by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor software security becomes the frontline defense of system safety. This paper intends to explore this integration and unveil some of the security critical software that can serve as the first line of defense for preserving the safety critical features of our weapons systems.


Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams, BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello, BSChE, Navy NOSSA, Indian Head, MD, USA
The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance provided in the associated AOP-7 and AOP-39 for implementing policy. Questions are often raised during program development and reviews as to the origin and applicability of the tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, will only address Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE, and Gunendran Sivapragasam, MBA SE, Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA
A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among the characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork, with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday, 8/15/13, AM, Dartmouth: Hazard Identification (Chair: Oliver)

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore
We often ask ourselves why accidents or mishaps happened even when the system safety methodology and assessments were in place. Accidents happen due to many possible causes. There could be lapses in the safety integrity of the system, or a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns in how a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations that were faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practice of system safety. Four areas of concern are highlighted in the paper: Interfaces, Prototype Tests & Trials, Maintenance & Disposal, and Human Error. By identifying the gaps in these four areas, the author explores and proposes mitigation measures that could possibly close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr., Cand. scient., System Safety, SINTEF, Trondheim, Norway
Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body (for certification according to IEC 61508), a Notified Body (for certification according to the relevant EU directives) and a Manufacturer.

Experience has shown that, to deliver the product in time and to be cost-effective, it is very important that the Manufacturer and the Certification and Notified Bodies agree about basic principles concerning the plans, contents, traceability and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Bodies as evidence.

This paper presents the CoVeR method, developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report (CER) for conformance to IEC 61508. This ensures a good start, that costs are minimized and time to market reduced, that the certification process is complete and well documented, and that updates of the certificates require less work. The certification experience to date shows that many of the problems with conventional methods are improved.

Design with Safety Eye
Barış Berk Erdem, MS, and Pinar Aydin, MS, Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey
Deriving safety requirements in the early stages of the design is one of the most important key factors in conducting a successful development process for any project. Just as well-defined, correct, consistent and complete safety requirements improve and guide the design toward perfect levels with minimum effort, defective, inconsistent and incorrect safety requirements may lead to unsuccessful, overweight and over-cost designs. In this paper, ways and advantages of deriving qualified safety requirements in the early stages of the design will be discussed via examples. Safety requirements are derived using the results of the safety assessments, based on the consequences of functional failures. But the quality of safety assessments depends on the maturity of the design, and as the design matures it becomes hard to change and to implement the changes; this causes a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated and familiar with similar projects provides great contributions. Also, a safety perspective throughout the design team makes it easy to derive valuable safety requirements and carry these requirements into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is cooperation of the whole design team with a safety perspective.

Thursday, 8/15/13, PM, Berkeley: Aerospace Software (Chair: Beecher)

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway, NASA Langley Research Center, Hampton, VA, USA
For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements". Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments contained in or implied by the DO-178C guidance that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results and claims to have met timing-related software safety requirements. In this paper we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels and Baconian probability. We define use cases for confidence in safety cases: prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for reuse of safety elements.

Initial Safety Analysis for Integration of Unmanned Aerial Systems into the National Airspace System
Eric Yang, PhD, Richard Y. Xie, PhD, and Arash Yousefi, PhD, Metron Aviation Inc., Dulles, VA, USA
As demand for military, civilian and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper we adapt a previously developed safety modeling framework, the Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS, incompatibility between the sense-and-avoid systems of UAS and the Traffic Collision Avoidance Systems (TCAS) of manned aircraft, lost-link procedures in the UAS, and UAS loss of communication with air traffic control. The findings of this study provide insight into potential risks of UAS integration and may support development of a concept of operations, establishing minimum performance standards, and developing required safety nets.

Thursday, 8/15/13, PM, Clarendon: Public Safety II (Chair: Laabs)

Integrating System Safety and Emergency Management
Terry L. Hardy, Great Circle Analytics LLC, Denver, CO, USA
System safety is an engineering and management discipline used to analyze hazards, evaluate risk and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to and recover from an incident that threatens life, property, operations or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore organizations may not be taking full advantage of the skills, experience and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS, HSE, Marine Well Containment Company, Houston, TX, USA
Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess and Statoil. In February 2011 MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS and the Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach for working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.

What are your strengths as an engineer?

"thinking system-wide", "providing in-depth analysis of the latest technologies", "solving real-life problems"

Online Master's Degrees
• Reliability Engineering
• Project Management
• Nuclear Engineering
• Sustainable Energy
• Energetic Concepts
• Fire Protection Engineering

Learn more: wwwadvancedengineeringeduissc


A Taxonomic Analysis of Chinese Special Equipment "Yinhuan" in Supervision
Yunxiao Fan, Dr., Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety at the worksite. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices and automobiles. In recent years the rapid increase in the number and types of special equipment has placed increasing stress on BSES's regulation of it. As the government supervision organisation, BSES tries to make the inspection tasks of the different supervision levels explicit and efficient, and to improve safety management performance from a risk-based viewpoint. This research is the first task in a project that aims to identify yinhuans (latent hazards) in special equipment supervision by a taxonomic approach, for subsequent ranking through risk assessment. Based on nonconformity and the four elements of the accident causation model, this research defined yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. It identified nonconformities from the related regulations, standards, procedures, etc., and identified 830 yinhuans across 8 types of special equipment.

Thursday, 8/15/13, PM, Dartmouth: Hazard/Risk Management II (Chair: Kniess)

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1); Patrick J. Graydon, PhD (2); Rikard Land, PhD (1). (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework that includes analysers for safety cases defined in the Goal Structuring Notation (GSN) and for systems modelled in the Architecture Analysis and Design Language (AADL). In our approach the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence; it can ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA
United Launch Alliance (ULA) believes error reporting is the cornerstone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented and shared Event data since 2007, and analysis confirms that Event severity and cost have steadily declined during this period.

In 2012 ULA experienced an elevated number of transportation-related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if the associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates the processes were "in control" during the period of this study.


Even though statistical analysis tools demonstrated ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business; rather, ULA strives to eliminate all errors.
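The p-chart computation behind the "are these processes out of control?" question, as an added example with constructed numbers (not ULA's data or code): each month's Event proportion is compared with control limits set at p-bar plus or minus three standard errors, and the standard error depends on that month's number of opportunities, so the limits are not a single horizontal line.

```python
"""Shewhart p-chart for monthly error (Event) rates (added example).

Not ULA's code. Each month has a number of opportunities (e.g. transport moves)
and a count of Events. A month is flagged when its proportion falls outside
p_bar +/- z * sqrt(p_bar * (1 - p_bar) / n), with the lower limit clipped at 0.
All figures below are constructed for the illustration.
"""
import math


def p_chart(opportunities, events, z=3.0):
    """Return (p_bar, rows); each row is (index, n, p, lcl, ucl, out_of_control)."""
    if len(opportunities) != len(events):
        raise ValueError("one Event count per opportunity count")
    if any(n <= 0 for n in opportunities):
        raise ValueError("every subgroup needs at least one opportunity")
    p_bar = sum(events) / sum(opportunities)  # pooled proportion over the study period
    rows = []
    for i, (n, d) in enumerate(zip(opportunities, events)):
        p = d / n
        half_width = z * math.sqrt(p_bar * (1.0 - p_bar) / n)  # limits widen for small n
        lcl = max(0.0, p_bar - half_width)
        ucl = p_bar + half_width
        rows.append((i, n, p, lcl, ucl, p < lcl or p > ucl))
    return p_bar, rows


def out_of_control_months(opportunities, events, z=3.0):
    """Indices of subgroups whose proportion lies outside the control limits."""
    _, rows = p_chart(opportunities, events, z)
    return [r[0] for r in rows if r[-1]]


def in_control(opportunities, events, z=3.0):
    """True when no subgroup proportion falls outside its control limits."""
    return not out_of_control_months(opportunities, events, z)


# Constructed 12-month series: opportunities and Events per month.
OPPORTUNITIES = [200, 210, 190, 220, 205, 195, 215, 200, 210, 190, 200, 205]
EVENTS        = [  4,   3,   5,   4,   6,   3,   5,   4,   7,   3,   4,   5]
# Same series with a cluster of Events in month 9 (index 8).
EVENTS_SPIKE  = [  4,   3,   5,   4,   6,   3,   5,   4,  14,   3,   4,   5]

if __name__ == "__main__":
    for label, ev in (("baseline", EVENTS), ("with spike", EVENTS_SPIKE)):
        p_bar, rows = p_chart(OPPORTUNITIES, ev)
        print(f"{label}: p_bar = {p_bar:.4f}")
        for i, n, p, lcl, ucl, flagged in rows:
            mark = "  <-- out of control" if flagged else ""
            print(f"  month {i + 1:>2}: n={n} p={p:.4f} limits=[{lcl:.4f}, {ucl:.4f}]{mark}")
```

A single point outside the limits is the only rule implemented. If a process drifts upward but every month stays inside its limits the chart still reads "in control", so in practice run rules (for example several consecutive months above p-bar) are applied before concluding that an elevated number of Events is common-cause variation.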

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, P.Eng., MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece
Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how STAMP-Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents and incidents. The objective is to show the feasibility of establishing in airports system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems and airports to assess and predict changing levels of risk.


Special Functions

Saturday: SSS Executive Council Meeting, 12:00 - 5:00pm, Tremont Room

Sunday: SSS Executive Council Meeting, 8:00am - 5:00pm, Tremont Room

Monday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Opening Ceremonies / General Session, 1:30 - 3:30pm, Salons A-E. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus

Keynote Speaker: James P. Keller Jr., MS, ECRI Institute

Tuesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Sponsor/Exhibitor Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology

Sponsor & Exhibitor Reception, 6:30 - 8:30pm, Gloucester Room

Wednesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

International Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK

Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00pm. Be in the hotel lobby at 6:00pm.

Thursday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Awards Luncheon, 11:30am - 1:20pm, Salons A-E

Friday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Best Papers Presentations, 8:00 - 11:20am, Dartmouth Room


32nd International System Safety Conference, 4-8 August 2014, St. Louis, MO

St. Louis Union Station Marriott Hotel

Gateway to Safety

Local attractions
• Gateway Arch Riverfront
• Missouri History Museum
• Museum of Transportation
• St. Louis Cardinals
• St. Louis Symphony
• St. Louis Union Station
• St. Louis Science Center
• The Contemporary Art Museum St. Louis
• Bissell Mansion Restaurant and Dinner Theater
• Missouri Botanical Gardens
• Laumeier Sculpture Park
• Anheuser-Busch Brewery
• Kemp Auto Museum
• Schlafly Bottleworks
• Fox Theater
• Purina Farms
• Meramec Caverns
• Laclede's Landing
• City Museum
• Magic House
• Grant's Farm
• St. Louis Zoo
• Delmar Loop
• Forest Park
• Harrah's
• Six Flags


About the System Safety Society
The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program or activity at the planning phase and continues through the design, production, testing, use and disposal phases.

The Society's Objectives
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070, www.system-safety.org, email: systemsafetysystem-safetyorg

Points of Contact

Officers
Robert Schmedake, President: robertaschmedakeboeingcom
Dr. Rod Simmons, Executive Vice President: rodsimmonsmecom
Dr. Matt Johnson, Executive Secretary: mjohnsonstaudertechcom
Pam Kniess, Treasurer: pamkniessgmailcom
Gary Braman, Immediate Past President: gbramansikorskycom

Directors
Gerry Einarsson, Chapter Services: einargkrogerscom
Lynece Pfledderer, Conferences: Lynecepfleddererlmcocom
Dr. Chuck Muniak, Education & Professional Development: cmuniakstevensedu
Debbie Hale, Gov. & Intersociety: Hale0324hotmailcom
Robert Fletcher, International Development: rwfletchersympaticoca
Melissa Emery, Member Services: memeryapt-researchcom
Steve Mattern, Mentoring, R&D: smatternbastiontechnologiescom
Saralyn Dwyer, Publicity & Media: sdwyerapt-researchcom


Chapters
Tennessee Valley Chapter (AL): Don Swallom, swallomisss-tvcorg
Saguaro Chapter (AZ): Amanda Boysun, 520-794-5487, AmandaBoysunraytheoncom
Bay Area Chapter (CA): Graham Murray, 408-756-2674, grahamtmurraylmcocom
Central California Chapter (CA): Kathleen Brenna, KathleenBrenna1usafmil
Sierra High Desert Chapter (CA): Jerry Banister, 760-377-4690, safetycitadelearthlinknet
Southern California Chapter (CA): Francis McDougall, 310-653-1309, francismcdougallusafmil
Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppecomcastnet
Georgia Chapter: Terry Gooch, 770-494-3527, terryjgoochgmailcom
Winners Circle Chapter (KY/IN): Marc Bever, 812-854-1351, Marcbevernavymil
Twin Cities Chapter (MN): Bill Blake, 763-744-5086, billblakeatkcom
New England Chapter: Alan E. Southwick, 401-842-2067, Alan_E_Southwickraytheoncom
Northeast Chapter: Scott Beecher, scottbeecherPWutccom
New Mexico Chapter (NM): William (Bill) Harwood, williamharwoodmdamil
Houston Chapter (TX): Derek Robins, 281-335-2011, derekrobbinsmwcc-usacom
North Texas Chapter (TX): Frank Rinaldo, 817-762-3075, frankrrinaldolmcocom
Washington DC Chapter: Sean Peters, seanpetersurscom
Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerberbaesystemscom

International Chapters
Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbechtrgbassurancecomau
Canada Chapter: Maury Hill, 613-220-0533, Mauryhillrogerscom
Israel Chapter: Haim Kuper, 972-4-8315044, haimkuperelbitsystemscom
Singapore Chapter: Ten Lin Mei, tlinmeidsoorgsg


31st ISSC Luncheon Menu

Tuesday, August 13
New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14
Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark, and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache, and Berry Sauce

Thursday, August 15
Caesar Salad
Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato Pesto Butter Sauce
White Chocolate and Blood Orange Torte


Greetings from the Chapter President

Hear ye, hear ye! Welcome to Boston for the 31st International System Safety Conference. Boston is the largest city in New England and one of the oldest in the United States. No hiding in your hotel – get out and enjoy the city's history, where key events of the American Revolution took place, including the Boston Massacre and the Boston Tea Party. For fun and entertainment, visit the Samuel Adams brewery and Bull & Finch pub (from Cheers). We are all Red Sox fans this week, so feel free to visit Fenway Park, or view the city from atop the John Hancock or Prudential buildings. Boston has a red brick trail through the city that leads you past many of the historical locations – it's called the Freedom Trail. Walking this path brings you from the Boston Common past locations including Granary Burying Ground, the Boston Massacre site, Faneuil Hall, Paul Revere's house, and Old North Church, and then across the Charles River to the Bunker Hill Monument and USS Constitution.

The Northeast Chapter and SSS Executive Committee (EC) have worked hard with this year's Conference Chair, Pam Alte. If you run into Pam, make sure you stop and thank her for the volunteer hours and effort she has poured into this conference. The economy is providing challenges to pull together a successful conference, but Pam, with the EC's support, has been more than up to the task.

"Safety For The Long Run" is such a poignant theme for this year's Boston conference, with the Boston Marathon bombings bringing safety to the forefront. Other recent events, such as aviation, train, and industrial accidents, have sharpened the focus on how critical the safety discipline is in all our lives. For the conference, we are all challenged to learn something new. I ask that all attendees stay engaged with the conference papers and presentations and promote the system safety discipline.

Scott Beecher, President, Northeast Chapter, System Safety Society

I fly Sikorsky. Because the mission is never the same.

I fly a Sikorsky BLACK HAWK helicopter for multiple missions. It's dependable and durable, and I have complete confidence in its proven performance. Sikorsky not only sets the standard for rotorcraft excellence and safety, they exceed it. It's evident in everything from the reliable performance of my BLACK HAWK to the way they support me in the field. There's simply no better helicopter for any requirement, whether it's utility, combat search and rescue, or firefighting. The way I see it, not every pilot gets to fly in a helicopter this good. But they should.

Sikorsky


Greetings from the Conference Chair

On behalf of the entire ISSC planning committee, I would like to extend a warm welcome to you. We have worked hard to make this conference a world-class success. Whether this is your first visit to Boston or you have been here before, I hope you get a chance to relax and enjoy our beautiful New England city. Boston has something for everyone, from historical sites to exciting downtown locations, sports arenas, and fabulous shopping. Our off-site event will be held in the Museum of Science, complete with Wolfgang Puck catering and our own private Lightning Show.

The System Safety Society is proud to host an annual conference that provides practitioners from different industries a chance to get together, network, and learn from each other. Unfortunately, the US budget sequestration restricted travel for Government workers, so our numbers are down this year. I would like to assure all attendees that although this year's conference will be smaller than previous years, the standards to which we held our papers and tutorials were not lowered. You can expect top-notch presentations.

The theme for this year's conference, Safety for the Long Run, picks up on a number of parallels between the types of things one might do to prepare for a marathon race and elements of an effective system safety program. These include the importance of proper training, having a well-thought-out plan, getting off to a good start, avoiding obstacles and distractions, and keeping enough in reserve for a successful sprint to the finish. I think you will agree that this year's conference will help prepare you well.

One of our objectives was to try to attract more young people, who could especially benefit from the knowledge and experience of many of the Society's "grey beards". We will have several student members in attendance, and I hope you will join me in making them feel welcome. I am also pleased to announce that this year we will have a new track, Lifecycle Safety. These papers will discuss system safety as it moves past the development stage, which is where the majority of our previous discussions have stopped. In addition to our many papers and tutorials being offered, there is the potential for "Just in Time" sessions to be held. A board for suggesting topics you would like to have added to discussions will be located at the registration desk, or you can coordinate with Norm Gauthier, one of our Technical Co-Chairs.

We wish you an enjoyable and enlightening conference experience. Should there be anything you require to make your conference experience better, please don't hesitate to reach out to me, Cliff Parizo, or any of the other Conference Committee volunteers.

Again, enjoy your visit, and thank you for your support by being here. I would also like to send a big thank you to those who helped plan this conference, our sponsors & exhibitors, and especially to Sikorsky Aircraft for partnering with us to make this conference a reality.

Sincerely,
Pam Alte, 31st ISSC Conference Chair

Speakers

Rex B. Gordon, MPH, PE, CSP, Fellow Member Emeritus: Opening Ceremonies, 50th Celebration Speaker

Rex Gordon is a 50-year Charter Member and current Historian of the System Safety Society. He is a past President and Editor of the Journal. He served as Chairman of the 2nd ISSC and of both the Northeast and Southern California Chapters. He has represented the Society on the boards of the Reliability and Maintainability Symposium (RAMS) and Certified Safety Professionals (CSP). He is a Chapter Member and past Chairman of the Government Electronic Industries Association (GEIA) G-48 System Safety Committee. He has co-authored two textbooks and over 15 published papers. He has lectured at the George Washington University and USC. He has represented the Society at functions held in the White House, the Pentagon, and in Germany, Holland, and Paris.

He is retired after 40 years of employment as a System Safety Engineering Specialist, Manager, and Consultant. He currently lives with his wife of 61 years in Fallbrook, CA.

James P. Keller, Jr., MS, ECRI Institute: Keynote Speaker

As Vice President, Health Technology Evaluation and Safety, James Keller directs ECRI Institute's internationally recognized Health Devices Evaluation Program, which provides independent judgment and guidance to help hospitals and health systems select and manage medical devices. The program was referred to by the New York Times as the "country's most respected laboratory for testing of medical products". He serves as a member of ECRI Institute's Executive Committee, which is responsible for overall governance of ECRI Institute operations.

Mr. Keller is also responsible for the Health Devices Alerts notification service for medical product hazards and recalls; Alerts Tracker, a web-based tool for managing hazards and recalls of medical products; Biomedical Benchmark, a resource to help hospitals manage their medical equipment service activities; an annual series of interactive webinars on health technology issues; and the International Medical Device Problem Reporting System.

Mr. Keller is a recognized expert and frequently invited speaker on a wide range of health technology-related topics, including patient safety, equipment management, strategic planning and forecasting, device utilization, nomenclature and asset management, and the convergence of medical devices and information systems. He is a regular contributor to ECRI Institute's Patient Safety Blog and is routinely sought out by the news media for his expertise on a variety of health technology concerns.

Mr. Keller is President of the board for the American College of Clinical Engineering and is a member of the board for the Health Technology Foundation. He joined ECRI Institute in 1984 after completing a Master of Science degree in biological engineering from the University of Connecticut and a Bachelor of Science degree in zoology from the University of Massachusetts.


Dr. Nancy Leveson, Massachusetts Institute of Technology: Sponsor & Exhibitor Luncheon Speaker

Dr. Leveson holds a PhD from UCLA. She was a Computer Science professor at the University of California, then became Boeing Professor of Computer Science and Engineering at the University of Washington.

Professor Leveson's research focuses on topics related to the design of complex systems containing software, hardware, and human components. Her goal is to stretch current limits of complexity and intellectual manageability of the systems we can build with reasonable resources and with confidence in their expected behavior, particularly safety. Current research topics include model-based system and software engineering, system and software safety, software requirements specification and analysis, human-computer interaction, reusable component-based system architectures, interactive visualization, human-centered system design, and comprehensive approaches to risk management that include the organizational, political, managerial, and social aspects of system construction and operation. New work is starting in security. Current applications include space, aircraft, autos, rail systems, nuclear power, medical devices, hospital safety, defense systems, and others.

Dr. John McDermid, The University of York, UK: International Luncheon Speaker

Professor John A. McDermid has been Professor of Software Engineering at the University of York since 1987, where he runs the High Integrity Systems Engineering (HISE) research group. He was also Head of the Department of Computer Science from 2006 to 2012. The HISE research group studies a broad range of issues, mainly in systems, software, and safety engineering, and works closely with the UK aerospace industry, but has worked in a number of domains including automotive, medical, and railways.

In 2010 he was appointed a Consulting Professor at Beijing Jiaotong University (BJTU) and now runs a collaborative research programme in railway safety with BJTU, known as the Railway Safety Technology Research Centre (RSTRC). He has extensive experience as a consultant, including advising the Ministry of Defence (MoD) on the development of DS 00-56 Issues 3 and 4. He is a member of the UK Defence Scientific Advisory Council. He is author or editor of six books and has published approximately 360 papers.

Schedule: Monday, 12 August
4th Floor, 8:00-5:00: Registration
Simmons Room, 6:30-8:00: Speakers' Breakfast
Regis Room, 8:00-5:00: Presenter Prep

Rooms: Salons A-E, Berkley, Clarendon

8:00-8:50
• Hazard Analysis (Barondes): Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models (Wind, Schedl, Floetzer)
• Ground Transportation (Millin): Achieving Safety Confidence of a Large Scale System Product and its Applications (Shi)

9:00-9:50
• Hazard Analysis: Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees (Rainey)
• Ground Transportation: Failure Logic Automata for Future Oriented Safety Assessment of Train Control System (Zhou, Zhao)

10:30-11:20
• Hazard Analysis: The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment (Jaradat, Graydon, Bate)
• Ground Transportation: Are We Ready for Driverless Cars? (West)

Lunch Break, Salons A-E

1:30-2:20, General Session: Opening Ceremonies. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow Member Emeritus. Keynote Speaker: James P. Keller, Jr., MS, ECRI Institute

2:30-3:20
4:00-4:50

Rooms: Exeter, Fairfield, Wellesley

8:00-11:20 (8:00-8:50, 9:00-9:50, 10:30-11:20)
• Exeter: Tutorial, Hands-On System Safety Basics Focused On FHA, Winkelbauer, Schedl (3 hrs)
• Fairfield: Tutorial, Introduction to Fault Tree Analysis Using CAFTA Software, Roy (3 hrs)
• Wellesley: Committee & Group Meetings

1:30-2:20
2:30-3:20
4:00-4:50

Schedule: Tuesday, 13 August
4th Floor, 8:00-5:00: Registration
Simmons Room, 6:30-8:00: Speakers' Breakfast
Regis Room, 8:00-5:00: Presenter Prep

Rooms: Arlington, Berkley, Clarendon, Dartmouth

8:00-8:50
• Tutorial: A Tutorial on STPA, A New More Powerful Hazard Analysis Technique, Leveson, Thomas (6 hrs)
• Hazard/Risk Management (Parizo): Safety is not an Option (Parizo, Daugherty)
• Workplace Safety (Kondreck): Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen (Zhang, Batcheller, McQueen)
• Open Forum (Fletcher): Developing Global System Safety Perspectives

9:00-9:50
• Hazard/Risk Management: National Aerospace Standard 411 Update (Sheehan)
• Workplace Safety: A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources (Fischer, Yankaskas, Page)

10:30-11:20
• Hazard/Risk Management: Linear Integrated Safety Analyses (LISA) (Grant, Muhammad)
• Workplace Safety: System Safety Design for Safe Operation of Radars (Bartos)

Sponsor & Exhibitor Luncheon, Salons A-E. Guest Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology. Menu: New England Clam Chowder; Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction; Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

1:30-2:20
• Tutorial (continued)
• Software Engineering (Mikula): Dependability Techniques Applied to Space Software - A Research Project Report (Lahoz, Abdala)
• Aerospace Safety (Kraemer): Systems-Based Approach to Flight Safety Management in Airlines (Chi, Xu, Qi, Shao)
• Software Safety (Schmedake): Safety and/vs Security: Towards a System Engineering Approach for Trust (Schoitsch)

2:30-3:20
• Software Engineering: The Principles of Software Safety Assurance (Hawkins, Habli, Kelly)
• Aerospace Safety: Use of Master Minimum Equipment List (MMEL) To Ensure Safe Dispatch (Durmaz)
• Software Safety: Anatomy of a Safety Critical Software Function (Church)

4:00-4:50
• Software Engineering: Formal Modelling in the Development of Dependable Systems (Troubitsyna)
• Aerospace Safety: Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics (Campbell)
• Software Safety: Software Risk: The Third Rail of Safety Analysis (Hildreth, Elcock)

6:30-8:30: Sponsor & Exhibitor Reception, Gloucester Room

Rooms: Exeter, Fairfield, Suffolk, Wellesley

8:00-11:20 (8:00-8:50, 9:00-9:50, 10:30-11:20)
• Workshop: ISO 26262-Style Risk Assessment, Joyce (3 hrs)
• Tutorial: Assurance Cases As Means of Evidence Based Developed of Critical Systems, Despotou (3 hrs)
• Tutorial: Practical Generation of Safety Cases With the Help of GSN, Gerstinger, Schedl (3 hrs)
• Committee & Group Meetings

1:30-4:50 (1:30-2:20, 2:30-3:20, 4:00-4:50)
• Workshop: Application of System Safety Methods to Systems of Systems, Joyce, Debouk, Vergara (3 hrs)
• Workshop: Advancing Safety By Reducing Errors: A Fresh Approach, Autrey (3 hrs)
• Tutorial: Improving Safety Management by Using a Risk Management Policy in Your Daily Operations, Fitzgerald (3 hrs)
• Committee & Group Meetings (continued)

Schedule: Wednesday, 14 August
4th Floor, 8:00-5:00: Registration
Simmons Room, 6:30-8:00: Speakers' Breakfast
Regis Room, 8:00-5:00: Presenter Prep

Rooms: Arlington, Berkley, Clarendon, Dartmouth

8:00-8:50
• Human Factors (Robins): ASL – Affective Safety Leadership (Ramsing)
• Public Safety (Fletcher): The Study on the Accident Causation Rule of Macroscopic Accidents in China (Zeng, Luo, Tian)
• Lifecycle Safety (Swallom): Maintenance Hazard Analysis (Tan)

9:00-9:50
• Human Factors: Exxon Valdez: Human Error Plain and Simple (Barondes)
• Public Safety: Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity (Zheleznov)
• Lifecycle Safety: Development of a System Safety Case for Automotive Electric/Electronic Systems (Sundaram, Hartfelder)

10:30-11:20
• Human Factors: Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems (Vernacchia, Green, Llaneras)
• Public Safety: Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation (Smirnov, Yurkov, Syagin, Koshina)
• Lifecycle Safety: Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes (Laabs, Allison, Russell)

International Luncheon, Salons A-E. Guest Speaker: Dr. John McDermid, The University of York, UK. Menu: Asian Inspired Salad; Teriyaki Chicken, Coconut Rice, Seared Bok Choy; Triple Chocolate Tower: White, Dark, and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache, and Berry Sauce

1:30-2:20
• Workshop: The Evolution of the UK Defence Safety Standards (McDermid)
• Safety Topics (Gauthier): Introducing Safety Assurance Influenced Design of Health IT Systems (Despotou, Luckcuck, Kelly, Jones)
• Risk Assessment (Karedes): Quantitative Risk Assessment in Aviation Safety Risk Management (Hewitt, Pham)
• Tutorial: Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System, Behnke, Damstra, Villhauer (2 hrs)

2:30-3:20
• How Complex Systems Fail-I: Decomposition of the Failure Histogram (Zito)

4:00-4:50

6:00-10:00: Wolfgang Puck Dinner and Lightning Show at the Museum of Science

Rooms: Exeter, Fairfield, Suffolk, Wellesley

8:00-8:50
• Human Factors II (Flint): Development of Education Program Integrating Flight Safety and Psychological Stress (Liu, Wang, Liu, Bai, Guo)
• Tutorial: Why You Should Care About the "-Ilities", Southwick (3 hrs)
• G-48 Meeting, West (6 hrs)
• Committee & Group Meetings

9:00-9:50
• Human Factors II: Research on Evaluation Index and Method of CRM Dynamic Training (Wang, Liu, Bai, Liu, Guo, Guo)

10:30-11:20
• Human Factors II: Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events (Garvey, Joglar, Collins)

1:30-2:20
• Tutorial: Where Hard Meets SOFT: Human Factors Role In System Safety Engineering, Brisbois (2 hrs)
• Workshop: Aircraft Fire & Explosion – How Safe are the Friendly Skies? (Moussa)
• G-48 Meeting (continued)
• Tutorial: Using Risk Profiles for Safety Management of Large Scale Operations, Fitzgerald (3 hrs)

2:30-3:20
4:00-4:50

Schedule: Thursday, 15 August
4th Floor, 8:00-5:00: Registration
Simmons Room, 6:30-8:00: Speakers' Breakfast
Regis Room, 8:00-5:00: Presenter Prep

Rooms: Berkley, Clarendon, Dartmouth

8:00-8:50
• Space Systems (Durmaz): Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy (Dang, Moran, Jackson)
• Weapons Safety (Southwick): Security Critical Software – the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age (Alborzi)
• Hazard Identification (Oliver): Closing the Gaps in System Safety Coverage (Siow)

9:00-9:50
• Space Systems: Tailoring of MIL-STD-882E for Space Systems Acquisitions (McDougall, Jackson)
• Weapons Safety: Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics (Adams, Tomasello)
• Hazard Identification: Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods (Myklebust)

10:30-11:20
• Space Systems: Cryogenic Safety for Space Launch Vehicles During Ground Operations (Iyengar)
• Weapons Safety: A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects (Pham, Sivapragasam)
• Hazard Identification: Design With Safety Eye (Erdem, Aydin)

Awards Luncheon, Salons A-E. Menu: Caesar Salad; Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato Pesto Butter Sauce; White Chocolate and Blood Orange Torte

1:30-2:20
• Aerospace Software (Beecher): Making the Implicit Explicit: Towards an Assurance Case for DO-178C (Holloway)
• Public Safety II (Laabs): Integrating System Safety and Emergency Management (Hardy)
• Hazard/Risk Management II (Kniess): Towards Automatic Verification of Safety Properties in AADL System Models (Björnander, Graydon, Land)

2:30-3:20
• Aerospace Software: Uncertainty and Confidence in Safety Logic (Graydon)
• Public Safety II: Safety in Deepwater Well Containment Operations (Robins)
• Hazard/Risk Management II: Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events (Allison, Jerdak)

4:00-4:50
• Aerospace Software: Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System (Yang, Xie, Yousefi)
• Public Safety II: A Taxonomic Analysis On Chinese Special Equipments "Yinhuan" in Supervision (Fan, Luo, Lu)
• Hazard/Risk Management II: Leading Indicators in Aviation Operations (Fletcher, Dokas)

Rooms: Exeter, Fairfield, Suffolk, Wellesley

8:00-11:20 (8:00-8:50, 9:00-9:50, 10:30-11:20)
• Tutorial: Conceive of Modeling On Operation Mechanism of Public Safety Standardization, Luo, Huang (6 hrs)
• Panel: G-48 Pressing Issues Facing System Safety, West (3 hrs)
• Committee & Group Meetings

1:30-4:50 (1:30-2:20, 2:30-3:20, 4:00-4:50)
• Tutorial (continued)
• Committee & Group Meetings (continued)

Schedule: Friday, 16 August
Simmons Room, 6:30-8:00: Speakers' Breakfast

Rooms: Clarendon, Dartmouth, Regis

8:00-8:50
• Workshop: Process Safety Culture Best Practices (Pearlman) (2 hrs)
• Best Paper 1
• Lessons Learned & ISSC Staff Turn-over Meeting

8:50-9:30
• Best Paper 2

10:00-10:40
10:50-11:30

3, 2, 1, SAFETY

System safety is paramount. It impacts our products, employees, technicians, and maintenance personnel. And safety is no accident – it is designed into everything we do. We are proud to sponsor this year's International System Safety Conference and their mission to think outside the box when it comes to the best processes, methods, and techniques. We're committed to delivering innovative ideas and solutions that help connect, protect, and explore our universe.

www.lockheedmartin.com/ssc
© 2012 Lockheed Martin Corporation

Tutorials

The conference organizers have an information-packed tutorial program planned in conjunction with the 31st ISSC. Attending tutorials, as well as other elements of the Technical Program at the 31st ISSC, meets the requirements for Continuance of Certification credit through the Board of Certified Safety Professionals (BCSP). The University of Cincinnati will issue Continuing Education Units (CEUs) for participation in the conference tutorials. CEUs are issued on the basis of 0.1 CEU per instructional contact hour. You must be present for at least 90% of the tutorial to receive CEUs and a tutorial completion certificate. Your attendance is verified via the process outlined below:

• At the start of the tutorial, you'll clearly print your name in the attendance form exactly as you want it to appear on the certificate.
• After returning from each break during the tutorial (morning, lunch, and/or afternoon), you'll initial the attendance form.
• You must be present at the end of the tutorial to receive your certificate and the CEUs.

If there are misspellings on the CEU certificates, please mark the corrections and give them back to the instructor or leave them at the registration desk.

Monday, 08·12·13, 8:00-11:30, Exeter, Tutorial, 0.3 CEU

Hands-On System Safety Basics Focused on FHA
Instructors: Werner Winkelbauer, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria

An overview of a generic safety process best suited for small to medium sized projects in relation to the project lifecycle is given. For each major project phase, the respective safety process phase, safety objectives, and necessary inputs and outputs are detailed. Some state-of-the-art analysis techniques are explained. Special emphasis is placed on the Functional Hazard Assessment, where practical guidance for a Functional Failure Modes and Effects Analysis is presented.

The content of this tutorial is based on experience from an internationally working company.

Objective: Basic understanding of a safety process and the practical implementation of a Functional Failure Modes and Effects Analysis.

Monday, 08·12·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Introduction to Fault Tree Analysis Using CAFTA Software
Instructor: Jean Francois Roy, Nuclear Division/Risk & Safety Management Group, Electric Power Research Institute, Palo Alto, CA, USA

This tutorial will introduce Fault Tree Analysis using CAFTA Software. Attendees will first review fault tree methodology and terminology. Construction of a fault tree model in CAFTA will then follow a brief review of CAFTA's components and symbol types. In constructing the fault tree model, topics covered will include projects, navigation, editing shortcuts, and how to add probabilities. An overview of basic event probability formulas, type codes, and variables will be included, as well as printing and quantification processes.

Tuesday, 08·13·13, 8:00-5:00, Arlington, Tutorial, 0.6 CEU

A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique
Instructors: Nancy G. Leveson, PhD, John Thomas, PhD, Aeronautics and Astronautics, MIT (Massachusetts Institute of Technology), Cambridge, MA, USA

STAMP is a new accident causality model that expands on the old models in order to handle the increased complexity, software, and changing human roles in today's systems. Using STAMP as a foundation, new tools have been built for hazard analysis (STPA), accident analysis (CAST), organizational risk analysis and risk management, etc. This tutorial will concentrate on STPA. The tutorial will start with a brief introduction to STAMP and the systems approach to safety engineering. The rest of the time will be devoted to learning STPA and doing exercises. Students are encouraged to bring problems from their own research domains so that they can try this analysis method on something very relevant to their work.

STPA is being used successfully in most every industry. Several groups have evaluated STPA empirically by comparing the results with standard hazard analysis techniques. In all cases, STPA found all the hazard scenarios found by the other methods but also found additional ones involving software, human errors, and unsafe interactions among system components. In a couple of cases where STPA and the other methods were applied to a design in which an accident had occurred (without telling the analysts), STPA was the only method that found the real accident scenario.

By the end of the tutorial, attendees will be able to apply STPA to a system in their field of expertise.

Tuesday, 08·13·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Assurance Cases as Means of Evidence Based Developed of Critical Systems
Instructor: George Despotou, BEng, MSc, PhD, CEng, Department of Computer Science, University of York, York, United Kingdom

Often developers have the onus to defend a position (i.e., make a case) about the safety of their system. This usually involves an explanation of how the available information for a system supports the claim that risks in the system have been acceptably managed.

Safety cases have been used in the safety domain for a number of years, mostly in the defence, aerospace, and energy domains. Their usefulness as a tool for improving safety has been appreciated by many practitioners, and development of a safety case is a requirement in many standards. This has resulted in the core concepts of safety cases being transferred to other domains (e.g., automotive) and being focused on other system attributes (e.g., security cases). Recently the term assurance case has been introduced, which encompasses not only safety but other relevant critical aspects of a system, such as security.

A case exists to communicate an argument. It is used to demonstrate how someone can reasonably conclude that a system is acceptably safe from the evidence available. A case is a device for communicating ideas and information, usually to a third party (e.g., a regulator). In order to do this convincingly, it must be as clear as possible. Safety case definitions may differ between domains, but all definitions converge to a set of characteristics.

Development of a (safety) case is a requirement in many standards. However, the usefulness of the safety case has been appreciated in industry, and it is used by many organisations as good practice. The reason for this is that explicitly capturing all reasoning and information (about the supported position), such as assumptions and evidence, facilitates assessing the fitness of the design to meet its (safety) objectives. A manufacturer will design a system aiming to achieve the required operational attributes. However, what is intended is often not what is achieved. Once the reasoning of the developers is explicitly documented as claims and argument supported by evidence, the gap between what was intended and what was achieved becomes more apparent.

Explicitly documenting a case will contribute towards the factual representation of the system, revealing which claims can be supported by evidence and which remain intention (for example because there is insufficient evidence to support them). This may not necessarily imply that the latter claims have not been implemented, but that we are unaware of their achievement as they are not sufficiently supported. There can be three reasons why a claim is not sufficiently supported: a) there is not sufficient evidence to warrant the claim; b) although there is evidence, there is inadequate explanation (a problematic argument structure) of how the evidence supports the claim; and c) the claim was phrased in a way that is unsupportable.

The tutorial describes the basic concepts of assurance and safety cases (including recent OMG standards), will explain the main challenges in developing an assurance case and their relationship to safety standards (safety cases and standards serve different purposes and should be seen as complementary), and will present best practice (and misconceptions) regarding assurance cases.

Tuesday, 08·13·13, 8:00-11:30, Suffolk, Tutorial, 0.3 CEU

Practical Generation of Safety Cases with the Help of GSN
Instructors: Andreas Gerstinger, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria

This tutorial will introduce you to the concept of safety cases. Safety cases are structured arguments that support the claim that a system is safe to be used for a given application in a given environment. Several standards require the production of such safety cases as a prerequisite for approval. The tutorial will highlight good and bad practices when developing safety cases and will introduce you to a notation specifically developed for the generation of safety cases, the Goal Structuring Notation (GSN). There will be practical examples which need to be solved by the attendees so that hands-on practice and experience is gained.

Detailed outline of the tutorial:

Introduction (1h): The tutorial will start with a survey of current safety standards (IEC 61508, ISO 26262, EN 50128, DO-178C) and analyse their views and requirements regarding safety cases. We will then delve into the nature of safety cases, briefly touch on their historical origins, and clearly consider what can and what can't be expected from a safety case. Based on our practical experience, we will also highlight some typical bad practices when constructing safety cases. This helps to correctly and critically read them and is also a helpful guideline for reviewing other safety documentation. This part of the tutorial is largely a presentation.

Goal Structuring Notation (45 min): We will now introduce the main elements of the Goal Structuring Notation (GSN), which is a helpful tool to document safety cases. The presentation of the notation will be interleaved with brief examples, exercises, and questions so that attendees have the chance to fully understand the meaning and purpose of the various symbols. A structured method for how to proceed when drafting safety cases will also be presented. Hence this part of the tutorial is much more interactive, requiring active participation of attendees.

Case Study (45 min): A realistic case study will then be handed out. It is expected to be solved as group work (groups of 3-5 people are expected). The task of the groups will be to draft and present a sound safety argument for a given claim that the system in the case study is acceptably safe for a specific application in a given environment. GSN shall be used as the notation for this purpose. At the end, the groups present their solutions, and the advantages/disadvantages of the presented solutions are discussed. This part of the tutorial is group work.

Concluding Remarks (30 min): Finally, we will offer some concluding remarks consisting of hints on how to avoid common errors and fallacies in safety cases, show some examples of real-world safety cases, and finish with a personal conclusion.

Tuesday 08·13·13, 1:30-5:00, Suffolk, Tutorial, 0.3 CEU

Improving Safety Management by Using a Risk Management Policy in Your Daily Operations
Instructors: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA
The focus of the tutorial is the use of risk assessment and risk management in the (non-technical) occupational safety and health profession. Domain of Interest: Hazard/Risk Management or Workplace Safety.

First hour: Review the basics of the various components of risk and types of risk assessments. Stress that the safety and health professional needs to understand that risk is more than a simple subjective measure of severity and frequency.

Second hour: Demonstrate how to make risk assessment into a powerful management tool by customizing the assessment of risk for use in a company or industry. Also provide insights on how to "sell" a risk management policy/program within a company.

Third hour: A discussion of how to use risk management as a tool to aid you in your daily office or program management responsibilities: the planning, organizing, staffing, leading and controlling of a safety program. Embedded in the discussion is how risk can provide a measure of the success of an occupational safety and health program.

Wednesday 08·14·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Why You Should Care About the "-Ilities"
Instructors: Alan E. Southwick, BSEE, MME, MBA, CSP, CQE, CRE, Whole Life Engineering Directorate, Raytheon Company Integrated Defense Systems, Portsmouth, RI, USA
Topic addresses the interrelationships developed from Quality, Quality Control and Quality Engineering, pursuing Specialty Engineering Roles and Relationships including Reliability, Maintainability, Supportability, Human Factors, Safety and Security (Information Assurance) from an overview perspective. The tutorial is designed to be somewhat interactive, presenting examples and questions to the audience related to the various topics discussed, thereby engaging and providing participants with insights into the various disciplines and how they relate within "Specialty Engineering".

Wednesday 08·14·13, 1:30-3:30, Dartmouth, Tutorial, 0.2 CEU

Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System
Instructors: Tim R. Behnke, BSEE; John Damstra, BS Mathematical Sciences; and Eric D. Villhauer, BS Aerospace Eng., BA Economics; Specialty Engineering, General Atomics Aeronautical, Poway, CA, USA
The presenters share their implementation of a hazard analysis that integrates the civil aviation approach to safety analysis per SAE ARP 4761 and the defense approach to safety analysis per MIL-STD-882E, along with their implementation of the associated hazard tracking system in DOORS.

• Introductions - Behnke - 5 mins
• Need for System - Behnke - 5 mins
• Groundwork (historical) - Behnke - 10 mins
• Development - Damstra - 30 mins
  i. Modules
  ii. Attributes
  iii. DXLs
  iv. Views
  v. Exports
• Usage - Villhauer - 30 mins
• Questions - All - 10 mins

Wednesday 08·14·13, 1:30-3:30, Exeter, Tutorial, 0.2 CEU

Where Hard Meets SOFT: Human Factors Role in System Safety Engineering
Instructors: Fred W. Brisbois, CHCM, Safety, Sikorsky Aircraft, International Helicopter Safety Team, Guilford, CT, USA
The gap that allows accidents to happen is sometimes where System Safety Engineering and Human Factors don't overlap. System Safety Engineering processes defined in MIL-STD-882 and ARP 4761 provide a structured approach of applying engineering practices to ensure safety is designed into products. These practices, coupled with robust product safety surveillance and management during the aircraft's service life, offer opportunities to continuously raise the standards for future designs. However, to maximize the benefits of safety engineering, it is important to master the 'art' of how and when to integrate human factor interventions into the system design. This session will cover a generic overview of system safety engineering, aircraft fleet safety management, and lessons learned from 'human' malfunctions that led to aircraft system design changes.

Wednesday 08·14·13, 1:30-5:00, Wellesley, Tutorial, 0.3 CEU

Using Risk Profiles for Safety Management of Large Scale Operations
Instructors: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA
This tutorial provides safety and health professionals who work with large scale or multiple operations with a methodology to evaluate and compare these operations. The tutorial begins with a review of four types of risk which need to be assessed (People, Product, Production and Planet). This is followed by a brief discussion of normalizing the risk components of severity and probability. The heart of the tutorial is the description of how to measure the total risk of various operations, processes and facilities and present the resulting risk profiles to management. The tutorial will conclude with a brief discussion on the validity of the methodology used. Note: This is not a discussion on how to determine true total risk but a simplified method using a minimum of math. The tutorial is designed for safety and health professionals working within a company that has multiple processes or facilities that compete for funding to ameliorate hazards.

Thursday 08·15·13, 8:00-5:00, Exeter, Tutorial, 0.6 CEU

Conceive of Modeling On Operation Mechanism of Public Safety Standardization
Instructors: Yun Luo and Yuecheng Huang, ME, School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
On the basis of theories and methods of system science and strategy-system, this paper revealed the operation law of standardization of safety production and the relations between all the elements, combined with the background and current situation of public safety standardization in China. It also built the frame of the macroscopic operating mechanism and the "456" model of the work safety standardization system operation mechanism, which borrowed the idea from the execution and achievement of work safety standardization in our country. Besides, it also designed six other mechanism models in order to do systematic analysis and present optimized countermeasures, such as comprehensive management by government, categorized supervision by department, implementing responsibility by organization, technological service by agency, wide participation by society, self-disciplined prodding by entire personnel, and so on. The research provided some theoretical directions as well as approaches for the construction and improvement of the operation quality of public safety standardization.

Panel Discussions / Forums

Tuesday 08·13·13, 8:00-11:30, Dartmouth, Open Forum

Developing Global System Safety Perspectives
Moderator: Robert Ward Fletcher, PEng, MSc, PMP, PCIP, Consultant, President, Robert Fletcher System Safety Inc., Ottawa, Ontario, Canada
This will be a free form discussion moderated by Bob Fletcher, SSS Director of International Development. It is a continuation of the discussion started during the 30th ISSC.

Robert is a system safety engineer with many years of experience. He has performed system safety consultancy services work for several clients around the world. He performed system safety engineering and safety management systems training, auditing and analysis for air traffic control and flight service system applications. Robert has received a MSc from the United States Navy Post Graduate School, a diploma from the Aerospace Systems School, Winnipeg, Manitoba, and a Bachelor of Science degree from the Royal Military College. He is a registered professional engineer, a member of the Project Management Institute and the Critical Infrastructure Institute.

Thursday 08·15·13, 8:00-11:30, Suffolk, Panel

G-48 Workshop - Pressing Issues Facing System Safety
Moderator: David B. West, CSP, PE, CHMM, Systems Software and Solutions Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
A panel of speakers (TBD) will give a series of presentations on the most pressing issues facing the System Safety community today.

Workshops

Tuesday 08·13·13, 8:00-11:30, Exeter, Workshop

ISO 26262-Style Risk Assessment
Presenter: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada
ISO 26262 is a functional safety standard for electronic control systems in road vehicles which includes a novel approach to risk assessment that overcomes the widely recognized difficulty of evaluating the likelihood of failure in the case of software-intensive systems. Although it was devised for use in the automotive domain, this approach to risk assessment has been used successfully in other technical domains that also rely on safety-critical software. Following a brief introduction to ISO 26262, participants will engage in a series of problem-solving small-group exercises based on examples taken from a variety of technical domains including automotive, medical devices, energy and defense. The workshop will include opportunities for discussion and comparison of sample solutions. The workshop will also include a brief comparison of the ISO 26262 approach to risk assessment with the notion of software criticality in MIL-STD-882E. While this workshop will be of particular interest to system safety engineers in the automotive industry, it is intended to be relevant to system safety engineers across all technical domains with an interest in the assessment of safety risk associated with complex software-intensive systems.

Tuesday 08·13·13, 1:30-5:00, Exeter, Workshop

Application of System Safety Methods to Systems of Systems
Presenters: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada; Rami Debouk, Electrical and Controls Integration Lab, General Motors, Warren, MI, USA; Antonio Vergara, ITER Organization, St Paul-lez-Durance, France
This workshop will facilitate an exchange of knowledge among participants about the application of system safety methods to Systems of Systems (SoS), that is, systems whose components are themselves complex systems, such that the combined behavior of these components cannot be easily understood or explained in terms of the behaviors of the individual components. Examples of such systems are increasingly common across a variety of technological domains including aerospace, defense, automotive and energy generation/distribution. Traditional methods of system safety, focused on component failure as a source of safety risk, have limited value in understanding and managing the safety risks associated with a SoS. For example, an unforeseen interaction between two "correct" behaviors implemented by different components of a SoS may result in an unsafe behavior even in the absence of a component failure. The first part of the workshop will be a series of short presentations on SoS examples from a diverse variety of technical domains, namely advanced road vehicles, high energy physics and aerospace/defense. The second part of the workshop will be an opportunity for all participants to address specific questions about the application of system safety methods to SoS through dialogue and impromptu mini-presentations.

Tuesday 08·13·13, 1:30-5:00, Fairfield, Workshop

Advancing Safety By Reducing Errors: A Fresh Approach
Presenter: Tim Autrey, BSc, Error Reduction and Human Performance Enhancement, Practicing Perfection Institute Inc., Swanzey, NH, USA
Potential hazards workers face while working in the refining and petrochemical industry can vary from minor leakage to major blasts: release of chemical vapors, spills leading to exposure to harmful gaseous chemicals, fires and explosions, and smoke build-up causing shelter-in-place, impacting the local community, personal injuries, fatalities and plant damage resulting in shutdowns. Considering time pressures, the dangerous nature of the job, weather conditions, lack of communication, poor/inadequate documentation and remote working locations, planners, locators and refiners often face combined challenges that generate very error-likely conditions.

While unexpected releases of toxic substances do occur, the industry is subject to vulnerabilities caused by others (such as processes involving highly hazardous chemicals leading to the release of flammable liquids and gases, and worker stress and fatigue), and investigations reveal that many of the major accidents that do occur could have been prevented through greater diligence on behalf of the respective personnel involved.

This workshop is designed to provide the participants the awareness that as humans we are fallible (even the best people make mistakes). However, this being said, as humans we also possess the incredible power of choice. What we must do is choose to learn from our mistakes and take actions to prevent their recurrence.

Bird and Germain (1996) rightly said: "What is the sense of measuring if the loss must occur before you can act? That is reaction, not control." What we need is a fresh approach to enhance safe work practices. This session will instill a strong understanding of "The Gap" in processing information and how to RESPOND rather than REACT when posed with a stressful or threatening situation. The participants will come to recognize the value inherent in worker contribution to solving problems and improving safety and efficiency.

The Practicing Perfection® approach has taken the best-of-the-best tactics and tools from the US commercial nuclear power and airline industries, simplified them, and combined them with underlying triggers and influencers of behavioral psychology to transform worker behaviors pertaining to personal and process safety in different sectors.

Using this innovative approach of Practicing Perfection®, safe work practices will be discussed in-depth using the four human error barrier/defense categories and how these work together to prevent/allow an event to occur. The participants will be introduced to the Error Elimination Tools™ handbook, which offers simple tools for minimizing the potential for error at points of team interaction and individual execution.

Wednesday 08·14·13, 1:30-3:30, Arlington, Workshop

The Evolution of the UK Defence Safety Standards
John McDermid, Professor of Software Engineering at the University of York, UK
Issue 5 of DS 00-56 is being developed and is likely to be in force before the end of the year. The UK's primary defence safety standard, DS 00-56, has been in existence since mid-1990 and has undergone a number of changes, becoming more goal oriented at Issue 4 (the current standard). When Issue 4 was produced, DS 00-55, the MoD software safety standard, was discontinued. Since the publication of DS 00-56 Issue 4 in 2007 there has been feedback on some of the requirements, including the challenges of applying the ALARP principle; defence contracting has changed, with a move towards the greater procurement of services and/or outsourcing management of facilities, and increasing use of Systems of Systems (SoS). Issue 5 of DS 00-56 is being developed to address these issues. At the same time there have been increasing concerns regarding software safety, and it has been decided to re-introduce DS 00-55 at the same time, albeit in a goal-based style consistent with DS 00-56 and also covering complex electronics. The tutorial will present an explanation of the motivation for the changes to the standards and the significant conceptual changes, and outline the rest of the development process. Time will be allowed for discussion, e.g. the relationship between DS 00-56 and other standards, both civil and military.

Wednesday 08·14·13, 1:30-3:30, Fairfield, Workshop

Aircraft Fire & Explosion: How Safe Are the Friendly Skies?
Albert Moussa, PhD, PE
While commercial air travel is an extremely safe mode of transportation, aircraft fires and explosions can occasionally occur with catastrophic consequences. Using examples of recent accidents and full-scale testing, Dr. Albert Moussa will provide an overview of the main types of fires, such as those involving aircraft engine, fuel tank, cabin and cargo areas. He will show how major accidents lead to safety recommendations by the NTSB, stricter requirements by the FAA, and improved practices by the industry. This process takes many years, leading eventually to safer skies. Examples of safety improvements include the use of a fire blocking layer in seats, improved acoustic insulation, fire detection and suppression systems in cargo bays, and fuel tank inerting. The implications of replacing aluminum with composite materials will also be discussed. The talk is an overview of a unique professional course that he teaches annually on the design of aircraft systems for protection against fire and explosion. The talk is a multi-media presentation illustrated with colorful slides and short video clips of real accidents and computer model outputs.

Dr. Albert Moussa has spent over forty years developing a fundamental understanding of fire and explosion, particularly for the aerospace/defense industry. His work has led to the development of a number of practical solutions and quantitative models and to the investigation of several major national and international aircraft fire accidents. His forewarning about the vulnerability of aircraft fuel systems before the occurrence of the TWA800 and Concorde disasters has gained him prominence in the general media in both the US and Europe. He has consulted for the Air Force, Navy and major firms such as Boeing, GE, Northrop Grumman and Parker Hannifin, and has served on national advisory committees and on the Editorial Board of an ASME Journal. He teaches a unique professional design course on how to protect aircraft systems against fire and explosion. He received his BS from Stanford University and his MS and ScD from MIT. He has published widely, including one book. He has received several honors, including the William Littlewood Memorial Lecture Award by SAE/AIAA, Engineer of the Year by AIAA NE Section, best papers by SAE and ASEI, AIAA Distinguished Lecturer, and several ASME citations. He is the Founder and Technical Director of BlazeTech Corp., an engineering firm that specializes in technology and software development in the area of energy, environment and safety.

Friday 08·16·13, 8:00-10:00, Clarendon, Workshop

Process Safety Culture Best Practices
Presenter: Laurence Pearlman, MA, Corven Inc. and University of Illinois at Urbana-Champaign, Naperville, IL, USA
The workshop explores how process safety is more than a technical solution and involves cultural change. To make a successful and sustainable culture change, multiple elements need to be combined that address people, rewards, learning and leadership. This workshop will explore best practices and give practical advice on how to build a process safety culture. The workshop is aimed at Oil, Chemical and other process related work.

• Introduction
• Change as a Journey: Overview of Change Management
• Building a Business Case: Defining a Burning Platform
• Speaking of Process Safety: Creating a Common Language for Process Safety
• Leadership Matters: Defining the Role of Your Leadership Teams
• Effective Learning: Segmenting Your Audiences and Delivering Relevant Learning Activities
• Looking at Behaviors and Desired Outcomes: How To Define & Drive Behaviors
• The Employee Lens: Know My Barriers & Know My Role in Keeping Them Healthy
• Measurement of Culture: What Works and What Doesn't
• Wrapping it Up: Change as a System

[Advertisement: AST Aerospace, a division of Atlantic Software Technologies]
You have a lot on the line. Our adaptive Safety Management and FAA Compliance solutions won't let you down.
Adaptive SMS: the comprehensive solution for the most efficient implementation. Extends a culture of safety beyond safety teams; easily guides users to confidentially report useful safety events; responsiveness shows users they made a difference.
Adaptive Systems Safety Analysis: safety oriented system design analysis.
Don't miss the Sikorsky Aircraft and AST Aerospace presentation "Linear Integrated Safety Analysis (LISA)".
1-732-230-2590 | sales@astaerospace.com | www.astaerospace.com

Paper Presentations

Monday 08·12·13, AM, Berkeley, Hazard Analysis, Chair: Barondes

Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models
Lucas Wind, Dr. Gabriele Schedl, Juergen Floetzer, Safety Management Department, Frequentis AG, 1100 Vienna, Austria
Multiple failures of components due to shared causes, also known as Common Cause Failures (CCF), comprise an important class of failure types. These have to be taken into account in any serious assessment of safety critical systems deploying any redundancy concept. Whereas a qualitative assessment of CCF can be regarded as common practice, the exact numerical impact of CCF is usually less widely understood. Explicit representation of CCF is quite cumbersome and usually involves complex graphical representations within Fault Trees and RBDs. Focusing on a correct derivation of RAM-data rather than on a comprehensive common cause analysis, an implicit representation of CCF therefore is often preferred, but involves in-depth knowledge of underlying mathematical models. This paper aims to enable safety experts to make a fast, simple but effective RAM-analysis including CCF. Popular CCF-models are reviewed together with their advantages and disadvantages, based on the long-term experience of a supplier in the context of a large European ATM-project. The single parameter beta-factor model is explained in detail and demonstrated to be most effective for typical ATM-applications. Based on this model, results are given in terms of representative figures depicting the influence of CCF on various typical real world availability requirements.

Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees
Wes Rainey, MSEE, Life Cycle Engineering, General Dynamics Electric Boat, Groton, CT, USA
Fault Trees prove to be an effective tool for identifying safety critical system hardware and software requirements during the Safety Requirements Hazard Analysis (SRHA) process. This safety analysis methodology offers significant benefits when performing the SRHA. Fault Trees effectively communicate the safety assessment of a safety hazard to other safety engineers, systems engineers, the customer and other impacted engineering disciplines in a manner that each discipline can readily understand and evaluate for completeness and correctness. Fault Trees also enhance the safety engineer's ability to assess the implications of safety mishaps and events on safety hazards, improving visibility into the relationship between related mishaps and events and allowing for common events to be identified and shared between hazards. Fault Trees can then be structured to correspond to the system hardware and software requirements analysis, thus providing the ability to identify hazard mitigating safety critical requirements, design features and procedures early in the development process for continued tracking and management. This paper describes significant benefits of Fault Tree analysis when applied to an SRHA, with an example based upon a hazard caused by significant equipment damage to a pump.

The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment
Omar T. Jaradat, PhD Student (1); Patrick J. Graydon, Postdoctoral Research Fellow (1); Iain Bate (2). (1) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden; (2) Department of Computer Science, University of York, York, United Kingdom
Typical safety standards require software engineers to show that a plan of safety activities, chosen from recommended options or alternatives, meets a set of objectives. For example, the automotive safety standard ISO 26262 recommends formally verifying software architectures to show that they comply with safety requirements. In this paper, we show how an existing approach to architectural model checking could be used to conform to ISO 26262.

The Architecture-Based Verification Technique for AADL Specifications verifies some completeness and consistency properties of Architectural Analysis and Design Language (AADL) models. An engineer transforms the AADL architecture into an UPPAAL model, generates a set of UPPAAL queries, and uses UPPAAL to check the queries. Using the resulting evidence, we have created a partial ISO 26262 safety case for an existing system that warns drivers of heavy vehicles before low fuel causes loss of power and vehicle control.

In this paper, we demonstrate how this model-checking evidence contributes to an ISO 26262 safety case. We then critically analyze the resulting argument, recommend means of achieving complete coverage of ISO 26262 objectives, and discuss the costs and benefits of architectural model checking in comparison to those of the other techniques recommended by ISO 26262.

Monday 08·12·13, AM, Clarendon, Ground Transportation, Chair: Millin

Achieving Confidence of a Safety Critical System Product and Its Applications
Fenggang Shi, PhD, RAMS Department, Thales Canada Transportation Solutions, Toronto, ON, Canada
A safety critical system product can be developed for multiple project applications, such as a Communication Based Train Control (CBTC) product for modern railway signaling systems. It is natural that different safety critical systems in the same domain can have different characteristics due to variances of devices and operation environment. Such a product must be developed based on the generic attributes of systems in the domain and can be parameterized and tailored to a specific system with the characteristics expected by the customer. The key issues in development of such a product are defining common functions in the application domain, categorizing and generalizing devices, and designing a configurable system architecture. Thus devices and functions can be parameterized and tailored for a specific system of a project. Safety engineering for such a safety critical system product and its applications faces complexity in safety case development for demonstrating systematic hazard analyses and management. This paper discusses Thales' experience and practice of resolving the key issues in designs and managing complexity of safety engineering on its CBTC product and applications. Safety confidence of CBTC systems is achieved through four layers of safety engineering: vital computer controller, platform, generic application and specific application.

Failure Logic Automata for Future Oriented Safety Assessment of Train Control System
Guo Zhou, PhD Student; Huibing Zhao, Professor; School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China
In the development progress of a train control system, safety analysis possibly deviates from system design. System engineers and safety engineers always carry out their ideas in entirely different ways, so that when system engineers assert their designs are completed and feasible, the safety engineers may disappointedly declare that the safety requirements are not met. On the contrary, when safety engineers expose their manual analysis reports (FTA and FMECA, etc.), system engineers may pop up and point out the inconsistency. Intuitively, there seems to be a "gap" between system engineering and safety engineering. In this paper, some comparisons amongst classic safety assessment methods are performed first. Then a future oriented safety assessment method is introduced to safety engineering to automatically realize safety requirements verification with the soaring complexity of system design. The hierarchical and modularized methodology of failure logic modeling is illustrated for minimal cut sets synthesis and dangerous failure rate calculation, which can be referred to in order to prompt the safety. The mathematical model is constructed to manifest the correctness of the method. An instance analysis of an on-board train protection system is performed also.

Are We Ready for Driverless Cars?
David B. West, CSP, PE, CHMM, AMCOM/AMRDEC Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
For decades, technological advancements have continually improved the automobile, making it easier to drive. As we integrate features like adaptive cruise control, GPS navigation, lane keeping and so on, and make them interoperable, we move ever closer to having cars that will drive themselves to the destinations we enter into their programs. Some experts have even predicted that in less than a generation it will be illegal to steer our cars ourselves. Though it may seem that serious safety challenges constrain our movement down this path, it may actually be the safety benefits offered by driverless cars that propel us in this direction. Several high-profile competitions have fostered the development of driverless car technology. Some jurisdictions are already passing legislation to pave the way for driverless cars on public roads. With driverless cars will come major changes in legal processes involving accidents. In many ways, the development of driverless cars that will operate on public roadways parallels the development of unpiloted aircraft that will fly in the national airspace. Design standards for hardware and software in civil aircraft (e.g. RTCA DO-254/DO-178) may serve as models for similar qualification of driverless car hardware and software.

Tuesday 08·13·13, AM, Berkeley, Hazard/Risk Management, Chair: Parizo

Safety is not an Option
Clifford A. Parizo, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Stratford, CT, USA; R. Brandon Daugherty, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Huntsville, AL, USA
This paper presents a method for evaluating and classifying rotorcraft safety enhancing equipment in terms of impact on safety and various equipment implementation factors. Guidance from certifying agency policy and system safety standard practice were considered, resulting in a classification tool that can be used to determine if equipment should be marketed and sold as either mandatory or optional. The methodology developed may have applications for other products and industries.

National Aerospace Standard 411 Update
Timothy Sheehan, CIH, CSP, PE, Raytheon Global Substances Program, Raytheon, Portsmouth, RI, USA
This paper describes the effort to review and update National Aerospace Standard 411 ("NAS 411"), commonly used within defense as a framework to conduct Hazardous Material Management Programs (HMMP) intended to reduce hazardous material risks in the government procurement of military systems. The scope of the effort includes both a review of the standard and the introduction of several key changes, including the expansion of the scope to non-military procurements and service contracts. Included in the effort is the task of developing a standardized military Hazardous Materials Target List (HMTL) that can be used as a starting point for military HMMP hazardous material (HAZMAT) target lists. The development of the common HMTL addresses the need to increase standardization of HMMP lists across defense programs that use NAS 411 and/or MIL-STD 882E Task 108 to conduct their HMMPs. There is no current standard approach now for developing these lists; as a result, there are numerous different materials identified for restrictions and reporting requirements. The current situation often does not support (or reflect) the hazmat risk management goals of the DoD, the military services or the contractors.

Linear Integrated Safety Analyses (LISA)
Michael T. Grant, Aviation & Product Safety, Sikorsky Aircraft Corp., Stratford, CT, USA; Samad Muhammad, Atlantic Software Technologies, Inc., New York, NY, USA
This paper describes the Linear Integrated Safety Analyses (LISA) process developed by the Sikorsky Aircraft Corporation (Sikorsky). The LISA architecture is designed to encompass all aspects of safety risk management for aircraft development programs. It is linear in that each assessment is repeated at the aircraft, system, and subsystem levels in sequence, and it is integrated such that all analyses are connected and fully traceable to requirements. Sikorsky has partnered with Atlantic Software Technologies (AST) to develop a web-based LISA application. The end product will be a fully integrated system safety process that is comprehensive, repeatable, and traceable.

Tuesday, 08/13/13, AM, Clarendon: Workspace Safety (Chair: Kondreck)

Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen
Han Zhang, MSc Candidate; Rachel McQueen, MS, PhD; Jane Batcheller, PhD; Human Ecology, University of Alberta, Edmonton, Alberta, Canada
Burn injuries in kitchens are prevalent; as well, chefs are exposed to high heat and humidity. Limited research has been performed on safety issues related to chef's uniforms regarding thermal protective performance against common kitchen thermal hazards (i.e., flames, hot liquids, steam, and hot surfaces) and thermal comfort within commercial kitchens. The purpose of this research was to characterize the thermal protective performance properties of textiles used in chef's uniforms in order to understand how protective they are against all these thermal hazards in such an environment. Selected thermal performance tests (i.e., flammability and ease of ignition, hot water and oil splash, steam testing under low pressure, and hot surface contact tests) were applied to predict the time to second-degree burn. Different fabric layer combinations (e.g., impermeable/semipermeable apron and two or more layers of cotton fabrics) were applied to determine the most effective way to wear chef's uniforms. In addition, thermal and water vapour resistance were compared among different fabric systems in terms of thermal comfort. Based on the data obtained from bench-scale tests, recommendations were made to improve the thermal protection and thermal comfort of fabrics used in chef's uniforms and the safety within commercial kitchens.

A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources
Ray Fischer (1); Kurt Yankaskas, BS (2); Chris Page (1); (1) Noise Control Engineering, Inc., Billerica, MA, USA; (2) Warfighter Performance Department, Office of Naval Research, Arlington, VA, USA
Noise remains the most prevalent occupational hazard associated with defense systems and operations critical to their sustainment. Concurrently, acquisition programs have been inconsistent in the application of control measures, and many new systems are noisier than their legacy predecessors. Common impediments to improved control include a relative lack of emphasis on risk management of noise, lack of widespread technical knowledge regarding the feasibility of noise control, and misunderstanding of the potential return on investment from noise controls. The Defense Safety Oversight Council's Acquisition and Technology Task Force sponsored a project to identify common noise sources affecting multiple defense systems that were amenable to control measures that could be implemented using existing technologies at an affordable cost. A system engineering risk management process was applied to review key noise sources in DOD, identify nine of the more common sources amenable to control technologies, and describe common control measures for these processes. An affordable containment (acoustic enclosure) technology was also evaluated and described. Estimates were made of exposed populations, the range of their occupational exposures, and the potential risk and fiscal cost of hearing loss. Cost-benefit analyses were applied to evaluate the return on investment from available control measures.

System Safety Design for Safe Operation of Radars
Ronald J. Bartos, PE, CSP, Whole Life Engineering, Raytheon, Sudbury, MA, USA
Safe operation and maintenance of radars depends upon effective system safety and software safety analyses of radar designs. These analyses include identification of the hazards involved in operating and maintaining radars and the safety requirements that are necessary to mitigate these hazards. This paper familiarizes the reader with the system safety design requirements that are implemented in the controls of these systems in order to manage the potential safety risks inherent in radars. The safety features are contrasted among different types of radars. The differences in the types of safety features among these systems are highlighted, and factors for these differences are presented. The radar's mission, location, system architecture, conceptual design, and requirements allocation between hardware and software need to be understood in order to implement an effective safety program.

Tuesday, 08/13/13, PM, Berkeley: Software Engineering (Chair: Mikula)

Dependability Techniques Applied to Space Software - A Research Project Report
Carlos Henrique Netto Lahoz, Dr. Eng., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos (SP), Brazil; Martha Adriana Dias Abdala, M.S., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos, Brazil
This work reports some results of a research project performed at the Institute of Aeronautics and Space (IAE), Brazil, using dependability techniques applied to space computer systems. Hazard analysis techniques such as Software FTA and Software FMECA were used in an integrated manner, and more recently the System-Theoretic Process Analysis (STPA) has been studied. This research is part of the Verification and Validation (V&V) efforts to increase software dependability capability in software projects at IAE.

The feasibility of such an approach was assessed on a system software specification and applied to a case study based on the Brazilian Launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to the inclusion of new functional and non-functional system software

The techniques are adjusted and used in combination to identify common causes of software failures, their criticality, performance problems, temporal misleading, and hazards arising mainly from dysfunctional interactions between components. The SFTA analysis produced 82 basic events and the SFMECA 34 analyses from the sequence of flight and control events. The STPA is being applied to one of the case study scenarios in order to evaluate possible additional information about how the behavioural safety constraints can be violated.

The Principles of Software Safety Assurance
Richard Hawkins, PhD; Ibrahim Habli, PhD; Tim Kelly, PhD; Department of Computer Science, University of York, York, United Kingdom
We present common principles of software safety assurance that can be observed from software safety standards and best practice. These principles are constant across domains and across projects and can be regarded as the immutable core of any software safety justification. The principles also help maintain understanding of the 'big picture' of software safety issues whilst examining and negotiating the detail of individual standards, and provide a reference model for cross-sector certification.


Formal Modelling in the Development of Dependable Systems
Elena Troubitsyna, PhD, IT, Åbo Akademi University, Turku, Finland
Nowadays we tend to place increasing reliance on computer-based systems and the software they run. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, the analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.

It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing of software to the required degree of dependability infeasible, and hence the emphasis should be put on the development process, which is aimed at producing fault-free software. Moreover, the system environment has a direct impact on its dependability, and hence a systems approach should be applied.

In the paper we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.

Tuesday, 08/13/13, PM, Clarendon: Aerospace Safety (Chair: Kraemer)

Systems-Based Approach to Flight Safety Management in Airlines
Hong Chi, PhD; Baoguang Xu, PhD; Mingliang Qi, PhD; Xueyan Shao, PhD; Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China
Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of SMS. Since 2006 we have worked with one of China's 3 big airlines, taking part in its construction of SMS. We find that safety risks have their own features in different airline departments, and divide safety risks into two categories: one is caused by factors such as quality of pilots and reliability of airplanes, and the other is caused by misprocessing through operational processes; for example, a misprocessing in data entry during dispatching may lead to insufficient fuel and then serious outcomes. A reasonable risk assessment can be obtained only by systematic mechanism analysis, and other analytical approaches need to be studied besides the risk matrix. Based on this, effective risk mitigation can be implemented in airlines. We develop a closed loop to support an airline's flight safety management, named "Describing-Assessing-Diagnosing-Improving-Tracking". Specific details will be discussed in this paper.

Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch
Burak Durmaz, MSc Eng, Product Assurance Department, Space Systems Group, Turkish Aerospace Industries, Inc. (TAI), Ankara, Turkey
Even if new-generation aircraft have rugged designs which maximize reliability, exposure to failures during operation is still indispensable. With a pure safety approach, one can be led to the classical result: "the safest aircraft is the one in the hangar". Vice versa, allowing dispatch without ensuring a certain level of safety can lead to catastrophic results and is totally unacceptable. MMEL has been answering this dilemma for many years. Each MMEL item is analyzed taking into account the effects of item inoperability on safe flight and landing, crew workload, functional capabilities of the systems, design margins, and the impacts due to the next critical failure. MMEL proposes dispatch criteria for any inoperative MMEL item by taking credit from a redundant unit which is capable of accomplishing the same function, the backup data provided by alternative sources or equipment, dictating acceptable limitations, and/or requiring operational or maintenance procedures.

This study aims to answer questions such as why MMEL is required and how an MMEL is developed. Also, brief information about the MMEL regulations, the importance of MMEL to ensure safe dispatch with inoperative item(s), and some simple examples regarding MMEL applications are going to be provided.


Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics
Stuart Campbell, Sr., MAS, CFII, ATP, Aeronautical Science, Embry-Riddle Aeronautical University, Daytona Beach, FL, USA
The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilot Association, 2010). The absence of a positive safety culture in general aviation, to include training organizations, affects pilot judgment and decision making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture during the learning process and training, is of importance and currently under study using the Frasca Mentor Advanced Aviation Training Device.

Tuesday, 08/13/13, PM, Dartmouth: Software Safety (Chair: Schmedake)

Safety and/vs Security: Towards a System Engineering Approach for Trust
Erwin Schoitsch, Dipl.-Ing., Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria
Safety has a long tradition in many engineering disciplines, evolving long before computers arrived on the scene. Security in engineering disciplines has a shorter history, becoming increasingly important with the rising complexity of networked systems. In complex cyber-physical systems and systems-of-systems, both worlds, having ignored each other for a long time (independent communities, different targets, standards, techniques, and measures), now have to share their concerns to achieve the real goal of users and stakeholders: trustworthy systems.

The paper will compare the different approaches of the major safety and security standards, particularly with respect to setting goals, considering techniques and measures, and qualification/certification. Holistic system aspects, as covered by the notion of Dependability and Resilience as umbrella terms, and system engineering aspects, taking into account dichotomic properties of complex embedded systems (commonalities and trade-offs), are looked at to try to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from concept phase, hazard and risk analysis to decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC-FP7 Integrated Project OpenCoss, in IEC/ISO standardization groups, and other work.

Anatomy of a Safety Critical Software Function
Richard Church, Raytheon Company, Tewksbury, Massachusetts, USA
This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides a clear and concise determination of how a safety critical function may be defined at the system level, to include hardware, software, human interactions, and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose SLSCF computing level functions and details what constitutes a Safety Critical Computing Software Function (SCCSF) and how to identify those behavioral attributes that designate that function as safety critical. This paper provides a methodology to identify, decompose, and categorize application and operating environment SCCSFs. For the purpose of this paper, SCCSFs are categorized into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety critical software functions that control and monitor safety critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies, and fail-safe designs found in successful high-consequence safety critical systems.

Software Risk: The Third Rail of Safety Analysis
Holly S. Hildreth, PhD, Consultant; Charles "Greg" Elcock, USN-R Aviator, Consultant; San Diego, CA, USA
"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Due to our inability to assess probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called "throwing the baby out with the bath water". Meanwhile, the recent industry trend to assess software risk based solely on implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss shortcomings of this trend and describe alternative techniques that have not been openly documented but that have been used "under the radar" by software safety professionals for many years.

Wednesday, 08/14/13, AM, Berkeley: Human Factors (Chair: Robins)

ASL - Affective Safety Leadership
Ulrik Ramsing, Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark
Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how", demanding that the CoRep engage with all parties in a safe, professional, and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged with CfL Centre for Leadership to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, the satisfactory completion of which is now a requirement for employment in DONG E&P Offshore Operation as Company Representative.

The CoRep Program satisfies its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors, and ILO-driven offshore coaching.

Exxon Valdez: Human Error, Plain and Simple
Arthur D. Barondes, BS (Mil Engr), MS (Aero), MBA, PhD (ABD) (Business), Analytics International Corporation (AIC), Alexandria, VA, USA
Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989, and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors (there were no mechanical or electrical failures that fateful night), the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots, and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors, onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company, as solely responsible for the disaster.


Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A. Vernacchia, MS, PE, Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A. Green, PhD, Active Safety Systems, General Motors, Warren, MI, USA; Robert E. Llaneras, PhD, Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA
Today's electric propulsion system designs (e.g., Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, some failure modes may result in the failure effect on output torque being realized significantly faster than traditional ICE failure modes. These may present differences in how output torque responses impact potential "Driver Startle" events.

This paper compares electric propulsion systems' fault response characteristics and subsequent detection and mitigation capabilities to those of ICE systems. The effects of the electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle-level hazard metrics related to Driver Startle, are presented.

Wednesday, 08/14/13, AM, Clarendon: Public Safety (Chair: Fletcher)

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD; Yun Luo; Shuo Tian, MS; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
Scientific precaution and effective control of accidents are important for the national production of China. The famous Heinrich Rule reveals that the statistical law of the severity and frequency of accidents is essential to control accidents, but the accidental source and causation, as well as the essence of systematic safety factors, haven't been stated deeply. With data analysis from various accident statistics over recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. A proportion rule of the accident pyramid is then further figured out, namely "Major Accident-Fatal Accidents-General Accidents-Hidden Dangers-Hazards" (1-52-240-4700-∞). The result accords with the traditional Heinrich Rule, which provides the theoretical basis for accident prevention and indicates the way and direction of realizing essential safety.

Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity
Ilya M. Zheleznov, PhD, VNIIA, Moscow, Russia
The paper presents a review and results of analysis of different technical and economic aspects of industrial safety at a large enterprise with distributed sites, combining R&D work with pilot and batch production of high-tech products, and located in a megacity, Moscow.

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to optimization are considered, from both technical and economic points of view, taking into account the minimization of transport of dangerous substances, the localization of treatment facilities (waste effluents, gas purification) and waste storehouses, the localization of systems for maintaining working conditions (heating, air-conditioning, air clearing, water supply, etc.), possible harm to the population, and a number of other factors.

The features connected with the location of the enterprise in a megacity are identified, including limitation of the areas for treatment facilities, a high saturation of the area with various utilities, small distances to residential buildings and city infrastructure objects, transport problems, high pollution of the air environment, etc.


Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr. Professor G.A. Smirnov, Dr. D.I. Yurkov, D.V. Syagin, T.V. Kozhina, All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia
The paper reviews questions related to the vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including those of a terrorist orientation, as well as to emergency situations of natural and anthropogenic character.

The main provisions of the Russian Government-approved complex program for the safety of the population on transport are presented. Approaches to the organization of screening of physical persons, passengers, vehicles, cargoes, luggage, and personal belongings at transport infrastructure objects of the undergrounds of Russia are formulated. Some types of neutron and x-ray equipment for the detection of explosives, nuclear materials, and drugs, designed and produced by VNIIA named after N.L. Duhov, are presented.

Wednesday, 08/14/13, AM, Dartmouth: Lifecycle Safety (Chair: Swallom)

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore, Singapore
System Safety analyses assess the systems' hazards throughout all phases of the system life cycle. Quite often, details of maintenance tasks on systems were not clearly thought out and assessed. Hence, while in the midst of carrying out system maintenance tasks, hazards could arise and pose safety implications to users. Improper maintenance could also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance and sometimes total replacement of the components at regular intervals are required. Therefore, it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety critical or safety related parts is also crucial in ensuring that the systems remain safe for operation after conducting maintenance.

This paper attempts to classify the different types of maintenance and the focuses of their respective hazard analyses in order to better address their potential hazards. Generally, there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance, and Reliability-Centered Maintenance. The authors will discuss, with examples, the hazard analysis for each of these types of maintenance.

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram, David Hartfelder, Electronic Controls and Software, General Motors Company, Milford, MI, USA
System safety engineering is the application of special technical methods and managerial processes in a systematic manner to identify, evaluate, and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned with eliminating or minimizing the impact of system hazard(s) to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementary critical safety analyses, tests, and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that they are able to influence the design of the system. This paper will define a system safety case and provide an overview of its development within the GM system safety engineering process as applied to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA
Error Prevention Event Collection (EPEC) Documents have been beneficial to the ULA Organization in many ways by providing multiple methods to augment current ULA Error Prevention Processes and share Lessons Learned throughout the ULA Organization. EPEC Documents are stand-alone documents that provide ULA Personnel with categorized sets of Event information that can be used to augment Preventive Analysis, Reactive Analysis, and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process. This means that they have completed the Causal Analysis, Corrective Action Board, and Error Prevention Council processes. Upon Event closure, the "All Items" Database is populated with Event information and the applicable Event EPEC Categories. Then the "All Items" Database automatically sorts Event entries into "Category" Databases. There is one "Category" Database for each EPEC Category. Each "Category" Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" Database that provides users with instructional use, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications, and benefits will continue to be explored as they relate to the EPEC Documents.

Wednesday, 08/14/13, AM, Exeter: Human Factors II (Chair: Flint)

Development of Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy; Yanyan Wang, DE; Xin Liu; Wei Bai; Xinsheng Guo; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress has a disadvantageous effect on flight safety. Life events are a routine item of aircraft accident investigation in many countries. A lot of pilots involved in accidents were suffering from life events. In order to acquire the ideal effect, flight safety education must be incorporated with psychology. An education program combining flight safety and psychological stress was developed by summarizing the relevant psychological factors of aviation risk perception. The program includes three sections: psychological measurement relative to safety and results feedback, education on representative risk scenes in aviation, and occupational stress management. The aviation safety locus of control scale and the hazardous aviation attitude questionnaire were used to evaluate risk pattern. The results were fed back to pilots to improve self-knowledge. Representative risk scenes were based on the five hazardous attitudes theory. Fifteen cases were developed, and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach the pilots stress management skills. The program can be applied to improve flight safety and the mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD; Xin Liu; Wei Bai; Xinsheng Guo; Qingfeng Liu, MPsy; Xiaochao Guo, DPsy; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
The capabilities of crew resource management (CRM) directly relate to flight safety and run through the whole process of flight tasks, but there are currently still no indicators and methods for the dynamic management and assessment of crew resources in China. In this study, the theoretical system of CRM and the pilot's behavior characteristics of dynamic CRM were developed based on AC-121-FS-2011-41 crew resource management training and by analyzing the influential factors; thus, eventually, the dynamic assessment training indicators and methods of crew resource management were formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis of assessment of CRM during flight training, which is helpful to improve the CRM capabilities of the double drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD; Erin Collins. Hughes Associates, Inc., Baltimore, MD, USA
The fire protection response in selected facilities is characterized by "manual" activities. That is, facility personnel are trained to react immediately after fire detection, not only to announce the fire event throughout the facility using the communication systems but also to suppress the fire as quickly as possible. Contrary to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e., hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper integrates an event tree analysis with HRA and treats the following detection and suppression activities: prompt detection and suppression, rapid detection and suppression, and fire brigade suppression.

Wednesday, 08/14/13, PM, Berkeley: Safety Topics. Chair: Gauthier

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou, BEng, MSc, PhD, CEng; Matthew Luckcuck; Tim Kelly, PhD; Richard W. Jones, PhD. Department of Computer Science, University of York, York, United Kingdom
There has been an increasing use of IT in healthcare, aiming to improve the quality of healthcare as well as the safety delivered to patients. IT can help hospitals meet their performance targets by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent in medical devices (e.g., pacemakers), for which there are organised efforts for international standards. Recently there have been attempts to systematise and standardise the safety analysis of health IT systems, with examples such as the UK National Health Service standards asking for a safety case showing that any IT system is safe.

The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety and data-intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these tactics can be used to provide assurance to the final safety case of the system.

How Complex Systems Fail - I: Decomposition of the Failure Histogram
Richard R. Zito, PhD. Richard R. Zito Research, LLC, Tucson, AZ, USA
Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that the defect rate (failure rate) of software modules generally varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model, and the failure histograms (failure rate vs. time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report takes the Peterson/Arellano analysis one step further. A unified theory of failure rates will be presented that removes the paradoxes of the simple Rayleigh model. It will be shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions are themselves distributed according to a probability density function law.
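The decomposition the abstract describes, as an added example that is not code or data from the Zito paper: a system failure histogram built as a mixture of Rayleigh laws, one per subsystem, whose modes are weighted by a constructed density, compared against the single Rayleigh law fitted to the mean mode. The modes, weights and time points are assumptions chosen for illustration.

```python
"""Added example (not code from the Zito paper): a failure histogram built as a
mixture of Rayleigh failure-rate laws, one per subsystem, with the modes of
those laws weighted by a discretised probability density, as the abstract
describes.  Modes, weights and time points are constructed for illustration."""
import math
from typing import List, Sequence, Tuple


def rayleigh_pdf(t: float, sigma: float) -> float:
    """Rayleigh density f(t) = (t / sigma^2) exp(-t^2 / 2 sigma^2) for t >= 0.
    Its mode, the peak of the failure histogram, is sigma."""
    if t <= 0.0:
        return 0.0
    return (t / sigma ** 2) * math.exp(-t * t / (2.0 * sigma ** 2))


def mean_mode(modes: Sequence[float], weights: Sequence[float]) -> float:
    """Average subsystem mode under the density over modes."""
    total = float(sum(weights))
    return sum(m * w / total for m, w in zip(modes, weights))


def mixture_pdf(t: float, modes: Sequence[float], weights: Sequence[float]) -> float:
    """System failure histogram: a weighted sum of one Rayleigh law per
    subsystem.  Weights are normalised, so the mixture integrates to 1."""
    total = float(sum(weights))
    return sum(w / total * rayleigh_pdf(t, m) for m, w in zip(modes, weights))


def tail_ratio(t: float, modes: Sequence[float], weights: Sequence[float]) -> float:
    """Mixture density divided by the single Rayleigh law whose sigma is the
    mean mode (the simple model one would fit).  A ratio above 1 means the
    mixture puts more failures at time t than the simple model predicts."""
    return mixture_pdf(t, modes, weights) / rayleigh_pdf(t, mean_mode(modes, weights))


def total_mass(modes: Sequence[float], weights: Sequence[float],
               upper: float, n: int = 20000) -> float:
    """Trapezoid-rule integral of the mixture on [0, upper]; should be about 1
    when upper lies far out in the tail of the widest component."""
    h = upper / n
    s = 0.5 * (mixture_pdf(0.0, modes, weights) + mixture_pdf(upper, modes, weights))
    for i in range(1, n):
        s += mixture_pdf(i * h, modes, weights)
    return s * h


# Constructed data: four subsystems whose Rayleigh modes are spread around
# 1.25 (arbitrary time units).  The 1:3:3:1 weighting stands in for the
# probability density over modes; any other density works the same way.
MODES = [0.5, 1.0, 1.5, 2.0]
WEIGHTS = [1.0, 3.0, 3.0, 1.0]


def compare(times: Sequence[float], modes: Sequence[float] = MODES,
            weights: Sequence[float] = WEIGHTS) -> List[Tuple[float, float, float]]:
    """(t, mixture density, single-Rayleigh density) for each time point."""
    sbar = mean_mode(modes, weights)
    return [(t, mixture_pdf(t, modes, weights), rayleigh_pdf(t, sbar)) for t in times]


if __name__ == "__main__":
    print(f"mean mode = {mean_mode(MODES, WEIGHTS):.3f}, "
          f"mixture mass on [0, 20] = {total_mass(MODES, WEIGHTS, 20.0):.5f}")
    print("   t   mixture   single   ratio")
    for t, mix, single in compare([0.5, 1.25, 2.0, 3.0, 3.75, 5.0]):
        print(f"{t:5.2f}  {mix:8.5f} {single:8.5f}  {mix / single:6.2f}")
```

Near the mean mode the mixture lies below the single Rayleigh law, while far out in the tail it lies above it, which is the shape of the discrepancy the abstract attributes to the simple model.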

Wednesday, 08/14/13, PM, Clarendon: Risk Assessment. Chair: Karedes

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt; Joan Pham, PhD. Sikorsky Aircraft Corporation, Stratford, Connecticut, USA
The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and their interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday, 08/15/13, AM, Berkeley: Space Systems. Chair: Durmaz

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X. Dang, BSCE (1); Myles P. Moran, BSME (2); Tyrone Jackson, BSEE (1). (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA
A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. As an example, one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 AFSPC SUP 1, 91-217, and 63-101. AF program offices are required to comply with AFI policies; AFIs don't generally apply to the contractor except as implemented through the contract. Often, program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that, by having two sets of requirements (AFIs for program offices and MIL-STD-882-Tailored for contractors), full compliance with AF Orbital Safety policy should be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"

Program ISSC 2013


Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G. McDougall, BS Physics, Naval Post-Graduate School (NPS) Master System Engineering, System Safety Center, SMC/SE, El Segundo, CA, USA; Tyrone Jackson, BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA
Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommissioning and disposal of systems, subsystems, end items and services during the entire space system lifecycle, to support Operational Safety, Suitability and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements that are applicable to the acquisition of space systems or space systems of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems and user equipment systems. The SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP_I and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process for evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing the tasks and activities required to execute a viable system safety program, which include risk acceptance package development, hazard tracking, mishap risk disposition and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch, CO, USA
United Launch Alliance launches Atlas V and Delta IV from the Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles, and large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle and prelaunch operations, until liftoff. Range Safety regulations provide safety requirements for hardware, software and operations to ensure safety throughout ground processing. This paper will examine each stage of the ground processing for space launch and the applicable safety requirements, and discuss how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after personnel are cleared, using safety-critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday, 08/15/13, AM, Clarendon: Weapons Safety. Chair: Southwick

Security Critical Software: the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S. Alborzi, PhD. Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA
Today's political landscape, the arbitrary abandonment of nuclear weapons non-proliferation by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense of system safety. This paper intends to explore this integration and unveil some of the security critical software that can serve as the first line of defense for preserving the safety critical features of our weapons systems.


Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams, BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello, BSChE, Navy NOSSA, Indian Head, MD, USA
The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance for implementing policy provided in the associated AOP-7 and AOP-39. Questions are often raised during program development and reviews as to the origin and applicability of the tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of the test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, will only address Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE; Gunendran Sivapragasam, MBA, SE. Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA
A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among the characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork, with analysis that can be built upon, for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday, 08/15/13, AM, Dartmouth: Hazard Identification. Chair: Oliver

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore
We often ask ourselves why accidents or mishaps happened even when the system safety methodology and assessments were in place. Accidents happen due to many possible causes: there could be lapses in the safety integrity of the system, or a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns, where a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations that were faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practices in system safety. There are 4 areas of concern highlighted in the paper: Interfaces, Prototype Tests & Trials, Maintenance & Disposal, and Human Error. By identifying the gaps in these 4 areas, the author explores and proposes mitigation measures that could possibly close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr. Cand. scient., System Safety, SINTEF, Trondheim, Norway
Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body (for certification according to IEC 61508), a Notified Body (for certification according to the relevant EU directives) and a Manufacturer.

Experience has shown that, to deliver the product on time and to be cost-effective, it is very important that the Manufacturer and the Certification and Notified Body agree about basic principles concerning the plans, contents, traceability and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Body as evidence.

This paper presents the CoVeR method that has been developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, that costs are minimized, that time to market is reduced, that the certification process is complete and well documented, and that updates of the certificates require less work. The certification experiences to date show that many of the problems with conventional methods are reduced.

Design with Safety Eye
Barış Berk Erdem, MS; Pinar Aydin, MS. Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey
Deriving safety requirements in the early stages of the design is one of the most important key factors in conducting a successful development process for any project. Just as well-defined, correct, consistent and complete safety requirements improve and guide the design toward perfect levels with minimum effort, defective, inconsistent and incorrect safety requirements may lead to unsuccessful, overweight and over-cost designs. In this paper, ways of deriving qualified safety requirements in the early stages of the design, and their advantages, will be discussed via examples. Safety requirements are derived using the results of the safety assessments, based on the consequences of functional failures. But the quality of the safety assessments depends on the maturity of the design, and as the design matures it becomes hard to change and to implement the changes, which causes a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated and familiar with similar projects provides great contributions. Also, a safety perspective throughout the design team makes it easy to derive valuable safety requirements and to bring these requirements into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is the cooperation of the whole design team with a safety perspective.

Thursday, 08/15/13, PM, Berkeley: Aerospace Software. Chair: Beecher

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway, NASA Langley Research Center, Hampton, VA, USA
For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements." Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments, contained in or implied by the DO-178C guidance, that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore, developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper, we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels, and Baconian probability. We define use cases for confidence in safety cases: prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for reuse of safety elements.

Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System
Eric Yang, PhD; Richard Y. Xie, PhD; Arash Yousefi, PhD. Metron Aviation, Inc., Dulles, VA, USA
As demand for military, civilian and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety that is set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper, we adapt a previously developed safety modeling framework, the Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS, incompatibility of the sense-and-avoid systems of UAS and the Tactical Collision Avoidance Systems (TCAS) of manned aircraft, lost-link procedures in the UAS, and the UAS loss of communication with air traffic control. The findings of this study provide insight into the potential risks of UAS integration and may support development of the concept of operations, establishing minimum performance standards, and developing the required safety nets.

Thursday, 08/15/13, PM, Clarendon: Public Safety II. Chair: Laabs

Integrating System Safety and Emergency Management
Terry L. Hardy, Great Circle Analytics, LLC, Denver, CO, USA
System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations, or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience, and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS. HSE, Marine Well Containment Company, Houston, TX, USA
Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess and Statoil. In February 2011, MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS and its Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach to working with member companies on hazard identification to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.


A Taxonomic Analysis on Chinese Special Equipments "Yinhuan" in Supervision
Yunxiao Fan, Dr., Associate Professor; Yun Luo, Professor; Ming Lu, Master. School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety on the worksite. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices and automobiles. In recent years, the rapid increase in the numbers and types of special equipment has put BSES under increasing stress in regulating it. As a government supervision organization, BSES tries to make the inspection tasks of the different supervision levels explicit and efficient, and to improve safety management performance from the viewpoint of risk. This research is the first task in a project which aims to identify yinhuans in special equipment supervision through a taxonomy approach, for further ranking them through risk assessment. Based on nonconformity and the 4 elements in the accident causation model, this research defined the yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. This research identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans of 8 types of special equipment.

Thursday, 08/15/13, PM, Dartmouth: Hazard/Risk Management II. Chair: Kniess

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1); Patrick J. Graydon, PhD (2); Rikard Land, PhD (1). (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework that includes analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach, the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence; it can also ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA
United Launch Alliance (ULA) believes error reporting is the cornerstone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012, ULA experienced an elevated number of transportation-related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if the associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates processes were "in control" during the period of this study.


Even though statistical analysis tools demonstrated ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business; rather, ULA strives to eliminate all errors.
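The p-chart test the ULA abstract applies, as an added example that is not ULA's code or data: monthly Event counts are compared against 3-sigma control limits derived from the pooled fraction nonconforming, and a month outside its limits answers the question "is the process out of control?" The sample sizes, Event counts and the k = 3 limit rule are assumptions constructed for illustration.

```python
"""Added example (not ULA's own code or data): a Statistical Quality Control
p-chart over constructed monthly error-Event counts, answering "is the
process in statistical control?" with the usual 3-sigma limits.  Each month
is a sample of n_i opportunities (here, transportation moves) with d_i
Events; because n_i varies, the control limits vary month by month."""
import math
from typing import List, NamedTuple, Sequence


class ChartPoint(NamedTuple):
    sample: int        # 0-based sample (month) index
    n: int             # opportunities in the sample
    d: int             # nonconforming units (Events) in the sample
    p: float           # observed fraction d / n
    lcl: float         # lower control limit for this sample size
    ucl: float         # upper control limit for this sample size
    in_control: bool   # True when lcl <= p <= ucl


def p_bar(events: Sequence[int], samples: Sequence[int]) -> float:
    """Centre line: the pooled fraction nonconforming over all samples."""
    return sum(events) / sum(samples)


def p_chart(events: Sequence[int], samples: Sequence[int],
            k: float = 3.0) -> List[ChartPoint]:
    """Build the p-chart.  Only the k-sigma limit rule is applied; run rules
    such as the Western Electric rules are deliberately left out."""
    if len(events) != len(samples) or not samples:
        raise ValueError("events and samples must be equal-length, non-empty")
    centre = p_bar(events, samples)
    points: List[ChartPoint] = []
    for i, (d, n) in enumerate(zip(events, samples)):
        if n <= 0 or d < 0 or d > n:
            raise ValueError(f"sample {i}: need 0 <= d <= n and n > 0")
        # Binomial standard deviation of a proportion for this sample size.
        sigma = math.sqrt(centre * (1.0 - centre) / n)
        lcl = max(0.0, centre - k * sigma)   # a proportion cannot go below 0
        ucl = min(1.0, centre + k * sigma)   # ... or above 1
        p = d / n
        points.append(ChartPoint(i, n, d, p, lcl, ucl, lcl <= p <= ucl))
    return points


def out_of_control_samples(events, samples, k=3.0) -> List[int]:
    """Indices of samples whose observed fraction falls outside the limits."""
    return [pt.sample for pt in p_chart(events, samples, k) if not pt.in_control]


def process_in_control(events, samples, k=3.0) -> bool:
    """The question the ULA paper asks, answered by the limit rule alone."""
    return not out_of_control_samples(events, samples, k)


# Constructed data: twelve months of transportation moves (the sample sizes)
# and two alternative Event histories, one steady and one with a cluster of
# Events in a single month.
MOVES = [40, 38, 42, 45, 39, 41, 44, 40, 43, 37, 46, 42]
EVENTS_STEADY = [2, 1, 3, 2, 1, 2, 3, 2, 2, 1, 3, 2]
EVENTS_CLUSTER = [2, 1, 3, 2, 1, 2, 3, 9, 2, 1, 3, 2]


if __name__ == "__main__":
    for label, events in (("steady", EVENTS_STEADY), ("cluster", EVENTS_CLUSTER)):
        print(f"{label}: p-bar = {p_bar(events, MOVES):.4f}, "
              f"in control = {process_in_control(events, MOVES)}")
        for pt in p_chart(events, MOVES):
            flag = "" if pt.in_control else "   <-- outside limits"
            print(f"  month {pt.sample + 1:2d}: d={pt.d:2d} n={pt.n:2d} "
                  f"p={pt.p:.3f} LCL={pt.lcl:.3f} UCL={pt.ucl:.3f}{flag}")
```

With the pooled fraction this low, every lower limit clips to zero, so only an excess of Events can signal, which is the direction a "zero defects" program cares about.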

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, P.Eng., MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece
Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how STAMP-Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents and incidents. The objective is to show the feasibility of establishing, in airports, system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems and airports to assess and predict changing levels of risk.


Special Functions

Saturday: SSS Executive Council meeting, 12:00 - 5:00 pm, Tremont Room

Sunday: SSS Executive Council meeting, 8:00 am - 5:00 pm, Tremont Room

Monday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room. Opening Ceremonies / General Session, 1:30 - 3:30 am, Salons A-E. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus. Keynote Speaker: James P. Keller, Jr., MS, ECRI Institute

Tuesday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room. Sponsor/Exhibitor Luncheon, 11:30 am - 1:20 pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology. Sponsor & Exhibitor Reception, 6:30 - 8:30 pm, Gloucester Room

Wednesday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room. International Luncheon, 11:30 am - 1:20 pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK. Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00 pm. Be in the hotel lobby at 6:00 pm

Thursday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room. Awards Luncheon, 11:30 - 1:20 pm, Salons A-E

Friday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room. Best Papers Presentations, 8:00 - 11:20 am, Dartmouth Room

ProgramISSC2013

51

32nd International System Safety Conference, 4-8 August 2014, St. Louis, MO
St. Louis Union Station Marriott Hotel
Gateway to Safety

Local attractions:
• Gateway Arch Riverfront
• Missouri History Museum
• Museum of Transportation
• St. Louis Cardinals
• St. Louis Symphony
• St. Louis Union Station
• St. Louis Science Center
• The Contemporary Art Museum St. Louis
• Bissell Mansion Restaurant and Dinner Theater
• Missouri Botanical Gardens
• Laumeier Sculpture Park
• Anheuser-Busch Brewery
• Kemp Auto Museum
• Schlafly Bottleworks
• Fox Theater
• Purina Farms
• Meramec Caverns
• Laclede's Landing
• City Museum
• Magic House
• Grant's Farm
• St. Louis Zoo
• Delmar Loop
• Forest Park
• Harrah's
• Six Flags

ABOUT THE SYSTEM SAFETY SOCIETY
The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program or activity at the planning phase and continues through the design, production, testing, use and disposal phases.

The Society's Objectives
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070
www.system-safety.org, email: systemsafety@system-safety.org

POINTS OF CONTACT

Officers
Robert Schmedake, President, robertaschmedake@boeing.com
Dr. Rod Simmons, Executive Vice President, rodsimmons@me.com
Dr. Matt Johnson, Executive Secretary, mjohnson@staudertech.com
Pam Kniess, Treasurer, pamkniess@gmail.com
Gary Braman, Immediate Past President, gbraman@sikorsky.com

Directors
Gerry Einarsson, Chapter Services, einargk@rogers.com
Lynece Pfledderer, Conferences, Lynecepfledderer@lmco.com
Dr. Chuck Muniak, Education & Professional Development, cmuniak@stevens.edu
Debbie Hale, Gov. & Intersociety, Hale0324@hotmail.com
Robert Fletcher, International Development, rwfletcher@sympatico.ca
Melissa Emery, Member Services, memery@apt-research.com
Steve Mattern, Mentoring R&D, smattern@bastiontechnologies.com
Saralyn Dwyer, Publicity & Media, sdwyer@apt-research.com

CHAPTERS
Tennessee Valley Chapter (AL): Don Swallom, swallom@isss-tvc.org
Saguaro Chapter (AZ): Amanda Boysun, 520-794-5487, AmandaBoysun@raytheon.com
Bay Area Chapter (CA): Graham Murray, 408-756-2674, grahamtmurray@lmco.com
Central California Chapter (CA): Kathleen Brenna, KathleenBrenna1@us.af.mil
Sierra High Desert Chapter (CA): Jerry Banister, 760-377-4690, safetycitadel@earthlink.net
Southern California Chapter (CA): Francis McDougall, 310-653-1309, francismcdougall@us.af.mil
Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppe@comcast.net
Georgia Chapter: Terry Gooch, 770-494-3527, terryjgooch@gmail.com
Winners Circle Chapter (KY/IN): Marc Bever, 812-854-1351, Marcbever@navy.mil
Twin Cities Chapter (MN): Bill Blake, 763-744-5086, billblake@atk.com
New England Chapter: Alan E. Southwick, 401-842-2067, Alan_E_Southwick@raytheon.com
Northeast Chapter: Scott Beecher, scottbeecher@PW.utc.com
New Mexico Chapter (NM): William (Bill) Harwood, williamharwood@mda.mil
Houston Chapter (TX): Derek Robins, 281-335-2011, derekrobbins@mwcc-usa.com
North Texas Chapter (TX): Frank Rinaldo, 817-762-3075, frankrrinaldo@lmco.com
Washington DC Chapter: Sean Peters, seanpeters@urs.com
Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerber@baesystems.com

International Chapters
Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbecht@rgbassurance.com.au
Canada Chapter: Maury Hill, 613-220-0533, Mauryhill@rogers.com
Israel Chapter: Haim Kuper, 972-4-8315044, haimkuper@elbitsystems.com
Singapore Chapter: Ten Lin Mei, tlinmei@dso.org.sg

31st ISSC LUNCHEON MENU

Tuesday, August 13
New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14
Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15
Caesar Salad
Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce
White Chocolate and Blood Orange Torte

I fly Sikorsky. Because the mission is never the same.

"I fly a Sikorsky BLACK HAWK helicopter for multiple missions. It's dependable and durable, and I have complete confidence in its proven performance. Sikorsky not only sets the standard for rotorcraft excellence and safety, they exceed it. It's evident in everything from the reliable performance of my BLACK HAWK to the way they support me in the field. There's simply no better helicopter for any requirement, whether it's utility, combat search and rescue or firefighting. The way I see it, not every pilot gets to fly in a helicopter this good. But they should."

Sikorsky

GREETINGS FROM THE CONFERENCE CHAIR

On behalf of the entire ISSC planning committee, I would like to extend a warm welcome to you. We have worked hard to make this conference a world-class success. Whether this is your first visit to Boston or you have been here before, I hope you get a chance to relax and enjoy our beautiful New England city. Boston has something for everyone, from historical sites to exciting downtown locations, sports arenas and fabulous shopping. Our off-site event will be held in the Museum of Science, complete with Wolfgang Puck catering and our own private Lightning Show.

The System Safety Society is proud to host an annual conference that provides practitioners from different industries a chance to get together, network and learn from each other. Unfortunately, the US budget sequestration restricted travel for Government workers, so our numbers are down this year. I would like to assure all attendees that although this year's conference will be smaller than previous years, the standards to which we held our papers and tutorials were not lowered. You can expect top-notch presentations.

The theme for this year's conference, "Safety for the Long Run", picks up on a number of parallels between the types of things one might do to prepare for a marathon race and elements of an effective system safety program. These include the importance of proper training, having a well thought out plan, getting off to a good start, avoiding obstacles and distractions, and keeping enough in reserve for a successful sprint to the finish. I think you will agree that this year's conference will help prepare you well.

One of our objectives was to try to attract more young people who could especially benefit from the knowledge and experience of many of the Society's "grey beards". We will have several student members in attendance, and I hope you will join me in making them feel welcome. I am also pleased to announce that this year we will have a new track, Lifecycle Safety. These papers will discuss system safety as it moves past the development stage, which is where the majority of our previous discussions have stopped. In addition to our many papers and tutorials being offered, there is the potential for "Just in Time" sessions to be held. A board for suggesting topics you would like to have added to discussions will be located at the registration desk, or you can coordinate with Norm Gauthier, one of our Technical Co-Chairs.

We wish you an enjoyable and enlightening conference experience. Should there be anything you require to make your conference experience better, please don't hesitate to reach out to me, Cliff Parizo or any of the other Conference Committee volunteers.

Again, enjoy your visit, and thank you for your support by being here. I would also like to send a big thank you to those who helped plan this conference, our sponsors & exhibitors, and especially to Sikorsky Aircraft for partnering with us to make this conference a reality.

Sincerely,
Pam Alte, 31st ISSC Conference Chair

SPEAKERS

Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus
Opening Ceremonies, 50th Celebration Speaker

Rex Gordon is a 50-year Charter Member and current Historian of the System Safety Society. He is a past President and Editor of the Journal. He served as Chairman of the 2nd ISSC and of both the Northeast and Southern California Chapters. He has represented the Society on the boards of the Reliability and Maintainability Symposium (RAMS) and Certified Safety Professionals (CSP). He is a Chapter Member and past Chairman of the Government Electronic Industries Association (GEIA) G-48 System Safety Committee. He has co-authored two text books and over 15 published papers. He has lectured at the George Washington University and USC. He has represented the Society at functions held in the White House and the Pentagon, and in Germany, Holland and Paris.

He is retired after 40 years of employment as a System Safety Engineering Specialist, Manager and Consultant. He currently lives with his wife of 61 years in Fallbrook, CA.

James P. Keller Jr., MS, ECRI Institute
Keynote Speaker

As Vice President, Health Technology Evaluation and Safety, James Keller directs ECRI Institute's internationally recognized Health Devices Evaluation Program, which provides independent judgment and guidance to help hospitals and health systems select and manage medical devices. The program was referred to by the New York Times as the "country's most respected laboratory for testing of medical products". He serves as a member of ECRI Institute's Executive Committee, which is responsible for overall governance of ECRI Institute operations.

Mr. Keller is also responsible for the Health Devices Alerts notification service for medical product hazards and recalls; Alerts Tracker, a web-based tool for managing hazards and recalls of medical products; Biomedical Benchmark, a resource to help hospitals manage their medical equipment service activities; an annual series of interactive webinars on health technology issues; and the International Medical Device Problem Reporting System.

Mr. Keller is a recognized expert and frequently invited speaker on a wide range of health technology-related topics, including patient safety, equipment management, strategic planning and forecasting, device utilization, nomenclature and asset management, and the convergence of medical devices and information systems. He is a regular contributor to ECRI Institute's Patient Safety Blog and is routinely sought out by the news media for his expertise on a variety of health technology concerns.

Mr. Keller is President of the board for the American College of Clinical Engineering and is a member of the board for the Health Technology Foundation. He joined ECRI Institute in 1984 after completing a Master of Science degree in biological engineering from the University of Connecticut and a Bachelor of Science degree in zoology from the University of Massachusetts.

Dr. Nancy Leveson, Massachusetts Institute of Technology
Sponsor & Exhibitor Luncheon Speaker

Dr. Leveson holds a PhD from UCLA. She was a Computer Science professor at the University of California, then became Boeing Professor of Computer Science and Engineering at the University of Washington.

Professor Leveson's research focuses on topics related to the design of complex systems containing software, hardware and human components. Her goal is to stretch the current limits of complexity and intellectual manageability of the systems we can build with reasonable resources and with confidence in their expected behavior, particularly safety. Current research topics include model-based system and software engineering, system and software safety, software requirements specification and analysis, human-computer interaction, reusable component-based system architectures, interactive visualization, human-centered system design, and comprehensive approaches to risk management that include the organizational, political, managerial and social aspects of system construction and operation. New work is starting in security. Current applications include space, aircraft, autos, rail systems, nuclear power, medical devices, hospital safety, defense systems and others.

Dr. John McDermid, The University of York, UK
International Luncheon Speaker

Professor John A. McDermid has been Professor of Software Engineering at the University of York since 1987, where he runs the High Integrity Systems Engineering (HISE) research group. He was also Head of the Department of Computer Science from 2006 to 2012. The HISE research group studies a broad range of issues, mainly in systems, software and safety engineering, and works closely with the UK aerospace industry, but has worked in a number of domains including automotive, medical and railways.

In 2010 he was appointed a Consulting Professor at Beijing Jiaotong University (BJTU) and now runs a collaborative research programme in railway safety with BJTU known as the Railway Safety Technology Research Centre (RSTRC). He has extensive experience as a consultant, including advising the Ministry of Defence (MoD) on the development of DS 00-56 Issues 3 and 4. He is a member of the UK Defence Scientific Advisory Council. He is author or editor of six books and has published approximately 360 papers.

SCHEDULE: MONDAY, 12 AUGUST
4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Rooms: Salons A-E, Berkeley, Clarendon

8:00 - 8:50
• Berkeley, Hazard Analysis (Barondes): Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models (Wind, Schedl, Floetzer)
• Clarendon, Ground Transportation (Millin): Achieving Safety Confidence of a Large Scale System Product and its Applications (Shi)

9:00 - 9:50
• Berkeley: Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees (Rainey)
• Clarendon: Failure Logic Automata for Future Oriented Safety Assessment of Train Control System (Zhou, Zhao)

10:30 - 11:20
• Berkeley: The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment (Jaradat, Graydon, Bate)
• Clarendon: Are We Ready for Driverless Cars? (West)

Lunch Break, Salons A-E

1:30 - 3:20, Salons A-E: Opening Ceremonies, General Session. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus. Keynote Speaker: James P. Keller Jr., MS, ECRI Institute.

Rooms: Exeter, Fairfield, Wellesley

Morning (8:00 - 11:30)
• Exeter, Tutorial: Hands-On System Safety Basics Focused On FHA (Winkelbauer, Schedl; 3 hrs)
• Fairfield, Tutorial: Introduction to Fault Tree Analysis Using CAFTA Software (Roy; 3 hrs)
• Wellesley: Committee & Group Meetings

SCHEDULE: TUESDAY, 13 AUGUST
4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Rooms: Arlington, Berkeley, Clarendon, Dartmouth

8:00 - 8:50
• Arlington, Tutorial (all day, 6 hrs): A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique (Leveson, Thomas)
• Berkeley, Hazard/Risk Management (Parizo): Safety is not an Option (Parizo, Daugherty)
• Clarendon, Workplace Safety (Kondreck): Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen (Zhang, Batcheller, McQueen)
• Dartmouth, Open Forum (Fletcher): Developing Global System Safety Perspectives

9:00 - 9:50
• Berkeley: National Aerospace Standard 411 Update (Sheehan)
• Clarendon: A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources (Fischer, Yankaskas, Page)

10:30 - 11:20
• Berkeley: Linear Integrated Safety Analyses (LISA) (Grant, Muhammad)
• Clarendon: System Safety Design for Safe Operation of Radars (Bartos)

Sponsor & Exhibitor Luncheon, Salons A-E. Guest Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology. Menu: New England Clam Chowder; Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction; Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit.

1:30 - 2:20
• Arlington: Tutorial (continued)
• Berkeley, Software Engineering (Mikula): Dependability Techniques Applied to Space Software - A Research Project Report (Lahoz, Abdala)
• Clarendon, Aerospace Safety (Kraemer): Systems-Based Approach to Flight Safety Management in Airlines (Chi, Xu, Qi, Shao)
• Dartmouth, Software Safety (Schmedake): Safety and/vs Security: Towards a System Engineering Approach for Trust (Schoitsch)

2:30 - 3:20
• Berkeley: The Principles of Software Safety Assurance (Hawkins, Habli, Kelly)
• Clarendon: Use of Master Minimum Equipment List (MMEL) To Ensure Safe Dispatch (Durmaz)
• Dartmouth: Anatomy of a Safety Critical Software Function (Church)

4:00 - 4:50
• Berkeley: Formal Modelling in the Development of Dependable Systems (Troubitsyna)
• Clarendon: Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics (Campbell)
• Dartmouth: Software Risk: The Third Rail of Safety Analysis (Hildreth, Elcock)

6:30 - 8:30: Sponsor & Exhibitor Reception, Gloucester Room

Rooms: Exeter, Fairfield, Suffolk, Wellesley

Morning (8:00 - 11:30)
• Exeter, Workshop: ISO 26262-Style Risk Assessment (Joyce; 3 hrs)
• Fairfield, Tutorial: Assurance Cases As Means of Evidence Based Development of Critical Systems (Despotou; 3 hrs)
• Suffolk, Tutorial: Practical Generation of Safety Cases With the Help of GSN (Gerstinger, Schedl; 3 hrs)
• Wellesley: Committee & Group Meetings

Afternoon (1:30 - 4:50)
• Exeter, Workshop: Application of System Safety Methods to Systems of Systems (Joyce, Debouk, Vergara; 3 hrs)
• Fairfield, Workshop: Advancing Safety By Reducing Errors: A Fresh Approach (Autrey; 3 hrs)
• Suffolk, Tutorial: Improving Safety Management by Using a Risk Management Policy in Your Daily Operations (Fitzgerald; 3 hrs)
• Wellesley: Committee & Group Meetings (continued)

SCHEDULE: WEDNESDAY, 14 AUGUST
4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Rooms: Arlington, Berkeley, Clarendon, Dartmouth

8:00 - 8:50
• Human Factors (Robins): ASL – Affective Safety Leadership (Ramsing)
• Public Safety (Fletcher): The Study on the Accident Causation Rule of Macroscopic Accidents in China (Zeng, Luo, Tian)
• Lifecycle Safety (Swallom): Maintenance Hazard Analysis (Tan)

9:00 - 9:50
• Human Factors: Exxon Valdez: Human Error, Plain and Simple (Barondes)
• Public Safety: Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity (Zheleznov)
• Lifecycle Safety: Development of a System Safety Case for Automotive Electric/Electronic Systems (Sundaram, Hartfelder)

10:30 - 11:20
• Human Factors: Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems (Vernacchia, Green, Llaneras)
• Public Safety: Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation (Smirnov, Yurkov, Syagin, Koshina)
• Lifecycle Safety: Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes (Laabs, Allison, Russell)

International Luncheon, Salons A-E. Guest Speaker: Dr. John McDermid, The University of York, UK. Menu: Asian Inspired Salad; Teriyaki Chicken, Coconut Rice, Seared Bok Choy; Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce.

1:30 - 2:20
• Arlington, Workshop: The Evolution of the UK Defence Safety Standards (McDermid)
• Berkeley, Safety Topics (Gauthier): Introducing Safety Assurance Influenced Design of Health IT Systems (Despotou, Luckcuck, Kelly, Jones)
• Clarendon, Risk Assessment (Karedes): Quantitative Risk Assessment in Aviation Safety Risk Management (Hewitt, Pham)
• Dartmouth, Tutorial: Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System (Behnke, Damstra, Villhauer; 2 hrs)

2:30 - 3:20
• How Complex Systems Fail-I: Decomposition of the Failure Histogram (Zito)

6:00 - 10:00: Wolfgang Puck Dinner and Lightning Show at the Museum of Science

Rooms: Exeter, Fairfield, Suffolk, Wellesley

8:00 - 8:50
• Exeter, Human Factors II (Flint): Development of Education Program Integrating Flight Safety and Psychological Stress (Liu, Wang, Liu, Bai, Guo)
• Fairfield, Tutorial: Why You Should Care About the "-Ilities" (Southwick; 3 hrs)
• Suffolk: G-48 Meeting (West; 6 hrs)
• Wellesley: Committee & Group Meetings

9:00 - 9:50
• Exeter: Research on Evaluation Index and Method of CRM Dynamic Training (Wang, Liu, Bai, Liu, Guo, Guo)

10:30 - 11:20
• Exeter: Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events (Garvey, Joglar, Collins)

1:30 - 2:20
• Exeter, Tutorial: Where Hard Meets SOFT: Human Factors Role In System Safety Engineering (Brisbois; 2 hrs)
• Fairfield, Workshop: Aircraft Fire & Explosion – How Safe are the Friendly Skies? (Moussa)
• Suffolk: G-48 Meeting (continued)
• Wellesley, Tutorial: Using Risk Profiles for Safety Management of Large Scale Operations (Fitzgerald; 3 hrs)

SCHEDULE: THURSDAY, 15 AUGUST
4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Rooms: Berkeley, Clarendon, Dartmouth

8:00 - 8:50
• Berkeley, Space Systems (Durmaz): Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy (Dang, Moran, Jackson)
• Clarendon, Weapons Safety (Southwick): Security Critical Software: the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age (Alborzi)
• Dartmouth, Hazard Identification (Oliver): Closing the Gaps in System Safety Coverage (Siow)

9:00 - 9:50
• Berkeley: Tailoring of MIL-STD-882E for Space Systems Acquisitions (McDougall, Jackson)
• Clarendon: Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics (Adams, Tomasello)
• Dartmouth: Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods (Myklebust)

10:30 - 11:20
• Berkeley: Cryogenic Safety for Space Launch Vehicles During Ground Operations (Iyengar)
• Clarendon: A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects (Pham, Sivapragasam)
• Dartmouth: Design With Safety Eye (Erdem, Aydin)

Awards Luncheon, Salons A-E. Menu: Caesar Salad; Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce; White Chocolate and Blood Orange Torte.

1:30 - 2:20
• Berkeley, Aerospace Software (Beecher): Making the Implicit Explicit: Towards an Assurance Case for DO-178C (Holloway)
• Clarendon, Public Safety II (Laabs): Integrating System Safety and Emergency Management (Hardy)
• Dartmouth, Hazard/Risk Management II (Kniess): Towards Automatic Verification of Safety Properties in AADL System Models (Björnander, Graydon, Land)

2:30 - 3:20
• Berkeley: Uncertainty and Confidence in Safety Logic (Graydon)
• Clarendon: Safety in Deepwater Well Containment Operations (Robins)
• Dartmouth: Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events (Allison, Jerdak)

4:00 - 4:50
• Berkeley: Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System (Yang, Xie, Yousefi)
• Clarendon: A Taxonomic Analysis On Chinese Special Equipments "Yinhuan" in Supervision (Fan, Luo, Lu)
• Dartmouth: Leading Indicators in Aviation Operations (Fletcher, Dokas)

Rooms: Exeter, Fairfield, Suffolk, Wellesley

Morning (8:00 - 11:20)
• Tutorial: Conceive of Modeling On Operation Mechanism of Public Safety Standardization (Luo, Huang; 6 hrs)
• Panel: G-48 Pressing Issues Facing System Safety (West; 3 hrs)
• Committee & Group Meetings

Afternoon (1:30 - 4:50)
• Tutorial (continued)
• Committee & Group Meetings (continued)

SCHEDULE: FRIDAY, 16 AUGUST
Simmons Room, 6:30 - 8:00: Speakers' Breakfast

Rooms: Clarendon, Dartmouth, Regis
• Clarendon, Workshop (from 8:00, 2 hrs): Process Safety Culture Best Practices (Pearlman)
• Dartmouth: Best Paper 1 (8:00 - 8:50), Best Paper 2 (8:50 - 9:30), further slots 10:00 - 10:40 and 10:50 - 11:30
• Regis: Lessons Learned & ISSC Staff Turn-over Meeting

3, 2, 1, SAFETY
System safety is paramount. It impacts our products, employees, technicians and maintenance personnel. And safety is no accident – it is designed into everything we do. We are proud to sponsor this year's International System Safety Conference and their mission to think outside the box when it comes to the best processes, methods and techniques. We're committed to delivering innovative ideas and solutions that help connect, protect and explore our universe.

www.lockheedmartin.com/ssc
© 2012 Lockheed Martin Corporation

TUTORIALS
The conference organizers have an information-packed tutorial program planned in conjunction with the 31st ISSC. Attending tutorials, as well as other elements of the Technical Program at the 31st ISSC, meets the requirements for Continuance of Certification credit through the Board of Certified Safety Professionals (BCSP). The University of Cincinnati will issue Continuing Education Units (CEUs) for participation in the conference tutorials. CEUs are issued on the basis of 0.1 CEU per instructional contact hour. You must be present for at least 90% of the tutorial to receive CEUs and a tutorial completion certificate. Your attendance is verified via the process outlined below.

• At the start of the tutorial, you'll clearly print your name in the attendance form exactly as you want it to appear on the certificate.
• After returning from each break during the tutorial (morning, lunch and/or afternoon), you'll initial the attendance form.
• You must be present at the end of the tutorial to receive your certificate and the CEUs.

If there are misspellings on the CEU certificates, please mark the corrections and give them back to the instructor or leave them at the registration desk.

Monday, 08·12·13, 8:00 - 11:30, Exeter, Tutorial, 0.3 CEU
Hands-On System Safety Basics Focused on FHA
Instructors: Werner Winkelbauer, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria

An overview of a generic safety process best suited for small to medium sized projects, in relation to the project lifecycle, is given. For each major project phase, the respective safety process phase, safety objectives and necessary inputs and outputs are detailed. Some state-of-the-art analysis techniques are explained. Special emphasis is placed on the Functional Hazard Assessment, where practical guidance for a Functional Failure Modes and Effects Analysis is presented.

The content of this tutorial is based on experience from an internationally working company.

Objective: Basic understanding of a safety process and the practical implementation of a Functional Failure Modes and Effects Analysis.

Monday, 08·12·13, 8:00 - 11:30, Fairfield, Tutorial, 0.3 CEU
Introduction to Fault Tree Analysis Using CAFTA Software
Instructor: Jean Francois Roy, Nuclear Division / Risk & Safety Management Group, Electric Power Research Institute, Palo Alto, CA, USA

This tutorial will introduce Fault Tree Analysis using CAFTA software. Attendees will first review fault tree methodology and terminology. Construction of a fault tree model in CAFTA will then follow a brief review of CAFTA's components and symbol types. In constructing the fault tree model, topics covered will include projects, navigation, editing shortcuts and how to add probabilities. An overview of basic event probability formulas, type codes and variables will be included, as well as printing and quantification processes.
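As an added illustration of the quantification step this tutorial covers (this is editorial example code, not CAFTA's or EPRI's, and the tree, event names and probabilities are assumed), the following Python expands a small fault tree into its minimal cut sets and then quantifies the top event two ways: the rare-event approximation (sum of cut-set probabilities) that tools usually report first, and the exact value for independent basic events. The tree deliberately contains a non-minimal cut set so the minimisation step has something to remove.

```python
from itertools import product
from math import prod

# Constructed, hypothetical fault tree (assumed example, not a CAFTA model or a
# real system). Gates map to (type, inputs); basic events map to an assumed
# per-demand failure probability.
#   LOSS_OF_FLOW = OR(G1, VALVE_STUCK, G2)
#   G1 = AND(PUMP_A, PUMP_B)        two redundant pumps must both fail
#   G2 = AND(PUMP_A, VALVE_STUCK)   subsumed by VALVE_STUCK alone; must drop out
GATES = {
    "LOSS_OF_FLOW": ("OR", ["G1", "VALVE_STUCK", "G2"]),
    "G1": ("AND", ["PUMP_A", "PUMP_B"]),
    "G2": ("AND", ["PUMP_A", "VALVE_STUCK"]),
}
BASIC_EVENTS = {"PUMP_A": 1e-2, "PUMP_B": 1e-2, "VALVE_STUCK": 1e-3}


def evaluate(node, failed, gates=GATES):
    """Boolean evaluation of a gate or basic event given the set of failed basic events."""
    if node not in gates:
        return node in failed
    kind, inputs = gates[node]
    values = [evaluate(i, failed, gates) for i in inputs]
    return all(values) if kind == "AND" else any(values)


def minimise(cut_sets):
    """Drop any cut set that is a superset of another, leaving only minimal ones."""
    minimal = []
    for cs in sorted(set(cut_sets), key=len):
        if not any(m <= cs for m in minimal):
            minimal.append(cs)
    return minimal


def minimal_cut_sets(node, gates=GATES):
    """Expand gates top-down: an OR gate collects its inputs' cut sets, an AND
    gate takes the union of one cut set from each input (cross product)."""
    if node not in gates:
        return [frozenset([node])]
    kind, inputs = gates[node]
    children = [minimal_cut_sets(i, gates) for i in inputs]
    if kind == "OR":
        combined = [cs for group in children for cs in group]
    else:
        combined = [frozenset().union(*combo) for combo in product(*children)]
    return minimise(combined)


def rare_event_probability(node, gates=GATES, basic=BASIC_EVENTS):
    """Sum of minimal-cut-set probabilities: the usual first-order quantification
    (an upper bound, since overlapping cut sets are counted more than once)."""
    return sum(prod(basic[e] for e in cs) for cs in minimal_cut_sets(node, gates))


def exact_probability(node, gates=GATES, basic=BASIC_EVENTS):
    """Exact top-event probability for independent basic events, by enumerating
    every combination of failed/not-failed events (fine for small trees)."""
    names = list(basic)
    total = 0.0
    for bits in product([False, True], repeat=len(names)):
        failed = {n for n, b in zip(names, bits) if b}
        if evaluate(node, failed, gates):
            total += prod(basic[n] if n in failed else 1 - basic[n] for n in names)
    return total


if __name__ == "__main__":
    for cs in minimal_cut_sets("LOSS_OF_FLOW"):
        print("minimal cut set:", sorted(cs))
    print("rare-event approximation:", rare_event_probability("LOSS_OF_FLOW"))
    print("exact:", exact_probability("LOSS_OF_FLOW"))
```

For this tree the two figures agree to four significant digits, which is why the approximation is acceptable in practice; the gap grows as basic-event probabilities or the overlap between cut sets grows, which is the point at which a tool's exact or Monte Carlo quantification options start to matter.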

Tuesday, 08·13·13, 8:00 - 5:00, Arlington, Tutorial, 0.6 CEU
A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique
Instructors: Nancy G. Leveson, PhD; John Thomas, PhD; Aeronautics and Astronautics, MIT (Massachusetts Institute of Technology), Cambridge, MA, USA

STAMP is a new accident causality model that expands on the old models in order to handle the increased complexity, software and changing human roles in today's systems. Using STAMP as a foundation, new tools have been built for hazard analysis (STPA), accident analysis (CAST), organizational risk analysis and risk management, etc. This tutorial will concentrate on STPA. The tutorial will start with a brief introduction to STAMP and the systems approach to safety engineering. The rest of the time will be devoted to learning STPA and doing exercises. Students are encouraged to bring problems from their own research domains so that they can try this analysis method on something very relevant to their work.

STPA is being used successfully in most every industry. Several groups have evaluated STPA empirically by comparing the results with standard hazard analysis techniques. In all cases, STPA found all the hazard scenarios found by the other methods but also found additional ones involving software, human errors and unsafe interactions among system components. In a couple of cases where STPA and the other methods were applied to a design in which an accident had occurred (without telling the analysts), STPA was the only method that found the real accident scenario.

By the end of the tutorial, attendees will be able to apply STPA to a system in their field of expertise.

tuEsday 08middot13middot13 800-1130 FairFiEld tutorial 03 CEu

Assurance Cases as Means of Evidence Based Developed of Critical SystemsInstructors George Despotou BEng MSc PhD CEng Department of Computer Science University of York York United KingdomOften developers have the onus to defend a position (ie make a case) about the safety of their system This usually involves an explanation of how the available information for a system supports the claim that risks in a system have been acceptably managed

Safety cases have been used in the safety domain for a number of years mostly in the defence aerospace and energy domains Their usefulness as a tool to improving safety has been appreciated by many practitioners and development of a safety is a requirement in many standards This has resulted in the core concepts of safety cases to be transferred to other domains (eg automotive) and their focus on other system attributes (eg security cases) Recently the term assurance case has been introduced which encompasses not only safety but other relevant critical aspects of a system such as security

A case exists to communicate an argument It is used to demonstrate how someone can reasonably conclude that a system is acceptably safe from the evidence available A case is a device for communicating ideas and information usually to a third party (eg a regulator) In order to do this convincingly it must be as clear as possible Safety case definition may bear differences in different domains but all definitions converge to a set of characteristics

Development of a (safety) case is a requirement in many standards However the usefulness of the safety case has been appreciated in the industry and is used by many organisations as good practice The reason for this is that explicitly capturing all reasoning and information (about the supported position) such as assumptions and evidence facilitates assessing the fitness of the design to meet its (safety) objectives A manufacturer will design a system aiming to achieve the required operational attributes However what is intended is not often what achieved Once the reasoning of the developers is explicitly documented as claim and argument supported by evidence the gap between what was intended and what achieved becomes more apparent

Explicitly documenting a case will contribute towards the factual representation of the system revealing which claims can be supported by evidence and which remain intention (for example because there is no sufficient evidence to support them) This may not necessarily imply that the latter claims have not been implemented but that we are unaware about their achievement as they are not sufficiently supported There can be three reasons as to why a claim is not sufficiently supported a) there is not sufficient evidence to warrant the claim b) although there is evidence there is inadequate explanation (a problematic argument structure) as to how the evidence supports the claim and c) the claim was phrased in a way that is unsupportable

Program ISSC 2013

The tutorial will describe the basic concepts of assurance and safety cases (including recent OMG standards), explain the main challenges in developing an assurance case and their relationship to safety standards (safety cases and standards serve different purposes and should be seen as complementary), and present best practice (and misconceptions) regarding assurance cases.

Tuesday 08·13·13, 8:00-11:30, Suffolk, Tutorial, 0.3 CEU

Practical Generation of Safety Cases with the Help of GSN
Instructors: Andreas Gerstinger, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria
This tutorial will introduce you to the concept of safety cases. Safety cases are structured arguments that support the claim that a system is safe to be used for a given application in a given environment. Several standards require the production of such safety cases as a prerequisite for approval. The tutorial will highlight good and bad practices when developing safety cases and will introduce you to a notation specifically developed for the generation of safety cases: the Goal Structuring Notation (GSN). There will be practical examples which need to be solved by the attendees, so that hands-on practice and experience is gained.

Detailed outline of the tutorial

Introduction (1h): The tutorial will start with a survey of current safety standards (IEC 61508, ISO 26262, EN 50128, DO-178C) and analyse their views and requirements regarding safety cases. We will then delve into the nature of safety cases, briefly touch on their historical origins, and clearly consider what can and what can't be expected from a safety case. Based on our practical experience, we will also highlight some typical bad practices when constructing safety cases. This helps to correctly and critically read them and is also a helpful guideline for reviewing other safety documentation. This part of the tutorial is largely a presentation.

Goal Structuring Notation (45 min): We will now introduce the main elements of the Goal Structuring Notation (GSN), which is a helpful tool to document safety cases. The presentation of the notation will be interleaved with brief examples, exercises and questions, so that attendees have the chance to fully understand the meaning and purpose of the various symbols. A structured method for how to proceed when drafting safety cases will also be presented. Hence, this part of the tutorial is much more interactive, requiring active participation of attendees.

Case Study (45 min): A realistic case study will then be handed out. It is expected to be solved as group work (groups of 3-5 people are expected). The task of the groups will be to draft and present a sound safety argument for a given claim that the system in the case study is acceptably safe for a specific application in a given environment. GSN shall be used as the notation for this purpose. At the end, the groups present their solutions, and the advantages/disadvantages of the presented solutions are discussed. This part of the tutorial is group work.

Concluding Remarks (30 min): Finally, we will offer some concluding remarks consisting of hints on how to avoid common errors and fallacies in safety cases, show some examples of real-world safety cases, and finish with a personal conclusion.

Tuesday 08·13·13, 1:30-5:00, Suffolk, Tutorial, 0.3 CEU

Improving Safety Management by Using a Risk Management Policy in Your Daily Operations
Instructor: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA
The focus of the tutorial is the use of risk assessment and risk management in the (non-technical) occupational safety and health profession. Domain of Interest: Hazard/Risk Management or Workplace Safety.

First hour: Review the basics of the various components of risk and the types of risk assessments. Stress that the safety and health professional needs to understand that risk is more than a simple subjective measure of severity and frequency.


Second hour: Demonstrate how to make risk assessment into a powerful management tool by customizing the assessment of risk for use in a company or industry. Also provide insights on how to "sell" a risk management policy/program within a company.

Third hour: A discussion of how to use risk management as a tool to aid you in your daily office or program management responsibilities: the planning, organizing, staffing, leading and controlling of a safety program. Embedded in the discussion is how risk can provide a measure of the success of an occupational safety and health program.

Wednesday 08·14·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Why You Should Care About the "-Ilities"
Instructor: Alan E. Southwick, BSEE, MME, MBA, CSP, CQE, CRE, Whole Life Engineering Directorate, Raytheon Company Integrated Defense Systems, Portsmouth, RI, USA
The topic addresses the interrelationships developed from Quality, Quality Control and Quality Engineering, pursuing Specialty Engineering roles and relationships, including Reliability, Maintainability, Supportability, Human Factors, Safety and Security (Information Assurance), from an overview perspective. The tutorial is designed to be somewhat interactive, presenting examples and questions to the audience related to the various topics discussed, thereby engaging participants and providing them with insights into the various disciplines and how they relate within "Specialty Engineering".

Wednesday 08·14·13, 1:30-3:30, Dartmouth, Tutorial, 0.2 CEU

Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System
Instructors: Tim R. Behnke, BSEE; John Damstra, BS Mathematical Sciences; and Eric D. Villhauer, BS Aerospace Eng., BA Economics; Specialty Engineering, General Atomics Aeronautical, Poway, CA, USA
The presenters share their implementation of a hazard analysis that integrates the civil aviation approach to safety analysis per SAE ARP 4761 and the defense approach to safety analysis per MIL-STD-882E, along with their implementation of the associated hazard tracking system in DOORS.

• Introductions - Behnke - 5 mins
• Need for System - Behnke - 5 mins
• Groundwork (historical) - Behnke - 10 mins
• Development - Damstra - 30 mins
  i. Modules
  ii. Attributes
  iii. DXLs
  iv. Views
  v. Exports
• Usage - Villhauer - 30 mins
• Questions - All - 10 mins


Wednesday 08·14·13, 1:30-3:30, Exeter, Tutorial, 0.2 CEU

Where Hard Meets SOFT: Human Factors' Role in System Safety Engineering
Instructor: Fred W. Brisbois, CHCM, Safety, Sikorsky Aircraft, International Helicopter Safety Team, Guilford, CT, USA
The gap that allows accidents to happen is sometimes where System Safety Engineering and Human Factors don't overlap. System Safety Engineering processes defined in MIL-STD-882 and ARP 4761 provide a structured approach of applying engineering practices to ensure safety is designed into products. These practices, coupled with robust product safety surveillance and management during the aircraft's service life, offer opportunities to continuously raise the standards for future designs. However, to maximize the benefits of safety engineering, it is important to master the 'art' of how and when to integrate human factors interventions into the system design. This session will cover a generic overview of system safety engineering, aircraft fleet safety management, and lessons learned from 'human' malfunctions that led to aircraft system design changes.

Wednesday 08·14·13, 1:30-5:00, Wellesley, Tutorial, 0.3 CEU

Using Risk Profiles for Safety Management of Large Scale Operations
Instructor: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA
This tutorial provides safety and health professionals who work with large scale or multiple operations with a methodology to evaluate and compare these operations. The tutorial begins with a review of four types of risk which need to be assessed (People, Product, Production and Planet). This is followed by a brief discussion of normalizing the risk components of severity and probability. The heart of the tutorial is the description of how to measure the total risk of various operations, processes and facilities and present the resulting risk profiles to management. The tutorial will conclude with a brief discussion on the validity of the methodology used. Note: this is not a discussion on how to determine true total risk, but a simplified method using a minimum of math. The tutorial is designed for safety and health professionals working within a company that has multiple processes or facilities that compete for funding to ameliorate hazards.

Thursday 08·15·13, 8:00-5:00, Exeter, Tutorial, 0.6 CEU

Conceive of Modeling On Operation Mechanism of Public Safety Standardization
Instructors: Yun Luo and Yuecheng Huang, ME, School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
On the basis of theories and methods of system science and strategy systems, this paper reveals the operation law of work safety standardization and the relations between all of its elements, combined with the background and current situation of public safety standardization in China. It also builds the framework of the macroscopic operating mechanism and the "456" model of the work safety standardization system operation mechanism, which borrows from the execution and achievements of work safety standardization in our country. Besides, it also designs six other mechanism models in order to perform systematic analysis and present optimized countermeasures, such as comprehensive management by government, categorized supervision by department, implementation of responsibility by organization, technological service by agency, wide participation by society, self-disciplined prodding by all personnel, and so on. The research provides some theoretical directions as well as approaches for the construction and improvement of the operation quality of public safety standardization.


Panel Discussions / Forums

Tuesday 08·13·13, 8:00-11:30, Dartmouth, Open Forum

Developing Global System Safety Perspectives
Moderator: Robert Ward Fletcher, PEng, MSc, PMP, PCIP, Consultant, President, Robert Fletcher System Safety Inc., Ottawa, Ontario, Canada
This will be a free form discussion moderated by Bob Fletcher, SSS Director of International Development. It is a continuation of the discussion started during the 30th ISSC.

Robert is a system safety engineer with many years of experience. He has performed system safety consultancy services work for several clients around the world. He performed system safety engineering and safety management systems training, auditing and analysis for air traffic control and flight service system applications. Robert has received an MSc from the United States Navy Post Graduate School, a diploma from the Aerospace Systems School, Winnipeg, Manitoba, and a Bachelor of Science degree from the Royal Military College. He is a registered professional engineer, a member of the Project Management Institute and the Critical Infrastructure Institute.

Thursday 08·15·13, 8:00-11:30, Suffolk, Panel

G-48 Workshop - Pressing Issues Facing System Safety
Moderator: David B. West, CSP, PE, CHMM, Systems Software and Solutions Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
A panel of speakers (TBD) will give a series of presentations on the most pressing issues facing the System Safety community today.

Workshops

Tuesday 08·13·13, 8:00-11:30, Exeter, Workshop

ISO 26262-Style Risk Assessment
Presenter: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada
ISO 26262 is a functional safety standard for electronic control systems in road vehicles which includes a novel approach to risk assessment that overcomes the widely recognized difficulty of evaluating the likelihood of failure in the case of software-intensive systems. Although it was devised for use in the automotive domain, this approach to risk assessment has been used successfully in other technical domains that also rely on safety-critical software. Following a brief introduction to ISO 26262, participants will engage in a series of problem-solving small-group exercises based on examples taken from a variety of technical domains, including automotive, medical devices, energy and defense. The workshop will include opportunities for discussion and comparison of sample solutions. The workshop will also include a brief comparison of the ISO 26262 approach to risk assessment with the notion of software criticality in MIL-STD-882E. While this workshop will be of particular interest to system safety engineers in the automotive industry, it is intended to be relevant to system safety engineers across all technical domains with an interest in the assessment of safety risk associated with complex software-intensive systems.


Tuesday 08·13·13, 1:30-5:00, Exeter, Workshop

Application of System Safety Methods to Systems of Systems
Presenters: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada; Rami Debouk, Electrical and Controls Integration Lab, General Motors, Warren, MI, USA; Antonio Vergara, ITER Organization, St Paul-lez-Durance, France
This workshop will facilitate an exchange of knowledge among participants about the application of system safety methods to Systems of Systems (SoS) – that is, systems whose components are themselves complex systems, such that the combined behavior of these components cannot be easily understood or explained in terms of the behaviors of the individual components. Examples of such systems are increasingly common across a variety of technological domains, including aerospace, defense, automotive and energy generation/distribution. Traditional methods of system safety, focused on component failure as a source of safety risk, have limited value in understanding and managing the safety risks associated with a SoS. For example, an unforeseen interaction between two "correct" behaviors implemented by different components of a SoS may result in an unsafe behavior even in the absence of a component failure. The first part of the workshop will be a series of short presentations on SoS examples from a diverse variety of technical domains, namely advanced road vehicles, high energy physics and aerospace/defense. The second part of the workshop will be an opportunity for all participants to address specific questions about the application of system safety methods to SoS through dialogue and impromptu mini-presentations.

Tuesday 08·13·13, 1:30-5:00, Fairfield, Workshop

Advancing Safety By Reducing Errors: A Fresh Approach
Presenter: Tim Autrey, BSc, Error Reduction and Human Performance Enhancement, Practicing Perfection Institute Inc., Swanzey, NH, USA
Potential hazards workers face while working in the refining and petrochemical industry can vary from minor leakage to major blasts: release of chemical vapors, spills leading to exposure to harmful gaseous chemicals, fires and explosions, and smoke build-up causing shelter-in-place impacting the local community, personal injuries, fatalities and plant damage resulting in shutdowns. Considering time pressures, the dangerous nature of the job, weather conditions, lack of communication, poor/inadequate documentation and remote working locations, planners, locators and refiners often face combined challenges that generate very error-likely conditions.

While unexpected releases of toxic substances do occur, the industry is subject to vulnerabilities caused by others (such as processes involving highly hazardous chemicals leading to the release of flammable liquids and gases, and worker stress and fatigue), and investigations reveal that many of the major accidents that do occur could have been prevented through greater diligence on behalf of the respective personnel involved.

This workshop is designed to provide the participants with the awareness that, as humans, we are fallible (even the best people make mistakes). However, this being said, as humans we also possess the incredible power of choice. What we must do is choose to learn from our mistakes and take actions to prevent their recurrence.

Bird and Germain (1996) rightly said, "What is the sense of measuring if the loss must occur before you can act? That is reaction, not control." What we need is a fresh approach to enhance safe work practices. This session will instill a strong understanding of "The Gap" in processing information and how to RESPOND rather than REACT when posed with a stressful or threatening situation. The participants will come to recognize the value inherent in worker contribution to solving problems and improving safety and efficiency.

The Practicing Perfection® approach has taken the best-of-the-best tactics and tools from the US commercial nuclear power and airline industries, simplified them, and combined them with the underlying triggers and influencers of behavioral psychology to transform worker behaviors pertaining to personal and process safety in different sectors.


Using this innovative approach of Practicing Perfection®, safe work practices will be discussed in depth using the four human error barrier/defense categories and how these work together to prevent/allow an event to occur. The participants will be introduced to the Error Elimination Tools™ handbook, which offers simple tools for minimizing the potential for error at points of team interaction and individual execution.

Wednesday 08·14·13, 1:30-3:30, Arlington, Workshop

The Evolution of the UK Defence Safety Standards
John McDermid, Professor of Software Engineering at the University of York, UK
Issue 5 of DS 00-56 is being developed and is likely to be in force before the end of the year. The UK's primary defence safety standard, DS 00-56, has been in existence since mid-1990 and has undergone a number of changes, becoming more goal oriented at Issue 4 (the current standard). When Issue 4 was produced, DS 00-55, the MoD software safety standard, was discontinued. Since the publication of DS 00-56 Issue 4 in 2007 there has been feedback on some of the requirements, including the challenges of applying the ALARP principle; defence contracting has changed, with a move towards the greater procurement of services and/or outsourcing management of facilities; and there is increasing use of Systems of Systems (SoS). Issue 5 of DS 00-56 is being developed to address these issues. At the same time there have been increasing concerns regarding software safety, and it has been decided to re-introduce DS 00-55 at the same time, albeit in a goal-based style consistent with DS 00-56 and also covering complex electronics. The tutorial will present an explanation of the motivation for the changes to the standards and the significant conceptual changes, and outline the rest of the development process. Time will be allowed for discussion, e.g. the relationship between DS 00-56 and other standards, both civil and military.

Wednesday 08·14·13, 1:30-3:30, Fairfield, Workshop

Aircraft Fire & Explosion – How Safe Are the Friendly Skies?
Albert Moussa, PhD, PE
While commercial air travel is an extremely safe mode of transportation, aircraft fires and explosions can occasionally occur with catastrophic consequences. Using examples of recent accidents and full-scale testing, Dr. Albert Moussa will provide an overview of the main types of fires, such as those involving aircraft engine, fuel tank, cabin and cargo areas. He will show how major accidents lead to safety recommendations by the NTSB, stricter requirements by the FAA and improved practices by the industry. This process takes many years, leading eventually to safer skies. Examples of safety improvements include the use of a fire blocking layer in seats, improved acoustic insulation, fire detection and suppression systems in cargo bays, and fuel tank inerting. The implications of replacing aluminum with composite materials will also be discussed. The talk is an overview of a unique professional course that he teaches annually on the design of aircraft systems for protection against fire and explosion. The talk is a multi-media presentation illustrated with colorful slides and short video clips of real accidents and computer model outputs.

Dr. Albert Moussa has spent over forty years developing a fundamental understanding of fire and explosion, particularly for the aerospace/defense industry. His work has led to the development of a number of practical solutions and quantitative models, and to the investigation of several major national and international aircraft fire accidents. His forewarning about the vulnerability of aircraft fuel systems before the occurrence of the TWA 800 and Concorde disasters has gained him prominence in the general media in both the US and Europe. He has consulted for the Air Force, Navy and major firms such as Boeing, GE, Northrop Grumman and Parker Hannifin, and has served on national advisory committees and on the Editorial Board of an ASME journal. He teaches a unique professional design course on how to protect aircraft systems against fire and explosion. He received his BS from Stanford University and his MS and ScD from MIT. He has published widely, including one book. He has received several honors, including the William Littlewood Memorial Lecture Award by SAE/AIAA, Engineer of the Year by the AIAA NE Section, best paper awards by SAE and ASEI, AIAA Distinguished Lecturer, and several ASME citations. He is the Founder and Technical Director of BlazeTech Corp., an engineering firm that specializes in technology and software development in the areas of energy, environment and safety.

Friday 08·16·13, 8:00-10:00, Clarendon, Workshop

Process Safety Culture Best Practices
Presenter: Laurence Pearlman, MA, Corven Inc. and University of Illinois at Urbana-Champaign, Naperville, IL, USA
The workshop explores how process safety is more than a technical solution and involves cultural change. To make a successful and sustainable culture change, multiple elements need to be combined that address people, rewards, learning and leadership. This workshop will explore best practices and give practical advice on how to build a process safety culture. The workshop is aimed at oil, chemical and other process-related work.

• Introduction
• Change as a Journey: Overview of Change Management
• Building a Business Case: Defining a Burning Platform
• Speaking of Process Safety: Creating a Common Language for Process Safety
• Leadership Matters: Defining the Role of Your Leadership Teams
• Effective Learning: Segmenting Your Audiences and Delivering Relevant Learning Activities
• Looking at Behaviors and Desired Outcomes: How To Define & Drive Behaviors
• The Employee Lens: Know My Barriers & Know My Role in Keeping Them Healthy
• Measurement of Culture: What Works and What Doesn't
• Wrapping it Up: Change as a System

You have a lot on the line. Our adaptive Safety Management and FAA Compliance solutions won't let you down.

Adaptive SMS — The comprehensive solution for the most efficient implementation
• Extends a culture of safety beyond safety teams
• Easily guides users to confidentially report useful safety events
• Responsiveness shows users they made a difference

Adaptive Systems Safety Analysis — Safety oriented system design analysis

Don't miss the Sikorsky Aircraft and AST Aerospace presentation "Linear Integrated Safety Analysis (LISA)"

AST Aerospace, a division of Atlantic Software Technologies
1-732-230-2590
sales@astaerospace.com
www.astaerospace.com


Paper Presentations

Monday 08·12·13, AM, Berkeley, Hazard Analysis, Chair: Barondes

Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models
Lucas Wind, Dr. Gabriele Schedl, Juergen Floetzer, Safety Management Department, Frequentis AG, 1100 Vienna, Austria
Multiple failures of components due to shared causes, also known as Common Cause Failures (CCF), comprise an important class of failure types. These have to be taken into account in any serious assessment of safety critical systems deploying any redundancy concept. Whereas a qualitative assessment of CCF can be regarded as common practice, the exact numerical impact of CCF is usually less widely understood. Explicit representation of CCF is quite cumbersome and usually involves complex graphical representations within Fault Trees and RBDs. Focusing on a correct derivation of RAM data rather than on a comprehensive common cause analysis, an implicit representation of CCF is therefore often preferred, but involves in-depth knowledge of the underlying mathematical models. This paper aims to enable safety experts to make a fast, simple but effective RAM analysis including CCF. Popular CCF models are reviewed together with their advantages and disadvantages, based on the long-term experience of a supplier in the context of a large European ATM project. The single-parameter beta-factor model is explained in detail and demonstrated to be most effective for typical ATM applications. Based on this model, results are given in terms of representative figures depicting the influence of CCF on various typical real world availability requirements.

Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees
Wes Rainey, MSEE, Life Cycle Engineering, General Dynamics Electric Boat, Groton, CT, USA
Fault Trees prove to be an effective tool for identifying safety critical system hardware and software requirements during the Safety Requirements Hazard Analysis (SRHA) process. This safety analysis methodology offers significant benefits when performing the SRHA. Fault Trees effectively communicate the safety assessment of a safety hazard to other safety engineers, systems engineers, the customer and other impacted engineering disciplines in a manner that each discipline can readily understand and evaluate for completeness and correctness. Fault Trees also enhance the safety engineer's ability to assess the implications of safety mishaps and events on safety hazards, improving visibility into the relationship between related mishaps and events and allowing common events to be identified and shared between hazards. Fault Trees can then be structured to correspond to the system hardware and software requirements analysis, thus providing the ability to identify hazard-mitigating safety critical requirements, design features and procedures early in the development process for continued tracking and management. This paper describes significant benefits of Fault Tree analysis when applied to an SRHA, with an example based upon a hazard caused by significant equipment damage to a pump.

The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment
Omar T. Jaradat, PhD Student (1); Patrick J. Graydon, Postdoctoral Research Fellow (1); Iain Bate (2); (1) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden; (2) Department of Computer Science, University of York, York, United Kingdom
Typical safety standards require software engineers to show that a plan of safety activities—chosen from recommended options or alternatives—meets a set of objectives. For example, the automotive safety standard ISO 26262 recommends formally verifying software architectures to show that they comply with safety requirements. In this paper, we show how an existing approach to architectural model checking could be used to conform to ISO 26262.

The Architecture-Based Verification Technique for AADL Specifications verifies some completeness and consistency properties of Architectural Analysis and Design Language (AADL) models. An engineer transforms the AADL architecture into an UPPAAL model, generates a set of UPPAAL queries, and uses UPPAAL to check the queries. Using the resulting evidence, we have created a partial ISO 26262 safety case for an existing system that warns drivers of heavy vehicles before low fuel causes loss of power and vehicle control.

In this paper, we demonstrate how this model-checking evidence contributes to an ISO 26262 safety case. We then critically analyze the resulting argument, recommend means of achieving complete coverage of ISO 26262 objectives, and discuss the costs and benefits of architectural model checking in comparison to those of the other techniques recommended by ISO 26262.

Monday 08·12·13, AM, Clarendon, Ground Transportation, Chair: Millin

Achieving Confidence of a Safety Critical System Product and Its Applications
Fenggang Shi, PhD, RAMS Department, Thales Canada Transportation Solutions, Toronto, ON, Canada
A safety critical system product can be developed for multiple project applications, such as a Communication Based Train Control (CBTC) product for modern railway signaling systems. It is natural that different safety critical systems in the same domain can have different characteristics due to variances of devices and operation environment. Such a product must be developed based on the generic attributes of systems in the domain and can be parameterized and tailored to a specific system with the characteristics expected by the customer. The key issues in development of such a product are defining common functions in the application domain, categorizing and generalizing devices, and designing a configurable system architecture. Thus devices and functions can be parameterized and tailored for the specific system of a project. Safety engineering for such a safety critical system product and its applications faces complexity in safety case development for demonstrating systematic hazard analyses and management. This paper discusses Thales' experience and practice in resolving the key issues in designs and managing the complexity of safety engineering on its CBTC product and applications. Safety confidence of CBTC systems is achieved through four layers of safety engineering: vital computer controller, platform, generic application and specific application.

Failure Logic Automata for Future Oriented Safety Assessment of Train Control System
Guo Zhou, PhD Student; Huibing Zhao, Professor; School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China
In the development progress of train control systems, safety analysis possibly deviates from system design. System engineers and safety engineers always carry out their ideas in entirely different ways, so that when system engineers assert their designs are complete and feasible, the safety engineers may disappointedly declare that the safety requirements are not met. On the contrary, when safety engineers expose their manual analysis reports (FTA, FMECA, etc.), system engineers may pop up and point out the inconsistency. Intuitively, there seems to be a "gap" between system engineering and safety engineering. In this paper, some comparisons amongst classic safety assessment methods are performed first. Then a future-oriented safety assessment method is introduced to safety engineering to automatically realize safety requirements verification with the soaring complexity of system design. The hierarchical and modularized methodology of failure logic modeling is illustrated for minimal cut set synthesis and dangerous failure rate calculation, which can be referred to in order to promote safety. The mathematical model is constructed to manifest the correctness of the method. An instance analysis of an on-board train protection system is also performed.

Are We Ready for Driverless Cars?
David B. West, CSP, PE, CHMM, AMCOM/AMRDEC Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
For decades, technological advancements have continually improved the automobile, making it easier to drive. As we integrate features like adaptive cruise control, GPS navigation, lane keeping and so on, and make them interoperable, we move ever closer to having cars that will drive themselves to the destinations we enter into their programs. Some experts have even predicted that in less than a generation it will be illegal to steer our cars ourselves. Though it may seem that serious safety challenges constrain our movement down this path, it may actually be the safety benefits offered by driverless cars that propel us in this direction. Several high-profile competitions have fostered the development of driverless car technology. Some jurisdictions are already passing legislation to pave the way for driverless cars on public roads. With driverless cars will come major changes in legal processes involving accidents. In many ways the development of driverless cars that will operate on public roadways parallels the development of unpiloted aircraft that will fly in the national airspace. Design standards for hardware and software in civil aircraft (e.g. RTCA DO-254/DO-178) may serve as models for similar qualification of driverless car hardware and software.

Tuesday 08/13/13 AM, Berkeley: Hazard/Risk Management. Chair: Parizo

Safety is not an Option
Clifford A. Parizo, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Stratford, CT, USA; R. Brandon Daugherty, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Huntsville, AL, USA
This paper presents a method for evaluating and classifying rotorcraft safety enhancing equipment in terms of impact on safety and various equipment implementation factors. Guidance from certifying agency policy and system safety standard practice were considered, resulting in a classification tool that can be used to determine if equipment should be marketed and sold as either mandatory or optional. The methodology developed may have applications for other products and industries.

National Aerospace Standard 411 Update
Timothy Sheehan, CIH, CSP, PE, Raytheon Global Substances Program, Raytheon, Portsmouth, RI, USA
This paper describes the effort to review and update National Aerospace Standard 411 ("NAS 411"), commonly used within defense as a framework to conduct Hazardous Material Management Programs (HMMP) intended to reduce hazardous material risks in the government procurement of military systems. The scope of the effort includes both a review of the standard and the introduction of several key changes, including the expansion of the scope to non-military procurements and service contracts. Included in the effort is the task of developing a standardized military Hazardous Materials Target List (HMTL) that can be used as a starting point for military HMMP hazardous material (HAZMAT) target lists. The development of the common HMTL addresses the need to increase standardization of HMMP lists across defense programs that use NAS 411 and/or MIL-STD 882E Task 108 to conduct their HMMPs. There is no current standard approach for developing these lists; as a result, there are numerous different materials identified for restrictions and reporting requirements. The current situation often does not support (or reflect) the hazmat risk management goals of the DoD, the military services, or the contractors.

Linear Integrated Safety Analyses (LISA)
Michael T. Grant, Aviation & Product Safety, Sikorsky Aircraft Corp., Stratford, CT, USA; Samad Muhammad, Atlantic Software Technologies, Inc., New York, NY, USA
This paper describes the Linear Integrated Safety Analyses (LISA) process developed by the Sikorsky Aircraft Corporation (Sikorsky). The LISA architecture is designed to encompass all aspects of safety risk management for aircraft development programs. It is linear in that each assessment is repeated at the aircraft, system, and subsystem levels in sequence, and it is integrated such that all analyses are connected and fully traceable to requirements. Sikorsky has partnered with Atlantic Software Technologies (AST) to develop a web-based LISA application. The end product will be a fully integrated system safety process that is comprehensive, repeatable, and traceable.

Tuesday 08/13/13 AM, Clarendon: Workspace Safety. Chair: Kondreck

Program ISSC 2013

Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen
Han Zhang, MSc Candidate; Rachel McQueen, MS, PhD; Jane Batcheller, PhD; Human Ecology, University of Alberta, Edmonton, Alberta, Canada
Burn injuries in kitchens are prevalent; as well, chefs are exposed to high heat and humidity. Limited research has been performed on safety issues related to chef's uniforms regarding thermal protective performance towards common kitchen thermal hazards (i.e., flames, hot liquids, steam, and hot surfaces) and the thermal comfort within commercial kitchens. The purpose of this research was to characterize the thermal protective performance properties of textiles used in chef's uniforms in order to understand how protective they are against all these thermal hazards in such an environment. Selected thermal performance tests (i.e., flammability and ease of ignition, hot water and oil splash, steam testing under low pressure, and hot surface contact tests) were applied to predict the time to second-degree burn. Different fabric layer combinations (e.g., impermeable/semipermeable apron and two or more layers of cotton fabrics) were applied to determine the most effective way to wear chef's uniforms. In addition, thermal and water vapour resistance were compared among different fabric systems in terms of thermal comfort. Based on the data obtained from bench scale tests, recommendations were made to improve the thermal protection and thermal comfort of fabrics used in chef's uniforms and the safety within commercial kitchens.

A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources
Ray Fischer (1), Kurt Yankaskas, BS (2), Chris Page (1); (1) Noise Control Engineering, Inc., Billerica, MA, USA; (2) Warfighter Performance Department, Office of Naval Research, Arlington, VA, USA
Noise remains the most prevalent occupational hazard associated with defense systems and operations critical to their sustainment. Concurrently, acquisition programs have been inconsistent in application of control measures, and many new systems are noisier than their legacy predecessors. Common impediments to improved control include relative lack of emphasis on risk management of noise, lack of widespread technical knowledge regarding the feasibility of noise control, and misunderstanding of potential return on investment from noise controls. The Defense Safety Oversight Council's Acquisition and Technology Task Force sponsored a project to identify common noise sources affecting multiple defense systems that were amenable to control measures that could be implemented using existing technologies at an affordable cost. A system engineering risk management process was applied to review key noise sources in DOD, identify nine of the more common sources amenable to control technologies, and describe common control measures for these processes. An affordable containment (acoustic enclosure) technology was also evaluated and described. Estimates were made of exposed populations, the range of their occupational exposures, and potential risk and fiscal cost of hearing loss. Cost-benefit analyses were applied to evaluate the return on investment from available control measures.

System Safety Design for Safe Operation of Radars
Ronald J. Bartos, PE, CSP, Whole Life Engineering, Raytheon, Sudbury, MA, USA
Safe operation and maintenance of radars depends upon effective system safety and software safety analyses of radar designs. These analyses include identification of the hazards involved in operating and maintaining radars and the safety requirements that are necessary to mitigate these hazards. This paper familiarizes the reader with the system safety design requirements that are implemented in the controls of these systems in order to manage the potential safety risks inherent in radars. The safety features are contrasted among different types of radars. The differences in the types of safety features among these systems are highlighted, and factors for these differences are presented. The radar's mission, location, system architecture, conceptual design, and requirements allocation between hardware and software need to be understood in order to implement an effective safety program.

Tuesday 08/13/13 PM, Berkeley: Software Engineering. Chair: Mikula

Dependability Techniques Applied to Space Software - A Research Project Report
Carlos Henrique Netto Lahoz, Dr. Eng., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos (SP), Brazil; Martha Adriana Dias Abdala, M.S., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos, Brazil
This work reports some results of a research project performed at the Institute of Aeronautics and Space (IAE), Brazil, using dependability techniques applied to a space computer system. Hazard analysis techniques such as Software FTA and Software FMECA were used in an integrated manner, and more recently the System-Theoretic Process Analysis (STPA) has been studied. This research is part of the Verification and Validation (V&V) efforts to increase software dependability capability in software projects at IAE.

The feasibility of such an approach was conducted on system software specification and applied to a case study based on the Brazilian Launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to the inclusion of new functional and non-functional system software requirements.

The techniques are adjusted and used in combination to identify common causes of software failures, their criticality, performance problems, temporal misleading, and hazards arising mainly from dysfunctional interactions between components. The SFTA analysis produced 82 basic events and the SFMECA 34 analyses from the sequence of flight and control events. The STPA is being applied to one of the case study scenarios in order to evaluate possible additional information about how the behavioural safety constraints can be violated.

The Principles of Software Safety Assurance
Richard Hawkins, PhD; Ibrahim Habli, PhD; Tim Kelly, PhD; Department of Computer Science, University of York, York, United Kingdom
We present common principles of software safety assurance that can be observed from software safety standards and best practice. These principles are constant across domains and across projects and can be regarded as the immutable core of any software safety justification. The principles also help maintain understanding of the 'big picture' of software safety issues whilst examining and negotiating the detail of individual standards, and provide a reference model for cross-sector certification.


Formal Modelling in the Development of Dependable Systems
Elena Troubitsyna, PhD, IT, Åbo Akademi University, Turku, Finland
Nowadays we tend to place increasing reliance on computer-based systems and the software which they are running. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, the analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.

It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing of software to the required degree of dependability infeasible, and hence the emphasis should be put on the development process, which is aimed at producing fault free software. Moreover, the system environment has a direct impact on its dependability, and hence a systems approach should be applied.

In the paper we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.

Tuesday 08/13/13 PM, Clarendon: Aerospace Safety. Chair: Kraemer

Systems-Based Approach to Flight Safety Management in Airlines
Hong Chi, PhD; Baoguang Xu, PhD; Mingliang Qi, PhD; Xueyan Shao, PhD; Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China
Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of SMS. From 2006 we have worked with one of China's 3 big airlines, taking part in its construction of SMS. We find that safety risks have their own features in different airline departments, and divide safety risks into two categories: one is caused by factors such as quality of pilots and reliability of airplanes, and the other is caused by misprocessing through operational processes; for example, a misprocessing in data entry during dispatching may lead to insufficient fuel and then serious outcomes. A reasonable risk assessment can be obtained only by systematic mechanism analysis, and other analytical approaches need to be studied besides the risk matrix. Based on this, effective risk mitigation can be implemented in airlines. We develop a closed loop to support airline flight safety management named "Describing-Assessing-Diagnosing-Improving-Tracking". Specific details will be discussed in this paper.

Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch
Burak Durmaz, MSc Eng, Product Assurance Department, Space Systems Group, Turkish Aerospace Industries Inc. (TAI), Ankara, Turkey
Even if the new generation aircraft have rugged designs which are maximizing reliability, exposure to failures during operation is still indispensable. With a pure safety approach one can lead to the classical result: "the safest aircraft is the one in the hangar". Vice versa, allowing dispatch without ensuring a certain level of safety can lead to catastrophic results and is totally not acceptable. MMEL has been answering this dilemma for many years. Each MMEL item is analyzed taking into account the effects of item inoperability on safe flight and landing, crew workload, functional capabilities of the systems, design margins, and the impacts due to the next critical failure. MMEL is proposing dispatch criteria for any inoperative MMEL item by taking credit from a redundant unit which is capable of accomplishing the same function, the backup data provided by alternative sources or equipment, dictating acceptable limitations, and/or requiring operational or maintenance procedures.

This study is aiming to answer questions such as why MMEL is required and how an MMEL is developed. Also, brief information about the MMEL regulations, the importance of MMEL to ensure safe dispatch with inoperative item(s), and some simple examples regarding MMEL applications are going to be provided.


Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics
Stuart Campbell Sr., MAS, CFII, ATP, Aeronautical Science, Embry Riddle Aeronautical University, Daytona Beach, FL, USA
The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilot Association, 2010). The absence of a positive safety culture in general aviation, to include training organizations, affects pilot judgment and decision making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture during the learning process and training, is of importance and currently under study using the Frasca Mentor Advance Aviation Training Device.

Tuesday 08/13/13 PM, Dartmouth: Software Safety. Chair: Schmedake

Safety and/vs Security: Towards a System Engineering Approach for Trust
Erwin Schoitsch, Dipl.-Ing., Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria
Safety has a long tradition in many engineering disciplines, evolving long before computers arrived on the scene. Security in engineering disciplines has a shorter history, becoming increasingly important with the rising complexity of networked systems. In complex cyber-physical systems and systems-of-systems, both worlds, having ignored each other for a long time (independent communities, different targets, standards, techniques and measures), have now to share their concerns to achieve the real goal of users and stakeholders: trustworthy systems.

The paper will compare the different approaches of the major safety and security standards, particularly with respect to setting goals, considering techniques and measures, and qualification/certification. Holistic system aspects as covered by the notion of Dependability and Resilience as umbrella terms, and system engineering aspects taking into account dichotomic properties of complex embedded systems (commonalities and trade-offs), are looked at to try to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from concept phase, hazard and risk analysis to decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC-FP7 Integrated Project OpenCoss, in IEC/ISO standardization groups, and other work.

Anatomy of a Safety Critical Software Function
Richard Church, Raytheon Company, Tewksbury, Massachusetts, USA
This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides clear and concise determination of how a safety critical function may be defined at the system level to include hardware, software, human interactions, and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose SLSCF computing level functions and details what constitutes a Safety Critical Computing Software Function (SCCSF) and how to identify those behavioral attributes that designate that function as safety critical. This paper provides a methodology to identify, decompose, and categorize application and operating environment SCCSFs. For the purpose of this paper, SCCSFs are categorized into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety critical software functions that control and monitor safety critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies, and fail-safe designs found in successful high consequence safety critical systems.

Software Risk: The Third Rail of Safety Analysis
Holly S. Hildreth, PhD, Consultant; Charles "Greg" Elcock, USN-R Aviator, Consultant; San Diego, CA, USA
"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Due to our inability to assess probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called "throwing the baby out with the bath water". Meanwhile, the recent industry trend to assess software risk based solely on implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss shortcomings of this trend and describe alternative techniques that have not been openly documented but that have been used "under the radar" by software safety professionals for many years.

Wednesday 08/14/13 AM, Berkeley: Human Factors. Chair: Robins

ASL – Affective Safety Leadership
Ulrik Ramsing, Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark
Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how", demanding the CoRep to engage with all parties in a safe, professional, and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged with CfL, Centre for Leadership, to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, of which the satisfactory completion is now a requirement for employment in DONG E&P Offshore Operation as Company Representative.

The CoRep Program satisfies its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors, and ILO-driven offshore coaching.

Exxon Valdez: Human Error, Plain and Simple
Arthur D. Barondes, BS (Mil Engr), MS (Aero), MBA, PhD (ABD) (Business), Analytics International Corporation (AIC), Alexandria, VA, USA
Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989—and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors—there were no mechanical or electrical failures that fateful night—the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots, and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors—onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company—as solely responsible for the disaster.


Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A. Vernacchia, MS, PE, Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A. Green, PhD, Active Safety Systems, General Motors, Warren, MI, USA; Robert E. Llaneras, PhD, Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA
Today's electric propulsion system designs (e.g., Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, some failure modes may result in the failure effect on output torque being realized significantly faster than traditional ICE failure modes. These may present differences in how output torque responses impact potential "Driver Startle" events.

This paper compares electric propulsion systems' fault response characteristics and subsequent detection and mitigation capabilities to those of ICE systems. The effects of the electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle level hazard metrics related to Driver Startle, are presented.

Wednesday 08/14/13 AM, Clarendon: Public Safety. Chair: Fletcher

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD; Yun Luo; Shuo Tian, MS; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
To make scientific precaution and effective control of accidents is important for the national production of China. The famous Heinrich Rule reveals that the statistical law of the severity and frequency of accidents is essential to control accidents, but the accidental source and causation, as well as the essence of systematic safety factors, haven't been stated deeply. With the data analysis from various accident statistics over recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. And then a proportion rule of the accident pyramid is further figured out, namely "Major Accident-Fatal Accidents-General Accidents-Hidden Dangers-Hazards" (1-52-240-4700-∞). The result accords with the traditional Heinrich Rule, which provides the theoretical basis for accident prevention and indicates the way and direction of realizing the essential safety.

Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity
Ilya M. Zheleznov, PhD, VNIIA, Moscow, Russia
The paper presents a review and results of analysis of different technical and economic aspects of industrial safety at a large enterprise with distributed sites, combining R&D works with pilot and batch production of high-tech products, and located in a megacity – Moscow.

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to the optimization, considering minimization of transportation of dangerous substances, localization of treatment facilities (waste effluents, gas purification) and storehouses of waste, localization of systems of working conditions maintenance (heating, air-conditioning, air clearing, water supply, etc.), possible harm to the population, and a number of other factors, both from technical and economic points of view, are considered.

The features connected with the arrangement of the enterprise in a megacity, including such as limitation of the areas for treatment facilities, a high saturation of the area by various communications, small distances to residential buildings and objects of the city infrastructure, transport problems, high impurity of the air environment, etc., are allocated.


Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr. Professor G. A. Smirnov, Dr. D. I. Yurkov, D. V. Syagin, T. V. Kozhina; All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia
The paper reviews the questions related to vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including ones of a terrorist orientation, as well as to emergency situations of natural and anthropogenic character.

Main provisions of the Russian Government approved complex program of safety of the population on transport are presented. Approaches to the organization of examination of physical persons, passengers, vehicles, cargoes, luggage, and personal things on objects of the transport infrastructure of undergrounds of Russia are formulated. Some types of neutron and x-ray equipment designed and produced by VNIIA named after N. L. Duhov for detection of explosives, nuclear materials, and drugs are presented.

Wednesday 08/14/13 AM, Dartmouth: Lifecycle Safety. Chair: Swallom

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore, Singapore
System Safety analyses assess the systems' hazards throughout all phases of the system life cycle. Quite often, details of maintenance tasks on systems were not clearly thought out and assessed. Hence, while in the midst of carrying out system maintenance tasks, hazards could arise and pose safety implications to users. Improper maintenance could also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance and sometimes total replacement of the components at regular intervals are required. Therefore, it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance
personnel's awareness of safety critical or safety related parts is also crucial in ensuring that the systems remain safe for operation after conducting maintenance.

This paper attempts to classify the different types of maintenance and the focus of their respective hazard analysis in order to better address their potential hazards. Generally, there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance, and Reliability-Centered Maintenance. The authors will discuss, with examples, the hazard analysis for each of these types of maintenance.

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram, David Hartfelder; Electronic Controls and Software, General Motors Company, Milford, MI, USA
System safety engineering is the application of special technical methods and managerial processes in a systematic manner to identify, evaluate, and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned about eliminating or minimizing the impact of system hazard(s) to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementing critical safety analyses, tests, and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that it is able to influence the design of the system. This paper will define a system safety case and provide an overview of its development within the GM system safety engineering process as it applies to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA
Error Prevention Event Collection (EPEC) Documents have been beneficial to the ULA Organization in many ways by providing multiple methods to augment current ULA Error Prevention Processes and share Lessons Learned throughout the ULA Organization. EPEC Documents are stand alone documents that provide ULA Personnel with categorized sets of Event information that can be used to augment Preventive Analysis, Reactive Analysis, and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process. This means that they have completed the Causal Analysis, Corrective Action Board, and Error Prevention Council processes. Upon Event closure, the "All Items" Database is populated with Event information and the applicable Event EPEC Categories. Then the "All Items" Database automatically sorts Event entries into "Category" Databases. There is one "Category" Database for each EPEC Category. Each "Category" Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" Database that provides users with instructional use, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications, and benefits will continue to be explored as they relate to the EPEC Documents.

Wednesday, 08/14/13 AM, Exeter: Human Factors II (Chair: Flint)

Development of Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy, Yanyan Wang, DE, Xin Liu, Wei Bai, Xinsheng Guo; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress has a disadvantageous effect on flight safety. Life events are a routine item of aircraft accident investigation in many countries, and many pilots involved in accidents were suffering from life events. In order to achieve the ideal effect, flight safety education must be incorporated with psychology. An education program combining flight safety and psychological stress was developed by summarizing the psychological factors relevant to aviation risk perception. The program includes three sections: psychological measurement relevant to safety and feedback of the results; education on representative risk scenes in aviation; and occupational stress management. The Aviation Safety Locus of Control Scale and the Hazardous Aviation Attitude Questionnaire were used to evaluate risk patterns, and the results were fed back to pilots to improve their self-knowledge. The representative risk scenes were based on the five hazardous attitudes theory; fifteen cases were developed, and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach the pilots stress management skills. The program can be applied to improve flight safety and the mental health of pilots.

Program ISSC 2013

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD, Xin Liu, Wei Bai, Xinsheng Guo, Qingfeng Liu, MPsy, Xiaochao Guo, DPsy; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
The capabilities of crew resource management (CRM) relate directly to flight safety and run through the whole process of flight tasks, but there are currently no indicators and methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and the behavior characteristics of pilots in dynamic CRM were developed based on AC-121-FS-2011-41 crew resource management training and by analyzing the influential factors; from these, the dynamic assessment training indicators and methods of crew resource management were formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis for assessment of CRM during flight training, which is helpful for improving the CRM capabilities of the double-drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD, Erin Collins; Hughes Associates, Inc., Baltimore, MD, USA
The fire protection response in selected facilities is characterized by "manual" activities. That is, facility personnel are trained to react immediately after fire detection, not only to announce the fire event throughout the facility using the communication systems, but also to suppress the fire as quickly as possible. In contrast to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e., hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper integrates an event tree analysis with HRA, including treatment of the following detection and suppression activities: prompt detection and suppression, rapid detection and suppression, and fire brigade suppression.

Wednesday, 08/14/13 PM, Berkeley: Safety Topics (Chair: Gauthier)

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou, BEng, MSc, PhD, CEng, Matthew Luckcuck, Tim Kelly, PhD, Richard W. Jones, PhD; Department of Computer Science, University of York, York, United Kingdom
There has been an increasing use of IT in healthcare, aiming to improve the quality of healthcare as well as the safety delivered to patients. IT can contribute to better meeting the performance targets of hospitals by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent for medical devices (e.g., pacemakers), for which there are organised efforts towards international standards. Recently there have been attempts to systematise and standardise the safety analysis of health IT systems, with examples such as the UK National Health Service standards asking for a safety case showing that any IT systems are safe.

The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety in data-intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these tactics can be used to provide assurance in the final safety case of the system.

How Complex Systems Fail - I: Decomposition of the Failure Histogram
Richard R. Zito, PhD; Richard R. Zito Research, LLC, Tucson, AZ, USA
Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that in general the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model, and the failure histograms (failure rate vs. time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report takes the Peterson/Arellano analysis one step further. A unified theory of failure rates will be presented that removes the paradoxes of the simple Rayleigh model. It will be shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function law.

Wednesday, 08/14/13 PM, Clarendon: Risk Assessment (Chair: Karedes)

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt, Joan Pham, PhD; Sikorsky Aircraft Corporation, Stratford, Connecticut, USA
The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and their interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday, 08/15/13 AM, Berkeley: Space Systems (Chair: Durmaz)

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X. Dang, BSCE (1), Myles P. Moran, BSME (2), Tyrone Jackson, BSEE (1); (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA
A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. As an example, one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 AFSPCSUP1, 91-217, and 63-101. AF program offices are required to comply with AFI policies; AFIs don't generally apply to the contractor, except as implemented through the contract. Often, program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that by having two sets of requirements, AFIs for program offices and a tailored MIL-STD-882 for contractors, full compliance with AF Orbital Safety policy should be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"


Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G. McDougall, BS Physics, Naval Post-Graduate School (NPS) Master System Engineering, System Safety Center, SMC/SE, El Segundo, CA, USA; Tyrone Jackson, BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA
The Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommissioning, and disposal of systems, subsystems, end items, and services during the entire space system lifecycle, to support the Operational Safety, Suitability, and Effectiveness (OSS&E) of warfighter capability needs. The tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements applicable to the acquisition of space systems or space systems of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems, and user equipment systems. The SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP_I, and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process for evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing the tasks and activities required to execute a viable system safety program, which include risk acceptance package development, hazard tracking, mishap risk disposition, and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch, CO, USA
United Launch Alliance launches Atlas V and Delta IV from the Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles, and large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire, and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle, and prelaunch operations, until liftoff. Range Safety regulations provide safety requirements for hardware, software, and operations to ensure safety throughout ground processing. This paper will examine each stage of the ground processing for a space launch and the applicable safety requirements, and discuss how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, the location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after personnel are cleared, using safety-critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday, 08/15/13 AM, Clarendon: Weapons Safety (Chair: Southwick)

Security Critical Software — the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S. Alborzi, PhD; Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA
Today's political landscape, the arbitrary abandonment of nuclear non-proliferation by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense of system safety. This paper intends to explore this integration and unveil some of the security critical software that can serve as the first line of defense for preserving the safety critical features of our weapons systems.


Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams, BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello, BSChE, Navy NOSSA, Indian Head, MD, USA
The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance for implementing the policy provided in the associated AOP-7 and AOP-39. Questions are often raised during program development and reviews as to the origin and applicability of the tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of the test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, addresses only the Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE, Gunendran Sivapragasam, MBA SE; Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA
A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among the characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday, 08/15/13 AM, Dartmouth: Hazard Identification (Chair: Oliver)

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore
We have often asked ourselves why accidents or mishaps happened even when the system safety methodology and assessments were in place. Accidents happen due to many possible causes. There could be lapses in the safety integrity of the system, a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns, in that a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations that were faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practice of system safety. There are 4 areas of concern highlighted in the paper: Interfaces, Prototype Tests & Trials, Maintenance & Disposal, and Human Error. By identifying the gaps in these 4 areas, the author explores and proposes mitigation measures that could possibly close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr., Cand. scient., System Safety, SINTEF, Trondheim, Norway
Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body for certification according to IEC 61508, a Notified Body for certification according to the relevant EU directives, and a Manufacturer.

Experience has shown that, to deliver the product on time and to be cost-effective, it is very important that the Manufacturer and the Certification and Notified Bodies agree about basic principles concerning the plans, contents, traceability, and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Bodies as evidence.

This paper presents the CoVeR method, which has been developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, that costs are minimized, that time to market is reduced, that the certification process is complete and well documented, and that updating the certificates requires less work. The certification experience to date shows that many of the problems with conventional methods are improved upon.

Design with Safety Eye
Barış Berk Erdem, MS, Pinar Aydin, MS; Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey
Deriving safety requirements in the early stages of the design is one of the most important key factors in conducting a successful development process for any project. Just as well-defined, correct, consistent, and complete safety requirements improve and guide the design to perfect levels with minimum effort, defective, inconsistent, and incorrect safety requirements may lead to unsuccessful, overweight, and over-cost designs. In this paper, the ways and advantages of deriving qualified safety requirements in the early stages of the design will be discussed via examples. Safety requirements are derived using the results of the safety assessments based on the consequences of functional failures. But the quality of safety assessments depends on the maturity of the design, and as the design matures it becomes hard to change and to implement the changes, which causes a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated, and familiar with similar projects provides great contributions. Also, a safety perspective throughout the design team makes it easy to derive valuable safety requirements and to bring these requirements into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is cooperation of the whole design team with a safety perspective.

Thursday, 08/15/13 PM, Berkeley: Aerospace Software (Chair: Beecher)

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway, NASA Langley Research Center, Hampton, VA, USA
For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements." Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments, contained in or implied by the DO-178C guidance, that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore, developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper, we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels, and Baconian probability. We define use cases for confidence in safety cases: prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases, we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing the implications for future standards and for the reuse of safety elements.

Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System
Eric Yang, PhD, Richard Y. Xie, PhD, Arash Yousefi, PhD; Metron Aviation, Inc., Dulles, VA, USA
As demand for military, civilian, and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper, we adapt a previously developed safety modeling framework, the Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and to evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS, incompatibility between the sense-and-avoid systems of UAS and the Tactical Collision Avoidance Systems (TCAS) of manned aircraft, loss-link procedures in the UAS, and UAS loss of communication with air traffic control. The findings of this study provide insight into the potential risks of UAS integration and may support the development of a concept of operations, the establishment of minimum performance standards, and the development of required safety nets.

Thursday, 08/15/13 PM, Clarendon: Public Safety II (Chair: Laabs)

Integrating System Safety and Emergency Management
Terry L. Hardy, Great Circle Analytics, LLC, Denver, CO, USA
System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations, or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience, and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS; HSE, Marine Well Containment Company, Houston, TX, USA
Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips, and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of the Marine Well Containment Company (MWCC), an independent company which would develop, maintain, and advance well containment systems for the deepwater US Gulf. Following its formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess, and Statoil. In February 2011, MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS, and its Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach to working with member companies on hazard identification to establish a baseline, and on areas for continuous improvement of our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.


A Taxonomic Analysis on Chinese Special Equipments "Yinhuan" in Supervision
Yunxiao Fan, Dr., Associate Professor, Yun Luo, Professor, Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety on the worksite. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices, and automobiles. In recent years, the rapid increase in the numbers and types of special equipment has placed increasing stress on BSES's regulation of special equipment. As a government supervision organization, BSES tries to make explicit the inspection tasks of the different supervision levels efficiently and to improve safety management performance from the viewpoint of risk. This research is the first task in a project which aims to identify yinhuans in special equipment supervision using a taxonomy approach, for further ranking through risk assessment. Based on nonconformity and the 4 elements in the accident causation model, this research defined yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. The research identified nonconformities from the related regulations, standards, procedures, etc., and identified 830 yinhuans across 8 types of special equipment.

Thursday, 08/15/13 PM, Dartmouth: Hazard/Risk Management II (Chair: Kniess)

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1), Patrick J. Graydon, PhD (2), Rikard Land, PhD (1); (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework that includes analysers for safety cases defined in the Goal Structuring Notation (GSN) and for systems modelled in the Architecture Analysis and Design Language (AADL). In our approach, the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence; it can also ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA
United Launch Alliance (ULA) believes error reporting is the cornerstone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented, and shared Event data since 2007, and analysis confirms that Event severity and cost have steadily declined during this period.

In 2012, ULA experienced an elevated number of transportation-related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if the associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates the processes were "in control" during the period of this study.


Even though statistical analysis tools demonstrated ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.

Leading Indicators in Aviation Operations

Robert W Fletcher PMP PEng MSc, Robert Fletcher System Safety Inc, Ottawa, ON, Canada
Ioannis M Dokas PhD CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece

Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how STAMP Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents and incidents. The objective is to show the feasibility of establishing, in airports, system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems and airports to assess and predict changing levels of risk.


Special Functions

Saturday: SSS Executive Council Meeting, 12:00 - 5:00pm, Tremont Room

Sunday: SSS Executive Council Meeting, 8:00am - 5:00pm, Tremont Room

Monday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Opening Ceremonies / General Session, 1:30 - 3:30am, Salons A-E
50th Celebration Speaker: Rex B Gordon MPH PE CSP, Fellow Member Emeritus
Keynote Speaker: James P Keller Jr MS, ECRI Institute

Tuesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Sponsor/Exhibitor Luncheon, 11:30am - 1:20pm, Salons A-E
Speaker: Dr Nancy Leveson, Massachusetts Institute of Technology

Sponsor & Exhibitor Reception, 6:30 - 8:30pm, Gloucester Room

Wednesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

International Luncheon, 11:30am - 1:20pm, Salons A-E
Speaker: Dr John McDermid, The University of York, UK

Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00pm
Be in the hotel lobby at 6:00pm

Thursday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Awards Luncheon, 11:30 - 1:20pm, Salons A-E

Friday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Best Papers Presentations, 8:00 - 11:20am, Dartmouth Room


32nd International System Safety Conference, 4-8 August 2014 · St Louis, MO

St Louis Union Station Marriott Hotel


Local Attractions
• Gateway Arch Riverfront
• Missouri History Museum
• Museum of Transportation
• St Louis Cardinals
• St Louis Symphony
• St Louis Union Station
• St Louis Science Center
• The Contemporary Art Museum St Louis
• Bissell Mansion Restaurant and Dinner Theater
• Missouri Botanical Gardens
• Laumeier Sculpture Park
• Anheuser-Busch Brewery
• Kemp Auto Museum
• Schlafly Bottleworks
• Fox Theater
• Purina Farms
• Meramec Caverns
• Laclede's Landing
• City Museum
• Magic House
• Grant's Farm
• St Louis Zoo
• Delmar Loop
• Forest Park
• Harrah's
• Six Flags


About the System Safety Society

The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program or activity at the planning phase and continues through the design, production, testing, use and disposal phases.

The Society's Objectives
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering and other professional groups

System Safety Society, Inc, PO Box 70, Unionville, VA 22567-0070
www.system-safety.org
email: systemsafety@system-safety.org

Points of Contact

Officers

Robert Schmedake, President, robertaschmedakeboeingcom

Dr Rod Simmons, Executive Vice President, rodsimmonsmecom

Dr Matt Johnson, Executive Secretary, mjohnsonstaudertechcom

Pam Kniess, Treasurer, pamkniessgmailcom

Gary Braman, Immediate Past President, gbramansikorskycom

Directors

Gerry Einarsson, Chapter Services, einargkrogerscom
Lynece Pfledderer, Conferences, Lynecepfleddererlmcocom
Dr Chuck Muniak, Education & Professional Development, cmuniakstevensedu

Debbie Hale, Gov & Intersociety, Hale0324hotmailcom
Robert Fletcher, International Development, rwfletchersympaticoca

Melissa Emery, Member Services, memeryapt-researchcom
Steve Mattern, Mentoring R&D, smatternbastiontechnologiescom

Saralyn Dwyer, Publicity & Media, sdwyerapt-researchcom


Chapters

Tennessee Valley Chapter AL Don Swallom swallomisss-tvcorg

Saguaro Chapter AZ Amanda Boysun 520-794-5487 AmandaBoysunraytheoncom

Bay Area Chapter CA Graham Murray 408-756-2674 grahamtmurraylmcocom

Central California Chapter CA Kathleen Brenna KathleenBrenna1usafmil

Sierra High Desert Chapter CA Jerry Banister 760-377-4690 safetycitadelearthlinknet

Southern California Chapter CA Francis McDougall 310-653-1309 francismcdougallusafmil

Colorado Chapter Terry Foppe 303-915-8353 terryfoppecomcastnet

Georgia Chapter Terry Gooch 770-494-3527 terryjgoochgmailcom

Winners Circle Chapter KY/IN Marc Bever 812-854-1351 Marcbevernavymil

Twin Cities Chapter MN Bill Blake 763-744-5086 billblakeatkcom

New England Chapter Alan E Southwick 401-842-2067 Alan_E_Southwickraytheoncom

Northeast Chapter Scott Beecher scottbeecherPWutccom

New Mexico Chapter NM William (Bill) Harwood williamharwoodmdamil

Houston Chapter TX Derek Robins 281-335-2011 derekrobbinsmwcc-usacom

North Texas Chapter TX Frank Rinaldo 817-762-3075 frankrrinaldolmcocom

Washington DC Chapter Sean Peters seanpetersurscom

Virtual Chapter Doanna Weissgerber 408-289-4407 DoannaWeissgerberbaesystemscom

International Chapters

Australia Chapter Dr Holger Becht +61 (0)7 3868 9243 holgerbechtrgbassurancecomau

Canada Chapter Maury Hill 613-220-0533 Mauryhillrogerscom

Israel Chapter Haim Kuper 972-4-8315044 haimkuperelbitsystemscom

Singapore Chapter Ten Lin Mei tlinmeidsoorgsg


31st ISSC Luncheon Menu

Tuesday, August 13

New England Clam Chowder

Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction

Key Lime Tart in a Hazelnut Crust, Blackberry Pate de Fruit

Wednesday, August 14

Asian Inspired Salad

Teriyaki Chicken, Coconut Rice, Seared Bok Choy

Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15

Caesar Salad

Ricotta and Manchego Torteloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce

White Chocolate and Blood Orange Torte


Greetings From the Conference Chair

On behalf of the entire ISSC planning committee, I would like to extend a warm welcome to you. We have worked hard to make this conference a world-class success. Whether this is your first visit to Boston or you have been here before, I hope you get a chance to relax and enjoy our beautiful New England city. Boston has something for everyone, from historical sites to exciting downtown locations, sports arenas and fabulous shopping. Our off-site event will be held in the Museum of Science, complete with Wolfgang Puck catering and our own private Lightning Show.

The System Safety Society is proud to host an annual conference that provides practitioners from different industries a chance to get together, network and learn from each other. Unfortunately the US budget sequestration restricted travel for Government workers, so our numbers are down this year. I would like to assure all attendees that although this year's conference will be smaller than previous years, the standards to which we held our papers and tutorials were not lowered. You can expect top notch presentations.

The theme for this year's conference, Safety for the Long Run, picks up on a number of parallels between the types of things one might do to prepare for a marathon race and elements of an effective system safety program. These include the importance of proper training, having a well thought out plan, getting off to a good start, avoiding obstacles and distractions, and keeping enough in reserve for a successful sprint to the finish. I think you will agree that this year's conference will help prepare you well.

One of our objectives was to try to attract more young people who could especially benefit from the knowledge and experience of many of the Society's "grey beards". We will have several student members in attendance, and I hope you will join me in making them feel welcome. I am also pleased to announce this year we will have a new track, lifecycle safety. These papers will discuss system safety as it moves past the development stage, which is where the majority of our previous discussions have stopped. In addition to our many papers and tutorials being offered, there is the potential for "Just in Time" sessions to be held. A board for suggesting topics you would like to have added to discussions will be located at the registration desk, or you can coordinate with Norm Gauthier, one of our Technical Co-Chairs.

We wish you an enjoyable and enlightening conference experience. Should there be anything you require to make your conference experience better, please don't hesitate to reach out to me, Cliff Parizo or any of the other Conference Committee volunteers.

Again, enjoy your visit and thank you for your support by being here. I would also like to send a big thank you to those who helped plan this conference, our sponsors & exhibitors, and especially to Sikorsky Aircraft for partnering with us to make this conference a reality.

Sincerely,
Pam Alte, 31st ISSC Conference Chair


Speakers

Rex B Gordon MPH PE CSP, Fellow Member Emeritus: Opening Ceremonies 50th Celebration Speaker

Rex Gordon is a 50 year Charter Member and current Historian of the System Safety Society. He is a past President and Editor of the Journal. He served as Chairman of the 2nd ISSC and of both the Northeast and Southern California Chapters. He has represented the Society on the boards of the Reliability and Maintainability Symposium (RAMS) and Certified Safety Professionals (CSP). He is a Chapter Member and past Chairman of the Government Electronic Industries Association (GEIA) G-48 System Safety Committee. He has co-authored two text books and over 15 published papers. He has lectured at the George Washington University and USC. He has represented the Society at functions held in the White House, the Pentagon, and in Germany, Holland and Paris.

He is retired after 40 years of employment as a System Safety Engineering Specialist, Manager and Consultant. He currently lives with his wife of 61 years in Fallbrook, CA.

James P Keller Jr MS, ECRI Institute: Keynote Speaker

As Vice President, Health Technology Evaluation and Safety, James Keller directs ECRI Institute's internationally recognized Health Devices Evaluation Program, which provides independent judgment and guidance to help hospitals and health systems select and manage medical devices. The program was referred to by the New York Times as the "country's most respected laboratory for testing of medical products". He serves as a member of ECRI Institute's Executive Committee, which is responsible for overall governance of ECRI Institute operations.

Mr Keller is also responsible for the Health Devices Alerts notification service for medical product hazards and recalls; Alerts Tracker, a web-based tool for managing hazards and recalls of medical products; Biomedical Benchmark, a resource to help hospitals manage their medical equipment service activities; an annual series of interactive webinars on health technology issues; and the International Medical Device Problem Reporting System.

Mr Keller is a recognized expert and frequently invited speaker on a wide range of health technology-related topics, including patient safety, equipment management, strategic planning and forecasting, device utilization, nomenclature and asset management, and the convergence of medical devices and information systems. He is a regular contributor to ECRI Institute's Patient Safety Blog and is routinely sought out by the news media for his expertise on a variety of health technology concerns.

Mr Keller is President of the board for the American College of Clinical Engineering and is a member of the board for the Health Technology Foundation. He joined ECRI Institute in 1984 after completing a Master of Science degree in biological engineering from the University of Connecticut and a Bachelor of Science degree in zoology from the University of Massachusetts.


Dr Nancy Leveson, Massachusetts Institute of Technology: Sponsor & Exhibitor Luncheon Speaker

Dr Leveson holds a PhD from UCLA. She was a Computer Science professor at the University of California, then became Boeing Professor of Computer Science and Engineering at the University of Washington.

Professor Leveson's research focuses on topics related to the design of complex systems containing software, hardware and human components. Her goal is to stretch current limits of complexity and intellectual manageability of the systems we can build with reasonable resources and with confidence in their expected behavior, particularly safety. Current research topics include model-based system and software engineering, system and software safety, software requirements specification and analysis, human-computer interaction, reusable component-based system architectures, interactive visualization, human-centered system design, and comprehensive approaches to risk management that include the organizational, political, managerial and social aspects of system construction and operation. New work is starting in security. Current applications include space, aircraft, autos, rail systems, nuclear power, medical devices, hospital safety, defense systems and others.

Dr John McDermid, The University of York, UK: International Luncheon Speaker

Professor John A McDermid has been Professor of Software Engineering at the University of York since 1987, where he runs the High Integrity Systems Engineering (HISE) research group. He was also Head of the Department of Computer Science from 2006 to 2012. The HISE research group studies a broad range of issues, mainly in systems, software and safety engineering, and works closely with the UK aerospace industry, but has worked in a number of domains including automotive, medical and railways.

In 2010 he was appointed a Consulting Professor at Beijing Jiaotong University (BJTU) and now runs a collaborative research programme in railway safety with BJTU known as the Railway Safety Technology Research Centre (RSTRC). He has extensive experience as a consultant, including advising the Ministry of Defence (MoD) on the development of DS 00-56 Issues 3 and 4. He is a member of the UK Defence Scientific Advisory Council. He is author or editor of six books and has published approximately 360 papers.


Schedule: Monday 12 August

4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Rooms: Salons A-E, Berkley, Clarendon

8:00 - 8:50
Hazard Analysis (Barondes): Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models (Wind Schedl Floetzer)
Ground Transportation (Millin): Achieving Safety Confidence of a Large Scale System Product and its Applications (Shi)

9:00 - 9:50
Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees (Rainey)
Failure Logic Automata for Future Oriented Safety Assessment of Train Control System (Zhou Zhao)

10:30 - 11:20
The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment (Jaradat Graydon Bate)
Are We Ready for Driverless Cars (West)

Lunch Break, Salons A-E

1:30 - 2:20
Opening Ceremonies, General Session
Opening Ceremonies 50th Celebration Speaker: Rex B Gordon MPH PE CSP, Fellow Member Emeritus
Keynote Speaker: James P Keller Jr MS, ECRI Institute

2:30 - 3:20

4:00 - 4:50

Rooms: Exeter, Fairfield, Wellesley

8:00 - 8:50
Tutorial: Hands-On System Safety Basics Focused On FHA, Winkelbauer Schedl (3 hrs)
Tutorial: Introduction to Fault Tree Analysis Using CAFTA Software, Roy (3 hrs)
Committee & Group Meetings

9:00 - 9:50

10:30 - 11:20

1:30 - 2:20

2:30 - 3:20

4:00 - 4:50


Schedule: Tuesday 13 August

4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Rooms: Arlington, Berkley, Clarendon, Dartmouth

8:00 - 8:50
Tutorial: A Tutorial on STPA: A New More Powerful Hazard Analysis Technique, Leveson Thomas (6 hrs)
Hazard/Risk Management (Parizo): Safety is not an Option (Parizo Daugherty)
Workplace Safety (Kondreck): Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen (Zhang Batcheller McQueen)
Open Forum (Fletcher): Developing Global System Safety Perspectives

9:00 - 9:50
National Aerospace Standard 411 Update (Sheehan)
A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources (Fischer Yankaskas Page)

10:30 - 11:20
Linear Integrated Safety Analyses (LISA) (Grant Muhammad)
System Safety Design for Safe Operation of Radars (Bartos)

Sponsor & Exhibitor Luncheon, Salons A-E
Guest Speaker: Dr Nancy Leveson, Massachusetts Institute of Technology
Menu: New England Clam Chowder; Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction; Key Lime Tart in a Hazelnut Crust, Blackberry Pate de Fruit

1:30 - 2:20
Tutorial (continued)
Software Engineering (Mikula): Dependability Techniques Applied to Space Software - A Research Project Report (Lahoz Abdala)
Aerospace Safety (Kraemer): Systems-Based Approach to Flight Safety Management in Airlines (Chi Xu Qi Shao)
Software Safety (Schmedake): Safety and/vs Security: Towards a System Engineering Approach for Trust (Schoitsch)

2:30 - 3:20
The Principles of Software Safety Assurance (Hawkins Habli Kelly)
Use of Master Minimum Equipment List (MMEL) To Ensure Safe Dispatch (Durmaz)
Anatomy of a Safety Critical Software Function (Church)

4:00 - 4:50
Formal Modelling in the Development of Dependable Systems (Troubitsyna)
Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics (Campbell)
Software Risk: The Third Rail of Safety Analysis (Hildreth Elcock)

6:30 - 8:30
Sponsor & Exhibitor Reception, Gloucester Room

Rooms: Exeter, Fairfield, Suffolk, Wellesley

8:00 - 8:50
Workshop: ISO 26262-Style Risk Assessment, Joyce (3 hrs)
Tutorial: Assurance Cases As Means of Evidence Based Development of Critical Systems, Despotou (3 hrs)
Tutorial: Practical Generation of Safety Cases With the Help of GSN, Gerstinger Schedl (3 hrs)
Committee & Group Meetings

9:00 - 9:50

10:30 - 11:20

1:30 - 2:20
Workshop: Application of System Safety Methods to Systems of Systems, Joyce Debouk Vergara (3 hrs)
Workshop: Advancing Safety By Reducing Errors: A Fresh Approach, Autrey (3 hrs)
Tutorial: Improving Safety Management by Using a Risk Management Policy in Your Daily Operations, Fitzgerald (3 hrs)
Committee & Group Meetings (continued)

2:30 - 3:20

4:00 - 4:50


Schedule: Wednesday 14 August

4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Rooms: Arlington, Berkley, Clarendon, Dartmouth

8:00 - 8:50
Human Factors (Robins): ASL – Affective Safety Leadership (Ramsing)
Public Safety (Fletcher): The Study on the Accident Causation Rule of Macroscopic Accidents in China (Zeng Luo Tian)
Lifecycle Safety (Swallom): Maintenance Hazard Analysis (Tan)

9:00 - 9:50
Exxon Valdez: Human Error Plain and Simple (Barondes)
Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity (Zheleznov)
Development of a System Safety Case for Automotive Electric/Electronic Systems (Sundaram Hartfelder)

10:30 - 11:20
Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems (Vernacchia Green Llaneras)
Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation (Smirnov Yurkov Syagin Koshina)
Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes (Laabs Allison Russell)

International Luncheon, Salons A-E
Guest Speaker: Dr John McDermid, The University of York, UK
Menu: Asian Inspired Salad; Teriyaki Chicken, Coconut Rice, Seared Bok Choy; Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

1:30 - 2:20
Workshop: The Evolution of the UK Defence Safety Standards (McDermid)
Safety Topics (Gauthier): Introducing Safety Assurance Influenced Design of Health IT Systems (Despotou Luckcuck Kelly Jones)
Risk Assessment (Karedes): Quantitative Risk Assessment in Aviation Safety Risk Management (Hewitt Pham)
Tutorial: Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System, Behnke Damstra Villhauer (2 hrs)

2:30 - 3:20
How Complex Systems Fail - I: Decomposition of the Failure Histogram (Zito)

4:00 - 4:50

6:00 - 10:00
Wolfgang Puck Dinner and Lightning Show at the Museum of Science

Rooms: Exeter, Fairfield, Suffolk, Wellesley

8:00 - 8:50
Human Factors II (Flint): Development of Education Program Integrating Flight Safety and Psychological Stress (Liu Wang Liu Bai Guo)
Tutorial: Why You Should Care About the "-Ilities", Southwick (3 hrs)
G-48 Meeting: West (6 hrs)
Committee & Group Meetings

9:00 - 9:50
Research on Evaluation Index and Method of CRM Dynamic Training (Wang Liu Bai Liu Guo Guo)

10:30 - 11:20
Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events (Garvey Joglar Collins)

1:30 - 2:20
Tutorial: Where Hard Meets SOFT: Human Factors Role In System Safety Engineering, Brisbois (2 hrs)
Workshop: Aircraft Fire & Explosion – How Safe are the Friendly Skies (Moussa)
G-48 Meeting (continued)
Tutorial: Using Risk Profiles for Safety Management of Large Scale Operations, Fitzgerald (3 hrs)

2:30 - 3:20

4:00 - 4:50


Schedule: Thursday 15 August

4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Rooms: Berkley, Clarendon, Dartmouth

8:00 - 8:50
Space Systems (Durmaz): Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy (Dang Moran Jackson)
Weapons Safety (Southwick): Security Critical Software – the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age (Alborzi)
Hazard Identification (Oliver): Closing the Gaps in System Safety Coverage (Siow)

9:00 - 9:50
Tailoring of MIL-STD-882E for Space Systems Acquisitions (McDougall Jackson)
Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics (Adams Tomasello)
Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods (Myklebust)

10:30 - 11:20
Cryogenic Safety for Space Launch Vehicles During Ground Operations (Iyengar)
A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects (Pham Sivapragasam)
Design With Safety Eye (Erdem Aydin)

Awards Luncheon, Salons A-E
Menu: Caesar Salad; Ricotta and Manchego Torteloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce; White Chocolate and Blood Orange Torte

1:30 - 2:20
Aerospace Software (Beecher): Making the Implicit Explicit: Towards an Assurance Case for DO-178C (Holloway)
Public Safety II (Laabs): Integrating System Safety and Emergency Management (Hardy)
Hazard/Risk Management II (Kniess): Towards Automatic Verification of Safety Properties in AADL System Models (Björnander Graydon Land)

2:30 - 3:20
Uncertainty and Confidence in Safety Logic (Graydon)
Safety in Deepwater Well Containment Operations (Robins)
Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events (Allison Jerdak)

4:00 - 4:50
Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System (Yang Xie Yousefi)
A Taxonomic Analysis On Chinese Special Equipments "Yinhuan" in Supervision (Fan Luo Lu)
Leading Indicators in Aviation Operations (Fletcher Dokas)

Rooms: Exeter, Fairfield, Suffolk, Wellesley

8:00 - 8:50
Tutorial: Conceive of Modeling On Operation Mechanism of Public Safety Standardization, Luo Huang (6 hrs)
Panel: G-48 Pressing Issues Facing System Safety, West (3 hrs)
Committee & Group Meetings

9:00 - 9:50

10:30 - 11:20

1:30 - 2:20
Tutorial (continued)
Committee & Group Meetings (continued)

2:30 - 3:20

4:00 - 4:50

Schedule: Friday 16 August

Simmons Room, 6:30 - 8:00: Speakers' Breakfast

Rooms: Clarendon, Dartmouth, Regis

8:00 - 8:50
Workshop: Process Safety Culture Best Practices (Pearlman) (2 hrs)
Best Paper 1
Lessons Learned & ISSC Staff Turn-over Meeting

8:50 - 9:30
Best Paper 2

10:00 - 10:40

10:50 - 11:30


3 2 1 SAFETY

System safety is paramount. It impacts our products, employees, technicians and maintenance personnel. And safety is no accident – it is designed into everything we do. We are proud to sponsor this year's International System Safety Conference and their mission to think outside the box when it comes to the best processes, methods and techniques. We're committed to delivering innovative ideas and solutions that help connect, protect and explore our universe.

www.lockheedmartin.com/ssc


Tutorials

The conference organizers have an information-packed tutorial program planned in conjunction with the 31st ISSC. Attending tutorials, as well as other elements of the Technical Program at the 31st ISSC, meets the requirements for Continuance of Certification credit through the Board of Certified Safety Professionals (BCSP). The University of Cincinnati will issue Continuing Education Units (CEUs) for participation in the conference tutorials. CEUs are issued on the basis of 0.1 CEU per instructional contact hour. You must be present for at least 90% of the tutorial to receive CEUs and a tutorial completion certificate. Your attendance is verified via the process outlined below.

• At the start of the tutorial, you'll clearly print your name in the attendance form exactly as you want it to appear on the certificate.
• After returning from each break during the tutorial (morning, lunch and/or afternoon), you'll initial the attendance form.
• You must be present at the end of the tutorial to receive your certificate and the CEUs.

If there are misspellings on the CEU certificates, please mark the corrections and give them back to the instructor or leave them at the registration desk.

Monday 08·12·13, 8:00-11:30, Exeter, Tutorial, 0.3 CEU

Hands-On System Safety Basics Focused on FHA

Instructors: Werner Winkelbauer, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria

An overview of a generic safety process best suited for small to medium sized projects, in relation to the project lifecycle, is given. For each major project phase, the respective safety process phase, safety objectives, and necessary inputs and outputs are detailed. Some state-of-the-art analysis techniques are explained. Special emphasis is placed on the Functional Hazard Assessment, where practical guidance for a Functional Failure Modes and Effects Analysis is presented.

The content of this tutorial is based on experience from an internationally operating company.

Objective: Basic understanding of a safety process and the practical implementation of a Functional Failure Modes and Effects Analysis.

Monday 08·12·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Introduction to Fault Tree Analysis Using CAFTA Software

Instructor: Jean Francois Roy, Nuclear Division / Risk & Safety Management Group, Electric Power Research Institute, Palo Alto, CA, USA

This tutorial will introduce Fault Tree Analysis using CAFTA Software. Attendees will first review fault tree methodology and terminology. Construction of a fault tree model in CAFTA will then follow a brief review of CAFTA's components and symbol types. In constructing the fault tree model, topics covered will include projects, navigation, editing shortcuts and how to add probabilities. An overview of basic event probability formulas, type codes and variables will be included, as well as printing and quantification processes.

Tuesday 08·13·13, 8:00-5:00, Arlington, Tutorial, 0.6 CEU

A Tutorial on STPA: A New More Powerful Hazard Analysis Technique

Instructors: Nancy G Leveson PhD, John Thomas PhD, Aeronautics and Astronautics, MIT (Massachusetts Institute of Technology), Cambridge, MA, USA

STAMP is a new accident causality model that expands on the old models in order to handle the increased complexity, software and changing human roles in today's systems. Using STAMP as a foundation, new tools have been built for hazard analysis (STPA), accident analysis (CAST), organizational risk analysis and risk management, etc. This tutorial will concentrate on STPA. The tutorial will start with a brief introduction to STAMP and the systems approach to safety engineering. The rest of the time will be devoted to learning STPA and doing exercises. Students are encouraged to bring problems from their own research domains so that they can try this analysis method on something very relevant to their work.

STPA is being used successfully in almost every industry. Several groups have evaluated STPA empirically by comparing the results with standard hazard analysis techniques. In all cases STPA found all the hazard scenarios found by the other methods, but also found additional ones involving software, human errors and unsafe interactions among system components. In a couple of cases where STPA and the other methods were applied to a design in which an accident had occurred (without telling the analysts), STPA was the only method that found the real accident scenario.

By the end of the tutorial, attendees will be able to apply STPA to a system in their field of expertise.

Tuesday 08·13·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Assurance Cases as Means of Evidence Based Development of Critical Systems

Instructor: George Despotou BEng MSc PhD CEng, Department of Computer Science, University of York, York, United Kingdom

Often developers have the onus to defend a position (i.e. make a case) about the safety of their system. This usually involves an explanation of how the available information for a system supports the claim that risks in the system have been acceptably managed.

Safety cases have been used in the safety domain for a number of years, mostly in the defence, aerospace, and energy domains. Their usefulness as a tool for improving safety has been appreciated by many practitioners, and development of a safety case is a requirement in many standards. This has resulted in the core concepts of safety cases being transferred to other domains (e.g., automotive) and focused on other system attributes (e.g., security cases). Recently the term assurance case has been introduced, which encompasses not only safety but other relevant critical aspects of a system, such as security.

A case exists to communicate an argument. It is used to demonstrate how someone can reasonably conclude that a system is acceptably safe from the evidence available. A case is a device for communicating ideas and information, usually to a third party (e.g., a regulator). In order to do this convincingly, it must be as clear as possible. Safety case definitions may differ between domains, but all definitions converge on a set of characteristics.

Development of a (safety) case is a requirement in many standards. However, the usefulness of the safety case has been appreciated in industry, and it is used by many organisations as good practice. The reason for this is that explicitly capturing all reasoning and information (about the supported position), such as assumptions and evidence, facilitates assessing the fitness of the design to meet its (safety) objectives. A manufacturer will design a system aiming to achieve the required operational attributes. However, what is intended is often not what is achieved. Once the reasoning of the developers is explicitly documented as claim and argument supported by evidence, the gap between what was intended and what was achieved becomes more apparent.

Explicitly documenting a case will contribute towards a factual representation of the system, revealing which claims can be supported by evidence and which remain intention (for example, because there is not sufficient evidence to support them). This does not necessarily imply that the latter claims have not been implemented, but that we are unaware of their achievement as they are not sufficiently supported. There can be three reasons why a claim is not sufficiently supported: a) there is not sufficient evidence to warrant the claim; b) although there is evidence, there is inadequate explanation (a problematic argument structure) as to how the evidence supports the claim; and c) the claim was phrased in a way that is unsupportable.

The tutorial describes the basic concepts of assurance and safety cases (including recent OMG standards), will explain the main challenges in developing an assurance case and their relationship to safety standards (safety cases and standards serve different purposes and should be seen as complementary), and present best practice (and misconceptions) regarding assurance cases.

Program ISSC 2013

Tuesday 08·13·13, 8:00-11:30, Suffolk, Tutorial, 0.3 CEU

Practical Generation of Safety Cases with the Help of GSN
Instructors: Andreas Gerstinger and Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria

This tutorial will introduce you to the concept of safety cases. Safety cases are structured arguments that support the claim that a system is safe to be used for a given application in a given environment. Several standards require the production of such safety cases as a prerequisite for approval. The tutorial will highlight good and bad practices when developing safety cases and will introduce you to a notation specifically developed for the generation of safety cases: the Goal Structuring Notation (GSN). There will be practical examples which need to be solved by the attendees so that hands-on practice and experience is gained.

Detailed outline of the tutorial:

Introduction (1h): The tutorial will start with a survey of current safety standards (IEC 61508, ISO 26262, EN 50128, DO-178C) and analyse their views and requirements regarding safety cases. We will then delve into the nature of safety cases, briefly touch on their historical origins, and clearly consider what can and what can't be expected from a safety case. Based on our practical experience, we will also highlight some typical bad practices when constructing safety cases. This helps to correctly and critically read them and is also a helpful guideline for reviewing other safety documentation. This part of the tutorial is largely a presentation.

Goal Structuring Notation (45min): We will now introduce the main elements of the Goal Structuring Notation (GSN), which is a helpful tool to document safety cases. The presentation of the notation will be interleaved with brief examples, exercises, and questions so that attendees have the chance to fully understand the meaning and purpose of the various symbols. A structured method for how to proceed when drafting safety cases will also be presented. Hence this part of the tutorial is much more interactive, requiring active participation of attendees.

Case Study (45min): A realistic case study will then be handed out. It is expected to be solved as group work (groups of 3-5 people are expected). The task of the groups will be to draft and present a sound safety argument for a given claim that the system in the case study is acceptably safe for a specific application in a given environment. GSN shall be used as the notation for this purpose. At the end, the groups present their solutions, and the advantages/disadvantages of the presented solutions are discussed. This part of the tutorial is group work.

Concluding Remarks (30min): Finally, we will offer some concluding remarks consisting of hints on how to avoid common errors and fallacies in safety cases, show some examples of real-world safety cases, and finish with a personal conclusion.

Tuesday 08·13·13, 1:30-5:00, Suffolk, Tutorial, 0.3 CEU

Improving Safety Management by Using a Risk Management Policy in Your Daily Operations
Instructor: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA

The focus of the tutorial is the use of risk assessment and risk management in the (non-technical) occupational safety and health profession. Domain of Interest: Hazard/Risk Management or Workplace Safety.

First hour: Review the basics of the various components of risk and types of risk assessments. Stress that the safety and health professional needs to understand that risk is more than a simple subjective measure of severity and frequency.

Second hour: Demonstrate how to make risk assessment into a powerful management tool by customizing the assessment of risk for use in a company/industry. Also provide insights on how to "sell" a risk management policy/program within a company.

Third hour: A discussion of how to use risk management as a tool to aid you in your daily office or program management responsibilities: the planning, organizing, staffing, leading, and controlling of a safety program. Embedded in the discussion is how risk can provide a measure of the success of an occupational safety and health program.

Wednesday 08·14·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Why You Should Care About the "-Ilities"
Instructor: Alan E. Southwick, BSEE, MME, MBA, CSP, CQE, CRE, Whole Life Engineering Directorate, Raytheon Company Integrated Defense Systems, Portsmouth, RI, USA

The topic addresses the interrelationships developed from Quality, Quality Control, and Quality Engineering, pursuing Specialty Engineering roles and relationships, including Reliability, Maintainability, Supportability, Human Factors, Safety, and Security (Information Assurance), from an overview perspective. The tutorial is designed to be somewhat interactive, presenting examples and questions to the audience related to the various topics discussed, thereby engaging participants and providing them with insights into the various disciplines and how they relate within "Specialty Engineering".

Wednesday 08·14·13, 1:30-3:30, Dartmouth, Tutorial, 0.2 CEU

Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System
Instructors: Tim R. Behnke, BSEE; John Damstra, BS Mathematical Sciences; and Eric D. Villhauer, BS Aerospace Eng., BA Economics; Specialty Engineering, General Atomics Aeronautical, Poway, CA, USA

The presenters share their implementation of a hazard analysis that integrates the civil aviation approach to safety analysis per SAE ARP 4761 and the defense approach to safety analysis per MIL-STD-882E, along with their implementation of the associated hazard tracking system in DOORS.

• Introductions - Behnke - 5 mins
• Need for System - Behnke - 5 mins
• Groundwork (historical) - Behnke - 10 mins
• Development - Damstra - 30 mins
  i. Modules
  ii. Attributes
  iii. DXLs
  iv. Views
  v. Exports
• Usage - Villhauer - 30 mins
• Questions - All - 10 mins


Wednesday 08·14·13, 1:30-3:30, Exeter, Tutorial, 0.2 CEU

Where Hard Meets SOFT: Human Factors' Role in System Safety Engineering
Instructor: Fred W. Brisbois, CHCM, Safety, Sikorsky Aircraft, International Helicopter Safety Team, Guilford, CT, USA

The gap that allows accidents to happen is sometimes where System Safety Engineering and Human Factors don't overlap. System Safety Engineering processes defined in MIL-STD-882 and ARP 4761 provide a structured approach to applying engineering practices to ensure safety is designed into products. These practices, coupled with robust product safety surveillance and management during the aircraft's service life, offer opportunities to continuously raise the standards for future designs. However, to maximize the benefits of safety engineering, it is important to master the 'art' of how and when to integrate human factor interventions into the system design. This session will cover a generic overview of system safety engineering, aircraft fleet safety management, and lessons learned from 'human' malfunctions that led to aircraft system design changes.

Wednesday 08·14·13, 1:30-5:00, Wellesley, Tutorial, 0.3 CEU

Using Risk Profiles for Safety Management of Large Scale Operations
Instructor: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA

This tutorial provides safety and health professionals who work with large scale or multiple operations with a methodology to evaluate and compare these operations. The tutorial begins with a review of four types of risk which need to be assessed (People, Product, Production, and Planet). This is followed by a brief discussion of normalizing the risk components of severity and probability. The heart of the tutorial is the description of how to measure the total risk of various operations, processes, and facilities and present the resulting risk profiles to management. The tutorial will conclude with a brief discussion on the validity of the methodology used. Note: This is not a discussion on how to determine true total risk, but a simplified method using a minimum of math. The tutorial is designed for safety and health professionals working within a company that has multiple processes or facilities that compete for funding to ameliorate hazards.

Thursday 08·15·13, 8:00-5:00, Exeter, Tutorial, 0.6 CEU

Conceive of Modeling On Operation Mechanism of Public Safety Standardization
Instructors: Yun Luo and Yuecheng Huang, ME, School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

On the basis of theories and methods of system science and strategy-system, this paper revealed the operation law of standardization of safety production and the relations between all the elements, combined with the background and current situation of public safety standardization in China. It also built the frame of the macroscopic operating mechanism and the "456" model of the work safety standardization system operation mechanism, which borrowed the idea from the execution and achievement of work safety standardization in our country. Besides, it also designed six other mechanism models in order to do systematic analysis and present optimized countermeasures, such as comprehensive management by government, categorized supervision by department, implementing responsibility by organization, technological service by agency, wide participation by society, self-disciplined prodding by entire personnel, and so on. The research provided some theoretical directions as well as approaches for the construction and improving of the operation quality of public safety standardization.

Panel Discussions / Forums

Tuesday 08·13·13, 8:00-11:30, Dartmouth, Open Forum

Developing Global System Safety Perspectives
Moderator: Robert Ward Fletcher, PEng, MSc, PMP, PCIP, Consultant, President, Robert Fletcher System Safety Inc., Ottawa, Ontario, Canada

This will be a free-form discussion moderated by Bob Fletcher, SSS Director of International Development. It is a continuation of the discussion started during the 30th ISSC.

Robert is a system safety engineer with many years of experience. He has performed system safety consultancy services work for several clients around the world. He has performed system safety engineering and safety management systems training, auditing, and analysis for air traffic control and flight service system applications. Robert has received an MSc from the United States Navy Post Graduate School, a diploma from the Aerospace Systems School, Winnipeg, Manitoba, and a Bachelor of Science degree from the Royal Military College. He is a registered professional engineer, a member of the Project Management Institute, and a member of the Critical Infrastructure Institute.

Thursday 08·15·13, 8:00-11:30, Suffolk, Panel

G-48 Workshop - Pressing Issues Facing System Safety
Moderator: David B. West, CSP, PE, CHMM, Systems Software and Solutions Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA

A panel of speakers (TBD) will give a series of presentations on the most pressing issues facing the System Safety community today.

Workshops

Tuesday 08·13·13, 8:00-11:30, Exeter, Workshop

ISO 26262-Style Risk Assessment
Presenter: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada

ISO 26262 is a functional safety standard for electronic control systems in road vehicles which includes a novel approach to risk assessment that overcomes the widely recognized difficulty of evaluating the likelihood of failure in the case of software-intensive systems. Although it was devised for use in the automotive domain, this approach to risk assessment has been used successfully in other technical domains that also rely on safety-critical software. Following a brief introduction to ISO 26262, participants will engage in a series of problem-solving small-group exercises based on examples taken from a variety of technical domains, including automotive, medical devices, energy, and defense. The workshop will include opportunities for discussion and comparison of sample solutions. The workshop will also include a brief comparison of the ISO 26262 approach to risk assessment with the notion of software criticality in MIL-STD-882E. While this workshop will be of particular interest to system safety engineers in the automotive industry, it is intended to be relevant to system safety engineers across all technical domains with an interest in the assessment of safety risk associated with complex software-intensive systems.


Tuesday 08·13·13, 1:30-5:00, Exeter, Workshop

Application of System Safety Methods to Systems of Systems
Presenters: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada; Rami Debouk, Electrical and Controls Integration Lab, General Motors, Warren, MI, USA; Antonio Vergara, ITER Organization, St Paul-lez-Durance, France

This workshop will facilitate an exchange of knowledge among participants about the application of system safety methods to Systems of Systems (SoS), that is, systems whose components are themselves complex systems, such that the combined behavior of these components cannot be easily understood or explained in terms of the behaviors of the individual components. Examples of such systems are increasingly common across a variety of technological domains, including aerospace, defense, automotive, and energy generation/distribution. Traditional methods of system safety, focused on component failure as a source of safety risk, have limited value in understanding and managing the safety risks associated with a SoS. For example, an unforeseen interaction between two "correct" behaviors implemented by different components of a SoS may result in an unsafe behavior even in the absence of a component failure. The first part of the workshop will be a series of short presentations on SoS examples from a diverse variety of technical domains, namely advanced road vehicles, high energy physics, and aerospace/defense. The second part of the workshop will be an opportunity for all participants to address specific questions about the application of system safety methods to SoS through dialogue and impromptu mini-presentations.

Tuesday 08·13·13, 1:30-5:00, Fairfield, Workshop

Advancing Safety By Reducing Errors: A Fresh Approach
Presenter: Tim Autrey, BSc, Error Reduction and Human Performance Enhancement, Practicing Perfection Institute Inc., Swanzey, NH, USA

Potential hazards workers face while working in the refining and petrochemical industry can vary from minor leakage to major blasts: release of chemical vapors, spills leading to exposure to harmful gaseous chemicals, fires and explosions, and smoke build-up causing shelter-in-place impacting the local community, personal injuries, fatalities, and plant damage resulting in shut-downs. Considering time pressures, the dangerous nature of the job, weather conditions, lack of communication, poor/inadequate documentation, and remote working locations, planners, locators, and refiners often face combined challenges that generate very error-likely conditions.

While unexpected releases of toxic substances do occur, the industry is subject to vulnerabilities caused by others (such as processes involving highly hazardous chemicals leading to the release of flammable liquids and gases, and worker stress and fatigue), and investigations reveal that many of the major accidents that do occur could have been prevented through greater diligence on behalf of the respective personnel involved.

This workshop is designed to provide the participants with the awareness that, as humans, we are fallible (even the best people make mistakes). However, this being said, as humans we also possess the incredible power of choice. What we must do is choose to learn from our mistakes and take actions to prevent their recurrence.

Bird and Germain (1996) rightly said, "What is the sense of measuring if the loss must occur before you can act? That is reaction, not control." What we need is a fresh approach to enhance safe work practices. This session will instill a strong understanding of "The Gap" in processing information and how to RESPOND rather than REACT when posed with a stressful or threatening situation. The participants will come to recognize the value inherent in worker contribution to solving problems and improving safety and efficiency.

The Practicing Perfection® approach has taken the best-of-the-best tactics and tools from the US commercial nuclear power and airline industries, simplified them, and combined them with underlying triggers and influencers of behavioral psychology to transform worker behaviors pertaining to personal and process safety in different sectors.

Using this innovative approach of Practicing Perfection®, safe work practices will be discussed in-depth using the four human error barrier/defense categories and how these work together to prevent/allow an event to occur. The participants will be introduced to the Error Elimination Tools™ handbook, which offers simple tools for minimizing the potential for error at points of team interaction and individual execution.

Wednesday 08·14·13, 1:30-3:30, Arlington, Workshop

The Evolution of the UK Defence Safety Standards
John McDermid, Professor of Software Engineering at the University of York, UK

Issue 5 of DS 00-56 is being developed and is likely to be in force before the end of the year. The UK's primary defence safety standard, DS 00-56, has been in existence since mid-1990 and has undergone a number of changes, becoming more goal-oriented at Issue 4 (the current standard). When Issue 4 was produced, DS 00-55, the MoD software safety standard, was discontinued. Since the publication of DS 00-56 Issue 4 in 2007, there has been feedback on some of the requirements, including the challenges of applying the ALARP principle; defence contracting has changed, with a move towards the greater procurement of services and/or outsourcing management of facilities; and there is increasing use of Systems of Systems (SoS). Issue 5 of DS 00-56 is being developed to address these issues. At the same time, there have been increasing concerns regarding software safety, and it has been decided to re-introduce DS 00-55 at the same time, albeit in a goal-based style consistent with DS 00-56 and also covering complex electronics. The tutorial will present an explanation of the motivation for the changes to the standards and the significant conceptual changes, and outline the rest of the development process. Time will be allowed for discussion, e.g., the relationship between DS 00-56 and other standards, both civil and military.

Wednesday 08·14·13, 1:30-3:30, Fairfield, Workshop

Aircraft Fire & Explosion: How Safe Are the Friendly Skies?
Albert Moussa, PhD, PE

While commercial air travel is an extremely safe mode of transportation, aircraft fires and explosions can occasionally occur with catastrophic consequences. Using examples of recent accidents and full-scale testing, Dr. Albert Moussa will provide an overview of the main types of fires, such as those involving aircraft engine, fuel tank, cabin, and cargo areas. He will show how major accidents lead to safety recommendations by the NTSB, stricter requirements by the FAA, and improved practices by the industry. This process takes many years, leading eventually to safer skies. Examples of safety improvements include the use of a fire blocking layer in seats, improved acoustic insulation, fire detection and suppression systems in cargo bays, and fuel tank inerting. The implications of replacing aluminum with composite materials will also be discussed. The talk is an overview of a unique professional course that he teaches annually on the design of aircraft systems for protection against fire and explosion. The talk is a multi-media presentation illustrated with colorful slides and short video clips of real accidents and computer model outputs.

Dr. Albert Moussa has spent over forty years developing a fundamental understanding of fire and explosion, particularly for the aerospace/defense industry. His work has led to the development of a number of practical solutions and quantitative models, and to the investigation of several major national and international aircraft fire accidents. His forewarning about the vulnerability of aircraft fuel systems before the occurrence of the TWA800 and Concorde disasters has gained him prominence in the general media in both the US and Europe. He has consulted for the Air Force, Navy, and major firms such as Boeing, GE, Northrop Grumman, and Parker Hannifin, and has served on national advisory committees and on the Editorial Board of an ASME journal. He teaches a unique professional design course on how to protect aircraft systems against fire and explosion. He received his BS from Stanford University and his MS and ScD from MIT. He has published widely, including one book. He has received several honors, including the William Littlewood Memorial Lecture Award by SAE/AIAA, Engineer of the Year by AIAA NE Section, best papers by SAE and ASEI, AIAA Distinguished Lecturer, and several ASME citations. He is the Founder and Technical Director of BlazeTech Corp., an engineering firm that specializes in technology and software development in the area of energy, environment, and safety.

Friday 08·16·13, 8:00-10:00, Clarendon, Workshop

Process Safety Culture Best Practices
Presenter: Laurence Pearlman, MA, Corven Inc. and University of Illinois at Urbana-Champaign, Naperville, IL, USA

The workshop explores how process safety is more than a technical solution and involves cultural change. To make a successful and sustainable culture change, multiple elements need to be combined that address people, rewards, learning, and leadership. This workshop will explore best practices and give practical advice on how to build a process safety culture. The workshop is aimed at Oil, Chemical, and other process-related work.

• Introduction
• Change as a Journey: Overview of Change Management
• Building a Business Case: Defining a Burning Platform
• Speaking of Process Safety: Creating a Common Language for Process Safety
• Leadership Matters: Defining the Role of Your Leadership Teams
• Effective Learning: Segmenting Your Audiences and Delivering Relevant Learning Activities
• Looking at Behaviors and Desired Outcomes: How To Define & Drive Behaviors
• The Employee Lens: Know My Barriers & Know My Role in Keeping Them Healthy
• Measurement of Culture: What Works and What Doesn't
• Wrapping it Up: Change as a System

You have a lot on the line. Our adaptive Safety Management and FAA Compliance solutions won't let you down.

Adaptive SMS: The comprehensive solution for the most efficient implementation
• Extends a culture of safety beyond safety teams
• Easily guides users to confidentially report useful safety events
• Responsiveness shows users they made a difference

Adaptive Systems Safety Analysis: Safety-oriented system design analysis

Don't miss the Sikorsky Aircraft and AST Aerospace presentation "Linear Integrated Safety Analysis (LISA)"

A DIVISION OF ATLANTIC SOFTWARE TECHNOLOGIES
1-732-230-2590
sales@astaerospace.com
www.astaerospace.com

Paper Presentations

Monday 08·12·13 AM, Berkeley, Hazard Analysis, Chair: Barondes

Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models
Lucas Wind, Dr. Gabriele Schedl, and Juergen Floetzer, Safety Management Department, Frequentis AG, 1100 Vienna, Austria

Multiple failures of components due to shared causes, also known as Common Cause Failures (CCF), comprise an important class of failure types. These have to be taken into account in any serious assessment of safety critical systems deploying any redundancy concept. Whereas a qualitative assessment of CCF can be regarded as common practice, the exact numerical impact of CCF is usually less widely understood. Explicit representation of CCF is quite cumbersome and usually involves complex graphical representations within Fault Trees and RBDs. Focusing on a correct derivation of RAM data rather than on a comprehensive common cause analysis, an implicit representation of CCF is therefore often preferred, but it requires in-depth knowledge of the underlying mathematical models. This paper aims to enable safety experts to make a fast, simple, but effective RAM analysis including CCF. Popular CCF models are reviewed, together with their advantages and disadvantages, based on the long-term experience of a supplier in the context of a large European ATM project. The single-parameter beta-factor model is explained in detail and demonstrated to be most effective for typical ATM applications. Based on this model, results are given in terms of representative figures depicting the influence of CCF on various typical real-world availability requirements.

Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees
Wes Rainey, MSEE, Life Cycle Engineering, General Dynamics Electric Boat, Groton, CT, USA

Fault Trees prove to be an effective tool for identifying safety critical system hardware and software requirements during the Safety Requirements Hazard Analysis (SRHA) process. This safety analysis methodology offers significant benefits when performing the SRHA. Fault Trees effectively communicate the safety assessment of a safety hazard to other safety engineers, systems engineers, the customer, and other impacted engineering disciplines in a manner that each discipline can readily understand and evaluate for completeness and correctness. Fault Trees also enhance the safety engineer's ability to assess the implications of safety mishaps and events on safety hazards, improving visibility into the relationship between related mishaps and events and allowing common events to be identified and shared between hazards. Fault Trees can then be structured to correspond to the system hardware and software requirements analysis, thus providing the ability to identify hazard-mitigating safety critical requirements, design features, and procedures early in the development process for continued tracking and management. This paper describes significant benefits of Fault Tree analysis when applied to an SRHA, with an example based upon a hazard caused by significant equipment damage to a pump.

The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment
Omar T. Jaradat, PhD Student (1); Patrick J. Graydon, Postdoctoral Research Fellow (1); Iain Bate (2). (1) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden; (2) Department of Computer Science, University of York, York, United Kingdom

Typical safety standards require software engineers to show that a plan of safety activities, chosen from recommended options or alternatives, meets a set of objectives. For example, the automotive safety standard ISO 26262 recommends formally verifying software architectures to show that they comply with safety requirements. In this paper, we show how an existing approach to architectural model checking could be used to conform to ISO 26262.

The Architecture-Based Verification Technique for AADL Specifications verifies some completeness and consistency properties of Architectural Analysis and Design Language (AADL) models. An engineer transforms the AADL architecture into an UPPAAL model, generates a set of UPPAAL queries, and uses UPPAAL to check the queries. Using the resulting evidence, we have created a partial ISO 26262 safety case for an existing system that warns drivers of heavy vehicles before low fuel causes loss of power and vehicle control.

In this paper, we demonstrate how this model-checking evidence contributes to an ISO 26262 safety case. We then critically analyze the resulting argument, recommend means of achieving complete coverage of ISO 26262 objectives, and discuss the costs and benefits of architectural model checking in comparison to those of the other techniques recommended by ISO 26262.

Monday 08·12·13 AM, Clarendon, Ground Transportation, Chair: Millin

Achieving Confidence of a Safety Critical System Product and Its Applications
Fenggang Shi, PhD, RAMS Department, Thales Canada Transportation Solutions, Toronto, ON, Canada

A safety critical system product can be developed for multiple project applications, such as a Communication Based Train Control (CBTC) product for modern railway signaling systems. It is natural that different safety critical systems in the same domain can have different characteristics due to variances of devices and operation environment. Such a product must be developed based on the generic attributes of systems in the domain and can be parameterized and tailored to a specific system with the characteristics expected by the customer. The key issues in development of such a product are defining common functions in the application domain, categorizing and generalizing devices, and designing a configurable system architecture. Thus devices and functions can be parameterized and tailored for a specific system of a project. Safety engineering for such a safety critical system product and its applications faces complexity in safety case development for demonstrating systematic hazard analyses and management. This paper discusses Thales' experience and practice of resolving the key issues in designs and managing complexity of safety engineering on its CBTC product and applications. Safety confidence of CBTC systems is achieved through four layers of safety engineering: vital computer, controller platform, generic application, and specific application.

Failure Logic Automata for Future Oriented Safety Assessment of Train Control Systems
Guo Zhou, PhD Student; Huibing Zhao, Professor; School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China

In the development process of a train control system, safety analysis possibly deviates from system design. System engineers and safety engineers always carry out their ideas in entirely different ways, so that when system engineers assert their designs are complete and feasible, the safety engineers may disappointedly declare that the safety requirements are not met. On the contrary, when safety engineers expose their manual analysis reports (FTA, FMECA, etc.), system engineers may pop up and point out the inconsistency. Intuitively, there seems to be a "gap" between system engineering and safety engineering. In this paper, some comparisons amongst classic safety assessment methods are performed first. Then a future-oriented safety assessment method is introduced to safety engineering to automatically realize safety requirements verification in the face of the soaring complexity of system design. The hierarchical and modularized methodology of failure logic modeling is illustrated for minimal cut set synthesis and dangerous failure rate calculation, which can be referred to in order to prompt safety. The mathematical model is constructed to manifest the correctness of the method. An instance analysis of an on-board train protection system is also performed.

Are We Ready for Driverless Cars?
David B. West, CSP, PE, CHMM, AMCOM/AMRDEC Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA

For decades, technological advancements have continually improved the automobile, making it easier to drive. As we integrate features like adaptive cruise control, GPS navigation, lane keeping, and so on, and make them interoperable, we move ever closer to having cars that will drive themselves to the destinations we enter into their programs. Some experts have even predicted that in less than a generation it will be illegal to steer our cars ourselves. Though it may seem that serious safety challenges constrain our movement down this path, it may actually be the safety benefits offered by driverless cars that propel us in this direction. Several high-profile competitions have fostered the development of driverless car technology. Some jurisdictions are already passing legislation to pave the way for driverless cars on public roads. With driverless cars will come major changes in legal processes involving accidents. In many ways, the development of driverless cars that will operate on public roadways parallels the development of unpiloted aircraft that will fly in the national airspace. Design standards for hardware and software in civil aircraft (e.g., RTCA DO-254/DO-178) may serve as models for similar qualification of driverless car hardware and software.

Tuesday 08·13·13 AM, Berkeley: Hazard/Risk Management. Chair: Parizo

Safety is not an Option
Clifford A. Parizo, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Stratford, CT, USA; R. Brandon Daugherty, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Huntsville, AL, USA

This paper presents a method for evaluating and classifying rotorcraft safety enhancing equipment in terms of impact on safety and various equipment implementation factors. Guidance from certifying agency policy and system safety standard practice was considered, resulting in a classification tool that can be used to determine if equipment should be marketed and sold as either mandatory or optional. The methodology developed may have applications for other products and industries.

National Aerospace Standard 411 Update
Timothy Sheehan, CIH, CSP, PE, Raytheon Global Substances Program, Raytheon, Portsmouth, RI, USA

This paper describes the effort to review and update National Aerospace Standard 411 ("NAS 411"), commonly used within defense as a framework to conduct Hazardous Material Management Programs (HMMP) intended to reduce hazardous material risks in the government procurement of military systems. The scope of the effort includes both a review of the standard and the introduction of several key changes, including the expansion of the scope to non-military procurements and service contracts. Included in the effort is the task of developing a standardized military Hazardous Materials Target List (HMTL) that can be used as a starting point for military HMMP hazardous material (HAZMAT) target lists. The development of the common HMTL addresses the need to increase standardization of HMMP lists across defense programs that use NAS 411 and/or MIL-STD-882E Task 108 to conduct their HMMPs. There is currently no standard approach for developing these lists; as a result, there are numerous different materials identified for restrictions and reporting requirements. The current situation often does not support (or reflect) the hazmat risk management goals of the DoD, the military services, or the contractors.

Linear Integrated Safety Analyses (LISA)
Michael T. Grant, Aviation & Product Safety, Sikorsky Aircraft Corp., Stratford, CT, USA; Samad Muhammad, Atlantic Software Technologies, Inc., New York, NY, USA

This paper describes the Linear Integrated Safety Analyses (LISA) process developed by the Sikorsky Aircraft Corporation (Sikorsky). The LISA architecture is designed to encompass all aspects of safety risk management for aircraft development programs. It is linear in that each assessment is repeated at the aircraft, system, and subsystem levels in sequence, and it is integrated such that all analyses are connected and fully traceable to requirements. Sikorsky has partnered with Atlantic Software Technologies (AST) to develop a web-based LISA application. The end product will be a fully integrated system safety process that is comprehensive, repeatable, and traceable.

Tuesday 08·13·13 AM, Clarendon: Workspace Safety. Chair: Kondreck

Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen
Han Zhang, MSc Candidate; Rachel McQueen, MS, PhD; Jane Batcheller, PhD; Human Ecology, University of Alberta, Edmonton, Alberta, Canada

Burn injuries in kitchens are prevalent; as well, chefs are exposed to high heat and humidity. Limited research has been performed on safety issues related to chef's uniforms regarding thermal protective performance against common kitchen thermal hazards (i.e., flames, hot liquids, steam, and hot surfaces) and thermal comfort within commercial kitchens. The purpose of this research was to characterize the thermal protective performance properties of textiles used in chef's uniforms in order to understand how protective they are against all these thermal hazards in such an environment. Selected thermal performance tests (i.e., flammability and ease of ignition, hot water and oil splash, steam testing under low pressure, and hot surface contact tests) were applied to predict the time to second-degree burn. Different fabric layer combinations (e.g., impermeable/semipermeable apron and two or more layers of cotton fabrics) were applied to determine the most effective way to wear chef's uniforms. In addition, thermal and water vapour resistance were compared among different fabric systems in terms of thermal comfort. Based on the data obtained from bench scale tests, recommendations were made to improve the thermal protection and thermal comfort of fabrics used in chef's uniforms and the safety within commercial kitchens.

A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources
Ray Fischer (1); Kurt Yankaskas, BS (2); Chris Page (1). (1) Noise Control Engineering, Inc., Billerica, MA, USA; (2) Warfighter Performance Department, Office of Naval Research, Arlington, VA, USA

Noise remains the most prevalent occupational hazard associated with defense systems and operations critical to their sustainment. Concurrently, acquisition programs have been inconsistent in the application of control measures, and many new systems are noisier than their legacy predecessors. Common impediments to improved control include a relative lack of emphasis on risk management of noise, lack of widespread technical knowledge regarding the feasibility of noise control, and misunderstanding of the potential return on investment from noise controls. The Defense Safety Oversight Council's Acquisition and Technology Task Force sponsored a project to identify common noise sources affecting multiple defense systems that were amenable to control measures that could be implemented using existing technologies at an affordable cost. A system engineering risk management process was applied to review key noise sources in DOD, identify nine of the more common sources amenable to control technologies, and describe common control measures for these processes. An affordable containment (acoustic enclosure) technology was also evaluated and described. Estimates were made of exposed populations, the range of their occupational exposures, and the potential risk and fiscal cost of hearing loss. Cost-benefit analyses were applied to evaluate the return on investment from available control measures.

System Safety Design for Safe Operation of Radars
Ronald J. Bartos, PE, CSP, Whole Life Engineering, Raytheon, Sudbury, MA, USA

Safe operation and maintenance of radars depends upon effective system safety and software safety analyses of radar designs. These analyses include identification of the hazards involved in operating and maintaining radars and the safety requirements that are necessary to mitigate these hazards. This paper familiarizes the reader with the system safety design requirements that are implemented in the controls of these systems in order to manage the potential safety risks inherent in radars. The safety features are contrasted among different types of radars. The differences in the types of safety features among these systems are highlighted, and factors for these differences are presented. The radar's mission, location, system architecture, conceptual design, and requirements allocation between hardware and software need to be understood in order to implement an effective safety program.

Tuesday 08·13·13 PM, Berkeley: Software Engineering. Chair: Mikula

Dependability Techniques Applied to Space Software - A Research Project Report
Carlos Henrique Netto Lahoz, Dr. Eng., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos (SP), Brazil; Martha Adriana Dias Abdala, M.S., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos, Brazil

This work reports some results of a research project performed at the Institute of Aeronautics and Space (IAE), Brazil, using dependability techniques applied to a space computer system. Hazard analysis techniques such as Software FTA and Software FMECA were used in an integrated manner, and more recently the System-Theoretic Process Analysis (STPA) has been studied. This research is part of the Verification and Validation (V&V) efforts to increase software dependability capability in software projects at IAE.

The feasibility of such an approach was assessed on a system software specification and applied to a case study based on the Brazilian Launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to the inclusion of new functional and non-functional system software.

The techniques are adjusted and used in combination to identify common causes of software failures, their criticality, performance problems, temporal misleading, and hazards arising mainly from dysfunctional interactions between components. The SFTA analysis produced 82 basic events and the SFMECA 34 analyses from the sequence of flight and control events. The STPA is being applied to one of the case study scenarios in order to evaluate possible additional information about how the behavioural safety constraints can be violated.

The Principles of Software Safety Assurance
Richard Hawkins, PhD; Ibrahim Habli, PhD; Tim Kelly, PhD; Department of Computer Science, University of York, York, United Kingdom

We present common principles of software safety assurance that can be observed from software safety standards and best practice. These principles are constant across domains and across projects and can be regarded as the immutable core of any software safety justification. The principles also help maintain understanding of the 'big picture' of software safety issues whilst examining and negotiating the detail of individual standards, and provide a reference model for cross-sector certification.

Formal Modelling in the Development of Dependable Systems
Elena Troubitsyna, PhD, IT, Åbo Akademi University, Turku, Finland

Nowadays we tend to place increasing reliance on computer-based systems and the software they run. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, the analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.

It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing of software to the required degree of dependability infeasible, and hence the emphasis should be put on the development process, which is aimed at producing fault-free software. Moreover, the system environment has a direct impact on its dependability, and hence a systems approach should be applied.

In the paper we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.

Tuesday 08·13·13 PM, Clarendon: Aerospace Safety. Chair: Kraemer

Systems-Based Approach to Flight Safety Management in Airlines
Hong Chi, PhD; Baoguang Xu, PhD; Mingliang Qi, PhD; Xueyan Shao, PhD; Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China

Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of SMS. Since 2006 we have worked with one of China's 3 big airlines, taking part in its construction of SMS. We find that safety risks have their own features in different airline departments, and divide safety risks into two categories: one is caused by factors such as the quality of pilots and the reliability of airplanes, and the other is caused by misprocessing within operational processes; for example, a misprocessing in data entry during dispatching may lead to insufficient fuel and then serious outcomes. A reasonable risk assessment can be obtained only by systematic mechanism analysis, and other analytical approaches need to be studied besides the risk matrix. Based on this, effective risk mitigation can be implemented in airlines. We develop a closed loop to support an airline's flight safety management, named "Describing-Assessing-Diagnosing-Improving-Tracking". Specific details will be discussed in this paper.

Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch
Burak Durmaz, MSc Eng., Product Assurance Department, Space Systems Group, Turkish Aerospace Industries, Inc. (TAI), Ankara, Turkey

Even if new generation aircraft have rugged designs which maximize reliability, exposure to failures during operation is still indispensable. With a pure safety approach, one can arrive at the classical result: "the safest aircraft is the one in the hangar". Vice versa, allowing dispatch without ensuring a certain level of safety can lead to catastrophic results and is totally not acceptable. MMEL has been answering this dilemma for many years. Each MMEL item is analyzed taking into account the effects of item inoperability on safe flight and landing, crew workload, functional capabilities of the systems, design margins, and the impacts due to the next critical failure. MMEL proposes dispatch criteria for any inoperative MMEL item by taking credit from a redundant unit which is capable of accomplishing the same function, the backup data provided by alternative sources or equipment, dictating acceptable limitations, and/or requiring operational or maintenance procedures.

This study aims to answer questions such as why MMEL is required and how an MMEL is developed. Also, brief information about the MMEL regulations, the importance of MMEL to ensure safe dispatch with inoperative item(s), and some simple examples regarding MMEL applications are going to be provided.

Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics
Stuart Campbell, Sr., MAS, CFII, ATP, Aeronautical Science, Embry-Riddle Aeronautical University, Daytona Beach, FL, USA

The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilots Association, 2010). The absence of a positive safety culture in general aviation, to include training organizations, affects pilot judgment and decision making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture during the learning process and training, is of importance and currently under study using the Frasca Mentor Advanced Aviation Training Device.

Tuesday 08·13·13 PM, Dartmouth: Software Safety. Chair: Schmedake

Safety and/vs. Security: Towards a System Engineering Approach for Trust
Erwin Schoitsch, Dipl.-Ing., Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria

Safety has a long tradition in many engineering disciplines, evolving long before computers arrived on the scene. Security in engineering disciplines has a shorter history, becoming increasingly important with the rising complexity of networked systems. In complex cyber-physical systems and systems-of-systems, both worlds, having ignored each other for a long time (independent communities, different targets, standards, techniques and measures), now have to share their concerns to achieve the real goal of users and stakeholders: trustworthy systems.

The paper will compare the different approaches of the major safety and security standards, particularly with respect to setting goals, considering techniques and measures, and qualification/certification. Holistic system aspects, as covered by the notions of Dependability and Resilience as umbrella terms, and system engineering aspects taking into account dichotomic properties of complex embedded systems (commonalities and trade-offs) are looked at to try to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from concept phase, hazard and risk analysis to decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC-FP7 Integrated Project OpenCoss, in IEC/ISO standardization groups, and other work.

Anatomy of a Safety Critical Software Function
Richard Church, Raytheon Company, Tewksbury, Massachusetts, USA

This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides a clear and concise determination of how a safety critical function may be defined at the system level to include hardware, software, human interactions, and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose SLSCF computing level functions and details what constitutes a Safety Critical Computing Software Function (SCCSF) and how to identify those behavioral attributes that designate that function as safety critical. This paper provides a methodology to identify, decompose, and categorize application and operating environment SCCSFs. For the purpose of this paper, SCCSFs are categorized into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety critical software functions that control and monitor safety critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies, and fail-safe designs found in successful high consequence safety critical systems.

Software Risk: The Third Rail of Safety Analysis
Holly S. Hildreth, PhD, Consultant; Charles Greg Elcock, USN-R Aviator, Consultant; San Diego, CA, USA

"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Due to our inability to assess the probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called "throwing the baby out with the bath water". Meanwhile, the recent industry trend to assess software risk based solely on implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss shortcomings of this trend and describe alternative techniques that have not been openly documented but that have been used "under the radar" by software safety professionals for many years.

Wednesday 08·14·13 AM, Berkeley: Human Factors. Chair: Robins

ASL - Affective Safety Leadership
Ulrik Ramsing, Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark

Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how", demanding that the CoRep engage with all parties in a safe, professional, and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged with CfL, Centre for Leadership, to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, of which satisfactory completion is now a requirement for employment in DONG E&P Offshore Operation as Company Representative.

The CoRep Program satisfies its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors, and ILO-driven offshore coaching.

Exxon Valdez: Human Error, Plain and Simple
Arthur D. Barondes, BS (Mil. Engr.), MS (Aero), MBA, PhD (ABD) (Business), Analytics International Corporation (AIC), Alexandria, VA, USA

Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989, and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors (there were no mechanical or electrical failures that fateful night), the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots, and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors, onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company, as solely responsible for the disaster.

Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A. Vernacchia, MS, PE, Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A. Green, PhD, Active Safety Systems, General Motors, Warren, MI, USA; Robert E. Llaneras, PhD, Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA

Today's electric propulsion system designs (e.g., Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, some failure modes may result in the failure effect on output torque being realized significantly faster than traditional ICE failure modes. These may present differences in how output torque responses impact potential "Driver Startle" events.

This paper compares electric propulsion systems' fault response characteristics and subsequent detection and mitigation capabilities to those of ICE systems. The effects of the electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle level hazard metrics related to Driver Startle, are presented.

Wednesday 08·14·13 AM, Clarendon: Public Safety. Chair: Fletcher

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD; Yun Luo; Shuo Tian, MS; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

Scientific precaution and effective control of accidents are important for the national production of China. The famous Heinrich Rule reveals that the statistical law of the severity and frequency of accidents is essential to control accidents, but the accident source and causation, as well as the essence of systematic safety factors, haven't been stated deeply. With data analysis from various accident statistics over recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. Then a proportion rule of the accident pyramid is further figured out, namely "Major Accident - Fatal Accidents - General Accidents - Hidden Dangers - Hazards" (1-52-240-4700-∞). The result accords with the traditional Heinrich Rule, which provides the theoretical basis for accident prevention and indicates the way and direction of realizing essential safety.

Technical and Economic Aspects of Industrial Safety at a Large Enterprise with Distributed Sites Located in a Megacity
Ilya M. Zheleznov, PhD, VNIIA, Moscow, Russia

The paper presents a review and results of analysis of different technical and economic aspects of industrial safety at a large enterprise with distributed sites, combining R&D work with pilot and batch production of high-tech products, and located in a megacity, Moscow.

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to optimization are considered, from both technical and economic points of view, taking into account minimization of transportation of dangerous substances, localization of treatment facilities (waste effluents, gas purification) and waste storehouses, localization of systems for maintaining working conditions (heating, air-conditioning, air clearing, water supply, etc.), possible harm to the population, and a number of other factors.

The features connected with the location of the enterprise in a megacity are identified, including limitation of the areas for treatment facilities, a high saturation of the area by various communications, small distances to residential buildings and city infrastructure, transport problems, high impurity of the air environment, etc.


Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr., Professor G.A. Smirnov; Dr. D.I. Yurkov; D.V. Syagin; T.V. Kozhina; All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia

The paper reviews the questions related to vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including ones of a terrorist orientation, as well as to emergency situations of natural and anthropogenic character.

The main provisions of the Russian Government approved complex program of safety of the population on transport are presented. Approaches to the organization of examination of physical persons (passengers), vehicles, cargoes, luggage, and personal things on transport infrastructure objects of the undergrounds of Russia are formulated. Some types of neutron and x-ray equipment for detection of explosives, nuclear materials, and drugs, designed and produced by VNIIA named after N.L. Duhov, are presented.

Wednesday 08·14·13 AM, Dartmouth: Lifecycle Safety. Chair: Swallom

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore, Singapore

System Safety analyses assess the systems' hazards throughout all phases of the system life cycle. Quite often, details of maintenance tasks on systems are not clearly thought out and assessed. Hence, while in the midst of carrying out system maintenance tasks, hazards could arise and pose safety implications to users. Improper maintenance could also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance and sometimes total replacement of the components at regular intervals are required. Therefore, it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety critical or safety related parts is also crucial in ensuring that the systems remain safe for operation after conducting maintenance.

This paper attempts to classify the different types of maintenance and the focuses of their respective hazard analyses in order to better address their potential hazards. Generally there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance, and Reliability-Centered Maintenance. The authors will discuss, with examples, the hazard analysis for each of these types of maintenance.

Advertisement: ALD Software. 30 Years of System Safety Leadership.
Safety Service for Mission & Product Assurance. Safety Software for Highly Integrated Systems. Safety Training for Professionals.
Contact Us Today for Free Web DEMO or Evaluation. USA Office: 5721 W. Slauson Ave., Suite 140, Culver City, CA 90230. Tel: 1-310-338-0990. Fax: 1-310-338-0999.
Clients (list truncated in the original): ing | AIRBUS | ALSTOM | BAE | CATERPILLAR | DEUTSHCE BAHN | EADS | FAA | FINMECCANICA | IAI | SELEX Galileo | Bo; LOCKHEED MARTIN | NASA | NORTHROP GRUMMAN | SCAC | SAAB | THALES ALENIA SPACE | VIBRO-METER | US NAVY | THA
Products: RAM Commander, Ultimate Tool for Safety Assessment; FavoWeb, World Standard in FRACAS; D-LCC, Dynamic Cost Control.
www.aldservice.com

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram, David Hartfelder, Electronic Controls and Software, General Motors Company, Milford, MI, USA

System safety engineering is the application of special technical methods and managerial processes in a systematic manner to identify, evaluate, and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned with eliminating or minimizing the impact of system hazard(s) to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementary critical safety analyses, tests, and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that they are able to influence the design of the system. This paper will define a system safety case and provide an overview of its development within the GM system safety engineering process as applied to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA

Error Prevention Event Collection (EPEC) Documents have been beneficial to the ULA organization in many ways by providing multiple methods to augment current ULA Error Prevention processes and to share Lessons Learned throughout the ULA organization. EPEC Documents are stand-alone documents that provide ULA personnel with categorized sets of Event information that can be used to augment Preventive Analysis, Reactive Analysis, and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process; this means that they have completed the Causal Analysis, Corrective Action Board, and Error Prevention Council processes. Upon Event closure, the "All Items" Database is populated with the Event information and the applicable Event EPEC Categories. The "All Items" Database then automatically sorts Event entries into "Category" Databases; there is one "Category" Database for each EPEC Category. Each "Category" Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" Database that provides users with instructions for use, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications, and benefits will continue to be explored as they relate to the EPEC Documents.

Wednesday, 08/14/13, AM, Exeter: Human Factors II. Chair: Flint

Development of Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy; Yanyan Wang, DE; Xin Liu; Wei Bai; Xinsheng Guo; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China

Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress has a disadvantageous effect on flight safety. Life events are a routine item of aircraft accident investigation in many countries, and many pilots involved in accidents were suffering from life events. In order to achieve the ideal effect, flight safety education must be incorporated with psychology. An education program combining flight safety and psychological stress was developed by summarizing the psychological factors relevant to aviation risk perception. The program includes three sections: psychological measurement relevant to safety, with feedback of the results; education on representative risk scenes in aviation; and occupational stress management. The Aviation Safety Locus of Control scale and the Hazardous Aviation Attitude questionnaire were used to evaluate risk patterns, and the results were fed back to the pilots to improve their self-knowledge. The representative risk scenes were based on the five hazardous attitudes theory; fifteen cases were developed, and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed in order to teach the pilots stress management skills. The program can be applied to improve the flight safety and mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD; Xin Liu; Wei Bai; Xinsheng Guo; Qingfeng Liu, MPsy; Xiaochao Guo, DPsy; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China

The capabilities of crew resource management (CRM) relate directly to flight safety and run through the whole process of flight tasks, but there are currently no indicators and methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and the pilot's behavior characteristics of dynamic CRM were developed, based on AC-121-FS-2011-41 crew resource management training and on an analysis of the influential factors; from these, the dynamic assessment training indicators and methods for crew resource management were formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis for assessing CRM during flight training, which is helpful for improving the CRM capabilities of the double drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD; Erin Collins; Hughes Associates, Inc., Baltimore, MD, USA

The fire protection response in selected facilities is characterized by "manual" activities. That is, facility personnel are trained to react immediately after fire detection, not only to announce the fire event throughout the facility using the communication systems, but also to suppress the fire as quickly as possible. Contrary to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e., hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper involves an integration of event tree analysis and HRA, which includes treatment of the following detection and suppression activities: prompt detection and suppression, rapid detection and suppression, and fire brigade suppression.

Wednesday, 08/14/13, PM, Berkeley: Safety Topics. Chair: Gauthier

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou, BEng, MSc, PhD, CEng; Matthew Luckcuck; Tim Kelly, PhD; Richard W. Jones, PhD; Department of Computer Science, University of York, York, United Kingdom

There has been an increasing use of IT in healthcare, aiming to improve the quality of healthcare as well as the safety delivered to patients. IT can contribute to improvement in meeting the performance targets of hospitals by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent in medical devices (e.g., pacemakers), for which there are organised efforts for international standards. Recently there have been attempts to systematise and standardise the safety analysis of health IT systems, with examples such as the UK National Health Service standards asking for a safety case that any IT systems are safe.

The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety and data-intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these tactics can be used to provide assurance to the final safety case of the system.

How Complex Systems Fail - I: Decomposition of the Failure Histogram
Richard R. Zito, PhD; Richard R. Zito Research, LLC, Tucson, AZ, USA

Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that in general the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model, and the failure histograms (failure rate vs. time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report will take the Peterson/Arellano analysis one step further. A unified theory of failure rates will be presented that removes the paradoxes of the simple Rayleigh model. It will be shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function law.
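The mechanism the abstract describes, several subsystems each following its own Rayleigh law, can be checked numerically. The following Python snippet is an added illustration, not code from the paper or from Zito Research: it builds a mixture of Rayleigh failure curves from constructed subsystem modes, fits a single Rayleigh law to the mixture by matching the mean, and compares the tail mass of the two beyond a late time. The subsystem modes and equal weights are assumed sample values.

```python
import math


def rayleigh_pdf(t, sigma):
    """Rayleigh failure-rate curve; its mode (the histogram peak) sits at t = sigma."""
    return (t / (sigma * sigma)) * math.exp(-t * t / (2.0 * sigma * sigma))


def rayleigh_survival(t, sigma):
    """Fraction of failures that occur later than time t under one Rayleigh law."""
    return math.exp(-t * t / (2.0 * sigma * sigma))


def mixture_survival(t, modes, weights):
    """Tail of a system made of several subsystems, each with its own Rayleigh mode.

    `weights` is the share of total failures each subsystem contributes; they must sum to 1.
    """
    if abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("subsystem weights must sum to 1")
    return sum(w * rayleigh_survival(t, s) for s, w in zip(modes, weights))


def matched_single_mode(modes, weights):
    """Mode of the single Rayleigh law that has the same mean as the mixture.

    A Rayleigh law with mode sigma has mean sigma*sqrt(pi/2), so matching the
    means reduces to the weighted average of the subsystem modes.
    """
    return sum(w * s for s, w in zip(modes, weights))


def tail_excess(modes, weights, t):
    """How many times heavier the mixture's tail beyond t is than the single-law fit's."""
    single = rayleigh_survival(t, matched_single_mode(modes, weights))
    return mixture_survival(t, modes, weights) / single


# Constructed example (assumed values): three subsystems whose failure histograms
# peak at 1, 2 and 4 time units and that contribute equally to the failure count.
SUBSYSTEM_MODES = [1.0, 2.0, 4.0]
SUBSYSTEM_WEIGHTS = [1.0 / 3.0] * 3

if __name__ == "__main__":
    sigma_fit = matched_single_mode(SUBSYSTEM_MODES, SUBSYSTEM_WEIGHTS)
    t_tail = 3.0 * sigma_fit  # a point well past the peak of the fitted law
    print(f"single-law fit: mode = {sigma_fit:.3f}")
    print(f"tail mass beyond t = {t_tail:.1f}:")
    print(f"  single Rayleigh : {rayleigh_survival(t_tail, sigma_fit):.5f}")
    print(f"  Rayleigh mixture: {mixture_survival(t_tail, SUBSYSTEM_MODES, SUBSYSTEM_WEIGHTS):.5f}")
    print(f"  ratio           : {tail_excess(SUBSYSTEM_MODES, SUBSYSTEM_WEIGHTS, t_tail):.2f}")
```

With these assumed modes the mixture keeps several times more failure mass past three fitted modes than the single Rayleigh law does, which is the heavy-tail effect the abstract attributes to mixing subsystem laws; the slowest subsystem dominates the late region, which is also why a late-time histogram can look closer to a slow decay than to a single Rayleigh fall-off.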

Wednesday, 08/14/13, PM, Clarendon: Risk Assessment. Chair: Karedes

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt; Joan Pham, PhD; Sikorsky Aircraft Corporation, Stratford, Connecticut, USA

The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and their interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday, 08/15/13, AM, Berkeley: Space Systems. Chair: Durmaz

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X. Dang, BSCE (1); Myles P. Moran, BSME (2); Tyrone Jackson, BSEE (1); (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA

A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. As an example, one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 AFSPCSUP1, 91-217, and 63-101. AF program offices are required to comply with AFI policies; AFIs don't generally apply to the contractor except as implemented through the contract. Often, program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that by having two sets of requirements, AFIs for program offices and MIL-STD-882-Tailored for contractors, full compliance with AF Orbital Safety policy should be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"

Program ISSC 2013

Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G. McDougall, BS Physics, Naval Post-Graduate School (NPS) Master System Engineering; System Safety Center, SMC/SE, El Segundo, CA, USA; Tyrone Jackson, BSEE; System Safety, Space and Missile Systems Center, El Segundo, CA, USA

Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing the development, acquisition, fielding, sustainment, decommissioning, and disposal of systems, subsystems, end items, and services during the entire space system lifecycle, to support the Operational Safety, Suitability, and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements that are applicable to the acquisition of space systems or space systems of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems, and user equipment systems. SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP_I, and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process for evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing the tasks and activities required to execute a viable system safety program, which include risk acceptance package development, hazard tracking, mishap risk disposition, and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar; System Safety, United Launch Alliance, Highlands Ranch, CO, USA

United Launch Alliance launches Atlas V and Delta IV from the Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles, and large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire, and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle, and prelaunch operations, until liftoff. Range Safety regulations provide safety requirements for hardware, software, and operations to ensure safety throughout ground processing. This paper will examine each stage of the ground processing for space launch and the applicable safety requirements, and discuss how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, the location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after the personnel are cleared, using safety-critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday, 08/15/13, AM, Clarendon: Weapons Safety. Chair: Southwick

Security Critical Software — the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S. Alborzi, PhD; Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA

Today's political landscape, the arbitrary abandonment of non-proliferation of nuclear weapons by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense of system safety. This paper intends to explore this integration and unveil some of the security critical software that can serve as the first line of defense for preserving the safety critical features of our weapons systems.


Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams, BME; Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello, BSChE; Navy NOSSA, Indian Head, MD, USA

The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance provided in the associated AOP-7 and AOP-39 for implementing policy. Questions are often raised during program development and reviews as to the origin and applicability of the tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of the test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, will only address Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE; Gunendran Sivapragasam, MBA SE; Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA

A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among the characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday, 08/15/13, AM, Dartmouth: Hazard Identification. Chair: Oliver

Closing the Gaps in System Safety Coverage
Seet Ting Siow; Management Systems & Processes, ST Kinetics, Singapore, Singapore

We often ask ourselves why accidents or mishaps happen even when the system safety methodology and assessments are in place. Accidents happen due to many possible causes: there could be lapses in the safety integrity of the system, a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns whereby a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations that were faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practices in system safety. There are 4 areas of concern highlighted in the paper: Interfaces; Prototype, Tests & Trials; Maintenance & Disposal; and Human Error. By identifying the gaps in these 4 areas, the author explores and proposes mitigation measures that could possibly close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr. Cand. scient.; System Safety, SINTEF, Trondheim, Norway

Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body for certification according to IEC 61508, a Notified Body for certification according to the relevant EU directives, and a Manufacturer.

Experience has shown that, to deliver the product in time and to be cost-effective, it is very important that the Manufacturer and the Certification and Notified Bodies agree about basic principles concerning the plans, contents, traceability, and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Body as evidence.

This paper presents the CoVeR method, which has been developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification, and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, that costs are minimized, that time to market is reduced, that the certification process is complete and well documented, and that updating the certificates requires less work. The certification experiences to date show that many of the problems with conventional methods are improved upon.

Design with Safety Eye
Barış Berk Erdem, MS; Pinar Aydin, MS; Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey

Deriving safety requirements in the early stages of the design is one of the most important key factors in conducting a successful development process for any project. While well-defined, correct, consistent, and complete safety requirements improve and guide the design to perfect levels with minimum effort, defective, inconsistent, and incorrect safety requirements may lead to unsuccessful, overweight, and over-cost designs. In this paper, the ways and advantages of deriving qualified safety requirements in the early stages of the design will be discussed via examples. Safety requirements are derived using the results of the safety assessments, based on the consequences of functional failures. But the quality of the safety assessments depends on the maturity of the design, and as the design matures it becomes hard to change and to implement the changes; this causes a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated, and familiar with similar projects provides great contributions. Also, a safety perspective throughout the design team makes it easy to derive valuable safety requirements and to build these requirements into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is the cooperation of the whole design team with a safety perspective.

Thursday, 08/15/13, PM, Berkeley: Aerospace Software. Chair: Beecher

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway; NASA Langley Research Center, Hampton, VA, USA

For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements." Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments, contained in or implied by the DO-178C guidance, that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow; School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore, developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper, we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels, and Baconian probability. We define use cases for confidence in safety cases: prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases, we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for the reuse of safety elements.

Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System
Eric Yang, PhD; Richard Y. Xie, PhD; Arash Yousefi, PhD; Metron Aviation, Inc., Dulles, VA, USA

As demand for military, civilian, and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety that is set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper, we adapt a previously developed safety modeling framework, the Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and to evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with: incompatibility of sense-and-avoid systems between different types of UAS; incompatibility between the sense-and-avoid systems of UAS and the Tactical Collision Avoidance Systems (TCAS) of manned aircraft; loss-link procedures in the UAS; and UAS loss of communication with air traffic control. The findings of this study provide insight into the potential risks of UAS integration and may support the development of a concept of operations, the establishment of minimum performance standards, and the development of required safety nets.

Thursday, 08/15/13, PM, Clarendon: Public Safety II. Chair: Laabs

Integrating System Safety and Emergency Management
Terry L. Hardy; Great Circle Analytics, LLC, Denver, CO, USA

System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations, or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience, and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS; HSE, Marine Well Containment Company, Houston, TX, USA

Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips, and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain, and advance well containment systems for the deepwater US Gulf. Following its formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess, and Statoil. In February 2011, MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, to flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS, and its Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach for working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.


A Taxonomic Analysis on Chinese Special Equipments "Yinhuan" in Supervision
Yunxiao Fan, Dr., Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety at the worksite. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices, and automobiles. In recent years, the rapid increase in the numbers and types of special equipment has put BSES under increasing stress in regulating special equipment. As the government supervision organization, BSES tries to make the inspection tasks of the different supervision levels explicit and efficient, and to improve safety management performance from the viewpoint of risk. This research is the first task in a project that aims to identify yinhuans in special equipment supervision through a taxonomy approach, for further ranking them through risk assessment. Based on nonconformity and the 4 elements of the accident causation model, this research defined yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. This research identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans for 8 types of special equipment.

Thursday, 08/15/13, PM, Dartmouth: Hazard/Risk Management II. Chair: Kniess

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1); Patrick J. Graydon, PhD (2); Rikard Land, PhD (1); (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework including analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach, the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence; it can ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA

United Launch Alliance (ULA) believes error reporting is the corner-stone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012 ULA experienced an elevated number of transportation-related Events in a relatively short time period. Logically, the question “are these processes out of control?” was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if the associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates the processes were “in control” during the period of this study.

Program ISSC 2013

Isograph Software – World Leading Reliability, Availability and Maintenance Software. www.isograph-software.com
Reliability Workbench: Reliability Allocation, Prediction, FMECA, Fault Tree Analysis, Event Tree Analysis, Markov
Availability Workbench: Reduce Labor & Spares Costs; Increase uptime and output; Seamless integration with SAP and Maximo

Even though statistical analysis tools demonstrated ULA’s processes were “in control”, ULA continues to pursue a “Zero Defects” objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.
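As an added illustration of the P-charting technique the abstract describes (example code written for this program, not ULA’s own analysis or data), the following computes variable-subgroup-size P-chart limits over constructed monthly counts of transportation moves and error Events and flags the months that fall outside the limits; the month names, move counts and Event counts are all assumptions.

```python
"""P-chart (attribute control chart for the proportion nonconforming) applied to
error Events, following the Statistical Quality Control technique described in the
abstract above.  Added example; the monthly figures below are constructed, not ULA data."""
import math
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class PChartPoint:
    period: str
    n: int            # opportunities in the period (e.g. transportation moves)
    events: int       # error Events recorded in the period
    p: float          # observed proportion: events / n
    ucl: float        # upper control limit for this subgroup size
    lcl: float        # lower control limit for this subgroup size (floored at 0)

    @property
    def in_control(self) -> bool:
        return self.lcl <= self.p <= self.ucl


def p_chart(periods: Sequence[Tuple[str, int, int]], k: float = 3.0) -> Tuple[float, List[PChartPoint]]:
    """Return (p_bar, points).  The centre line p_bar is pooled events / opportunities.
    Because subgroup sizes vary, each period gets its own k-sigma limits:
        p_bar +/- k * sqrt(p_bar * (1 - p_bar) / n_i)
    """
    total_n = sum(n for _, n, _ in periods)
    total_events = sum(d for _, _, d in periods)
    if total_n <= 0:
        raise ValueError("need at least one opportunity")
    p_bar = total_events / total_n
    points: List[PChartPoint] = []
    for period, n, d in periods:
        if n <= 0 or not 0 <= d <= n:
            raise ValueError(f"bad subgroup {period}: n={n}, events={d}")
        sigma = math.sqrt(p_bar * (1.0 - p_bar) / n)
        ucl = min(1.0, p_bar + k * sigma)
        lcl = max(0.0, p_bar - k * sigma)
        points.append(PChartPoint(period, n, d, d / n, ucl, lcl))
    return p_bar, points


def out_of_control(points: Sequence[PChartPoint]) -> List[str]:
    """Periods whose observed proportion lies outside its control limits."""
    return [pt.period for pt in points if not pt.in_control]


# Constructed monthly subgroups: (month, transportation moves, error Events).
MOVES_2012 = [38, 42, 40, 45, 41, 39, 44, 40, 43, 41, 38, 42]
MONTHS = [f"2012-{m:02d}" for m in range(1, 13)]

# A cluster of elevated months (Jul/Aug) that still sits inside the limits.
EVENTS_IN_CONTROL = list(zip(MONTHS, MOVES_2012, [1, 0, 2, 1, 0, 1, 4, 4, 1, 0, 1, 1]))
# The same year, but August carries a genuine shift in the error proportion.
EVENTS_WITH_SHIFT = list(zip(MONTHS, MOVES_2012, [1, 0, 2, 1, 0, 1, 4, 8, 1, 0, 1, 1]))


def report(periods: Sequence[Tuple[str, int, int]]) -> None:
    """Print the chart as a table, marking any out-of-control month."""
    p_bar, points = p_chart(periods)
    print(f"centre line p_bar = {p_bar:.4f}")
    for pt in points:
        flag = "" if pt.in_control else "  <-- out of control"
        print(f"{pt.period}  n={pt.n:3d}  events={pt.events:2d}  p={pt.p:.4f}  "
              f"LCL={pt.lcl:.4f}  UCL={pt.ucl:.4f}{flag}")
    print("out of control:", out_of_control(points) or "none")


if __name__ == "__main__":
    report(EVENTS_IN_CONTROL)
    report(EVENTS_WITH_SHIFT)
```

The first dataset reproduces the situation in the abstract: two elevated months in a row that nevertheless stay within the limits, so the process is judged “in control”; the second shows what a real shift looks like on the same chart.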

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, PEng, MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece

Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators based on the timely capture of significant sets of data can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how the STAMP-Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents and incidents. The objective is to show the feasibility of establishing, in airports, system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems and airports to assess and predict changing levels of risk.


Special Functions

Saturday: SSS Executive Council Meeting, 12:00 - 5:00pm, Tremont Room
Sunday: SSS Executive Council Meeting, 8:00am - 5:00pm, Tremont Room
Monday: Speakers’ Breakfast, 6:30 - 8:00am, Simmons Room
Monday: Opening Ceremonies, General Session, 1:30 - 3:30pm, Salons A-E. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow Member Emeritus. Keynote Speaker: James P. Keller Jr., MS, ECRI Institute
Tuesday: Speakers’ Breakfast, 6:30 - 8:00am, Simmons Room
Tuesday: Sponsor/Exhibitor Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology
Tuesday: Sponsor & Exhibitor Reception, 6:30 - 8:30pm, Gloucester Room
Wednesday: Speakers’ Breakfast, 6:30 - 8:00am, Simmons Room
Wednesday: International Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK
Wednesday: Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00pm. Be in the hotel lobby at 6:00pm
Thursday: Speakers’ Breakfast, 6:30 - 8:00am, Simmons Room
Thursday: Awards Luncheon, 11:30 - 1:20pm, Salons A-E
Friday: Speakers’ Breakfast, 6:30 - 8:00am, Simmons Room
Friday: Best Papers Presentations, 8:00 - 11:20am, Dartmouth Room


32nd International System Safety Conference, 4-8 August 2014 · St. Louis, MO
St. Louis Union Station Marriott Hotel
Gateway to Safety

Local Attractions
• Gateway Arch Riverfront
• Missouri History Museum
• Museum of Transportation
• St. Louis Cardinals
• St. Louis Symphony
• St. Louis Union Station
• St. Louis Science Center
• The Contemporary Art Museum St. Louis
• Bissell Mansion Restaurant and Dinner Theater
• Missouri Botanical Gardens
• Laumeier Sculpture Park
• Anheuser-Busch Brewery
• Kemp Auto Museum
• Schlafly Bottleworks
• Fox Theater
• Purina Farms
• Meramec Caverns
• Laclede’s Landing
• City Museum
• Magic House
• Grant’s Farm
• St. Louis Zoo
• Delmar Loop
• Forest Park
• Harrah’s
• Six Flags


About the System Safety Society

The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program or activity at the planning phase and continues through the design, production, testing, use and disposal phases.

The Society’s Objectives
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070. www.system-safety.org, email: systemsafety@system-safety.org

Points of Contact

Officers
Robert Schmedake, President, robertaschmedake@boeing.com
Dr. Rod Simmons, Executive Vice President, rodsimmons@me.com
Dr. Matt Johnson, Executive Secretary, mjohnson@staudertech.com
Pam Kniess, Treasurer, pamkniess@gmail.com
Gary Braman, Immediate Past President, gbraman@sikorsky.com

Directors
Gerry Einarsson, Chapter Services, einargk@rogers.com
Lynece Pfledderer, Conferences, Lynecepfledderer@lmco.com
Dr. Chuck Muniak, Education & Professional Development, cmuniak@stevens.edu
Debbie Hale, Gov. & Intersociety, Hale0324@hotmail.com
Robert Fletcher, International Development, rwfletcher@sympatico.ca
Melissa Emery, Member Services, memery@apt-research.com
Steve Mattern, Mentoring R&D, smattern@bastiontechnologies.com
Saralyn Dwyer, Publicity & Media, sdwyer@apt-research.com


Chapters

Tennessee Valley Chapter (AL): Don Swallom, swallom@isss-tvc.org
Saguaro Chapter (AZ): Amanda Boysun, 520-794-5487, AmandaBoysun@raytheon.com
Bay Area Chapter (CA): Graham Murray, 408-756-2674, grahamtmurray@lmco.com
Central California Chapter (CA): Kathleen Brenna, KathleenBrenna1@us.af.mil
Sierra High Desert Chapter (CA): Jerry Banister, 760-377-4690, safetycitadel@earthlink.net
Southern California Chapter (CA): Francis McDougall, 310-653-1309, francismcdougall@us.af.mil
Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppe@comcast.net
Georgia Chapter: Terry Gooch, 770-494-3527, terryjgooch@gmail.com
Winners Circle Chapter (KY/IN): Marc Bever, 812-854-1351, Marcbever@navy.mil
Twin Cities Chapter (MN): Bill Blake, 763-744-5086, billblake@atk.com
New England Chapter: Alan E. Southwick, 401-842-2067, Alan_E_Southwick@raytheon.com
Northeast Chapter: Scott Beecher, scottbeecher@pw.utc.com
New Mexico Chapter (NM): William (Bill) Harwood, williamharwood@mda.mil
Houston Chapter (TX): Derek Robins, 281-335-2011, derekrobbins@mwcc-usa.com
North Texas Chapter (TX): Frank Rinaldo, 817-762-3075, frankrrinaldo@lmco.com
Washington DC Chapter: Sean Peters, seanpeters@urs.com
Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerber@baesystems.com

International Chapters
Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbecht@rgbassurance.com.au
Canada Chapter: Maury Hill, 613-220-0533, Mauryhill@rogers.com
Israel Chapter: Haim Kuper, 972-4-8315044, haimkuper@elbitsystems.com
Singapore Chapter: Ten Lin Mei, tlinmei@dso.org.sg


31st ISSC Luncheon Menu

Tuesday, August 13
New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14
Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil’s Food Cake, Ganache and Berry Sauce

Thursday, August 15
Caesar Salad
Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce
White Chocolate and Blood Orange Torte


Speakers

Rex B. Gordon, MPH, PE, CSP, Fellow Member Emeritus: Opening Ceremonies 50th Celebration Speaker

Rex Gordon is a 50-year Charter Member and current Historian of the System Safety Society. He is a past President and Editor of the Journal. He served as Chairman of the 2nd ISSC and of both the Northeast and Southern California Chapters. He has represented the Society on the boards of the Reliability and Maintainability Symposium (RAMS) and Certified Safety Professionals (CSP). He is a Chapter Member and past Chairman of the Government Electronic Industries Association (GEIA) G-48 System Safety Committee. He has co-authored two text books and over 15 published papers. He has lectured at the George Washington University and USC. He has represented the Society at functions held in the White House, the Pentagon, and in Germany, Holland and Paris.

He is retired after 40 years of employment as a System Safety Engineering Specialist, Manager and Consultant. He currently lives with his wife of 61 years in Fallbrook, CA.

James P. Keller Jr., MS, ECRI Institute: Keynote Speaker

As Vice President, Health Technology Evaluation and Safety, James Keller directs ECRI Institute’s internationally recognized Health Devices Evaluation Program, which provides independent judgment and guidance to help hospitals and health systems select and manage medical devices. The program was referred to by the New York Times as the “country’s most respected laboratory for testing of medical products”. He serves as a member of ECRI Institute’s Executive Committee, which is responsible for overall governance of ECRI Institute operations.

Mr. Keller is also responsible for the Health Devices Alerts notification service for medical product hazards and recalls; Alerts Tracker, a web-based tool for managing hazards and recalls of medical products; Biomedical Benchmark, a resource to help hospitals manage their medical equipment service activities; an annual series of interactive webinars on health technology issues; and the International Medical Device Problem Reporting System.

Mr. Keller is a recognized expert and frequently invited speaker on a wide range of health technology-related topics, including patient safety, equipment management, strategic planning and forecasting, device utilization, nomenclature and asset management, and the convergence of medical devices and information systems. He is a regular contributor to ECRI Institute’s Patient Safety Blog and is routinely sought out by the news media for his expertise on a variety of health technology concerns.

Mr. Keller is President of the board for the American College of Clinical Engineering and is a member of the board for the Health Technology Foundation. He joined ECRI Institute in 1984 after completing a Master of Science degree in biological engineering from the University of Connecticut and a Bachelor of Science degree in zoology from the University of Massachusetts.


Dr. Nancy Leveson, Massachusetts Institute of Technology: Sponsor & Exhibitor Luncheon Speaker

Dr. Leveson holds a PhD from UCLA. She was a Computer Science professor at the University of California, then became Boeing Professor of Computer Science and Engineering at the University of Washington.

Professor Leveson’s research focuses on topics related to the design of complex systems containing software, hardware and human components. Her goal is to stretch the current limits of complexity and intellectual manageability of the systems we can build with reasonable resources and with confidence in their expected behavior, particularly safety. Current research topics include model-based system and software engineering, system and software safety, software requirements specification and analysis, human-computer interaction, reusable component-based system architectures, interactive visualization, human-centered system design, and comprehensive approaches to risk management that include the organizational, political, managerial and social aspects of system construction and operation. New work is starting in security. Current applications include space, aircraft, autos, rail systems, nuclear power, medical devices, hospital safety, defense systems and others.

Dr. John McDermid, The University of York, UK: International Luncheon Speaker

Professor John A. McDermid has been Professor of Software Engineering at the University of York since 1987, where he runs the High Integrity Systems Engineering (HISE) research group. He was also Head of the Department of Computer Science from 2006 to 2012. The HISE research group studies a broad range of issues, mainly in systems, software and safety engineering, and works closely with the UK aerospace industry, but has worked in a number of domains including automotive, medical and railways.

In 2010 he was appointed a Consulting Professor at Beijing Jiaotong University (BJTU) and now runs a collaborative research programme in railway safety with BJTU known as the Railway Safety Technology Research Centre (RSTRC). He has extensive experience as a consultant, including advising the Ministry of Defence (MoD) on the development of DS 00-56 Issues 3 and 4. He is a member of the UK Defence Scientific Advisory Council. He is author or editor of six books and has published approximately 360 papers.


Schedule: Monday 12 August
4th Floor, 8:00 - 5:00: Registration. Simmons Room, 6:30 - 8:00: Speakers’ Breakfast. Regis Room, 8:00 - 5:00: Presenter Prep.

Rooms: Salons A-E, Berkley, Clarendon

8:00 - 8:50
  Berkley: Hazard Analysis (Chair: Barondes) – Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models (Wind, Schedl, Floetzer)
  Clarendon: Ground Transportation (Chair: Millin) – Achieving Safety Confidence of a Large Scale System Product and its Applications (Shi)
9:00 - 9:50
  Berkley: Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees (Rainey)
  Clarendon: Failure Logic Automata for Future Oriented Safety Assessment of Train Control System (Zhou, Zhao)
10:30 - 11:20
  Berkley: The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment (Jaradat, Graydon, Bate)
  Clarendon: Are We Ready for Driverless Cars? (West)
Lunch Break, Salons A-E
1:30 - 2:20, 2:30 - 3:20, 4:00 - 4:50
  Salons A-E: Opening Ceremonies, General Session. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow Member Emeritus. Keynote Speaker: James P. Keller Jr., MS, ECRI Institute


Rooms: Exeter, Fairfield, Wellesley

8:00 - 8:50, 9:00 - 9:50, 10:30 - 11:20
  Exeter: Tutorial – Hands-On System Safety Basics Focused On FHA (Winkelbauer, Schedl; 3 hrs)
  Fairfield: Tutorial – Introduction to Fault Tree Analysis Using CAFTA Software (Roy; 3 hrs)
  Wellesley: Committee & Group Meetings
1:30 - 2:20, 2:30 - 3:20, 4:00 - 4:50: (no entries)


Schedule: Tuesday 13 August
4th Floor, 8:00 - 5:00: Registration. Simmons Room, 6:30 - 8:00: Speakers’ Breakfast. Regis Room, 8:00 - 5:00: Presenter Prep.

Rooms: Arlington, Berkley, Clarendon, Dartmouth

8:00 - 8:50
  Arlington: Tutorial – A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique (Leveson, Thomas; 6 hrs)
  Berkley: Hazard/Risk Management (Chair: Parizo) – Safety is not an Option (Parizo, Daugherty)
  Clarendon: Workplace Safety (Chair: Kondreck) – Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef’s Uniforms Against Thermal Hazards in the Kitchen (Zhang, Batcheller, McQueen)
  Dartmouth: Open Forum (Chair: Fletcher) – Developing Global System Safety Perspectives
9:00 - 9:50
  Berkley: National Aerospace Standard 411 Update (Sheehan)
  Clarendon: A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources (Fischer, Yankaskas, Page)
10:30 - 11:20
  Berkley: Linear Integrated Safety Analyses (LISA) (Grant, Muhammad)
  Clarendon: System Safety Design for Safe Operation of Radars (Bartos)
Sponsor & Exhibitor Luncheon, Salons A-E. Guest Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology. Menu: New England Clam Chowder; Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction; Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit
1:30 - 2:20
  Arlington: Tutorial (continued)
  Berkley: Software Engineering (Chair: Mikula) – Dependability Techniques Applied to Space Software: A Research Project Report (Lahoz, Abdala)
  Clarendon: Aerospace Safety (Chair: Kraemer) – Systems-Based Approach to Flight Safety Management in Airlines (Chi, Xu, Qi, Shao)
  Dartmouth: Software Safety (Chair: Schmedake) – Safety and/vs Security: Towards a System Engineering Approach for Trust (Schoitsch)
2:30 - 3:20
  Berkley: The Principles of Software Safety Assurance (Hawkins, Habli, Kelly)
  Clarendon: Use of Master Minimum Equipment List (MMEL) To Ensure Safe Dispatch (Durmaz)
  Dartmouth: Anatomy of a Safety Critical Software Function (Church)
4:00 - 4:50
  Berkley: Formal Modelling in the Development of Dependable Systems (Troubitsyna)
  Clarendon: Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics (Campbell)
  Dartmouth: Software Risk: The Third Rail of Safety Analysis (Hildreth, Elcock)
6:30 - 8:30: Sponsor & Exhibitor Reception, Gloucester Room


Rooms: Exeter, Fairfield, Suffolk, Wellesley

8:00 - 8:50, 9:00 - 9:50, 10:30 - 11:20
  Exeter: Workshop – ISO 26262-Style Risk Assessment (Joyce; 3 hrs)
  Fairfield: Tutorial – Assurance Cases As Means of Evidence Based Developed of Critical Systems (Despotou; 3 hrs)
  Suffolk: Tutorial – Practical Generation of Safety Cases With the Help of GSN (Gerstinger, Schedl; 3 hrs)
  Wellesley: Committee & Group Meetings
1:30 - 2:20, 2:30 - 3:20, 4:00 - 4:50
  Exeter: Workshop – Application of System Safety Methods to Systems of Systems (Joyce, Debouk, Vergara; 3 hrs)
  Fairfield: Workshop – Advancing Safety By Reducing Errors: A Fresh Approach (Autrey; 3 hrs)
  Suffolk: Tutorial – Improving Safety Management by Using a Risk Management Policy in Your Daily Operations (Fitzgerald; 3 hrs)
  Wellesley: Committee & Group Meetings (continued)


Schedule: Wednesday 14 August
4th Floor, 8:00 - 5:00: Registration. Simmons Room, 6:30 - 8:00: Speakers’ Breakfast. Regis Room, 8:00 - 5:00: Presenter Prep.

Rooms: Arlington, Berkley, Clarendon, Dartmouth

8:00 - 8:50
  Human Factors (Chair: Robins) – ASL – Affective Safety Leadership (Ramsing)
  Public Safety (Chair: Fletcher) – The Study on the Accident Causation Rule of Macroscopic Accidents in China (Zeng, Luo, Tian)
  Lifecycle Safety (Chair: Swallom) – Maintenance Hazard Analysis (Tan)
9:00 - 9:50
  Human Factors: Exxon Valdez: Human Error Plain and Simple (Barondes)
  Public Safety: Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity (Zheleznov)
  Lifecycle Safety: Development of a System Safety Case for Automotive Electric/Electronic Systems (Sundaram, Hartfelder)
10:30 - 11:20
  Human Factors: Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems (Vernacchia, Green, Llaneras)
  Public Safety: Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation (Smirnov, Yurkov, Syagin, Koshina)
  Lifecycle Safety: Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes (Laabs, Allison, Russell)
International Luncheon, Salons A-E. Guest Speaker: Dr. John McDermid, The University of York, UK. Menu: Asian Inspired Salad; Teriyaki Chicken, Coconut Rice, Seared Bok Choy; Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil’s Food Cake, Ganache and Berry Sauce
1:30 - 2:20
  Workshop – The Evolution of the UK Defence Safety Standards (McDermid)
  Safety Topics (Chair: Gauthier) – Introducing Safety Assurance Influenced Design of Health IT Systems (Despotou, Luckcuck, Kelly, Jones)
  Risk Assessment (Chair: Karedes) – Quantitative Risk Assessment in Aviation Safety Risk Management (Hewitt, Pham)
  Tutorial – Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System (Behnke, Damstra, Villhauer; 2 hrs)
2:30 - 3:20
  How Complex Systems Fail-I: Decomposition of the Failure Histogram (Zito)
4:00 - 4:50: (no entries)
6:00 - 10:00: Wolfgang Puck Dinner and Lightning Show at the Museum of Science


Rooms: Exeter, Fairfield, Suffolk, Wellesley

8:00 - 8:50
  Exeter: Human Factors II (Chair: Flint) – Development of Education Program Integrating Flight Safety and Psychological Stress (Liu, Wang, Liu, Bai, Guo)
  Fairfield: Tutorial – Why You Should Care About the “-Ilities” (Southwick; 3 hrs)
  Suffolk: G-48 Meeting (West; 6 hrs)
  Wellesley: Committee & Group Meetings
9:00 - 9:50
  Exeter: Research on Evaluation Index and Method of CRM Dynamic Training (Wang, Liu, Bai, Liu, Guo, Guo)
10:30 - 11:20
  Exeter: Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events (Garvey, Joglar, Collins)
1:30 - 2:20, 2:30 - 3:20, 4:00 - 4:50
  Exeter: Tutorial – Where Hard Meets SOFT: Human Factors Role In System Safety Engineering (Brisbois; 2 hrs)
  Fairfield: Workshop – Aircraft Fire & Explosion – How Safe are the Friendly Skies (Moussa)
  Suffolk: G-48 Meeting (continued)
  Wellesley: Tutorial – Using Risk Profiles for Safety Management of Large Scale Operations (Fitzgerald; 3 hrs)


Schedule: Thursday 15 August
4th Floor, 8:00 - 5:00: Registration. Simmons Room, 6:30 - 8:00: Speakers’ Breakfast. Regis Room, 8:00 - 5:00: Presenter Prep.

Rooms: Berkley, Clarendon, Dartmouth

8:00 - 8:50
  Berkley: Space Systems (Chair: Durmaz) – Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy (Dang, Moran, Jackson)
  Clarendon: Weapons Safety (Chair: Southwick) – Security Critical Software — the Necessary Frontline Defense of System Safety in Today’s Dangerous Nuclear Age (Alborzi)
  Dartmouth: Hazard Identification (Chair: Oliver) – Closing the Gaps in System Safety Coverage (Siow)
9:00 - 9:50
  Berkley: Tailoring of MIL-STD-882E for Space Systems Acquisitions (McDougall, Jackson)
  Clarendon: Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics (Adams, Tomasello)
  Dartmouth: Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods (Myklebust)
10:30 - 11:20
  Berkley: Cryogenic Safety for Space Launch Vehicles During Ground Operations (Iyengar)
  Clarendon: A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects (Pham, Sivapragasam)
  Dartmouth: Design With Safety Eye (Erdem, Aydin)
Awards Luncheon, Salons A-E. Menu: Caesar Salad; Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce; White Chocolate and Blood Orange Torte
1:30 - 2:20
  Berkley: Aerospace Software (Chair: Beecher) – Making the Implicit Explicit: Towards an Assurance Case for DO-178C (Holloway)
  Clarendon: Public Safety II (Chair: Laabs) – Integrating System Safety and Emergency Management (Hardy)
  Dartmouth: Hazard/Risk Management II (Chair: Kniess) – Towards Automatic Verification of Safety Properties in AADL System Models (Björnander, Graydon, Land)
2:30 - 3:20
  Berkley: Uncertainty and Confidence in Safety Logic (Graydon)
  Clarendon: Safety in Deepwater Well Containment Operations (Robins)
  Dartmouth: Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events (Allison, Jerdak)
4:00 - 4:50
  Berkley: Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System (Yang, Xie, Yousefi)
  Clarendon: A Taxonomic Analysis On Chinese Special Equipments “Yinhuan” in Supervision (Fan, Luo, Lu)
  Dartmouth: Leading Indicators in Aviation Operations (Fletcher, Dokas)


Rooms: Exeter, Fairfield, Suffolk, Wellesley

8:00 - 8:50, 9:00 - 9:50, 10:30 - 11:20
  Tutorial – Conceive of Modeling On Operation Mechanism of Public Safety Standardization (Luo, Huang; 6 hrs)
  Panel – G-48 Pressing Issues Facing System Safety (West; 3 hrs)
  Committee & Group Meetings
1:30 - 2:20, 2:30 - 3:20, 4:00 - 4:50
  Tutorial (continued)
  Committee & Group Meetings (continued)

Schedule: Friday 16 August
Simmons Room, 6:30 - 8:00: Speakers’ Breakfast

Rooms: Clarendon, Dartmouth, Regis

8:00 - 8:50
  Clarendon: Workshop – Process Safety Culture Best Practices (Pearlman; 2 hrs)
  Dartmouth: Best Paper 1
  Regis: Lessons Learned & ISSC Staff Turn-over Meeting
8:50 - 9:30
  Dartmouth: Best Paper 2
10:00 - 10:40, 10:50 - 11:30: (no entries)


3 2 1 SAFETY

System safety is paramount. It impacts our products, employees, technicians and maintenance personnel. And safety is no accident – it is designed into everything we do. We are proud to sponsor this year’s International System Safety Conference and their mission to think outside the box when it comes to the best processes, methods and techniques. We’re committed to delivering innovative ideas and solutions that help connect, protect and explore our universe.

www.lockheedmartin.com/ssc

© 2012 Lockheed Martin Corporation


Tutorials

The conference organizers have an information-packed tutorial program planned in conjunction with the 31st ISSC. Attending tutorials, as well as other elements of the Technical Program at the 31st ISSC, meets the requirements for Continuance of Certification credit through the Board of Certified Safety Professionals (BCSP). The University of Cincinnati will issue Continuing Education Units (CEUs) for participation in the conference tutorials. CEUs are issued on the basis of 0.1 CEU per instructional contact hour. You must be present for at least 90% of the tutorial to receive CEUs and a tutorial completion certificate. Your attendance is verified via the process outlined below.

• At the start of the tutorial you’ll clearly print your name in the attendance form exactly as you want it to appear on the certificate.
• After returning from each break during the tutorial (morning, lunch and/or afternoon) you’ll initial the attendance form.
• You must be present at the end of the tutorial to receive your certificate and the CEUs.

If there are misspellings on the CEU certificates, please mark the corrections and give them back to the instructor or leave them at the registration desk.

Monday 08·12·13, 8:00-11:30, Exeter, Tutorial, 0.3 CEU

Hands-On System Safety Basics Focused on FHA
Instructors: Werner Winkelbauer, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria

An overview of a generic safety process best suited for small to medium sized projects, in relation to the project lifecycle, is given. For each major project phase the respective safety process phase, safety objectives and necessary inputs and outputs are detailed. Some state-of-the-art analysis techniques are explained. Special emphasis is placed on the Functional Hazard Assessment, where practical guidance for a Functional Failure Modes and Effects Analysis is presented.

The content of this tutorial is based on experience from an internationally working company.

Objective: Basic understanding of a safety process and the practical implementation of a Functional Failure Modes and Effects Analysis.

Monday 08·12·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Introduction to Fault Tree Analysis Using CAFTA Software
Instructor: Jean Francois Roy, Nuclear Division/Risk & Safety Management Group, Electric Power Research Institute, Palo Alto, CA, USA

This tutorial will introduce Fault Tree Analysis using CAFTA Software. Attendees will first review fault tree methodology and terminology. Construction of a fault tree model in CAFTA will then follow a brief review of CAFTA’s components and symbol types. In constructing the Fault Tree model, topics covered will include projects, navigation, editing shortcuts and how to add probabilities. An overview of basic event probability formulas, type codes and variables will be included, as well as printing and quantification processes.

Tuesday 08·13·13, 8:00-5:00, Arlington, Tutorial, 0.6 CEU

A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique
Instructors: Nancy G. Leveson, PhD; John Thomas, PhD. Aeronautics and Astronautics, MIT (Massachusetts Institute of Technology), Cambridge, MA, USA

STAMP is a new accident causality model that expands on the old models in order to handle the increased complexity, software and changing human roles in today’s systems. Using STAMP as a foundation, new tools have been built for hazard analysis (STPA), accident analysis (CAST), organizational risk analysis and risk management, etc. This tutorial will concentrate on STPA. The tutorial will start with a brief introduction to STAMP and the systems approach to safety engineering. The rest of the time will be devoted to learning STPA and doing exercises. Students are encouraged to bring problems from their own research domains so that they can try this analysis method on something very relevant to their work.

STPA is being used successfully in most every industry. Several groups have evaluated STPA empirically by comparing the results with standard hazard analysis techniques. In all cases STPA found all the hazard scenarios found by the other methods, but also found additional ones involving software, human errors and unsafe interactions among system components. In a couple of cases where STPA and the other methods were applied to a design in which an accident had occurred (without telling the analysts), STPA was the only method that found the real accident scenario.

By the end of the tutorial attendees will be able to apply STPA to a system in their field of expertise.

tuEsday 08middot13middot13 800-1130 FairFiEld tutorial 03 CEu

Assurance Cases as Means of Evidence Based Developed of Critical SystemsInstructors George Despotou BEng MSc PhD CEng Department of Computer Science University of York York United KingdomOften developers have the onus to defend a position (ie make a case) about the safety of their system This usually involves an explanation of how the available information for a system supports the claim that risks in a system have been acceptably managed

Safety cases have been used in the safety domain for a number of years mostly in the defence aerospace and energy domains Their usefulness as a tool to improving safety has been appreciated by many practitioners and development of a safety is a requirement in many standards This has resulted in the core concepts of safety cases to be transferred to other domains (eg automotive) and their focus on other system attributes (eg security cases) Recently the term assurance case has been introduced which encompasses not only safety but other relevant critical aspects of a system such as security

A case exists to communicate an argument It is used to demonstrate how someone can reasonably conclude that a system is acceptably safe from the evidence available A case is a device for communicating ideas and information usually to a third party (eg a regulator) In order to do this convincingly it must be as clear as possible Safety case definition may bear differences in different domains but all definitions converge to a set of characteristics

Development of a (safety) case is a requirement in many standards However the usefulness of the safety case has been appreciated in the industry and is used by many organisations as good practice The reason for this is that explicitly capturing all reasoning and information (about the supported position) such as assumptions and evidence facilitates assessing the fitness of the design to meet its (safety) objectives A manufacturer will design a system aiming to achieve the required operational attributes However what is intended is not often what achieved Once the reasoning of the developers is explicitly documented as claim and argument supported by evidence the gap between what was intended and what achieved becomes more apparent

Explicitly documenting a case will contribute towards the factual representation of the system, revealing which claims can be supported by evidence and which remain intention (for example because there is insufficient evidence to support them). This may not necessarily imply that the latter claims have not been implemented, but that we are unaware of their achievement because they are not sufficiently supported. There can be three reasons why a claim is not sufficiently supported: a) there is not sufficient evidence to warrant the claim; b) although there is evidence, there is inadequate explanation (a problematic argument structure) of how the evidence supports the claim; and c) the claim was phrased in a way that is unsupportable.

The tutorial describes the basic concepts of assurance and safety cases (including recent OMG standards), will explain the main challenges in developing an assurance case and their relationship to safety standards (safety cases and standards serve different purposes and should be seen as complementary), and will present best practice (and misconceptions) regarding assurance cases.

Program ISSC2013

Tuesday 08·13·13, 8:00-11:30, Suffolk, Tutorial, 0.3 CEU

Practical Generation of Safety Cases with the Help of GSN
Instructors: Andreas Gerstinger, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria
This tutorial will introduce you to the concept of safety cases. Safety cases are structured arguments that support the claim that a system is safe to be used for a given application in a given environment. Several standards require the production of such safety cases as a prerequisite for approval. The tutorial will highlight good and bad practices when developing safety cases and will introduce you to a notation specifically developed for the generation of safety cases, the Goal Structuring Notation (GSN). There will be practical examples which need to be solved by the attendees, so that hands-on practice and experience is gained.

Detailed outline of the tutorial:

Introduction (1h): The tutorial will start with a survey of current safety standards (IEC 61508, ISO 26262, EN 50128, DO-178C) and analyse their views and requirements regarding safety cases. We will then delve into the nature of safety cases, briefly touch on their historical origins, and clearly consider what can and what can't be expected from a safety case. Based on our practical experience we will also highlight some typical bad practices when constructing safety cases. This helps to correctly and critically read them and is also a helpful guideline for reviewing other safety documentation. This part of the tutorial is largely a presentation.

Goal Structuring Notation (45min): We will now introduce the main elements of the Goal Structuring Notation (GSN), which is a helpful tool to document safety cases. The presentation of the notation will be interleaved with brief examples, exercises and questions, so that attendees have the chance to fully understand the meaning and purpose of the various symbols. A structured method for how to proceed when drafting safety cases will also be presented. Hence this part of the tutorial is much more interactive, requiring active participation of attendees.

Case Study (45min): A realistic case study will then be handed out. It is expected to be solved as group work (groups of 3-5 people are expected). The task of the groups will be to draft and present a sound safety argument for a given claim that the system in the case study is acceptably safe for a specific application in a given environment. GSN shall be used as the notation for this purpose. At the end the groups present their solutions, and the advantages/disadvantages of the presented solutions are discussed. This part of the tutorial is group work.

Concluding Remarks (30min): Finally we will offer some concluding remarks consisting of hints on how to avoid common errors and fallacies in safety cases, show some examples of real-world safety cases, and finish with a personal conclusion.

Tuesday 08·13·13, 1:30-5:00, Suffolk, Tutorial, 0.3 CEU

Improving Safety Management by Using a Risk Management Policy in Your Daily Operations
Instructors: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA
The focus of the tutorial is the use of risk assessment and risk management in the (non-technical) occupational safety and health profession. Domain of Interest: Hazard/Risk Management or Workplace Safety.

First hour: Review the basics of the various components of risk and the types of risk assessments. Stress that the safety and health professional needs to understand that risk is more than a simple subjective measure of severity and frequency.


Second hour: Demonstrate how to make risk assessment into a powerful management tool by customizing the assessment of risk for use in a company/industry. Also provide insights on how to “sell” a risk management policy/program within a company.

Third hour: A discussion of how to use risk management as a tool to aid you in your daily office or program management responsibilities: the planning, organizing, staffing, leading and controlling of a safety program. Embedded in the discussion is how risk can provide a measure of the success of an occupational safety and health program.

Wednesday 08·14·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Why You Should Care About the “-Ilities”
Instructors: Alan E. Southwick, BSEE, MME, MBA, CSP, CQE, CRE, Whole Life Engineering Directorate, Raytheon Company Integrated Defense Systems, Portsmouth, RI, USA
The topic addresses the interrelationships developed from Quality, Quality Control and Quality Engineering, pursuing Specialty Engineering roles and relationships, including Reliability, Maintainability, Supportability, Human Factors, Safety and Security (Information Assurance), from an overview perspective. The tutorial is designed to be somewhat interactive, presenting examples and questions to the audience related to the various topics discussed, thereby engaging participants and providing them with insights into the various disciplines and how they relate within “Specialty Engineering”.

Wednesday 08·14·13, 1:30-3:30, Dartmouth, Tutorial, 0.2 CEU

Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System
Instructors: Tim R. Behnke, BSEE; John Damstra, BS Mathematical Sciences; and Eric D. Villhauer, BS Aerospace Eng, BA Economics; Specialty Engineering, General Atomics Aeronautical, Poway, CA, USA
The presenters share their implementation of a hazard analysis that integrates the civil aviation approach to safety analysis per SAE ARP 4761 and the defense approach to safety analysis per MIL-STD-882E, along with their implementation of the associated hazard tracking system in DOORS.

• Introductions - Behnke - 5 mins
• Need for System - Behnke - 5 mins
• Groundwork (historical) - Behnke - 10 mins
• Development - Damstra - 30 mins
  i. Modules
  ii. Attributes
  iii. DXLs
  iv. Views
  v. Exports
• Usage - Villhauer - 30 mins
• Questions - All - 10 mins


Wednesday 08·14·13, 1:30-3:30, Exeter, Tutorial, 0.2 CEU

Where Hard Meets SOFT: Human Factors Role in System Safety Engineering
Instructors: Fred W. Brisbois, CHCM, Safety, Sikorsky Aircraft, International Helicopter Safety Team, Guilford, CT, USA
The gap that allows accidents to happen is sometimes where System Safety Engineering and Human Factors don't overlap. System Safety Engineering processes defined in MIL-STD-882 and ARP 4761 provide a structured approach to applying engineering practices to ensure safety is designed into products. These practices, coupled with robust product safety surveillance and management during the aircraft's service life, offer opportunities to continuously raise the standards for future designs. However, to maximize the benefits of safety engineering, it is important to master the 'art' of how and when to integrate human factor interventions into the system design. This session will cover a generic overview of system safety engineering, aircraft fleet safety management, and lessons learned from 'human' malfunctions that led to aircraft system design changes.

Wednesday 08·14·13, 1:30-5:00, Wellesley, Tutorial, 0.3 CEU

Using Risk Profiles for Safety Management of Large Scale Operations
Instructors: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA
This tutorial provides safety and health professionals who work with large scale or multiple operations with a methodology to evaluate and compare these operations. The tutorial begins with a review of four types of risk which need to be assessed (People, Product, Production and Planet). This is followed by a brief discussion of normalizing the risk components of severity and probability. The heart of the tutorial is the description of how to measure the total risk of various operations, processes and facilities and present the resulting risk profiles to management. The tutorial will conclude with a brief discussion on the validity of the methodology used. Note: This is not a discussion on how to determine true total risk, but a simplified method using a minimum of math. The tutorial is designed for safety and health professionals working within a company that has multiple processes or facilities that compete for funding to ameliorate hazards.

Thursday 08·15·13, 8:00-5:00, Exeter, Tutorial, 0.6 CEU

Conceive of Modeling On Operation Mechanism of Public Safety Standardization
Instructors: Yun Luo and Yuecheng Huang, ME, School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
On the basis of theories and methods of system science and strategy-system, this paper revealed the operation law of standardization of safety production and the relations between all the elements, combined with the background and current situation of public safety standardization in China. It also built the frame of a macroscopic operating mechanism and the “456” model of the work safety standardization system operation mechanism, which borrowed the idea from the execution and achievement of work safety standardization in our country. Besides, it also designed six other mechanism models in order to do systematic analysis and present optimized countermeasures, such as comprehensive management by government, categorized supervision by department, implementing responsibility by organization, technological service by agency, wide participation by society, self-disciplined prodding by entire personnel, and so on. The research provided some theoretical directions as well as approaches for constructing and improving the operation quality of public safety standardization.


Panel Discussions/Forums

Tuesday 08·13·13, 8:00-11:30, Dartmouth, Open Forum

Developing Global System Safety Perspectives
Moderator: Robert Ward Fletcher, PEng, MSc, PMP, PCIP, Consultant/President, Robert Fletcher System Safety Inc, Ottawa, Ontario, Canada
This will be a free form discussion moderated by Bob Fletcher, SSS Director of International Development. It is a continuation of the discussion started during the 30th ISSC.

Robert is a system safety engineer with many years of experience. He has performed system safety consultancy services work for several clients around the world. He has performed system safety engineering and safety management systems training, auditing and analysis for air traffic control and flight service system applications. Robert has received an MSc from the United States Navy Post Graduate School, a diploma from the Aerospace Systems School, Winnipeg, Manitoba, and a Bachelor of Science degree from the Royal Military College. He is a registered professional engineer and a member of the Project Management Institute and the Critical Infrastructure Institute.

Thursday 08·15·13, 8:00-11:30, Suffolk, Panel

G-48 Workshop - Pressing Issues Facing System Safety
Moderator: David B. West, CSP, PE, CHMM, Systems, Software and Solutions Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
A panel of speakers (TBD) will give a series of presentations on the most pressing issues facing the System Safety community today.

Workshops

Tuesday 08·13·13, 8:00-11:30, Exeter, Workshop

ISO 26262-Style Risk Assessment
Presenter: Jeff J. Joyce, PhD, Critical Systems Labs Inc, Vancouver, BC, Canada
ISO 26262 is a functional safety standard for electronic control systems in road vehicles, which includes a novel approach to risk assessment that overcomes the widely recognized difficulty of evaluating the likelihood of failure in the case of software-intensive systems. Although it was devised for use in the automotive domain, this approach to risk assessment has been used successfully in other technical domains that also rely on safety-critical software. Following a brief introduction to ISO 26262, participants will engage in a series of problem-solving small-group exercises based on examples taken from a variety of technical domains, including automotive, medical devices, energy and defense. The workshop will include opportunities for discussion and comparison of sample solutions. The workshop will also include a brief comparison of the ISO 26262 approach to risk assessment with the notion of software criticality in MIL-STD-882E. While this workshop will be of particular interest to system safety engineers in the automotive industry, it is intended to be relevant to system safety engineers across all technical domains with an interest in the assessment of safety risk associated with complex software-intensive systems.


Tuesday 08·13·13, 1:30-5:00, Exeter, Workshop

Application of System Safety Methods to Systems of Systems
Presenters: Jeff J. Joyce, PhD, Critical Systems Labs Inc, Vancouver, BC, Canada; Rami Debouk, Electrical and Controls Integration Lab, General Motors, Warren, MI, USA; Antonio Vergara, ITER Organization, St Paul-lez-Durance, France
This workshop will facilitate an exchange of knowledge among participants about the application of system safety methods to Systems of Systems (SoS), that is, systems whose components are themselves complex systems, such that the combined behavior of these components cannot be easily understood or explained in terms of the behaviors of the individual components. Examples of such systems are increasingly common across a variety of technological domains, including aerospace, defense, automotive and energy generation/distribution. Traditional methods of system safety, focused on component failure as a source of safety risk, have limited value in understanding and managing the safety risks associated with a SoS. For example, an unforeseen interaction between two “correct” behaviors implemented by different components of a SoS may result in an unsafe behavior even in the absence of a component failure. The first part of the workshop will be a series of short presentations on SoS examples from a diverse variety of technical domains, namely advanced road vehicles, high energy physics and aerospace/defense. The second part of the workshop will be an opportunity for all participants to address specific questions about the application of system safety methods to SoS through dialogue and impromptu mini-presentations.

Tuesday 08·13·13, 1:30-5:00, Fairfield, Workshop

Advancing Safety By Reducing Errors: A Fresh Approach
Presenter: Tim Autrey, BSc, Error Reduction and Human Performance Enhancement, Practicing Perfection Institute Inc, Swanzey, NH, USA
Potential hazards workers face while working in the refining and petrochemical industry can vary from minor leakage to major blasts, release of chemical vapors, spills leading to exposure to harmful gaseous chemicals, fires and explosions, and smoke build-up causing shelter-in-place, impacting the local community, with personal injuries, fatalities and plant damage resulting in shutdowns. Considering time pressures, the dangerous nature of the job, weather conditions, lack of communication, poor/inadequate documentation and remote working locations, planners, locators and refiners often face combined challenges that generate very error-likely conditions.

While unexpected releases of toxic substances do occur, the industry is subject to vulnerabilities caused by others (such as processes involving highly hazardous chemicals leading to the release of flammable liquids and gases, and worker stress and fatigue), and investigations reveal that many of the major accidents that do occur could have been prevented through greater diligence on behalf of the respective personnel involved.

This workshop is designed to provide the participants with the awareness that, as humans, we are fallible (even the best people make mistakes). However, this being said, as humans we also possess the incredible power of choice. What we must do is choose to learn from our mistakes and take actions to prevent their recurrence.

Bird and Germain (1996) rightly said: “What is the sense of measuring if the loss must occur before you can act? That is reaction, not control.” What we need is a fresh approach to enhance safe work practices. This session will instill a strong understanding of “The Gap” in processing information and how to RESPOND rather than REACT when posed with a stressful or threatening situation. The participants will come to recognize the value inherent in worker contribution to solving problems and improving safety and efficiency.

The Practicing Perfection® approach has taken the best-of-the-best tactics and tools from the US commercial nuclear power and airline industries, simplified them, and combined them with the underlying triggers and influencers of behavioral psychology to transform worker behaviors pertaining to personal and process safety in different sectors.


Using this innovative approach of Practicing Perfection®, safe work practices will be discussed in depth using the four human error barrier/defense categories and how these work together to prevent/allow an event to occur. The participants will be introduced to the Error Elimination Tools™ handbook, which offers simple tools for minimizing the potential for error at points of team interaction and individual execution.

Wednesday 08·14·13, 1:30-3:30, Arlington, Workshop

The Evolution of the UK Defence Safety Standards
John McDermid, Professor of Software Engineering at the University of York, UK
Issue 5 of DS 00-56 is being developed and is likely to be in force before the end of the year. The UK's primary defence safety standard, DS 00-56, has been in existence since mid-1990 and has undergone a number of changes, becoming more goal oriented at issue 4 (the current standard). When issue 4 was produced, DS 00-55, the MoD software safety standard, was discontinued. Since the publication of DS 00-56 Issue 4 in 2007 there has been feedback on some of the requirements, including the challenges of applying the ALARP principle; defence contracting has changed, with a move towards the greater procurement of services and/or outsourcing management of facilities; and there is increasing use of Systems of Systems (SoS). Issue 5 of DS 00-56 is being developed to address these issues. At the same time there have been increasing concerns regarding software safety, and it has been decided to re-introduce DS 00-55 at the same time, albeit in a goal-based style consistent with DS 00-56 and also covering complex electronics. The tutorial will present an explanation of the motivation for the changes to the standards and the significant conceptual changes, and will outline the rest of the development process. Time will be allowed for discussion, e.g. the relationship between DS 00-56 and other standards, both civil and military.

Wednesday 08·14·13, 1:30-3:30, Fairfield, Workshop

Aircraft Fire & Explosion: How Safe Are the Friendly Skies?
Albert Moussa, PhD, PE
While commercial air travel is an extremely safe mode of transportation, aircraft fires and explosions can occasionally occur with catastrophic consequences. Using examples of recent accidents and full-scale testing, Dr. Albert Moussa will provide an overview of the main types of fires, such as those involving aircraft engine, fuel tank, cabin and cargo areas. He will show how major accidents lead to safety recommendations by the NTSB, stricter requirements by the FAA and improved practices by the industry. This process takes many years, leading eventually to safer skies. Examples of safety improvements include the use of a fire blocking layer in seats, improved acoustic insulation, fire detection and suppression systems in cargo bays, and fuel tank inerting. The implications of replacing aluminum with composite materials will also be discussed. The talk is an overview of a unique professional course that he teaches annually on the design of aircraft systems for protection against fire and explosion. The talk is a multi-media presentation illustrated with colorful slides and short video clips of real accidents and computer model outputs.

Dr. Albert Moussa has spent over forty years developing a fundamental understanding of fire and explosion, particularly for the aerospace/defense industry. His work has led to the development of a number of practical solutions and quantitative models and to the investigation of several major national and international aircraft fire accidents. His forewarning about the vulnerability of aircraft fuel systems before the occurrence of the TWA800 and Concorde disasters has gained him prominence in the general media in both the US and Europe. He has consulted for the Air Force, Navy and major firms such as Boeing, GE, Northrop Grumman and Parker Hannifin, and has served on national advisory committees and on the Editorial Board of an ASME Journal. He teaches a unique professional design course on how to protect aircraft systems against fire and explosion. He received his BS from Stanford University and his MS and ScD from MIT. He has published widely, including one book. He has received several honors, including the William Littlewood Memorial Lecture Award by SAE/AIAA, Engineer of the Year by AIAA NE Section, best papers by SAE and ASEI, AIAA Distinguished Lecturer, and several ASME citations. He is the Founder and Technical Director of BlazeTech Corp, an engineering firm that specializes in technology and software development in the area of energy, environment and safety.

Friday 08·16·13, 8:00-10:00, Clarendon, Workshop

Process Safety Culture Best Practices
Presenter: Laurence Pearlman, MA, Corven Inc and University of Illinois at Urbana-Champaign, Naperville, IL, USA
The workshop explores how process safety is more than a technical solution and involves cultural change. To make a successful and sustainable culture change, multiple elements need to be combined that address people, rewards, learning and leadership. This workshop will explore best practices and give practical advice on how to build a process safety culture. The workshop is aimed at Oil, Chemical and other process related work.

• Introduction
• Change as a Journey: Overview of Change Management
• Building a Business Case: Defining a Burning Platform
• Speaking of Process Safety: Creating a Common Language for Process Safety
• Leadership Matters: Defining the Role of Your Leadership Teams
• Effective Learning: Segmenting Your Audiences and Delivering Relevant Learning Activities
• Looking at Behaviors and Desired Outcomes: How To Define & Drive Behaviors
• The Employee Lens: Know My Barriers & Know My Role in Keeping Them Healthy
• Measurement of Culture: What Works and What Doesn't
• Wrapping it Up: Change as a System

You have a lot on the line. Our adaptive Safety Management and FAA Compliance solutions won't let you down.

Adaptive SMS: The comprehensive solution for the most efficient implementation
Extends a culture of safety beyond safety teams
Easily guides users to confidentially report useful safety events
Responsiveness shows users they made a difference

Adaptive Systems Safety Analysis: Safety oriented system design analysis

Don't miss the Sikorsky Aircraft and AST Aerospace presentation “Linear Integrated Safety Analysis (LISA)”

A DIVISION OF ATLANTIC SOFTWARE TECHNOLOGIES
1-732-230-2590
sales@astaerospace.com
www.astaerospace.com


Paper Presentations

Monday 08·12·13, AM, Berkeley, Hazard Analysis, Chair: Barondes

Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models
Lucas Wind, Dr. Gabriele Schedl, Juergen Floetzer, Safety Management Department, Frequentis AG, 1100 Vienna, Austria
Multiple failures of components due to shared causes, also known as Common Cause Failures (CCF), comprise an important class of failure types. These have to be taken into account in any serious assessment of safety critical systems deploying any redundancy concept. Whereas a qualitative assessment of CCF can be regarded as common practice, the exact numerical impact of CCF is usually less widely understood. Explicit representation of CCF is quite cumbersome and usually involves complex graphical representations within Fault Trees and RBDs. Focusing on a correct derivation of RAM-data rather than on a comprehensive common cause analysis, an implicit representation of CCF is therefore often preferred, but involves in-depth knowledge of the underlying mathematical models. This paper aims to enable safety experts to make a fast, simple but effective RAM-analysis including CCF. Popular CCF-models are reviewed together with their advantages and disadvantages, based on the long-term experience of a supplier in the context of a large European ATM-project. The single parameter beta-factor model is explained in detail and demonstrated to be most effective for typical ATM-applications. Based on this model, results are given in terms of representative figures depicting the influence of CCF on various typical real world availability requirements.

Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees
Wes Rainey, MSEE, Life Cycle Engineering, General Dynamics Electric Boat, Groton, CT, USA
Fault Trees prove to be an effective tool for identifying safety critical system hardware and software requirements during the Safety Requirements Hazard Analysis (SRHA) process. This safety analysis methodology offers significant benefits when performing the SRHA. Fault Trees effectively communicate the safety assessment of a safety hazard to other safety engineers, systems engineers, the customer and other impacted engineering disciplines in a manner that each discipline can readily understand and evaluate for completeness and correctness. Fault Trees also enhance the safety engineer's ability to assess the implications of safety mishaps and events on safety hazards, improving visibility into the relationship between related mishaps and events and allowing common events to be identified and shared between hazards. Fault Trees can then be structured to correspond to the system hardware and software requirements analysis, thus providing the ability to identify hazard mitigating safety critical requirements, design features and procedures early in the development process for continued tracking and management. This paper describes significant benefits of Fault Tree analysis when applied to an SRHA, with an example based upon a hazard caused by significant equipment damage to a pump.

The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment
Omar T. Jaradat, PhD Student (1); Patrick J. Graydon, Postdoctoral Research Fellow (1); Iain Bate (2). (1) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden; (2) Department of Computer Science, University of York, York, United Kingdom
Typical safety standards require software engineers to show that a plan of safety activities, chosen from recommended options or alternatives, meets a set of objectives. For example, the automotive safety standard ISO 26262 recommends formally verifying software architectures to show that they comply with safety requirements. In this paper we show how an existing approach to architectural model checking could be used to conform to ISO 26262.

The Architecture-Based Verification Technique for AADL Specifications verifies some completeness and consistency properties of Architectural Analysis and Design Language (AADL) models. An engineer transforms the AADL architecture into an UPPAAL model, generates a set of UPPAAL queries, and uses UPPAAL to check the queries. Using the resulting evidence, we have created a partial ISO 26262 safety case for an existing system that warns drivers of heavy vehicles before low fuel causes loss of power and vehicle control.

In this paper we demonstrate how this model-checking evidence contributes to an ISO 26262 safety case. We then critically analyze the resulting argument, recommend means of achieving complete coverage of ISO 26262 objectives, and discuss the costs and benefits of architectural model checking in comparison to those of the other techniques recommended by ISO 26262.

Monday 08·12·13, AM, Clarendon, Ground Transportation, Chair: Millin

Achieving Confidence of a Safety Critical System Product and Its Applications
Fenggang Shi, PhD, RAMS Department, Thales Canada Transportation Solutions, Toronto, ON, Canada
A safety critical system product can be developed for multiple project applications, such as a Communication Based Train Control (CBTC) product for modern railway signaling systems. It is natural that different safety critical systems in the same domain can have different characteristics due to variances in devices and operating environment. Such a product must be developed based on the generic attributes of systems in the domain and can be parameterized and tailored to a specific system with the characteristics expected by the customer. The key issues in the development of such a product are defining common functions in the application domain, categorizing and generalizing devices, and designing a configurable system architecture. Thus devices and functions can be parameterized and tailored for a specific system of a project. Safety engineering for such a safety critical system product and its applications faces complexity in safety case development for demonstrating systematic hazard analyses and management. This paper discusses Thales' experience and practice of resolving the key issues in designs and managing the complexity of safety engineering on its CBTC product and applications. Safety confidence of CBTC systems is achieved through four layers of safety engineering: vital computer controller platform, generic application and specific application.

Failure Logic Automata for Future Oriented Safety Assessment of Train Control System
Guo Zhou, PhD Student; Huibing Zhao, Professor; School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China
In the development process of a train control system, safety analysis possibly deviates from system design. System engineers and safety engineers always carry out their ideas in entirely different ways, so that when system engineers assert their designs are completed and feasible, the safety engineers may disappointedly declare that the safety requirements are not met. On the contrary, when safety engineers expose their manual analysis reports (FTA and FMECA, etc.), system engineers may pop up and point out the inconsistency. Intuitively there seems to be a “gap” between system engineering and safety engineering. In this paper some comparisons amongst classic safety assessment methods are performed first. Then a future oriented safety assessment method is introduced to safety engineering to automatically realize safety requirements verification with the soaring complexity of system design. The hierarchical and modularized methodology of failure logic modeling is illustrated for minimal cut sets synthesis and dangerous failure rate calculation, which can be referred to in order to prompt the safety. The mathematical model is constructed to manifest the correctness of the method. An instance analysis of an on-board train protection system is also performed.

Are We Ready for Driverless Cars?
David B. West, CSP, PE, CHMM, AMCOM/AMRDEC Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
For decades, technological advancements have continually improved the automobile, making it easier to drive. As we integrate features like adaptive cruise control, GPS navigation, lane keeping, and so on, and make them interoperable, we move ever closer to having cars that will drive themselves to the destinations we enter into their programs. Some experts have even predicted that in less than a generation it will be illegal to steer our cars ourselves. Though it may seem that serious safety challenges constrain our movement down this path, it may actually be the safety benefits offered by driverless cars that propel us in this direction. Several high-profile competitions have fostered the development of driverless car technology. Some jurisdictions are already passing legislation to pave the way for driverless cars on public roads. With driverless cars will come major changes in legal processes involving accidents. In many ways the development of driverless cars that will operate on public roadways parallels the development of unpiloted aircraft that will fly in the national airspace. Design standards for hardware and software in civil aircraft (e.g., RTCA DO-254/DO-178) may serve as models for similar qualification of driverless car hardware and software.

Tuesday 08/13/13 AM, Berkeley: Hazard/Risk Management (Chair: Parizo)

Safety is not an Option
Clifford A. Parizo, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Stratford, CT, USA; R. Brandon Daugherty, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Huntsville, AL, USA
This paper presents a method for evaluating and classifying rotorcraft safety enhancing equipment in terms of impact on safety and various equipment implementation factors. Guidance from certifying agency policy and system safety standard practice were considered, resulting in a classification tool that can be used to determine if equipment should be marketed and sold as either mandatory or optional. The methodology developed may have applications for other products and industries.

National Aerospace Standard 411 Update
Timothy Sheehan, CIH, CSP, PE, Raytheon Global Substances Program, Raytheon, Portsmouth, RI, USA
This paper describes the effort to review and update National Aerospace Standard 411 ("NAS 411"), commonly used within defense as a framework to conduct Hazardous Material Management Programs (HMMP) intended to reduce hazardous material risks in the government procurement of military systems. The scope of the effort includes both a review of the standard and the introduction of several key changes, including the expansion of the scope to non-military procurements and service contracts. Included in the effort is the task of developing a standardized military Hazardous Materials Target List (HMTL) that can be used as a starting point for military HMMP hazardous material (HAZMAT) target lists. The development of the common HMTL addresses the need to increase standardization of HMMP lists across defense programs that use NAS 411 and/or MIL-STD-882E Task 108 to conduct their HMMPs. There is currently no standard approach for developing these lists; as a result, there are numerous different materials identified for restrictions and reporting requirements. The current situation often does not support (or reflect) the hazmat risk management goals of the DoD, the military services, or the contractors.

Linear Integrated Safety Analyses (LISA)
Michael T. Grant, Aviation & Product Safety, Sikorsky Aircraft Corp., Stratford, CT, USA; Samad Muhammad, Atlantic Software Technologies, Inc., New York, NY, USA
This paper describes the Linear Integrated Safety Analyses (LISA) process developed by the Sikorsky Aircraft Corporation (Sikorsky). The LISA architecture is designed to encompass all aspects of safety risk management for aircraft development programs. It is linear in that each assessment is repeated at the aircraft, system, and subsystem levels in sequence, and it is integrated such that all analyses are connected and fully traceable to requirements. Sikorsky has partnered with Atlantic Software Technologies (AST) to develop a web-based LISA application. The end product will be a fully integrated system safety process that is comprehensive, repeatable, and traceable.

Tuesday 08/13/13 AM, Clarendon: Workspace Safety (Chair: Kondreck)

Program ISSC 2013

Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen
Han Zhang, MSc Candidate; Rachel McQueen, MS, PhD; Jane Batcheller, PhD; Human Ecology, University of Alberta, Edmonton, Alberta, Canada
Burn injuries in kitchens are prevalent; as well, chefs are exposed to high heat and humidity. Limited research has been performed on safety issues related to chef's uniforms regarding thermal protective performance against common kitchen thermal hazards (i.e., flames, hot liquids, steam, and hot surfaces) and the thermal comfort within commercial kitchens. The purpose of this research was to characterize the thermal protective performance properties of textiles used in chef's uniforms in order to understand how protective they are against all these thermal hazards in such an environment. Selected thermal performance tests (i.e., flammability and ease of ignition, hot water and oil splash, steam testing under low pressure, and hot surface contact tests) were applied to predict the time to second-degree burn. Different fabric layer combinations (e.g., impermeable/semipermeable apron and two or more layers of cotton fabrics) were applied to determine the most effective way to wear chef's uniforms. In addition, thermal and water vapour resistance were compared among different fabric systems in terms of thermal comfort. Based on the data obtained from bench scale tests, recommendations were made to improve the thermal protection and thermal comfort of fabrics used in chef's uniforms and the safety within commercial kitchens.

A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources
Ray Fischer (1); Kurt Yankaskas, BS (2); Chris Page (1). (1) Noise Control Engineering, Inc., Billerica, MA, USA; (2) Warfighter Performance Department, Office of Naval Research, Arlington, VA, USA
Noise remains the most prevalent occupational hazard associated with defense systems and operations critical to their sustainment. Concurrently, acquisition programs have been inconsistent in application of control measures, and many new systems are noisier than their legacy predecessors. Common impediments to improved control include a relative lack of emphasis on risk management of noise, lack of widespread technical knowledge regarding the feasibility of noise control, and misunderstanding of the potential return on investment from noise controls. The Defense Safety Oversight Council's Acquisition and Technology Task Force sponsored a project to identify common noise sources affecting multiple defense systems that were amenable to control measures that could be implemented using existing technologies at an affordable cost. A system engineering risk management process was applied to review key noise sources in DOD, identify nine of the more common sources amenable to control technologies, and describe common control measures for these processes. An affordable containment (acoustic enclosure) technology was also evaluated and described. Estimates were made of exposed populations, the range of their occupational exposures, and the potential risk and fiscal cost of hearing loss. Cost-benefit analyses were applied to evaluate the return on investment from available control measures.

System Safety Design for Safe Operation of Radars
Ronald J. Bartos, PE, CSP, Whole Life Engineering, Raytheon, Sudbury, MA, USA
Safe operation and maintenance of radars depends upon effective system safety and software safety analyses of radar designs. These analyses include identification of the hazards involved in operating and maintaining radars and the safety requirements that are necessary to mitigate these hazards. This paper familiarizes the reader with the system safety design requirements that are implemented in the controls of these systems in order to manage the potential safety risks inherent in radars. The safety features are contrasted among different types of radars. The differences in the types of safety features among these systems are highlighted, and factors for these differences are presented. The radar's mission, location, system architecture, conceptual design, and requirements allocation between hardware and software need to be understood in order to implement an effective safety program.

Tuesday 08/13/13 PM, Berkeley: Software Engineering (Chair: Mikula)

Dependability Techniques Applied to Space Software - A Research Project Report
Carlos Henrique Netto Lahoz, Dr. Eng., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos (SP), Brazil; Martha Adriana Dias Abdala, M.S., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos, Brazil
This work reports some results of a research project performed at the Institute of Aeronautics and Space (IAE), Brazil, using dependability techniques applied to a space computer system. Hazard analysis techniques such as Software FTA and Software FMECA were used in an integrated manner, and more recently the System-Theoretic Process Analysis (STPA) has been studied. This research is part of the Verification and Validation (V&V) efforts to increase software dependability capability in software projects at IAE.

The feasibility of such an approach was evaluated on a system software specification and applied to a case study based on the Brazilian Launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to the inclusion of new functional and non-functional system software.

The techniques are adjusted and used in combination to identify common causes of software failures, their criticality, performance problems, timing issues, and hazards arising mainly from dysfunctional interactions between components. The SFTA analysis produced 82 basic events and the SFMECA 34 analyses from the sequence of flight and control events. The STPA is being applied to one of the case study scenarios in order to evaluate possible additional information about how the behavioural safety constraints can be violated.

The Principles of Software Safety Assurance
Richard Hawkins, PhD; Ibrahim Habli, PhD; Tim Kelly, PhD; Department of Computer Science, University of York, York, United Kingdom
We present common principles of software safety assurance that can be observed from software safety standards and best practice. These principles are constant across domains and across projects and can be regarded as the immutable core of any software safety justification. The principles also help maintain understanding of the 'big picture' of software safety issues whilst examining and negotiating the detail of individual standards, and provide a reference model for cross-sector certification.


Formal Modelling in the Development of Dependable Systems
Elena Troubitsyna, PhD, IT, Åbo Akademi University, Turku, Finland
Nowadays we tend to place increasing reliance on computer-based systems and the software which they are running. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, the analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.

It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing of software to the required degree of dependability infeasible, and hence the emphasis should be put on a development process which is aimed at producing fault free software. Moreover, the system environment has a direct impact on its dependability, and hence a systems approach should be applied.

In the paper we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.

Tuesday 08/13/13 PM, Clarendon: Aerospace Safety (Chair: Kraemer)

Systems-Based Approach to Flight Safety Management in Airlines
Hong Chi, PhD; Baoguang Xu, PhD; Mingliang Qi, PhD; Xueyan Shao, PhD; Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China
Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of SMS. From 2006 we have worked with one of China's 3 big airlines, taking part in its construction of SMS. We find that safety risks have their own features in different airline departments, and divide safety risks into two categories: one is caused by factors such as quality of pilots and reliability of airplanes, and the other is caused by misprocessing through operational processes; for example, a misprocessing in data entry during dispatching may lead to insufficient fuel and then serious outcomes. A reasonable risk assessment can be obtained only by systematic mechanism analysis, and other analytical approaches need to be studied besides the risk matrix. Based on this, effective risk mitigation can be implemented in airlines. We develop a closed loop to support airline flight safety management named "Describing-Assessing-Diagnosing-Improving-Tracking". Specific details will be discussed in this paper.

Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch
Burak Durmaz, MSc Eng., Product Assurance Department, Space Systems Group, Turkish Aerospace Industries Inc. (TAI), Ankara, Turkey
Even if new generation aircraft have rugged designs which maximize reliability, exposure to failures during operation is still unavoidable. A pure safety approach can lead to the classical result "the safest aircraft is the one in the hangar". Vice versa, allowing dispatch without ensuring a certain level of safety can lead to catastrophic results and is totally unacceptable. The MMEL has been answering this dilemma for many years. Each MMEL item is analyzed taking into account the effects of item inoperability on safe flight and landing, crew workload, functional capabilities of the systems, design margins, and the impacts due to the next critical failure. The MMEL proposes dispatch criteria for any inoperative MMEL item by taking credit from a redundant unit which is capable of accomplishing the same function, backup data provided by alternative sources or equipment, dictating acceptable limitations, and/or requiring operational or maintenance procedures.

This study aims to answer questions such as why an MMEL is required and how an MMEL is developed. Brief information about the MMEL regulations, the importance of the MMEL to ensure safe dispatch with inoperative item(s), and some simple examples regarding MMEL applications are also going to be provided.


Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics
Stuart Campbell Sr., MAS, CFII, ATP, Aeronautical Science, Embry-Riddle Aeronautical University, Daytona Beach, FL, USA
The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilots Association, 2010). The absence of a positive safety culture in general aviation, to include training organizations, affects pilot judgment and decision making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture during the learning process and training, is of importance and currently under study using the Frasca Mentor Advanced Aviation Training Device.

Tuesday 08/13/13 PM, Dartmouth: Software Safety (Chair: Schmedake)

Safety and/vs. Security: Towards a System Engineering Approach for Trust
Erwin Schoitsch, Dipl.-Ing., Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria
Safety has a long tradition in many engineering disciplines, evolving long before computers arrived on the scene. Security in engineering disciplines has a shorter history, becoming increasingly important with the rising complexity of networked systems. In complex cyber-physical systems and systems-of-systems, both worlds, having ignored each other for a long time (independent communities, different targets, standards, techniques and measures), now have to share their concerns to achieve the real goal of users and stakeholders: trustworthy systems.

The paper will compare the different approaches of the major safety and security standards, particularly with respect to setting goals, considering techniques and measures, and qualification/certification. Holistic system aspects, as covered by the notions of Dependability and Resilience as umbrella terms, and system engineering aspects, taking into account dichotomic properties of complex embedded systems (commonalities and trade-offs), are looked at to try to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from the concept phase, hazard and risk analysis, to decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC FP7 Integrated Project OPENCOSS, IEC/ISO standardization groups, and other work.

Anatomy of a Safety Critical Software Function
Richard Church, Raytheon Company, Tewksbury, Massachusetts, USA
This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides a clear and concise determination of how a safety critical function may be defined at the system level, to include hardware, software, human interactions, and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose an SLSCF into computing level functions, details what constitutes a Safety Critical Computing Software Function (SCCSF), and shows how to identify those behavioral attributes that designate that function as safety critical. This paper provides a methodology to identify, decompose, and categorize application and operating environment SCCSFs. For the purpose of this paper, SCCSFs are categorized into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety critical software functions that control and monitor safety critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies, and fail-safe designs found in successful high consequence safety critical systems.
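As an added illustration of the defensive coding and fail-safe design patterns the abstract refers to, here is a Python sketch of a hypothetical overspeed-protection Safety Critical Application Function. It is example code written for this program page, not code from the paper or from Raytheon; the function name, thresholds and sample values are assumptions. The point it makes is structural: every input check that fails resolves to the restrictive (brake-applying) state with a recorded reason, and no arithmetic is done on a value until it has been type-checked, range-checked and cross-checked against the redundant channel.

```python
"""Defensive, fail-safe shape of a safety critical computing software function.

Added example, not code from the paper. The function name, thresholds and
sample values are assumptions chosen for illustration.
"""
import math
from dataclasses import dataclass
from enum import Enum


class Output(Enum):
    RELEASE = "release_brakes"
    APPLY = "apply_brakes"        # the fail-safe (restrictive) state


@dataclass(frozen=True)
class SpeedSample:
    channel_a_kph: float          # speed from redundant sensor channel A
    channel_b_kph: float          # speed from redundant sensor channel B
    age_ms: int                   # milliseconds since the sample was taken


# Assumed engineering limits for the hypothetical system.
MAX_PLAUSIBLE_KPH = 350.0         # anything above is a sensor/bus fault
MAX_CHANNEL_DIVERGENCE_KPH = 5.0  # redundant channels must agree within this
MAX_SAMPLE_AGE_MS = 100           # older data is treated as lost


def _plausible_speed(value) -> bool:
    """Reject wrong types, NaN/inf and out-of-range readings."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    if math.isnan(value) or math.isinf(value):
        return False
    return 0.0 <= value <= MAX_PLAUSIBLE_KPH


def overspeed_protection(sample, limit_kph) -> tuple:
    """Decide the brake command; any doubt resolves to Output.APPLY with a reason.

    The checks are ordered so that a failed check returns immediately and
    no computation is performed on untrusted values.
    """
    if not isinstance(sample, SpeedSample):
        return Output.APPLY, "invalid sample type"
    if not isinstance(sample.age_ms, int) or not 0 <= sample.age_ms <= MAX_SAMPLE_AGE_MS:
        return Output.APPLY, "stale or invalid sample timestamp"
    if not _plausible_speed(sample.channel_a_kph) or not _plausible_speed(sample.channel_b_kph):
        return Output.APPLY, "implausible speed reading"
    if abs(sample.channel_a_kph - sample.channel_b_kph) > MAX_CHANNEL_DIVERGENCE_KPH:
        return Output.APPLY, "redundant channels disagree"
    if not _plausible_speed(limit_kph):
        return Output.APPLY, "invalid speed limit"
    # Conservative fusion: trust the higher of the two agreeing readings.
    speed = max(sample.channel_a_kph, sample.channel_b_kph)
    if speed > limit_kph:
        return Output.APPLY, f"overspeed: {speed:.1f} > {limit_kph:.1f} km/h"
    return Output.RELEASE, "within limit"


if __name__ == "__main__":
    # Constructed inputs: one healthy case and several fault cases.
    cases = [
        SpeedSample(78.0, 79.5, 20),
        SpeedSample(78.0, 91.0, 20),            # channel disagreement
        SpeedSample(78.0, 79.5, 250),           # stale data
        SpeedSample(float("nan"), 79.5, 20),    # corrupted reading
        SpeedSample(82.0, 81.0, 20),            # genuine overspeed
    ]
    for s in cases:
        print(s, "->", overspeed_protection(s, 80.0))
```

Returning the reason string alongside the decision is deliberate: a fail-safe trip that cannot be explained afterwards is a maintenance hazard in its own right, and the reason is what an infrastructure-level logging function (a SCIF in the paper's terms) would record.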

Software Risk: The Third Rail of Safety Analysis
Holly S. Hildreth, PhD, Consultant; Charles "Greg" Elcock, USN-R Aviator, Consultant; San Diego, CA, USA
"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Due to our inability to assess probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called "throwing the baby out with the bath water". Meanwhile, the recent industry trend to assess software risk based solely on implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss shortcomings of this trend and describe alternative techniques that have not been openly documented but that have been used "under the radar" by software safety professionals for many years.

Wednesday 08/14/13 AM, Berkeley: Human Factors (Chair: Robins)

ASL - Affective Safety Leadership
Ulrik Ramsing, Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark
Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how", demanding that the CoRep engage with all parties in a safe, professional and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged with CfL, Centre for Leadership, to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, of which the satisfactory completion is now a requirement for employment in DONG E&P Offshore Operation as Company Representative.

The CoRep Program satisfies its objectives through case based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors, and ILO-driven offshore coaching.

Exxon Valdez: Human Error, Plain and Simple
Arthur D. Barondes, BS (Mil. Engr.), MS (Aero), MBA, PhD (ABD) (Business), Analytics International Corporation (AIC), Alexandria, VA, USA
Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989, and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors (there were no mechanical or electrical failures that fateful night), the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots, and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors, onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company, as solely responsible for the disaster.


Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A. Vernacchia, MS, PE, Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A. Green, PhD, Active Safety Systems, General Motors, Warren, MI, USA; Robert E. Llaneras, PhD, Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA
Today's electric propulsion system designs (e.g., Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, some failure modes may result in the failure effect on output torque being realized significantly faster than traditional ICE failure modes. These may present differences in how output torque responses impact potential "Driver Startle" events.

This paper compares electric propulsion systems' fault response characteristics and subsequent detection and mitigation capabilities to those of ICE systems. The effects of the electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle level hazard metrics related to Driver Startle, are presented.

Wednesday 08/14/13 AM, Clarendon: Public Safety (Chair: Fletcher)

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD; Yun Luo; Shuo Tian, MS; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
Scientific precaution and effective control of accidents are important for national production in China. The famous Heinrich Rule reveals that the statistical law of the severity and frequency of accidents is essential to control accidents, but the accident source and causation, as well as the essence of systematic safety factors, haven't been stated deeply. With data analysis from various accident statistics over recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. Then a proportion rule of the accident pyramid is further figured out, namely "Major Accidents - Fatal Accidents - General Accidents - Hidden Dangers - Hazards" (1 - 52 - 240 - 4700 - ∞). The result accords with the traditional Heinrich Rule, which provides the theoretical basis for accident prevention and indicates the way and direction of realizing essential safety.

Technical and Economic Aspects of Industrial Safety at a Large Enterprise with Distributed Sites Located in a Megacity
Ilya M. Zheleznov, PhD, VNIIA, Moscow, Russia
The paper presents a review and results of analysis of different technical and economic aspects of industrial safety at a large enterprise with distributed sites, combining R&D work with pilot and batch production of high-tech products, and located in a megacity, Moscow.

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to optimization are considered, both from technical and economic points of view, taking into account minimization of transportation of dangerous substances, localization of treatment facilities (waste effluents, gas purification) and waste storehouses, localization of systems for maintaining working conditions (heating, air-conditioning, air cleaning, water supply, etc.), possible harm to the population, and a number of other factors.

The features connected with the location of the enterprise in a megacity, such as limited areas for treatment facilities, a high saturation of the area with various communications, small distances to residential buildings and city infrastructure objects, transport problems, high pollution of the air environment, etc., are identified.


Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr., Professor G.A. Smirnov; Dr. D.I. Yurkov; D.V. Syagin; T.V. Kozhina; All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia
The paper reviews the questions related to vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including ones of a terrorist orientation, as well as to emergency situations of natural and anthropogenic character.

The main provisions of the Russian Government approved complex program for safety of the population on transport are presented. Approaches to the organization of examination of physical persons (passengers), vehicles, cargoes, luggage and personal things at transport infrastructure objects of the undergrounds of Russia are formulated. Some types of neutron and X-ray equipment for detection of explosives, nuclear materials and drugs, designed and produced by VNIIA named after N.L. Duhov, are presented.

Wednesday 08/14/13 AM, Dartmouth: Lifecycle Safety (Chair: Swallom)

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore, Singapore
System Safety analyses assess the systems' hazards throughout all phases of the system life cycle. Quite often, details of maintenance tasks on systems were not clearly thought out and assessed. Hence, while in the midst of carrying out system maintenance tasks, hazards could arise and pose safety implications to users. Improper maintenance could also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance and sometimes total replacement of the components at regular intervals are required. Therefore it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety critical or safety related parts is also crucial in ensuring that the systems remain safe for operation after conducting maintenance.

This paper attempts to classify the different types of maintenance and the focuses of their respective hazard analyses in order to better address their potential hazards. Generally there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance, and Reliability-Centered Maintenance. The authors will discuss with examples the hazard analysis for each of these types of maintenance.

ALD Software
30 Years of System Safety Leadership
Safety Service for Mission & Product Assurance
Safety Software for Highly Integrated Systems
Safety Training for Professionals
Contact Us Today for a Free Web DEMO or Evaluation. USA Office: 5721 W. Slauson Ave., Suite 140, Culver City, CA 90230. Tel: 1-310-338-0990. Fax: 1-310-338-0999
ing | AIRBUS | ALSTOM | BAE | CATERPILLAR | DEUTSCHE BAHN | EADS | FAA | FINMECCANICA | IAI | SELEX Galileo | Bo
LOCKHEED MARTIN | NASA | NORTHROP GRUMMAN | SCAC | SAAB | THALES ALENIA SPACE | VIBRO-METER | US NAVY | THA
RAM Commander: Ultimate Tool for Safety Assessment
FavoWeb: World Standard in FRACAS
D-LCC: Dynamic Cost Control
www.aldservice.com

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram; David Hartfelder; Electronic Controls and Software, General Motors Company, Milford, MI, USA
System safety engineering is the application of special technical methods and managerial processes in a systematic manner to identify, evaluate, and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned with eliminating or minimizing the impact of system hazard(s) to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementary critical safety analyses, tests, and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that they are able to influence the design of the system. This paper will define a system safety case and provide an overview of its development within the GM system safety engineering process as it applies to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA
Error Prevention Event Collection (EPEC) Documents have been beneficial to the ULA Organization in many ways, by providing multiple methods to augment current ULA Error Prevention Processes and share Lessons Learned throughout the ULA Organization. EPEC Documents are stand-alone documents that provide ULA Personnel with categorized sets of Event information that can be used to augment Preventive Analysis, Reactive Analysis, and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process. This means that they have completed the Causal Analysis, Corrective Action Board, and Error Prevention Council processes. Upon Event closure, the "All Items" Database is populated with Event information and the applicable Event EPEC Categories. Then the "All Items" Database automatically sorts Event entries into "Category" Databases. There is one "Category" Database for each EPEC Category. Each "Category" Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" Database that provides users with instructions for use, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications, and benefits will continue to be explored as they relate to the EPEC Documents.

Wednesday, 08/14/13, AM, Exeter: Human Factors II (Chair: Flint)

Development of an Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy; Yanyan Wang, DE; Xin Liu; Wei Bai; Xinsheng Guo; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress has a disadvantageous effect on flight safety. Life events are a routine item of aircraft accident investigation in many countries, and many pilots involved in accidents were suffering from life events. In order to achieve the ideal effect, flight safety education must be incorporated with psychology. An education program combining flight safety and psychological stress was developed by summarizing the psychological factors relevant to aviation risk perception. The program includes three sections: psychological measurement relevant to safety with feedback of results; education on representative risk scenes in aviation; and occupational stress management. The Aviation Safety Locus of Control scale and the Hazardous Aviation Attitude questionnaire were used to evaluate risk patterns. The results were fed back to pilots to improve their self-knowledge. The representative risk scenes were based on the five hazardous attitudes theory; fifteen cases were developed, and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach the pilots stress management skills. The program can be applied to improve the flight safety and mental health of pilots.

Research on Evaluation Indices and Methods for CRM Dynamic Training
Yanyan Wang, MD; Xin Liu; Wei Bai; Xinsheng Guo; Qingfeng Liu, MPsy; Xiaochao Guo, DPsy; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
The capabilities of crew resource management (CRM) relate directly to flight safety and run through the whole process of flight tasks, but there are currently no indicators and methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and the pilot's behavior characteristics for dynamic CRM were developed based on AC-121-FS-2011-41 (crew resource management training) and by analyzing the influential factors; from these, the dynamic assessment training indicators and methods for crew resource management were formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis for assessment of CRM during flight training, which is helpful for improving the CRM capabilities of the double drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD; Erin Collins; Hughes Associates, Inc., Baltimore, MD, USA
The fire protection response in selected facilities is characterized by "manual" activities. That is, facility personnel are trained to react immediately after fire detection, not only to announce the fire event throughout the facility using the communication systems, but also to suppress the fire as quickly as possible. Contrary to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e., hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper involves an integration of an event tree analysis and HRA, which includes treatment of the following detection and suppression activities: prompt detection and suppression, rapid detection and suppression, and fire brigade suppression.

Wednesday, 08/14/13, PM, Berkeley: Safety Topics (Chair: Gauthier)

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou, BEng, MSc, PhD, CEng; Matthew Luckcuck; Tim Kelly, PhD; Richard W. Jones, PhD; Department of Computer Science, University of York, York, United Kingdom
There has been an increasing use of IT in healthcare, aiming to improve the quality of healthcare as well as the safety delivered to patients. IT can contribute to improvement in meeting the performance targets of hospitals by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent in medical devices (e.g., pacemakers), for which there have been organised efforts towards international standards. Recently there have been attempts to systematise and standardise the safety analysis of health IT systems, with examples such as the UK National Health Service standards asking for a safety case that any IT systems are safe.

The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety and data-intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these (tactics) can be used to provide assurance to the final safety case of the system.

How Complex Systems Fail - I: Decomposition of the Failure Histogram
Richard R. Zito, PhD, Richard R. Zito Research LLC, Tucson, AZ, USA
Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that in general the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model. And the failure histograms (failure rate vs. time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report will take the Peterson/Arellano analysis one step further. A unified theory of failure rates will be presented that removes the paradoxes of the simple Rayleigh model. It will be shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function law.

Wednesday, 08/14/13, PM, Clarendon: Risk Assessment (Chair: Karedes)

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt; Joan Pham, PhD; Sikorsky Aircraft Corporation, Stratford, Connecticut, USA
The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday, 08/15/13, AM, Berkeley: Space Systems (Chair: Durmaz)

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X. Dang, BSCE (1); Myles P. Moran, BSME (2); Tyrone Jackson, BSEE (1); (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA
A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. An example: one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 AFSPC SUP 1, 91-217, and 63-101. AF program offices are required to comply with AFI policies. AFIs don't generally apply to the contractor except as implemented through the contract. Often, program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that by having two sets of requirements, AFIs for program offices and MIL-STD-882-Tailored for contractors, full compliance with AF Orbital Safety policy should be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"

Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G. McDougall, BS Physics, Naval Post-Graduate School (NPS) Master of System Engineering, System Safety Center, SMC/SE, El Segundo, CA, USA; Tyrone Jackson, BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA
Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommissioning, and disposal of systems, subsystems, end items, and services during the entire space system lifecycle, to support Operational Safety, Suitability, and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements that are applicable to the acquisition of space systems or space systems of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems, and user equipment systems. SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP_I, and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process for evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing the tasks and activities required to execute a viable system safety program, which include risk acceptance package development, hazard tracking, mishap risk disposition, and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch, CO, USA
United Launch Alliance launches Atlas V and Delta IV from the Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles. Large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire, and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle, and prelaunch operations, until liftoff. Range Safety regulations provide safety requirements for hardware, software, and operations to ensure safety throughout the ground processing. This paper will examine each stage of the ground processing for space launch and the applicable safety requirements, and discuss how the requirements are applied. Some examples are DOT requirements for trailers; ASME code requirements for storage tanks; location of the storage tanks; testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after the personnel are cleared, using safety-critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday, 08/15/13, AM, Clarendon: Weapons Safety (Chair: Southwick)

Security Critical Software — the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S. Alborzi, PhD, Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA
Today's political landscape, the arbitrary abandonment of non-proliferation of nuclear weapons by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us — the safety engineers — to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense of system safety. This paper intends to explore this integration and unveil some of the security critical software that can serve as the first line of defense for preserving the safety critical features of our weapons systems.


Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams, BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello, BSChE, Navy NOSSA, Indian Head, MD, USA
The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance provided in the associated AOP-7 and AOP-39 for implementing policy. Questions are often raised during program development and reviews as to the origin and applicability of tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, will only address Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE; Gunendran Sivapragasam, MBA SE; Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA
A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among those characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday, 08/15/13, AM, Dartmouth: Hazard Identification (Chair: Oliver)

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore
We have often asked ourselves why accidents or mishaps happened even when the system safety methodology and assessments were in place. Accidents happen due to many possible causes. There could be lapses in the safety integrity of the system, or a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns whereby a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations that were faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practices in system safety. There are 4 areas of concern highlighted in the paper: Interfaces; Prototype Tests & Trials; Maintenance & Disposal; and Human Error. By identifying the gaps in these 4 areas, the author explores and proposes mitigation measures that could possibly close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr., Cand. Scient., System Safety, SINTEF, Trondheim, Norway
Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body (for certification according to IEC 61508), a Notified Body (for certification according to relevant EU directives), and a Manufacturer.

Experience has shown that, to deliver the product in time and to be cost-effective, it is very important that the Manufacturer and the Certification and Notified Bodies agree about basic principles concerning the plans, contents, traceability, and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Body as evidence.

This paper presents the CoVeR method, which has been developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, that costs are minimized, that time to market is reduced, that the certification process is complete and well documented, and that updating the certificates requires less work. The certification experiences to date show that many of the problems with conventional methods are improved upon.

Design with Safety Eye
Barış Berk Erdem, MS; Pinar Aydin, MS; Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey
Deriving safety requirements in the early stages of the design is one of the most important key factors for conducting a successful development process for any project. While well-defined, correct, consistent, and complete safety requirements improve and guide the design to perfect levels with minimum effort, defective, inconsistent, and incorrect safety requirements may lead to unsuccessful, overweight, and over-cost designs. In this paper, ways and advantages of deriving qualified safety requirements in the early stages of the design will be discussed via examples. Safety requirements are derived using the results of the safety assessments, based on the consequences of functional failures. But the quality of safety assessments depends on the maturity of the design, and as the design matures it becomes hard to change and to implement the changes, which causes a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated, and familiar with similar projects provides great contributions. Also, a safety perspective throughout the design team makes it easy to derive valuable safety requirements and to bring these requirements into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is cooperation of the whole design team with a safety perspective.

Thursday, 08/15/13, PM, Berkeley: Aerospace Software (Chair: Beecher)

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway, NASA Langley Research Center, Hampton, VA, USA
For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements." Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments, contained in or implied by the DO-178C guidance, that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore, developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper, we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels, and Baconian probability. We define use cases for confidence in safety cases: prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for reuse of safety elements.

Initial Safety Analysis for Integration of Unmanned Aerial Systems into the National Airspace System
Eric Yang, PhD; Richard Y. Xie, PhD; Arash Yousefi, PhD; Metron Aviation, Inc., Dulles, VA, USA
As demand for military, civilian, and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety that is set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper, we adapt a previously developed safety modeling framework, the Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with: incompatibility of sense-and-avoid systems between different types of UAS; incompatibility of sense-and-avoid systems of UAS and Traffic Collision Avoidance Systems (TCAS) of manned aircraft; lost-link procedures in the UAS; and UAS loss of communication with air traffic control. The findings of this study provide insight into the potential risks of UAS integration and may support development of the concept of operations, establishing minimum performance standards, and developing required safety nets.

Thursday, 08/15/13, PM, Clarendon: Public Safety II (Chair: Laabs)

Integrating System Safety and Emergency Management
Terry L. Hardy, Great Circle Analytics LLC, Denver, CO, USA
System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations, or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience, and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS, HSE, Marine Well Containment Company, Houston, TX, USA
Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips, and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain, and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess, and Statoil. In February 2011, MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS, and the Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach for working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.


A Taxonomic Analysis of Chinese Special Equipment "Yinhuan" in Supervision
Yunxiao Fan, Dr., Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety at the worksite. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices, and automobiles. In recent years, the rapid increase in the numbers and types of special equipment has put BSES under increasing stress in regulating special equipment. As a government supervision organization, BSES tries to make the inspection tasks of different supervision levels explicit and efficient and to improve safety management performance from the viewpoint of risk. This research is the first task in a project which aims to identify yinhuans in special equipment supervision using a taxonomic approach, for further ranking of them through risk assessment. Based on nonconformity and the 4 elements in the accident causation model, this research defined yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. This research identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans across 8 types of special equipment.

Thursday, 08/15/13, PM, Dartmouth: Hazard/Risk Management II (Chair: Kniess)

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1); Patrick J. Graydon, PhD (2); Rikard Land, PhD (1); (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework including analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach, the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence; it can also ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA
United Launch Alliance (ULA) believes error reporting is the cornerstone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented, and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012, ULA experienced an elevated number of transportation-related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if the associated processes were in statistical control with respect to errors.

This paper concludes The Statistical Quality Control P-Charting technique can be applied to Event data bull Statistical Quality Control P-Charting analysis indicates processes were ldquoin controlrdquo with during the bull period of this study

Program ISSC 2013

Isograph Software: World Leading Reliability, Availability and Maintenance Software
Reliability Workbench: Reliability Allocation, Prediction, FMECA, Fault Tree Analysis, Event Tree Analysis, Markov
Availability Workbench: Reduce Labor & Spares Costs; Increase uptime and output; Seamless integration with SAP and Maximo
www.isograph-software.com

Even though statistical analysis tools demonstrated ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, PEng, MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece

Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how STAMP-Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents and incidents. The objective is to show the feasibility of establishing in airports system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems and airports to assess and predict changing levels of risk.

Special Functions

Saturday: SSS Executive Council Meeting, 12:00 - 5:00pm, Tremont Room
Sunday: SSS Executive Council Meeting, 8:00am - 5:00pm, Tremont Room
Monday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Monday: Opening Ceremonies / General Session, 1:30 - 3:30pm, Salons A-E. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus. Keynote Speaker: James P. Keller, Jr., MS, ECRI Institute
Tuesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Tuesday: Sponsor/Exhibitor Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology
Tuesday: Sponsor & Exhibitor Reception, 6:30 - 8:30pm, Gloucester Room
Wednesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Wednesday: International Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK
Wednesday: Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00pm. Be in the hotel lobby at 6:00pm
Thursday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Thursday: Awards Luncheon, 11:30 - 1:20pm, Salons A-E
Friday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Friday: Best Papers Presentations, 8:00 - 11:20am, Dartmouth Room

32nd International System Safety Conference, 4-8 August 2014 · St. Louis, MO
St. Louis Union Station Marriott Hotel
Gateway to Safety

Local Attractions
• Gateway Arch Riverfront
• Missouri History Museum
• Museum of Transportation
• St. Louis Cardinals
• St. Louis Symphony
• St. Louis Union Station
• St. Louis Science Center
• The Contemporary Art Museum St. Louis
• Bissell Mansion Restaurant and Dinner Theater
• Missouri Botanical Gardens
• Laumeier Sculpture Park
• Anheuser-Busch Brewery
• Kemp Auto Museum
• Schlafly Bottleworks
• Fox Theater
• Purina Farms
• Meramec Caverns
• Laclede's Landing
• City Museum
• Magic House
• Grant's Farm
• St. Louis Zoo
• Delmar Loop
• Forest Park
• Harrah's
• Six Flags

About the System Safety Society

The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program or activity at the planning phase and continues through the design, production, testing, use and disposal phases.

The Society's Objectives:
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering, and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070
www.system-safety.org, email: systemsafety@system-safety.org

Points of Contact

Officers:
Robert Schmedake, President: robertaschmedakeboeingcom
Dr. Rod Simmons, Executive Vice President: rodsimmonsmecom
Dr. Matt Johnson, Executive Secretary: mjohnsonstaudertechcom
Pam Kniess, Treasurer: pamkniessgmailcom
Gary Braman, Immediate Past President: gbramansikorskycom

Directors:
Gerry Einarsson, Chapter Services: einargkrogerscom
Lynece Pfledderer, Conferences: Lynecepfleddererlmcocom
Dr. Chuck Muniak, Education & Professional Development: cmuniakstevensedu
Debbie Hale, Gov. & Intersociety: Hale0324hotmailcom
Robert Fletcher, International Development: rwfletchersympaticoca
Melissa Emery, Member Services: memeryapt-researchcom
Steve Mattern, Mentoring, R&D: smatternbastiontechnologiescom
Saralyn Dwyer, Publicity & Media: sdwyerapt-researchcom

Chapters

Tennessee Valley Chapter AL Don Swallom swallomisss-tvcorg

Saguaro Chapter AZ Amanda Boysun 520-794-5487 AmandaBoysunraytheoncom

Bay Area Chapter CA Graham Murray 408-756-2674 grahamtmurraylmcocom

Central California Chapter CA Kathleen Brenna KathleenBrenna1usafmil

Sierra High Desert Chapter CA Jerry Banister 760-377-4690 safetycitadelearthlinknet

Southern California Chapter CA Francis McDougall 310-653-1309 francismcdougallusafmil

Colorado Chapter Terry Foppe 303-915-8353 terryfoppecomcastnet

Georgia Chapter Terry Gooch 770-494-3527 terryjgoochgmailcom

Winners Circle Chapter KYIN Marc Bever 812-854-1351 Marcbevernavymil

Twin Cities Chapter MN Bill Blake 763-744-5086 billblakeatkcom

New England Chapter Alan E Southwick 401-842-2067 Alan_E_Southwickraytheoncom

Northeast Chapter Scott Beecher scottbeecherPWutccom

New Mexico Chapter NM William (Bill) Harwood williamharwoodmdamil

Houston Chapter TX Derek Robins 281-335-2011 derekrobbinsmwcc-usacom

North Texas Chapter TX Frank Rinaldo 817-762-3075 frankrrinaldolmcocom

Washington DC Chapter Sean Peters seanpetersurscom

Virtual Chapter Doanna Weissgerber 408-289-4407 DoannaWeissgerberbaesystemscom

International Chapters

Australia Chapter Dr Holger Becht +61 (0)7 3868 9243 holgerbechtrgbassurancecomau

Canada Chapter Maury Hill 613-220-0533 Mauryhillrogerscom

Israel Chapter Haim Kuper 972-4-8315044 haimkuperelbitsystemscom

Singapore Chapter Ten Lin Mei tlinmeidsoorgsg


31st ISSC Luncheon Menu

Tuesday, August 13
New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pate de Fruit

Wednesday, August 14
Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15
Caesar Salad
Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce
White Chocolate and Blood Orange Torte

Dr. Nancy Leveson, Massachusetts Institute of Technology
Sponsor & Exhibitor Luncheon Speaker

Dr. Leveson holds a PhD from UCLA. She was a Computer Science professor at the University of California, then became Boeing Professor of Computer Science and Engineering at the University of Washington.

Professor Leveson's research focuses on topics related to the design of complex systems containing software, hardware and human components. Her goal is to stretch current limits of complexity and intellectual manageability of the systems we can build with reasonable resources and with confidence in their expected behavior, particularly safety. Current research topics include model-based system and software engineering, system and software safety, software requirements specification and analysis, human-computer interaction, reusable component-based system architectures, interactive visualization, human-centered system design, and comprehensive approaches to risk management that include the organizational, political, managerial and social aspects of system construction and operation. New work is starting in security. Current applications include space, aircraft, autos, rail systems, nuclear power, medical devices, hospital safety, defense systems and others.

Dr. John McDermid, The University of York, UK
International Luncheon Speaker

Professor John A. McDermid has been Professor of Software Engineering at the University of York since 1987, where he runs the High Integrity Systems Engineering (HISE) research group. He was also Head of the Department of Computer Science from 2006 to 2012. The HISE research group studies a broad range of issues, mainly in systems, software and safety engineering, and works closely with the UK aerospace industry, but has worked in a number of domains including automotive, medical and railways.

In 2010 he was appointed a Consulting Professor at Beijing Jiaotong University (BJTU) and now runs a collaborative research programme in railway safety with BJTU known as the Railway Safety Technology Research Centre (RSTRC). He has extensive experience as a consultant, including advising the Ministry of Defence (MoD) on the development of DS 00-56 Issues 3 and 4. He is a member of the UK Defence Scientific Advisory Council. He is author or editor of six books and has published approximately 360 papers.

Schedule: Monday, 12 August
4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Salons A-E / Berkley / Clarendon
Morning tracks: Hazard Analysis (Barondes); Ground Transportation (Millin)
8:00 - 8:50:
• Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models (Wind, Schedl, Floetzer)
• Achieving Safety Confidence of a Large Scale System Product and its Applications (Shi)
9:00 - 9:50:
• Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees (Rainey)
• Failure Logic Automata for Future Oriented Safety Assessment of Train Control System (Zhou, Zhao)
10:30 - 11:20:
• The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment (Jaradat, Graydon, Bate)
• Are We Ready for Driverless Cars? (West)
Lunch Break: Salons A-E
1:30 - 2:20 and 2:30 - 3:20: Opening Ceremonies, General Session (Salons A-E). 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus. Keynote Speaker: James P. Keller, Jr., MS, ECRI Institute

Exeter / Fairfield / Wellesley
8:00 - 11:20:
• Tutorial: Hands-On System Safety Basics Focused On FHA (Winkelbauer, Schedl) (3 hrs)
• Tutorial: Introduction to Fault Tree Analysis Using CAFTA Software (Roy) (3 hrs)
• Committee & Group Meetings

Schedule: Tuesday, 13 August
4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Arlington / Berkley / Clarendon / Dartmouth
Arlington, all day: Tutorial: A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique (Leveson, Thomas) (6 hrs)
Morning tracks: Hazard/Risk Management (Parizo); Workplace Safety (Kondreck); Open Forum (Fletcher)
8:00 - 8:50:
• Safety is not an Option (Parizo, Daugherty)
• Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen (Zhang, Batcheller, McQueen)
• Open Forum: Developing Global System Safety Perspectives
9:00 - 9:50:
• National Aerospace Standard 411 Update (Sheehan)
• A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources (Fischer, Yankaskas, Page)
10:30 - 11:20:
• Linear Integrated Safety Analyses (LISA) (Grant, Muhammad)
• System Safety Design for Safe Operation of Radars (Bartos)
11:30 - 1:20: Sponsor & Exhibitor Luncheon, Salons A-E. Guest Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology. Menu: New England Clam Chowder; Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction; Key Lime Tart in a Hazelnut Crust, Blackberry Pate de Fruit
Afternoon: Tutorial (continued) in Arlington
Afternoon tracks: Software Engineering (Mikula); Aerospace Safety (Kraemer); Software Safety (Schmedake)
1:30 - 2:20:
• Dependability Techniques Applied to Space Software - A Research Project Report (Lahoz, Abdala)
• Systems-Based Approach to Flight Safety Management in Airlines (Chi, Xu, Qi, Shao)
• Safety and/vs. Security: Towards a System Engineering Approach for Trust (Schoitsch)
2:30 - 3:20:
• The Principles of Software Safety Assurance (Hawkins, Habli, Kelly)
• Use of Master Minimum Equipment List (MMEL) To Ensure Safe Dispatch (Durmaz)
• Anatomy of a Safety Critical Software Function (Church)
4:00 - 4:50:
• Formal Modelling in the Development of Dependable Systems (Troubitsyna)
• Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics (Campbell)
• Software Risk: The Third Rail of Safety Analysis (Hildreth, Elcock)
6:30 - 8:30: Sponsor & Exhibitor Reception, Gloucester Room

Exeter / Fairfield / Suffolk / Wellesley
8:00 - 11:20:
• Workshop: ISO 26262-Style Risk Assessment (Joyce) (3 hrs)
• Tutorial: Assurance Cases As Means of Evidence Based Development of Critical Systems (Despotou) (3 hrs)
• Tutorial: Practical Generation of Safety Cases With the Help of GSN (Gerstinger, Schedl) (3 hrs)
• Committee & Group Meetings
1:30 - 4:50:
• Workshop: Application of System Safety Methods to Systems of Systems (Joyce, Debouk, Vergara) (3 hrs)
• Workshop: Advancing Safety By Reducing Errors: A Fresh Approach (Autrey) (3 hrs)
• Tutorial: Improving Safety Management by Using a Risk Management Policy in Your Daily Operations (Fitzgerald) (3 hrs)
• Committee & Group Meetings (continued)

Schedule: Wednesday, 14 August
4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Arlington / Berkley / Clarendon / Dartmouth
Morning tracks: Human Factors (Robins); Public Safety (Fletcher); Lifecycle Safety (Swallom)
8:00 - 8:50:
• ASL – Affective Safety Leadership (Ramsing)
• The Study on the Accident Causation Rule of Macroscopic Accidents in China (Zeng, Luo, Tian)
• Maintenance Hazard Analysis (Tan)
9:00 - 9:50:
• Exxon Valdez: Human Error Plain and Simple (Barondes)
• Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity (Zheleznov)
• Development of a System Safety Case for Automotive Electric/Electronic Systems (Sundaram, Hartfelder)
10:30 - 11:20:
• Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems (Vernacchia, Green, Llaneras)
• Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation (Smirnov, Yurkov, Syagin, Koshina)
• Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes (Laabs, Allison, Russell)
11:30 - 1:20: International Luncheon, Salons A-E. Guest Speaker: Dr. John McDermid, The University of York, UK. Menu: Asian Inspired Salad; Teriyaki Chicken, Coconut Rice, Seared Bok Choy; Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce
Afternoon tracks: Safety Topics (Gauthier); Risk Assessment (Karedes)
1:30 - 2:20:
• Workshop: The Evolution of the UK Defence Safety Standards (McDermid)
• Introducing Safety Assurance Influenced Design of Health IT Systems (Despotou, Luckcuck, Kelly, Jones)
• Quantitative Risk Assessment in Aviation Safety Risk Management (Hewitt, Pham)
• Tutorial: Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System (Behnke, Damstra, Villhauer) (2 hrs)
2:30 - 3:20:
• How Complex Systems Fail-I: Decomposition of the Failure Histogram (Zito)
6:00 - 10:00: Wolfgang Puck Dinner and Lightning Show at the Museum of Science

Exeter / Fairfield / Suffolk / Wellesley
Morning track: Human Factors II (Flint)
8:00 - 8:50: Development of Education Program Integrating Flight Safety and Psychological Stress (Liu, Wang, Liu, Bai, Guo)
9:00 - 9:50: Research on Evaluation Index and Method of CRM Dynamic Training (Wang, Liu, Bai, Liu, Guo, Guo)
10:30 - 11:20: Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events (Garvey, Joglar, Collins)
8:00 - 11:20:
• Tutorial: Why You Should Care About the "-Ilities" (Southwick) (3 hrs)
• G-48 Meeting (West) (6 hrs)
• Committee & Group Meetings
1:30 - 4:50:
• Tutorial: Where Hard Meets SOFT: Human Factors Role In System Safety Engineering (Brisbois) (2 hrs)
• Workshop: Aircraft Fire & Explosion – How Safe are the Friendly Skies? (Moussa)
• G-48 Meeting (continued)
• Tutorial: Using Risk Profiles for Safety Management of Large Scale Operations (Fitzgerald) (3 hrs)

Schedule: Thursday, 15 August
4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Berkley / Clarendon / Dartmouth
Morning tracks: Space Systems (Durmaz); Weapons Safety (Southwick); Hazard Identification (Oliver)
8:00 - 8:50:
• Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy (Dang, Moran, Jackson)
• Security Critical Software: the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age (Alborzi)
• Closing the Gaps in System Safety Coverage (Siow)
9:00 - 9:50:
• Tailoring of MIL-STD-882E for Space Systems Acquisitions (McDougall, Jackson)
• Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics (Adams, Tomasello)
• Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods (Myklebust)
10:30 - 11:20:
• Cryogenic Safety for Space Launch Vehicles During Ground Operations (Iyengar)
• A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects (Pham, Sivapragasam)
• Design With Safety Eye (Erdem, Aydin)
11:30 - 1:20: Awards Luncheon, Salons A-E. Menu: Caesar Salad; Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce; White Chocolate and Blood Orange Torte
Afternoon tracks: Aerospace Software (Beecher); Public Safety II (Laabs); Hazard/Risk Management II (Kniess)
1:30 - 2:20:
• Making the Implicit Explicit: Towards an Assurance Case for DO-178C (Holloway)
• Integrating System Safety and Emergency Management (Hardy)
• Towards Automatic Verification of Safety Properties in AADL System Models (Björnander, Graydon, Land)
2:30 - 3:20:
• Uncertainty and Confidence in Safety Logic (Graydon)
• Safety in Deepwater Well Containment Operations (Robins)
• Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events (Allison, Jerdak)
4:00 - 4:50:
• Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System (Yang, Xie, Yousefi)
• A Taxonomic Analysis On Chinese Special Equipments "Yinhuan" in Supervision (Fan, Luo, Lu)
• Leading Indicators in Aviation Operations (Fletcher, Dokas)

Exeter / Fairfield / Suffolk / Wellesley
8:00 - 11:20:
• Tutorial: Conceive of Modeling On Operation Mechanism of Public Safety Standardization (Luo, Huang) (6 hrs)
• Panel: G-48 Pressing Issues Facing System Safety (West) (3 hrs)
• Committee & Group Meetings
1:30 - 4:50:
• Tutorial (continued)
• Committee & Group Meetings (continued)

Schedule: Friday, 16 August
Simmons Room, 6:30 - 8:00: Speakers' Breakfast

Clarendon / Dartmouth / Regis
8:00 - 8:50:
• Workshop: Process Safety Culture Best Practices (Pearlman) (2 hrs)
• Best Paper 1
• Lessons Learned & ISSC Staff Turn-over Meeting
8:50 - 9:30: Best Paper 2
10:00 - 10:40
10:50 - 11:30

3, 2, 1 SAFETY

System safety is paramount. It impacts our products, employees, technicians and maintenance personnel. And safety is no accident – it is designed into everything we do. We are proud to sponsor this year's International System Safety Conference and their mission to think outside the box when it comes to the best processes, methods and techniques. We're committed to delivering innovative ideas and solutions that help connect, protect and explore our universe.

www.lockheedmartin.com/ssc
© 2012 Lockheed Martin Corporation

Tutorials

The conference organizers have an information-packed tutorial program planned in conjunction with the 31st ISSC. Attending tutorials, as well as other elements of the Technical Program at the 31st ISSC, meets the requirements for Continuance of Certification credit through the Board of Certified Safety Professionals (BCSP). The University of Cincinnati will issue Continuing Education Units (CEUs) for participation in the conference tutorials. CEUs are issued on the basis of 0.1 CEU per instructional contact hour. You must be present for at least 90% of the tutorial to receive CEUs and a tutorial completion certificate. Your attendance is verified via the process outlined below.

• At the start of the tutorial, you'll clearly print your name in the attendance form exactly as you want it to appear on the certificate.
• After returning from each break during the tutorial (morning, lunch and/or afternoon), you'll initial the attendance form.
• You must be present at the end of the tutorial to receive your certificate and the CEUs.

If there are misspellings on the CEU certificates, please mark the corrections and give them back to the instructor or leave them at the registration desk.

Monday, 08·12·13, 8:00-11:30, Exeter, Tutorial, 0.3 CEU

Hands-On System Safety Basics Focused on FHA
Instructors: Werner Winkelbauer, Gabriele Schedl; Safety Management Department, Frequentis AG, Vienna 1100, Austria

An overview of a generic safety process best suited for small to medium sized projects, in relation to the project lifecycle, is given. For each major project phase, the respective safety process phase, safety objectives, and necessary inputs and outputs are detailed. Some state-of-the-art analysis techniques are explained. Special emphasis is placed on the Functional Hazard Assessment, where practical guidance for a Functional Failure Modes and Effects Analysis is presented.

The content of this tutorial is based on experience from an internationally working company.

Objective: Basic understanding of a safety process and the practical implementation of a Functional Failure Modes and Effects Analysis.

Monday, 08·12·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Introduction to Fault Tree Analysis Using CAFTA Software
Instructor: Jean Francois Roy; Nuclear Division, Risk & Safety Management Group, Electric Power Research Institute, Palo Alto, CA, USA

This tutorial will introduce Fault Tree Analysis using CAFTA Software. Attendees will first review fault tree methodology and terminology. Construction of a fault tree model in CAFTA will then follow a brief review of CAFTA's components and symbol types. In constructing the fault tree model, topics covered will include projects, navigation, editing shortcuts, and how to add probabilities. An overview of basic event probability formulas, type codes and variables will be included, as well as printing and quantification processes.

Tuesday, 08·13·13, 8:00-5:00, Arlington, Tutorial, 0.6 CEU

A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique
Instructors: Nancy G. Leveson, PhD; John Thomas, PhD; Aeronautics and Astronautics, MIT (Massachusetts Institute of Technology), Cambridge, MA, USA

STAMP is a new accident causality model that expands on the old models in order to handle the increased complexity, software, and changing human roles in today's systems. Using STAMP as a foundation, new tools have been built for hazard analysis (STPA), accident analysis (CAST), organizational risk analysis and risk management, etc. This tutorial will concentrate on STPA. The tutorial will start with a brief introduction to STAMP and the systems approach to safety engineering. The rest of the time will be devoted to learning STPA and doing exercises. Students are encouraged to bring problems from their own research domains so that they can try this analysis method on something very relevant to their work.

STPA is being used successfully in almost every industry. Several groups have evaluated STPA empirically by comparing the results with standard hazard analysis techniques. In all cases STPA found all the hazard scenarios found by the other methods, but also found additional ones involving software, human errors, and unsafe interactions among system components. In a couple of cases where STPA and the other methods were applied to a design in which an accident had occurred (without telling the analysts), STPA was the only method that found the real accident scenario.

By the end of the tutorial, attendees will be able to apply STPA to a system in their field of expertise.

Tuesday, 08·13·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Assurance Cases as Means of Evidence Based Development of Critical Systems
Instructor: George Despotou, BEng, MSc, PhD, CEng; Department of Computer Science, University of York, York, United Kingdom

Often developers have the onus to defend a position (i.e. make a case) about the safety of their system. This usually involves an explanation of how the available information for a system supports the claim that risks in the system have been acceptably managed.

Safety cases have been used in the safety domain for a number of years, mostly in the defence, aerospace and energy domains. Their usefulness as a tool for improving safety has been appreciated by many practitioners, and development of a safety case is a requirement in many standards. This has resulted in the core concepts of safety cases being transferred to other domains (e.g. automotive) and focused on other system attributes (e.g. security cases). Recently the term assurance case has been introduced, which encompasses not only safety but other relevant critical aspects of a system, such as security.

A case exists to communicate an argument. It is used to demonstrate how someone can reasonably conclude that a system is acceptably safe from the evidence available. A case is a device for communicating ideas and information, usually to a third party (e.g. a regulator). In order to do this convincingly, it must be as clear as possible. Safety case definitions may differ between domains, but all definitions converge on a set of characteristics.

Development of a (safety) case is a requirement in many standards. However, the usefulness of the safety case has been appreciated in industry and it is used by many organisations as good practice. The reason for this is that explicitly capturing all reasoning and information (about the supported position), such as assumptions and evidence, facilitates assessing the fitness of the design to meet its (safety) objectives. A manufacturer will design a system aiming to achieve the required operational attributes. However, what is intended is often not what is achieved. Once the reasoning of the developers is explicitly documented as claims and argument supported by evidence, the gap between what was intended and what was achieved becomes more apparent.

Explicitly documenting a case will contribute towards a factual representation of the system, revealing which claims can be supported by evidence and which remain intention (for example because there is not sufficient evidence to support them). This may not necessarily imply that the latter claims have not been implemented, but that we are unaware of their achievement as they are not sufficiently supported. There can be three reasons why a claim is not sufficiently supported: a) there is not sufficient evidence to warrant the claim; b) although there is evidence, there is inadequate explanation (a problematic argument structure) of how the evidence supports the claim; and c) the claim was phrased in a way that is unsupportable.

The tutorial describes the basic concepts of assurance and safety cases (including recent OMG standards), explains the main challenges in developing an assurance case and their relationship to safety standards (safety cases and standards serve different purposes and should be seen as complementary), and presents best practice (and misconceptions) regarding assurance cases.

Tuesday, 08·13·13, 8:00-11:30, Suffolk, Tutorial, 0.3 CEU

Practical Generation of Safety Cases with the Help of GSN
Instructors: Andreas Gerstinger, Gabriele Schedl; Safety Management Department, Frequentis AG, Vienna 1100, Austria

This tutorial will introduce you to the concept of safety cases. Safety cases are structured arguments that support the claim that a system is safe to be used for a given application in a given environment. Several standards require the production of such safety cases as a prerequisite for approval. The tutorial will highlight good and bad practices when developing safety cases and will introduce you to a notation specifically developed for the generation of safety cases: the Goal Structuring Notation (GSN). There will be practical examples which need to be solved by the attendees, so that hands-on practice and experience is gained.

Detailed outline of the tutorial:

Introduction (1h): The tutorial will start with a survey of current safety standards (IEC 61508, ISO 26262, EN 50128, DO-178C) and analyse their views and requirements regarding safety cases. We will then delve into the nature of safety cases, briefly touch on their historical origins, and clearly consider what can and what can't be expected from a safety case. Based on our practical experience, we will also highlight some typical bad practices when constructing safety cases. This helps to read them correctly and critically, and is also a helpful guideline for reviewing other safety documentation. This part of the tutorial is largely a presentation.

Goal Structuring Notation (45min): We will now introduce the main elements of the Goal Structuring Notation (GSN), which is a helpful tool to document safety cases. The presentation of the notation will be interleaved with brief examples, exercises and questions, so that attendees have the chance to fully understand the meaning and purpose of the various symbols. A structured method for how to proceed when drafting safety cases will also be presented. Hence this part of the tutorial is much more interactive, requiring active participation of attendees.

Case Study (45min): A realistic case study will then be handed out. It is expected to be solved as group work (groups of 3-5 people are expected). The task of the groups will be to draft and present a sound safety argument for a given claim that the system in the case study is acceptably safe for a specific application in a given environment. GSN shall be used as the notation for this purpose. At the end, the groups present their solutions and the advantages/disadvantages of the presented solutions are discussed. This part of the tutorial is group work.

Concluding Remarks (30min): Finally we will offer some concluding remarks, consisting of hints on how to avoid common errors and fallacies in safety cases, show some examples of real-world safety cases, and finish with a personal conclusion.

tuEsday 08middot13middot13 130-500 suFFolk tutorial 03 CEu

Improving Safety Management by Using a Risk Management Policy in Your Daily OperationsInstructors Ronald E Fitzgerald DPA PE CSP Safety Department URS -- Umatilla Chemical Agent Disposal Facility Hermiston OR USAThe focus of the tutorial is the use of risk assessment and risk management in the (non-technical) occupational safety and health profession Domain of Interest HazardRisk Management or Workplace Safety

First hour: Review the basics of the various components of risk and the types of risk assessments. Stress that the safety and health professional needs to understand that risk is more than a simple subjective measure of severity and frequency.


Second hour: Demonstrate how to make risk assessment into a powerful management tool by customizing the assessment of risk for use in a company or industry. Also provide insights on how to "sell" a risk management policy/program within a company.

Third hour: A discussion of how to use risk management as a tool to aid you in your daily office or program management responsibilities: the planning, organizing, staffing, leading and controlling of a safety program. Embedded in the discussion is how risk can provide a measure of the success of an occupational safety and health program.

Wednesday 08·14·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Why You Should Care About the "-Ilities"
Instructor: Alan E. Southwick, BSEE, MME, MBA, CSP, CQE, CRE, Whole Life Engineering Directorate, Raytheon Company Integrated Defense Systems, Portsmouth, RI, USA
The topic addresses the interrelationships developed from Quality, Quality Control and Quality Engineering, pursuing Specialty Engineering roles and relationships including Reliability, Maintainability, Supportability, Human Factors, Safety and Security (Information Assurance), from an overview perspective. The tutorial is designed to be somewhat interactive, presenting examples and questions to the audience related to the various topics discussed, thereby engaging participants and providing them with insights into the various disciplines and how they relate within "Specialty Engineering".

Wednesday 08·14·13, 1:30-3:30, Dartmouth, Tutorial, 0.2 CEU

Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System
Instructors: Tim R. Behnke, BSEE; John Damstra, BS Mathematical Sciences; and Eric D. Villhauer, BS Aerospace Eng., BA Economics; Specialty Engineering, General Atomics Aeronautical, Poway, CA, USA
The presenters share their implementation of a hazard analysis that integrates the civil aviation approach to safety analysis per SAE ARP 4761 and the defense approach to safety analysis per MIL-STD-882E, along with their implementation of the associated hazard tracking system in DOORS.

• Introductions - Behnke - 5 mins
• Need for System - Behnke - 5 mins
• Groundwork (historical) - Behnke - 10 mins
• Development - Damstra - 30 mins
  i. Modules
  ii. Attributes
  iii. DXLs
  iv. Views
  v. Exports
• Usage - Villhauer - 30 mins
• Questions - All - 10 mins

ProgramISSC2013


Wednesday 08·14·13, 1:30-3:30, Exeter, Tutorial, 0.2 CEU

Where Hard Meets SOFT: Human Factors' Role in System Safety Engineering
Instructor: Fred W. Brisbois, CHCM, Safety, Sikorsky Aircraft, International Helicopter Safety Team, Guilford, CT, USA
The gap that allows accidents to happen is sometimes where System Safety Engineering and Human Factors don't overlap. System Safety Engineering processes defined in MIL-STD-882 and ARP 4761 provide a structured approach to applying engineering practices to ensure safety is designed into products. These practices, coupled with robust product safety surveillance and management during the aircraft's service life, offer opportunities to continuously raise the standards for future designs. However, to maximize the benefits of safety engineering, it is important to master the 'art' of how and when to integrate human factors interventions into the system design. This session will cover a generic overview of system safety engineering, aircraft fleet safety management, and lessons learned from 'human' malfunctions that led to aircraft system design changes.

Wednesday 08·14·13, 1:30-5:00, Wellesley, Tutorial, 0.3 CEU

Using Risk Profiles for Safety Management of Large Scale Operations
Instructor: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA
This tutorial provides safety and health professionals who work with large-scale or multiple operations with a methodology to evaluate and compare these operations. The tutorial begins with a review of four types of risk which need to be assessed (People, Product, Production and Planet). This is followed by a brief discussion of normalizing the risk components of severity and probability. The heart of the tutorial is the description of how to measure the total risk of various operations, processes and facilities and present the resulting risk profiles to management. The tutorial will conclude with a brief discussion on the validity of the methodology used. Note: This is not a discussion on how to determine true total risk, but a simplified method using a minimum of math. The tutorial is designed for safety and health professionals working within a company that has multiple processes or facilities that compete for funding to ameliorate hazards.

Thursday 08·15·13, 8:00-5:00, Exeter, Tutorial, 0.6 CEU

Conceive of Modeling On Operation Mechanism of Public Safety Standardization
Instructors: Yun Luo and Yuecheng Huang, ME, School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
On the basis of the theories and methods of system science and strategy-system, this paper revealed the operation law of standardization of safety production and the relations between all the elements, combined with the background and current situation of public safety standardization in China. It also built the framework of the macroscopic operating mechanism and the "456" model of the work safety standardization system operation mechanism, which borrowed the idea from the execution and achievement of work safety standardization in our country. Besides, it also designed six other mechanism models in order to do systematic analysis and present optimized countermeasures, such as comprehensive management by government, categorized supervision by department, implementation of responsibility by organization, technological service by agency, wide participation by society, self-disciplined prodding by entire personnel, and so on. The research provided some theoretical directions as well as approaches for the construction and improvement of the operation quality of public safety standardization.


PANEL DISCUSSIONS / FORUMS
Tuesday 08·13·13, 8:00-11:30, Dartmouth, Open Forum

Developing Global System Safety Perspectives
Moderator: Robert Ward Fletcher, PEng, MSc, PMP, PCIP, Consultant, President, Robert Fletcher System Safety Inc., Ottawa, Ontario, Canada
This will be a free-form discussion moderated by Bob Fletcher, SSS Director of International Development. It is a continuation of the discussion started during the 30th ISSC.

Robert is a system safety engineer with many years of experience. He has performed system safety consultancy work for several clients around the world. He has performed system safety engineering and safety management systems training, auditing and analysis for air traffic control and flight service system applications. Robert received an MSc from the United States Navy Post Graduate School, a diploma from the Aerospace Systems School, Winnipeg, Manitoba, and a Bachelor of Science degree from the Royal Military College. He is a registered professional engineer and a member of the Project Management Institute and the Critical Infrastructure Institute.

Thursday 08·15·13, 8:00-11:30, Suffolk, Panel

G-48 Workshop - Pressing Issues Facing System Safety
Moderator: David B. West, CSP, PE, CHMM, Systems Software and Solutions Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
A panel of speakers (TBD) will give a series of presentations on the most pressing issues facing the System Safety community today.

WORKSHOPS
Tuesday 08·13·13, 8:00-11:30, Exeter, Workshop

ISO 26262-Style Risk Assessment
Presenter: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada
ISO 26262 is a functional safety standard for electronic control systems in road vehicles which includes a novel approach to risk assessment that overcomes the widely recognized difficulty of evaluating the likelihood of failure in the case of software-intensive systems. Although it was devised for use in the automotive domain, this approach to risk assessment has been used successfully in other technical domains that also rely on safety-critical software. Following a brief introduction to ISO 26262, participants will engage in a series of problem-solving small-group exercises based on examples taken from a variety of technical domains, including automotive, medical devices, energy and defense. The workshop will include opportunities for discussion and comparison of sample solutions. The workshop will also include a brief comparison of the ISO 26262 approach to risk assessment with the notion of software criticality in MIL-STD-882E. While this workshop will be of particular interest to system safety engineers in the automotive industry, it is intended to be relevant to system safety engineers across all technical domains with an interest in the assessment of safety risk associated with complex software-intensive systems.


Tuesday 08·13·13, 1:30-5:00, Exeter, Workshop

Application of System Safety Methods to Systems of Systems
Presenters: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada; Rami Debouk, Electrical and Controls Integration Lab, General Motors, Warren, MI, USA; Antonio Vergara, ITER Organization, St. Paul-lez-Durance, France
This workshop will facilitate an exchange of knowledge among participants about the application of system safety methods to Systems of Systems (SoS), that is, systems whose components are themselves complex systems, such that the combined behavior of these components cannot be easily understood or explained in terms of the behaviors of the individual components. Examples of such systems are increasingly common across a variety of technological domains, including aerospace, defense, automotive and energy generation/distribution. Traditional methods of system safety, focused on component failure as a source of safety risk, have limited value in understanding and managing the safety risks associated with an SoS. For example, an unforeseen interaction between two "correct" behaviors implemented by different components of an SoS may result in an unsafe behavior even in the absence of a component failure. The first part of the workshop will be a series of short presentations on SoS examples from a diverse variety of technical domains, namely advanced road vehicles, high energy physics and aerospace/defense. The second part of the workshop will be an opportunity for all participants to address specific questions about the application of system safety methods to SoS through dialogue and impromptu mini-presentations.

Tuesday 08·13·13, 1:30-5:00, Fairfield, Workshop

Advancing Safety By Reducing Errors: A Fresh Approach
Presenter: Tim Autrey, BSc, Error Reduction and Human Performance Enhancement, Practicing Perfection Institute Inc., Swanzey, NH, USA
Potential hazards workers face while working in the refining and petrochemical industry can vary from minor leakage to major blasts: release of chemical vapors, spills leading to exposure to harmful gaseous chemicals, fires and explosions, smoke build-up causing shelter-in-place and impacting the local community, personal injuries, fatalities, and plant damage resulting in shutdowns. Considering time pressures, the dangerous nature of the job, weather conditions, lack of communication, poor/inadequate documentation and remote working locations, planners, locators and refiners often face combined challenges that generate very error-likely conditions.

While unexpected releases of toxic substances do occur, the industry is subject to vulnerabilities caused by others (such as processes involving highly hazardous chemicals leading to the release of flammable liquids and gases, and worker stress and fatigue), and investigations reveal that many of the major accidents that do occur could have been prevented through greater diligence on behalf of the respective personnel involved.

This workshop is designed to provide the participants with the awareness that as humans we are fallible (even the best people make mistakes). However, this being said, as humans we also possess the incredible power of choice. What we must do is choose to learn from our mistakes and take actions to prevent their recurrence.

Bird and Germain (1996) rightly said, "What is the sense of measuring if the loss must occur before you can act? That is reaction, not control." What we need is a fresh approach to enhance safe work practices. This session will instill a strong understanding of "The Gap" in processing information and how to RESPOND rather than REACT when faced with a stressful or threatening situation. The participants will come to recognize the value inherent in worker contribution to solving problems and improving safety and efficiency.

The Practicing Perfection® approach has taken the best-of-the-best tactics and tools from the US commercial nuclear power and airline industries, simplified them, and combined them with underlying triggers and influencers of behavioral psychology to transform worker behaviors pertaining to personal and process safety in different sectors.


Using this innovative approach of Practicing Perfection®, safe work practices will be discussed in depth using the four human error barrier/defense categories and how these work together to prevent or allow an event to occur. The participants will be introduced to the Error Elimination Tools™ handbook, which offers simple tools for minimizing the potential for error at points of team interaction and individual execution.

Wednesday 08·14·13, 1:30-3:30, Arlington, Workshop

The Evolution of the UK Defence Safety Standards
John McDermid, Professor of Software Engineering at the University of York, UK
Issue 5 of DS 00-56 is being developed and is likely to be in force before the end of the year. The UK's primary defence safety standard, DS 00-56, has been in existence since mid-1990 and has undergone a number of changes, becoming more goal oriented at Issue 4 (the current standard). When Issue 4 was produced, DS 00-55, the MoD software safety standard, was discontinued. Since the publication of DS 00-56 Issue 4 in 2007 there has been feedback on some of the requirements, including the challenges of applying the ALARP principle; defence contracting has changed, with a move towards the greater procurement of services and/or outsourcing the management of facilities; and there is increasing use of Systems of Systems (SoS). Issue 5 of DS 00-56 is being developed to address these issues. At the same time there have been increasing concerns regarding software safety, and it has been decided to re-introduce DS 00-55 at the same time, albeit in a goal-based style consistent with DS 00-56 and also covering complex electronics. The tutorial will present an explanation of the motivation for the changes to the standards and the significant conceptual changes, and outline the rest of the development process. Time will be allowed for discussion, e.g. the relationship between DS 00-56 and other standards, both civil and military.

Wednesday 08·14·13, 1:30-3:30, Fairfield, Workshop

Aircraft Fire & Explosion: How Safe Are the Friendly Skies?
Albert Moussa, PhD, PE
While commercial air travel is an extremely safe mode of transportation, aircraft fires and explosions can occasionally occur with catastrophic consequences. Using examples of recent accidents and full-scale testing, Dr. Albert Moussa will provide an overview of the main types of fires, such as those involving aircraft engine, fuel tank, cabin and cargo areas. He will show how major accidents lead to safety recommendations by the NTSB, stricter requirements by the FAA, and improved practices by the industry. This process takes many years, leading eventually to safer skies. Examples of safety improvements include the use of a fire blocking layer in seats, improved acoustic insulation, fire detection and suppression systems in cargo bays, and fuel tank inerting. The implications of replacing aluminum with composite materials will also be discussed. The talk is an overview of a unique professional course that he teaches annually on the design of aircraft systems for protection against fire and explosion. The talk is a multi-media presentation illustrated with colorful slides and short video clips of real accidents and computer model outputs.

Dr. Albert Moussa has spent over forty years developing a fundamental understanding of fire and explosion, particularly for the aerospace/defense industry. His work has led to the development of a number of practical solutions and quantitative models, and to the investigation of several major national and international aircraft fire accidents. His forewarning about the vulnerability of aircraft fuel systems before the occurrence of the TWA800 and Concorde disasters gained him prominence in the general media in both the US and Europe. He has consulted for the Air Force, Navy and major firms such as Boeing, GE, Northrop Grumman and Parker Hannifin, and has served on national advisory committees and on the Editorial Board of an ASME journal. He teaches a unique professional design course on how to protect aircraft systems against fire and explosion. He received his BS from Stanford University and his MS and ScD from MIT. He has published widely, including one book. He has received several honors, including the William Littlewood Memorial Lecture Award by SAE/AIAA, Engineer of the Year by the AIAA NE Section, best papers by SAE and ASEI, AIAA Distinguished Lecturer, and several ASME citations. He is the Founder and Technical Director of BlazeTech Corp., an engineering firm that specializes in technology and software development in the area of energy, environment and safety.

Friday 08·16·13, 8:00-10:00, Clarendon, Workshop

Process Safety Culture Best Practices
Presenter: Laurence Pearlman, MA, Corven Inc. and University of Illinois at Urbana-Champaign, Naperville, IL, USA
The workshop explores how process safety is more than a technical solution and involves cultural change. To make a successful and sustainable culture change, multiple elements need to be combined that address people, rewards, learning and leadership. This workshop will explore best practices and give practical advice on how to build a process safety culture. The workshop is aimed at oil, chemical and other process-related work.

• Introduction
• Change as a Journey: Overview of Change Management
• Building a Business Case: Defining a Burning Platform
• Speaking of Process Safety: Creating a Common Language for Process Safety
• Leadership Matters: Defining the Role of Your Leadership Teams
• Effective Learning: Segmenting Your Audiences and Delivering Relevant Learning Activities
• Looking at Behaviors and Desired Outcomes: How To Define & Drive Behaviors
• The Employee Lens: Know My Barriers & Know My Role in Keeping Them Healthy
• Measurement of Culture: What Works and What Doesn't
• Wrapping it Up: Change as a System

You have a lot on the line. Our adaptive Safety Management and FAA Compliance solutions won't let you down.

Adaptive SMS: The comprehensive solution for the most efficient implementation
• Extends a culture of safety beyond safety teams
• Easily guides users to confidentially report useful safety events
• Responsiveness shows users they made a difference

Adaptive Systems Safety Analysis: Safety-oriented system design analysis

Don't miss the Sikorsky Aircraft and AST Aerospace presentation "Linear Integrated Safety Analysis (LISA)".

A division of Atlantic Software Technologies
1-732-230-2590
sales@astaerospace.com
www.astaerospace.com


PAPER PRESENTATIONS
Monday 08·12·13, AM, Berkeley, Hazard Analysis, Chair: Barondes

Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models
Lucas Wind, Dr. Gabriele Schedl, Juergen Floetzer, Safety Management Department, Frequentis AG, 1100 Vienna, Austria
Multiple failures of components due to shared causes, also known as Common Cause Failures (CCF), comprise an important class of failure types. These have to be taken into account in any serious assessment of safety-critical systems deploying any redundancy concept. Whereas a qualitative assessment of CCF can be regarded as common practice, the exact numerical impact of CCF is usually less widely understood. Explicit representation of CCF is quite cumbersome and usually involves complex graphical representations within Fault Trees and RBDs. Focusing on a correct derivation of RAM data rather than on a comprehensive common cause analysis, an implicit representation of CCF is therefore often preferred, but involves in-depth knowledge of the underlying mathematical models. This paper aims to enable safety experts to make a fast, simple but effective RAM analysis including CCF. Popular CCF models are reviewed together with their advantages and disadvantages, based on the long-term experience of a supplier in the context of a large European ATM project. The single-parameter beta-factor model is explained in detail and demonstrated to be most effective for typical ATM applications. Based on this model, results are given in terms of representative figures depicting the influence of CCF on various typical real-world availability requirements.
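As an added illustration of the single-parameter beta-factor model this abstract refers to (written for this program entry, not code from the paper or from Frequentis), the following Python computes the steady-state unavailability of a 1-out-of-N redundant, repairable system with and without common cause failures, using the implicit RBD representation (N parallel independent blocks plus one CCF block in series), and shows the availability floor that CCF imposes no matter how much redundancy is added. The failure rate, MTTR and beta values are constructed sample inputs, not figures from the paper.

```python
"""
Single-parameter beta-factor model for common cause failures (CCF) in a
1-out-of-N redundant, repairable system. Added illustration; not the paper's
or Frequentis' code.

Implicit CCF representation as used in RBD / fault-tree practice: each
channel's failure rate lam is split into an independent part (1 - beta) * lam
and a common cause part beta * lam. The independent parts form N parallel
blocks; the common cause part is one virtual block in series with them that
takes every channel down at once.

Assumptions (constructed for this example, not taken from the abstract):
  - constant failure rate lam [1/h] per channel, constant repair rate 1/mttr
  - a CCF outage is repaired with the same MTTR as a single channel
  - N >= 2 channels, 1-out-of-N voting (system is up while any channel is up)
"""


def channel_unavailability(lam, mttr):
    """Steady-state unavailability of one repairable block: lam / (lam + mu)."""
    mu = 1.0 / mttr
    return lam / (lam + mu)


def system_unavailability_1oon(lam, mttr, n, beta):
    """Unavailability of a 1-out-of-N system under the beta-factor model."""
    if n < 2:
        raise ValueError("redundancy model needs at least two channels")
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must be a fraction between 0 and 1")
    lam_ind = (1.0 - beta) * lam   # independent failures, per channel
    lam_ccf = beta * lam           # common cause failures, hit all channels
    # Parallel block: all N channels must be down independently at the same time.
    q_ind = channel_unavailability(lam_ind, mttr) ** n
    # Series block: outage caused by a single CCF event.
    q_ccf = channel_unavailability(lam_ccf, mttr)
    # Series combination of the parallel block and the CCF block.
    return 1.0 - (1.0 - q_ind) * (1.0 - q_ccf)


def ccf_availability_floor(lam, mttr, beta):
    """Best availability reachable with unlimited redundancy: limited by CCF alone."""
    return 1.0 - channel_unavailability(beta * lam, mttr)


def required_redundancy(lam, mttr, beta, target_availability, max_n=8):
    """Smallest N in 2..max_n meeting the target, or None if CCF makes it unreachable."""
    if ccf_availability_floor(lam, mttr, beta) < target_availability:
        return None
    for n in range(2, max_n + 1):
        if 1.0 - system_unavailability_1oon(lam, mttr, n, beta) >= target_availability:
            return n
    return None


if __name__ == "__main__":
    # Constructed sample channel: MTBF 10,000 h, MTTR 8 h (not figures from the paper).
    LAM, MTTR = 1e-4, 8.0
    print(f"{'beta':>6} {'N=2 unavail':>14} {'N=3 unavail':>14} {'CCF floor':>14}")
    for beta in (0.0, 0.01, 0.05, 0.10):
        q2 = system_unavailability_1oon(LAM, MTTR, 2, beta)
        q3 = system_unavailability_1oon(LAM, MTTR, 3, beta)
        floor = 1.0 - ccf_availability_floor(LAM, MTTR, beta)
        print(f"{beta:6.2f} {q2:14.3e} {q3:14.3e} {floor:14.3e}")
    # Five nines (99.999 %) is reachable with a duplex system only for small beta.
    for beta in (0.0, 0.001, 0.05):
        print(f"beta={beta}: channels needed for 99.999% ->",
              required_redundancy(LAM, MTTR, beta, 0.99999))
```

With the sample channel, a beta of 5 % raises the duplex system's unavailability by roughly a factor of 60 over the independent-failure figure, and a third channel no longer helps because the CCF block dominates.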

Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees
Wes Rainey, MSEE, Life Cycle Engineering, General Dynamics Electric Boat, Groton, CT, USA
Fault Trees prove to be an effective tool for identifying safety critical system hardware and software requirements during the Safety Requirements Hazard Analysis (SRHA) process. This safety analysis methodology offers significant benefits when performing the SRHA. Fault Trees effectively communicate the safety assessment of a safety hazard to other safety engineers, systems engineers, the customer and other impacted engineering disciplines in a manner that each discipline can readily understand and evaluate for completeness and correctness. Fault Trees also enhance the safety engineer's ability to assess the implications of safety mishaps and events on safety hazards, improving visibility into the relationship between related mishaps and events and allowing common events to be identified and shared between hazards. Fault Trees can then be structured to correspond to the system hardware and software requirements analysis, thus providing the ability to identify hazard-mitigating safety critical requirements, design features and procedures early in the development process for continued tracking and management. This paper describes significant benefits of Fault Tree analysis when applied to an SRHA, with an example based upon a hazard caused by significant equipment damage to a pump.

The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment
Omar T. Jaradat, PhD Student (1); Patrick J. Graydon, Postdoctoral Research Fellow (1); Iain Bate (2). (1) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden; (2) Department of Computer Science, University of York, York, United Kingdom
Typical safety standards require software engineers to show that a plan of safety activities (chosen from recommended options or alternatives) meets a set of objectives. For example, the automotive safety standard ISO 26262 recommends formally verifying software architectures to show that they comply with safety requirements. In this paper we show how an existing approach to architectural model checking could be used to conform to ISO 26262.

The Architecture-Based Verification Technique for AADL Specifications verifies some completeness and consistency properties of Architectural Analysis and Design Language (AADL) models. An engineer transforms the AADL architecture into an UPPAAL model, generates a set of UPPAAL queries, and uses UPPAAL to check the queries. Using the resulting evidence, we have created a partial ISO 26262 safety case for an existing system that warns drivers of heavy vehicles before low fuel causes loss of power and vehicle control.

In this paper we demonstrate how this model-checking evidence contributes to an ISO 26262 safety case. We then critically analyze the resulting argument, recommend means of achieving complete coverage of ISO 26262 objectives, and discuss the costs and benefits of architectural model checking in comparison to those of the other techniques recommended by ISO 26262.

Monday 08·12·13, AM, Clarendon, Ground Transportation, Chair: Millin

Achieving Confidence of a Safety Critical System Product and Its Applications
Fenggang Shi, PhD, RAMS Department, Thales Canada Transportation Solutions, Toronto, ON, Canada
A safety critical system product can be developed for multiple project applications, such as a Communication Based Train Control (CBTC) product for modern railway signaling systems. It is natural that different safety critical systems in the same domain can have different characteristics due to variances of devices and operating environment. Such a product must be developed based on the generic attributes of systems in the domain, and can be parameterized and tailored to a specific system with the characteristics expected by the customer. The key issues in the development of such a product are defining common functions in the application domain, categorizing and generalizing devices, and designing a configurable system architecture, so that devices and functions can be parameterized and tailored for the specific system of a project. Safety engineering for such a safety critical system product and its applications faces complexity in safety case development for demonstrating systematic hazard analyses and management. This paper discusses Thales' experience and practice in resolving the key issues in design and in managing the complexity of safety engineering on its CBTC product and applications. Safety confidence of CBTC systems is achieved through four layers of safety engineering: vital computer controller platform, generic application and specific application.

Failure Logic Automata for Future Oriented Safety Assessment of Train Control System
Guo Zhou, PhD Student; Huibing Zhao, Professor; School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China
In the development of a train control system, safety analysis possibly deviates from system design. System engineers and safety engineers often carry out their ideas in entirely different ways, so that when system engineers assert their designs are complete and feasible, the safety engineers may disappointedly declare that the safety requirements are not met. On the contrary, when safety engineers present their manual analysis reports (FTA, FMECA, etc.), system engineers may pop up and point out the inconsistency. Intuitively, there seems to be a "gap" between system engineering and safety engineering. In this paper some comparisons amongst classic safety assessment methods are performed first. Then a future oriented safety assessment method is introduced to safety engineering to automatically realize safety requirements verification in the face of the soaring complexity of system design. The hierarchical and modularized methodology of failure logic modeling is illustrated for minimal cut set synthesis and dangerous failure rate calculation, which can be referred to in order to promote safety. A mathematical model is constructed to demonstrate the correctness of the method. An instance analysis of an on-board train protection system is also performed.

Are We Ready for Driverless Cars?
David B. West, CSP, PE, CHMM, AMCOM/AMRDEC Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
For decades, technological advancements have continually improved the automobile, making it easier to drive. As we integrate features like adaptive cruise control, GPS navigation, lane keeping and so on, and make them interoperable, we move ever closer to having cars that will drive themselves to the destinations we enter into their programs. Some experts have even predicted that in less than a generation it will be illegal to steer our cars ourselves. Though it may seem that serious safety challenges constrain our movement down this path, it may actually be the safety benefits offered by driverless cars that propel us in this direction. Several high-profile competitions have fostered the development of driverless car technology. Some jurisdictions are already passing legislation to pave the way for driverless cars on public roads. With driverless cars will come major changes in legal processes involving accidents. In many ways the development of driverless cars that will operate on public roadways parallels the development of unpiloted aircraft that will fly in the national airspace. Design standards for hardware and software in civil aircraft (e.g. RTCA DO-254/DO-178) may serve as models for similar qualification of driverless car hardware and software.

Tuesday 08·13·13, AM, Berkeley, Hazard/Risk Management, Chair: Parizo

Safety is not an Option
Clifford A. Parizo, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Stratford, CT, USA; R. Brandon Daugherty, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Huntsville, AL, USA
This paper presents a method for evaluating and classifying rotorcraft safety-enhancing equipment in terms of impact on safety and various equipment implementation factors. Guidance from certifying agency policy and system safety standard practice was considered, resulting in a classification tool that can be used to determine whether equipment should be marketed and sold as either mandatory or optional. The methodology developed may have applications for other products and industries.

National Aerospace Standard 411 Update
Timothy Sheehan, CIH, CSP, PE, Raytheon Global Substances Program, Raytheon, Portsmouth, RI, USA
This paper describes the effort to review and update National Aerospace Standard 411 ("NAS 411"), commonly used within defense as a framework to conduct Hazardous Material Management Programs (HMMP) intended to reduce hazardous material risks in the government procurement of military systems. The scope of the effort includes both a review of the standard and the introduction of several key changes, including the expansion of the scope to non-military procurements and service contracts. Included in the effort is the task of developing a standardized military Hazardous Materials Target List (HMTL) that can be used as a starting point for military HMMP hazardous material (HAZMAT) target lists. The development of the common HMTL addresses the need to increase standardization of HMMP lists across defense programs that use NAS 411 and/or MIL-STD-882E Task 108 to conduct their HMMPs. There is currently no standard approach for developing these lists; as a result, there are numerous different materials identified for restrictions and reporting requirements. The current situation often does not support (or reflect) the hazmat risk management goals of the DoD, the military services or the contractors.

Linear Integrated Safety Analyses (LISA)
Michael T. Grant, Aviation & Product Safety, Sikorsky Aircraft Corp., Stratford, CT, USA; Samad Muhammad, Atlantic Software Technologies Inc., New York, NY, USA
This paper describes the Linear Integrated Safety Analyses (LISA) process developed by the Sikorsky Aircraft Corporation (Sikorsky). The LISA architecture is designed to encompass all aspects of safety risk management for aircraft development programs. It is linear in that each assessment is repeated at the aircraft, system and subsystem levels in sequence, and it is integrated in that all analyses are connected and fully traceable to requirements. Sikorsky has partnered with Atlantic Software Technologies (AST) to develop a web-based LISA application. The end product will be a fully integrated system safety process that is comprehensive, repeatable and traceable.

Tuesday 08·13·13, AM, Clarendon, Workspace Safety, Chair: Kondreck

Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen
Han Zhang, MSc Candidate; Rachel McQueen, MS, PhD; Jane Batcheller, PhD; Human Ecology, University of Alberta, Edmonton, Alberta, Canada
Burn injuries in kitchens are prevalent, and chefs are exposed to high heat and humidity. Limited research has been performed on safety issues related to chef's uniforms regarding thermal protective performance against common kitchen thermal hazards (i.e., flames, hot liquids, steam and hot surfaces) and thermal comfort within commercial kitchens. The purpose of this research was to characterize the thermal protective performance properties of textiles used in chef's uniforms in order to understand how protective they are against all these thermal hazards in such an environment. Selected thermal performance tests (i.e., flammability and ease of ignition, hot water and oil splash, steam testing under low pressure, and hot surface contact tests) were applied to predict the time to second-degree burn. Different fabric layer combinations (e.g., impermeable/semipermeable apron and two or more layers of cotton fabrics) were applied to determine the most effective way to wear chef's uniforms. In addition, thermal and water vapour resistance were compared among different fabric systems in terms of thermal comfort. Based on the data obtained from bench-scale tests, recommendations were made to improve the thermal protection and thermal comfort of fabrics used in chef's uniforms and the safety within commercial kitchens.

A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources
Ray Fischer (1); Kurt Yankaskas, BS (2); Chris Page (1). (1) Noise Control Engineering Inc., Billerica, MA, USA; (2) Warfighter Performance Department, Office of Naval Research, Arlington, VA, USA
Noise remains the most prevalent occupational hazard associated with defense systems and the operations critical to their sustainment. Concurrently, acquisition programs have been inconsistent in the application of control measures, and many new systems are noisier than their legacy predecessors. Common impediments to improved control include a relative lack of emphasis on risk management of noise, a lack of widespread technical knowledge regarding the feasibility of noise control, and misunderstanding of the potential return on investment from noise controls. The Defense Safety Oversight Council's Acquisition and Technology Task Force sponsored a project to identify common noise sources affecting multiple defense systems that were amenable to control measures that could be implemented using existing technologies at an affordable cost. A systems engineering risk management process was applied to review key noise sources in DOD, identify nine of the more common sources amenable to control technologies, and describe common control measures for these processes. An affordable containment (acoustic enclosure) technology was also evaluated and described. Estimates were made of exposed populations, the range of their occupational exposures, and the potential risk and fiscal cost of hearing loss. Cost-benefit analyses were applied to evaluate the return on investment from available control measures.

System Safety Design for Safe Operation of Radars
Ronald J. Bartos, PE, CSP, Whole Life Engineering, Raytheon, Sudbury, MA, USA
Safe operation and maintenance of radars depends upon effective system safety and software safety analyses of radar designs. These analyses include identification of the hazards involved in operating and maintaining radars and the safety requirements that are necessary to mitigate these hazards. This paper familiarizes the reader with the system safety design requirements that are implemented in the controls of these systems in order to manage the potential safety risks inherent in radars. The safety features are contrasted among different types of radars. The differences in the types of safety features among these systems are highlighted, and factors for these differences are presented. The radar's mission, location, system architecture, conceptual design and requirements allocation between hardware and software need to be understood in order to implement an effective safety program.

Tuesday 08/13/13 PM, Berkeley: Software Engineering. Chair: Mikula

Dependability Techniques Applied to Space Software: A Research Project Report
Carlos Henrique Netto Lahoz, Dr. Eng., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos (SP), Brazil; Martha Adriana Dias Abdala, M.S., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos, Brazil
This work reports some results of a research project performed at the Institute of Aeronautics and Space (IAE), Brazil, using dependability techniques applied to a space computer system. Hazard analysis techniques such as Software FTA and Software FMECA were used in an integrated manner, and more recently the System-Theoretic Process Analysis (STPA) has been studied. This research is part of the Verification and Validation (V&V) efforts to increase software dependability capability in software projects at IAE.

A feasibility study of such an approach was conducted on the system software specification and applied to a case study based on the Brazilian Launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to the inclusion of new functional and non-functional system software.

The techniques are adjusted and used in combination to identify common causes of software failures, their criticality, performance problems, temporal issues and hazards arising mainly from dysfunctional interactions between components. The SFTA analysis produced 82 basic events and the SFMECA 34 analyses from the sequence of flight and control events. The STPA is being applied to one of the case study scenarios in order to evaluate possible additional information about how the behavioural safety constraints can be violated.

The Principles of Software Safety Assurance
Richard Hawkins, PhD; Ibrahim Habli, PhD; Tim Kelly, PhD; Department of Computer Science, University of York, York, United Kingdom
We present common principles of software safety assurance that can be observed from software safety standards and best practice. These principles are constant across domains and across projects and can be regarded as the immutable core of any software safety justification. The principles also help maintain understanding of the 'big picture' of software safety issues whilst examining and negotiating the detail of individual standards, and provide a reference model for cross-sector certification.

Formal Modelling in the Development of Dependable Systems
Elena Troubitsyna, PhD, IT, Åbo Akademi University, Turku, Finland
Nowadays we tend to place increasing reliance on computer-based systems and the software they are running. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, the analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.

It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing of software to the required degree of dependability infeasible, and hence the emphasis should be put on a development process aimed at producing fault-free software. Moreover, the system environment has a direct impact on its dependability, and hence a systems approach should be applied.

In the paper we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.

Tuesday 08/13/13 PM, Clarendon: Aerospace Safety. Chair: Kraemer

Systems-Based Approach to Flight Safety Management in Airlines
Hong Chi, PhD; Baoguang Xu, PhD; Mingliang Qi, PhD; Xueyan Shao, PhD; Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China
Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of SMS. Since 2006 we have worked with one of China's three big airlines, taking part in its construction of SMS. We find that safety risks have their own features in an airline's different departments, and divide safety risks into two categories: one is caused by factors such as the quality of pilots and the reliability of airplanes, and the other is caused by misprocessing in operational processes; for example, a misprocessing in data entry during dispatching may lead to insufficient fuel and then to serious outcomes. A reasonable risk assessment can be obtained only by systematic mechanism analysis, and other analytical approaches need to be studied besides the risk matrix. Based on this, effective risk mitigation can be implemented in airlines. We develop a closed loop to support an airline's flight safety management, named "Describing-Assessing-Diagnosing-Improving-Tracking". Specific details will be discussed in this paper.

Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch
Burak Durmaz, MSc Eng, Product Assurance Department, Space Systems Group, Turkish Aerospace Industries Inc. (TAI), Ankara, Turkey
Even though new-generation aircraft have rugged designs that maximize reliability, exposure to failures during operation is still unavoidable. With a pure safety approach one can arrive at the classical result: "the safest aircraft is the one in the hangar". Vice versa, allowing dispatch without ensuring a certain level of safety can lead to catastrophic results and is totally unacceptable. The MMEL has been answering this dilemma for many years. Each MMEL item is analyzed taking into account the effects of item inoperability on safe flight and landing, crew workload, functional capabilities of the systems, design margins and the impacts of the next critical failure. The MMEL proposes dispatch criteria for any inoperative MMEL item by taking credit from a redundant unit capable of accomplishing the same function or from backup data provided by alternative sources or equipment, dictating acceptable limitations and/or requiring operational or maintenance procedures.

This study aims to answer questions such as why the MMEL is required and how an MMEL is developed. Brief information about the MMEL regulations, the importance of the MMEL in ensuring safe dispatch with inoperative item(s), and some simple examples of MMEL applications will also be provided.

Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics
Stuart Campbell Sr., MAS, CFII, ATP, Aeronautical Science, Embry-Riddle Aeronautical University, Daytona Beach, FL, USA
The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilots Association, 2010). The absence of a positive safety culture in general aviation, to include training organizations, affects pilot judgment and decision making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture during the learning process and training, is of importance and currently under study using the Frasca Mentor Advanced Aviation Training Device.

Tuesday 08/13/13 PM, Dartmouth: Software Safety. Chair: Schmedake

Safety and/vs Security: Towards a System Engineering Approach for Trust
Erwin Schoitsch, Dipl.-Ing., Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria
Safety has a long tradition in many engineering disciplines, evolving long before computers arrived on the scene. Security in engineering disciplines has a shorter history, becoming increasingly important with the rising complexity of networked systems. In complex cyber-physical systems and systems-of-systems, both worlds, having ignored each other for a long time (independent communities, different targets, standards, techniques and measures), now have to share their concerns to achieve the real goal of users and stakeholders: trustworthy systems.

The paper will compare the different approaches of the major safety and security standards, particularly with respect to setting goals, considering techniques and measures, and qualification/certification. Holistic system aspects, as covered by the notions of Dependability and Resilience as umbrella terms, and system engineering aspects taking into account dichotomic properties of complex embedded systems (commonalities and trade-offs) are looked at to try to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from the concept phase and hazard and risk analysis to decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC-FP7 Integrated Project OpenCoss, work in IEC/ISO standardization groups, and other work.

Anatomy of a Safety Critical Software Function
Richard Church, Raytheon Company, Tewksbury, Massachusetts, USA
This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides a clear and concise determination of how a safety critical function may be defined at the system level to include hardware, software, human interactions and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose SLSCF computing level functions and details what constitutes a Safety Critical Computing Software Function (SCCSF) and how to identify those behavioral attributes that designate that function as safety critical. This paper provides a methodology to identify, decompose and categorize application and operating environment SCCSFs. For the purpose of this paper, SCCSFs are categorized into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety critical software functions that control and monitor safety critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies and fail-safe designs found in successful high consequence safety critical systems.

Software Risk: The Third Rail of Safety Analysis
Holly S. Hildreth, PhD, Consultant; Charles Greg Elcock, USN-R Aviator, Consultant; San Diego, CA, USA
"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Due to our inability to assess the probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called "throwing the baby out with the bath water". Meanwhile, the recent industry trend to assess software risk based solely on implementation of a best-practice software development process is discouraging if not frightening. The authors discuss shortcomings of this trend and describe alternative techniques that have not been openly documented but that have been used "under the radar" by software safety professionals for many years.

Wednesday 08/14/13 AM, Berkeley: Human Factors. Chair: Robins

ASL: Affective Safety Leadership
Ulrik Ramsing, Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark
Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how", demanding that the CoRep engage with all parties in a safe, professional and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged with CfL Centre for Leadership to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, the satisfactory completion of which is now a requirement for employment in DONG E&P Offshore Operation as Company Representative.

The CoRep Program satisfies its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors and ILO-driven offshore coaching.

Exxon Valdez: Human Error, Plain and Simple
Arthur D. Barondes, BS (Mil Engr), MS (Aero), MBA, PhD (ABD) (Business), Analytics International Corporation (AIC), Alexandria, VA, USA
Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989, and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors (there were no mechanical or electrical failures that fateful night), the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors, onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company, as solely responsible for the disaster.

Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A. Vernacchia, MS, PE, Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A. Green, PhD, Active Safety Systems, General Motors, Warren, MI, USA; Robert E. Llaneras, PhD, Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA
Today's electric propulsion system designs (e.g., Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, some failure modes may result in the failure effect on output torque being realized significantly faster than traditional ICE failure modes. These may present differences in how output torque responses impact potential "Driver Startle" events.

This paper compares electric propulsion systems' fault response characteristics, and subsequent detection and mitigation capabilities, to those of ICE systems. The effects of the electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle-level hazard metrics related to Driver Startle, are presented.

Wednesday 08/14/13 AM, Clarendon: Public Safety. Chair: Fletcher

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD; Yun Luo; Shuo Tian, MS; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
Scientific precaution and effective control of accidents are important for the national production of China. The famous Heinrich Rule reveals that the statistical law of the severity and frequency of accidents is essential to control accidents, but the accident sources and causation, as well as the essence of systematic safety factors, haven't been stated in depth. With data analysis from various accident statistics over recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. A proportion rule of the accident pyramid is then further figured out, namely "Major Accident-Fatal Accidents-General Accidents-Hidden Dangers-Hazards" (1-52-240-4700-∞). The result accords with the traditional Heinrich Rule, which provides the theoretical basis for accident prevention and indicates the way and direction of realizing essential safety.

Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity
Ilya M. Zheleznov, PhD, VNIIA, Moscow, Russia
The paper presents a review and the results of analysis of different technical and economic aspects of industrial safety at a large enterprise with distributed sites, combining R&D work with pilot and batch production of high-tech products, located in a megacity, Moscow.

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to optimization are considered from both technical and economic points of view, taking into account minimization of the transportation of dangerous substances, the location of treatment facilities (waste effluents, gas purification) and waste storehouses, the location of working-condition maintenance systems (heating, air-conditioning, air cleaning, water supply, etc.), possible harm to the population, and a number of other factors.

The features connected with locating the enterprise in a megacity are identified, including the limited area available for treatment facilities, a high saturation of the area with various communications, short distances to residential buildings and city infrastructure, transport problems, high pollution of the air, etc.

Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr. Professor G.A. Smirnov, Dr. D.I. Yurkov, D.V. Syagin, T.V. Kozhina, All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia
The paper reviews questions related to the vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including those of a terrorist orientation, as well as to emergency situations of natural and anthropogenic character.

The main provisions of the Russian Government-approved complex program for the safety of the population on transport are presented. Approaches to the organization of the screening of physical persons, passengers, vehicles, cargoes, luggage and personal items at transport infrastructure objects of the undergrounds of Russia are formulated. Some types of neutron and X-ray equipment for the detection of explosives, nuclear materials and drugs, designed and produced by VNIIA named after N.L. Duhov, are presented.

Wednesday 08/14/13 AM, Dartmouth: Lifecycle Safety. Chair: Swallom

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore, Singapore
System safety analyses assess the systems' hazards throughout all phases of the system life cycle. Quite often, details of maintenance tasks on systems are not clearly thought out and assessed. Hence, while in the midst of carrying out system maintenance tasks, hazards could arise and pose safety implications to users. Improper maintenance could also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance and sometimes total replacement of the components at regular intervals are required. Therefore, it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety critical or safety related parts is also crucial in ensuring that the systems remain safe for operation after conducting maintenance.

This paper attempts to classify the different types of maintenance and the focuses of their respective hazard analyses in order to better address their potential hazards. Generally, there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance and Reliability-Centered Maintenance. The authors will discuss, with examples, the hazard analysis for each of these types of maintenance.

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram, David Hartfelder, Electronic Controls and Software, General Motors Company, Milford, MI, USA
System safety engineering is the application of special technical methods and managerial processes in a systematic manner to identify, evaluate and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned with eliminating or minimizing the impact of system hazard(s) to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementary critical safety analyses, tests and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that they are able to influence the design of the system. This paper will define a system safety case and provide an overview of its development within the GM system safety engineering process as it applies to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA
Error Prevention Event Collection (EPEC) Documents have been beneficial to the ULA Organization in many ways, by providing multiple methods to augment current ULA Error Prevention Processes and share Lessons Learned throughout the ULA Organization. EPEC Documents are stand-alone documents that provide ULA Personnel with categorized sets of Event information that can be used to augment Preventive Analysis, Reactive Analysis and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process. This means that they have completed the Causal Analysis, Corrective Action Board and Error Prevention Council processes. Upon Event closure, the "All Items" Database is populated with Event information and the applicable Event EPEC Categories. Then the "All Items" Database automatically sorts Event entries into "Category" Databases. There is one "Category" Database for each EPEC Category. Each "Category" Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" Database that provides users with instructions for use, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications and benefits will continue to be explored as they relate to the EPEC Documents.

Wednesday 08/14/13 AM, Exeter: Human Factors II. Chair: Flint

Development of an Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy; Yanyan Wang, DE; Xin Liu; Wei Bai; Xinsheng Guo; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress has a disadvantageous effect on flight safety. Life events are a routine item of aircraft accident investigation in many countries, and many pilots involved in accidents were suffering from life events. In order to achieve the ideal effect, flight safety education must be incorporated with psychology. An education program combining flight safety and psychological stress was developed by summarizing the psychological factors relevant to aviation risk perception. The program includes three sections: psychological measurement relative to safety and results feedback, education on representative risk scenes in aviation, and occupational stress management. The Aviation Safety Locus of Control scale and the Hazardous Aviation Attitude questionnaire were used to evaluate risk pattern. The results were fed back to pilots to improve their self-knowledge. Representative risk scenes were based on the five hazardous attitudes theory. Fifteen cases were developed, and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach pilots stress management skills. The program can be applied to improve the flight safety and mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD; Xin Liu; Wei Bai; Xinsheng Guo; Qingfeng Liu, MPsy; Xiaochao Guo, DPsy; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
The capabilities of crew resource management (CRM) directly relate to flight safety and run through the whole process of flight tasks, but there are currently still no indicators and methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and the pilot's behavior characteristics of dynamic CRM were developed based on AC-121-FS-2011-41 crew resource management training and by analyzing the influential factors; thus eventually the dynamic assessment training indicators and methods of crew resource management were formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis of assessment of CRM during flight training, which is helpful to improve the CRM capabilities of the double drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD; Erin Collins; Hughes Associates Inc., Baltimore, MD, USA
The fire protection response in selected facilities is characterized by "manual" activities. That is, facility personnel are trained to react immediately after fire detection, not only to announce the fire event throughout the facility using the communication systems but also to suppress the fire as quickly as possible. Contrary to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e., hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper involves an integration of an event tree analysis and HRA, which includes treatment of the following detection and suppression activities: prompt detection and suppression, rapid detection and suppression, and fire brigade suppression.

Wednesday, 08/14/13, PM, Berkeley: Safety Topics (Chair: Gauthier)

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou BEng MSc PhD CEng, Matthew Luckcuck, Tim Kelly PhD, Richard W Jones PhD; Department of Computer Science, University of York, York, United Kingdom
There has been an increasing use of IT in healthcare, aiming to improve the quality of care as well as the safety delivered to patients. IT can contribute to meeting the performance targets of hospitals by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent for medical devices (e.g., pacemakers), for which there are organised efforts towards international standards. Recently there have been attempts to systematise and standardise the safety analysis of health IT systems, with examples such as the UK National Health Service standards asking for a safety case that any IT system is safe.

The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety and data-intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these tactics can be used to provide assurance for the final safety case of the system.

How Complex Systems Fail - I: Decomposition of the Failure Histogram
Richard R Zito PhD; Richard R Zito Research LLC, Tucson, AZ, USA
Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that in general the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model, and the failure histograms (failure rate vs. time) of some data sets do not seem to fit the Rayleigh model well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report takes the Peterson/Arellano analysis one step further. A unified theory of failure rates is presented that removes the paradoxes of the simple Rayleigh model. It is shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions are themselves distributed according to a probability density function.

Wednesday, 08/14/13, PM, Clarendon: Risk Assessment (Chair: Karedes)

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt, Joan Pham PhD; Sikorsky Aircraft Corporation, Stratford, Connecticut, USA
The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and their interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday, 08/15/13, AM, Berkeley: Space Systems (Chair: Durmaz)

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X Dang BSCE (1), Myles P Moran BSME (2), Tyrone Jackson BSEE (1); (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA
A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. As an example, one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 AFSPC SUP 1, 91-217 and 63-101. AF program offices are required to comply with AFI policies; AFIs don't generally apply to the contractor except as implemented through the contract. Often, program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that, by having two sets of requirements (AFIs for program offices and MIL-STD-882-Tailored for contractors), full compliance with AF Orbital Safety policy would be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"

Program ISSC 2013


Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G McDougall BS Physics, Naval Post-Graduate School (NPS) Master System Engineering; System Safety Center, SMC/SE, El Segundo, CA, USA; Tyrone Jackson BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA
Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommissioning and disposal of systems, subsystems, end items and services during the entire space system lifecycle, to support the Operational Safety, Suitability and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements applicable to the acquisition of space systems or space systems of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems, and user equipment systems. SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP_I and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process for evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing the tasks and activities required to execute a viable system safety program, which include risk acceptance package development, hazard tracking, mishap risk disposition and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch, CO, USA
United Launch Alliance launches Atlas V and Delta IV from the Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles, and large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle and prelaunch operations, until liftoff. Range Safety regulations provide safety requirements for hardware, software and operations to ensure safety throughout ground processing. This paper examines each stage of ground processing for space launch and the applicable safety requirements, and discusses how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after personnel are cleared, using safety-critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday, 08/15/13, AM, Clarendon: Weapons Safety (Chair: Southwick)

Security Critical Software - the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S Alborzi PhD; Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA
Today's political landscape, the arbitrary abandonment of nuclear weapons non-proliferation by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense of system safety. This paper explores this integration and unveils some of the security-critical software that can serve as the first line of defense for preserving the safety-critical features of our weapons systems.


Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C Adams BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello BSChE, Navy NOSSA, Indian Head, MD, USA
The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance provided in the associated AOP-7 and AOP-39 for implementing policy. Questions are often raised during program development and reviews as to the origin and applicability of the tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, addresses only Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham MS SE, Gunendran Sivapragasam MBA SE; Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA
A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among the characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday, 08/15/13, AM, Dartmouth: Hazard Identification (Chair: Oliver)

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore
We often ask ourselves why accidents or mishaps happened even when the system safety methodology and assessments were in place. Accidents happen due to many possible causes. There could be lapses in the safety integrity of the system, or a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns, such that a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations that were faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist, and explores ways to minimize these gaps, thus improving the practice of system safety. Four areas of concern are highlighted in the paper: Interfaces; Prototype Tests & Trials; Maintenance & Disposal; and Human Error. By identifying the gaps in these four areas, the author explores and proposes mitigation measures that could close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr. Cand. scient., System Safety, SINTEF, Trondheim, Norway
Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body (for certification according to IEC 61508), a Notified Body (for certification according to the relevant EU directives) and a Manufacturer.

Experience has shown that, to deliver the product on time and cost-effectively, it is very important that the Manufacturer and the Certification and Notified Bodies agree on basic principles concerning the plans, contents, traceability and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Bodies as evidence.

This paper presents the CoVeR method, which has been developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report (CER) for conformance to IEC 61508. This ensures a good start, that costs are minimized, that time to market is reduced, that the certification process is complete and well documented, and that updating the certificates requires less work. Certification experience to date shows that many of the problems with conventional methods are alleviated.

Design with Safety Eye
Barış Berk Erdem MS, Pinar Aydin MS; Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey
Deriving safety requirements in the early stages of design is one of the most important key factors in conducting a successful development process for any project. Just as well-defined, correct, consistent and complete safety requirements improve and guide the design toward perfection with minimum effort, defective, inconsistent and incorrect safety requirements may lead to unsuccessful, overweight and over-cost designs. In this paper, ways of deriving qualified safety requirements in the early stages of design, and the advantages of doing so, are discussed via examples. Safety requirements are derived using the results of safety assessments based on the consequences of functional failures. But the quality of the safety assessments depends on the maturity of the design, and as the design matures it becomes hard to change and to implement changes; this causes a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated and familiar with similar projects provides great contributions. Also, a safety perspective throughout the design team makes it easy to derive valuable safety requirements and to build these requirements into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is the cooperation of the whole design team with a safety perspective.

Thursday, 08/15/13, PM, Berkeley: Aerospace Software (Chair: Beecher)

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C Michael Holloway, NASA Langley Research Center, Hampton, VA, USA
For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements". Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments, contained in or implied by the DO-178C guidance, that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore, developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels and Baconian probability. We define use cases for confidence in safety cases, prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for reuse of safety elements.

Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System
Eric Yang PhD, Richard Y Xie PhD, Arash Yousefi PhD; Metron Aviation Inc, Dulles, VA, USA
As demand for military, civilian and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper we adapt a previously developed safety modeling framework, the Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS, incompatibility between the sense-and-avoid systems of UAS and the Tactical Collision Avoidance Systems (TCAS) of manned aircraft, loss-link procedures in the UAS, and UAS loss of communication with air traffic control. The findings of this study provide insight into the potential risks of UAS integration and may support development of a concept of operations, establishing minimum performance standards, and developing required safety nets.

Thursday, 08/15/13, PM, Clarendon: Public Safety II (Chair: Laabs)

Integrating System Safety and Emergency Management
Terry L Hardy, Great Circle Analytics LLC, Denver, CO, USA
System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations, or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience, and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A Robins BS Safety, MS Systems Management, CSP, CFPS; HSE, Marine Well Containment Company, Houston, TX, USA
Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess and Statoil. In February 2011, MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper provides an overview of MWCC, its ICS and its Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach for working with member companies on hazard identifications, to establish a baseline and to identify areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will also be addressed in this paper.

What are your strengths as an engineer? "thinking system-wide", "providing in-depth analysis of the latest technologies", "solving real-life problems"

Online Master's Degrees: Reliability Engineering, Project Management, Nuclear Engineering, Sustainable Energy, Energetic Concepts, Fire Protection Engineering

Learn more: www.advancedengineering.edu/issc


A Taxonomic Analysis on Chinese Special Equipments "Yinhuan" in Supervision
Yunxiao Fan Dr, Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety at the worksite. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices and automobiles. In recent years, the rapid increase in the number and types of special equipment has placed increasing stress on BSES's regulation of special equipment. As a government supervisory organization, BSES tries to make the inspection tasks of the different supervision levels explicit and efficient, and to improve safety management performance from the viewpoint of risk. This research is the first task in a project that aims to identify yinhuans in special equipment supervision using a taxonomic approach, for further ranking of them through risk assessment. Based on nonconformity and the 4 elements of the accident causation model, this research defined the yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. This research identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans across 8 types of special equipment.

Thursday, 08/15/13, PM, Dartmouth: Hazard/Risk Management II (Chair: Kniess)

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander MSc (1), Patrick J Graydon PhD (2), Rikard Land PhD (1); (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework that includes analysers for safety cases defined in the Goal Structuring Notation (GSN) and for systems modelled in the Architecture Analysis and Design Language (AADL). In our approach, the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence; it can also ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA
United Launch Alliance (ULA) believes error reporting is the cornerstone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012, ULA experienced an elevated number of transportation-related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if the associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates processes were "in control" during the period of this study.


Isograph Software - World Leading Reliability, Availability and Maintenance Software
Reliability Workbench: Reliability Allocation, Prediction, FMECA, Fault Tree Analysis, Event Tree Analysis, Markov
Availability Workbench: Reduce Labor & Spares Costs, Increase uptime and output, Seamless integration with SAP and Maximo
www.isograph-software.com

Even though statistical analysis tools demonstrated ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business; rather, ULA strives to eliminate all errors.
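The p-chart check the ULA abstract describes, as an added example that is not ULA's code: the Event counts, the monthly periods and the "transportation moves" used as the denominator are all constructed assumptions, and the 3-sigma limits are the standard p-chart rule rather than anything the abstract specifies.

```python
"""P-chart (attribute control chart) over error-Event data.

Added example; not ULA's code, and the data below are constructed. Each
period has n opportunities (here, transportation moves, an assumed unit) and
x reported Events. The chart compares each period's proportion p = x/n with
3-sigma limits around the pooled proportion p_bar. Because n differs from
period to period, the limits are recomputed for every period.
"""
from math import sqrt
from typing import Dict, List, Tuple


def p_chart(events: List[int], opportunities: List[int],
            z: float = 3.0) -> Tuple[float, List[Dict[str, float]]]:
    """Return (p_bar, rows); each row carries p, its LCL/UCL and an 'out' flag."""
    if not events or len(events) != len(opportunities):
        raise ValueError("need exactly one event count per period")
    if any(n <= 0 for n in opportunities) or any(
            x < 0 or x > n for x, n in zip(events, opportunities)):
        raise ValueError("counts must satisfy 0 <= events <= opportunities")

    p_bar = sum(events) / sum(opportunities)      # pooled centre line
    rows: List[Dict[str, float]] = []
    for x, n in zip(events, opportunities):
        sigma = sqrt(p_bar * (1.0 - p_bar) / n)   # binomial std. dev. of p at this n
        ucl = p_bar + z * sigma
        lcl = max(0.0, p_bar - z * sigma)         # a proportion cannot fall below zero
        p = x / n
        rows.append({"n": n, "events": x, "p": p, "lcl": lcl, "ucl": ucl,
                     "out": p > ucl or p < lcl})
    return p_bar, rows


def out_of_control_periods(events: List[int], opportunities: List[int],
                           z: float = 3.0) -> List[int]:
    """Zero-based indices of periods whose proportion lies outside the limits."""
    _, rows = p_chart(events, opportunities, z)
    return [i for i, row in enumerate(rows) if row["out"]]


def in_control(events: List[int], opportunities: List[int],
               z: float = 3.0) -> bool:
    """True when no period breaches its control limits (the abstract's criterion)."""
    return not out_of_control_periods(events, opportunities, z)


# Constructed data: 12 monthly periods of roughly 200 moves each, with one
# month (index 7) carrying a cluster of Events like the 2012 spike the
# abstract mentions. Pooled p_bar = 48 / 2400 = 0.02.
MOVES = [180, 200, 190, 210, 205, 195, 200, 220, 210, 190, 200, 200]
EVENTS = [3, 4, 2, 5, 3, 4, 3, 12, 4, 2, 3, 3]

if __name__ == "__main__":
    centre, chart = p_chart(EVENTS, MOVES)
    print(f"centre line p_bar = {centre:.4f}")
    for i, row in enumerate(chart, start=1):
        flag = "  <-- outside limits" if row["out"] else ""
        print(f"month {i:2d}: n={row['n']:3d} events={row['events']:2d} "
              f"p={row['p']:.4f} limits=[{row['lcl']:.4f}, {row['ucl']:.4f}]{flag}")
    print("in control:", in_control(EVENTS, MOVES))
```

Only month 8 breaches its upper limit with these numbers; replacing its 12 Events with 4 brings the whole year inside the limits, which is the "in control" reading the abstract reports for ULA's actual data.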

Leading Indicators in Aviation Operations
Robert W Fletcher PMP PEng MSc, Robert Fletcher System Safety Inc, Ottawa, ON, Canada; Ioannis M Dokas PhD CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece
Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper describes how STAMP-Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents and incidents. The objective is to show the feasibility of establishing, in airports, system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems and airports to assess and predict changing levels of risk.


Special Functions

Saturday: SSS Executive Council Meeting, 12:00 - 5:00 pm, Tremont Room

Sunday: SSS Executive Council Meeting, 8:00 am - 5:00 pm, Tremont Room

Monday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
Opening Ceremonies / General Session, 1:30 - 3:30 am, Salons A-E; 50th Celebration Speaker: Rex B Gordon MPH PE CSP, Fellow, Member Emeritus; Keynote Speaker: James P Keller Jr MS, ECRI Institute

Tuesday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
Sponsor/Exhibitor Luncheon, 11:30 am - 1:20 pm, Salons A-E; Speaker: Dr Nancy Leveson, Massachusetts Institute of Technology
Sponsor & Exhibitor Reception, 6:30 - 8:30 pm, Gloucester Room

Wednesday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
International Luncheon, 11:30 am - 1:20 pm, Salons A-E; Speaker: Dr John McDermid, The University of York, UK
Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00 pm; be in the hotel lobby at 6:00 pm

Thursday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
Awards Luncheon, 11:30 - 1:20 pm, Salons A-E

Friday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
Best Papers Presentations, 8:00 - 11:20 am, Dartmouth Room


32nd International System Safety Conference, 4-8 August 2014 · St. Louis, MO
St. Louis Union Station Marriott Hotel
Gateway to Safety

Local attractions
• Gateway Arch Riverfront
• Missouri History Museum
• Museum of Transportation
• St Louis Cardinals
• St Louis Symphony
• St Louis Union Station
• St Louis Science Center
• The Contemporary Art Museum St Louis
• Bissell Mansion Restaurant and Dinner Theater
• Missouri Botanical Gardens
• Laumeier Sculpture Park
• Anheuser-Busch Brewery
• Kemp Auto Museum
• Schlafly Bottleworks
• Fox Theater
• Purina Farms
• Meramec Caverns
• Laclede's Landing
• City Museum
• Magic House
• Grant's Farm
• St Louis Zoo
• Delmar Loop
• Forest Park
• Harrah's
• Six Flags


aBOUt the system safety sOCietyThe System Safety Society is a non-profit organization of professionals dedicated to the safety of systems products and services through the effective implementation of the system safety concept Under this concept appropriate technical and managerial skills are applied so that a systematic forward-looking hazard identification and control function becomes an integral part of a project program or activity at the planning phase and continues through the design production testing use and disposal phases

The Society's Objectives
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070. www.system-safety.org, email: systemsafety@system-safety.org

Points of Contact

Officers
Robert Schmedake, President, robertaschmedakeboeingcom
Dr Rod Simmons, Executive Vice President, rodsimmonsmecom
Dr Matt Johnson, Executive Secretary, mjohnsonstaudertechcom
Pam Kniess, Treasurer, pamkniessgmailcom
Gary Braman, Immediate Past President, gbramansikorskycom

Directors
Gerry Einarsson, Chapter Services, einargkrogerscom
Lynece Pfledderer, Conferences, Lynecepfleddererlmcocom
Dr Chuck Muniak, Education & Professional Development, cmuniakstevensedu
Debbie Hale, Gov & Intersociety, Hale0324hotmailcom
Robert Fletcher, International Development, rwfletchersympaticoca
Melissa Emery, Member Services, memeryapt-researchcom
Steve Mattern, Mentoring R&D, smatternbastiontechnologiescom
Saralyn Dwyer, Publicity & Media, sdwyerapt-researchcom


Chapters
Tennessee Valley Chapter (AL): Don Swallom, swallomisss-tvcorg
Saguaro Chapter (AZ): Amanda Boysun, 520-794-5487, AmandaBoysunraytheoncom
Bay Area Chapter (CA): Graham Murray, 408-756-2674, grahamtmurraylmcocom
Central California Chapter (CA): Kathleen Brenna, KathleenBrenna1usafmil
Sierra High Desert Chapter (CA): Jerry Banister, 760-377-4690, safetycitadelearthlinknet
Southern California Chapter (CA): Francis McDougall, 310-653-1309, francismcdougallusafmil
Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppecomcastnet
Georgia Chapter: Terry Gooch, 770-494-3527, terryjgoochgmailcom
Winners Circle Chapter (KY/IN): Marc Bever, 812-854-1351, Marcbevernavymil
Twin Cities Chapter (MN): Bill Blake, 763-744-5086, billblakeatkcom
New England Chapter: Alan E Southwick, 401-842-2067, Alan_E_Southwickraytheoncom
Northeast Chapter: Scott Beecher, scottbeecherPWutccom
New Mexico Chapter (NM): William (Bill) Harwood, williamharwoodmdamil
Houston Chapter (TX): Derek Robins, 281-335-2011, derekrobbinsmwcc-usacom
North Texas Chapter (TX): Frank Rinaldo, 817-762-3075, frankrrinaldolmcocom
Washington DC Chapter: Sean Peters, seanpetersurscom
Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerberbaesystemscom

International Chapters
Australia Chapter: Dr Holger Becht, +61 (0)7 3868 9243, holgerbechtrgbassurancecomau
Canada Chapter: Maury Hill, 613-220-0533, Mauryhillrogerscom
Israel Chapter: Haim Kuper, 972-4-8315044, haimkuperelbitsystemscom
Singapore Chapter: Ten Lin Mei, tlinmeidsoorgsg


31st ISSC Luncheon Menu

Tuesday, August 13

New England Clam Chowder

Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction

Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14

Asian Inspired Salad

Teriyaki Chicken, Coconut Rice, Seared Bok Choy

Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15

Caesar Salad

Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato Pesto Butter Sauce

White Chocolate and Blood Orange Torte


Schedule: Monday, 12 August
4th Floor, 8:00 - 5:00: Registration. Simmons Room, 6:30 - 8:00: Speakers' Breakfast. Regis Room, 8:00 - 5:00: Presenter Prep.

Rooms: Salons A-E, Berkley, Clarendon

8:00 - 8:50
Hazard Analysis (Barondes): Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models (Wind, Schedl, Floetzer)
Ground Transportation (Millin): Achieving Safety Confidence of a Large Scale System Product and its Applications (Shi)

9:00 - 9:50
Hazard Analysis: Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees (Rainey)
Ground Transportation: Failure Logic Automata for Future Oriented Safety Assessment of Train Control System (Zhou, Zhao)

10:30 - 11:20
Hazard Analysis: The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment (Jaradat, Graydon, Bate)
Ground Transportation: Are We Ready for Driverless Cars? (West)

Lunch Break, Salons A-E

1:30 - 2:20
Opening Ceremonies, General Session: Opening Ceremonies, 50th Celebration. Speaker: Rex B Gordon, MPH, PE, CSP, Fellow, Member Emeritus. Keynote Speaker: James P Keller Jr, MS, ECRI Institute

2:30 - 3:20

4:00 - 4:50


Rooms: Exeter, Fairfield, Wellesley

8:00 - 8:50
Tutorial: Hands-On System Safety Basics Focused On FHA, Winkelbauer, Schedl (3 hrs)
Tutorial: Introduction to Fault Tree Analysis Using CAFTA Software, Roy (3 hrs)
Committee & Group Meetings

9:00 - 9:50

10:30 - 11:20

1:30 - 2:20

2:30 - 3:20

4:00 - 4:50


Schedule: Tuesday, 13 August
4th Floor, 8:00 - 5:00: Registration. Simmons Room, 6:30 - 8:00: Speakers' Breakfast. Regis Room, 8:00 - 5:00: Presenter Prep.

Rooms: Arlington, Berkley, Clarendon, Dartmouth

8:00 - 8:50
Tutorial: A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique, Leveson, Thomas (6 hrs)
Hazard/Risk Management (Parizo): Safety is not an Option (Parizo, Daugherty)
Workplace Safety (Kondreck): Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen (Zhang, Batcheller, McQueen)
Open Forum (Fletcher): Developing Global System Safety Perspectives

9:00 - 9:50
Hazard/Risk Management: National Aerospace Standard 411 Update (Sheehan)
Workplace Safety: A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources (Fischer, Yankaskas, Page)

10:30 - 11:20
Hazard/Risk Management: Linear Integrated Safety Analyses (LISA) (Grant, Muhammad)
Workplace Safety: System Safety Design for Safe Operation of Radars (Bartos)

Sponsor & Exhibitor Luncheon, Salons A-E. Guest Speaker: Dr Nancy Leveson, Massachusetts Institute of Technology. Menu: New England Clam Chowder; Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction; Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

1:30 - 2:20
Tutorial (continued)
Software Engineering (Mikula): Dependability Techniques Applied to Space Software - A Research Project Report (Lahoz, Abdala)
Aerospace Safety (Kraemer): Systems-Based Approach to Flight Safety Management in Airlines (Chi, Xu, Qi, Shao)
Software Safety (Schmedake): Safety and/vs Security: Towards a System Engineering Approach for Trust (Schoitsch)

2:30 - 3:20
Software Engineering: The Principles of Software Safety Assurance (Hawkins, Habli, Kelly)
Aerospace Safety: Use of Master Minimum Equipment List (MMEL) To Ensure Safe Dispatch (Durmaz)
Software Safety: Anatomy of a Safety Critical Software Function (Church)

4:00 - 4:50
Software Engineering: Formal Modelling in the Development of Dependable Systems (Troubitsyna)
Aerospace Safety: Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics (Campbell)
Software Safety: Software Risk: The Third Rail of Safety Analysis (Hildreth, Elcock)

6:30 - 8:30
Sponsor & Exhibitor Reception, Gloucester Room


Rooms: Exeter, Fairfield, Suffolk, Wellesley

8:00 - 8:50
Workshop: ISO 26262-Style Risk Assessment, Joyce (3 hrs)
Tutorial: Assurance Cases As Means of Evidence Based Development of Critical Systems, Despotou (3 hrs)
Tutorial: Practical Generation of Safety Cases With the Help of GSN, Gerstinger, Schedl (3 hrs)
Committee & Group Meetings

9:00 - 9:50

10:30 - 11:20

1:30 - 2:20
Workshop: Application of System Safety Methods to Systems of Systems, Joyce, Debouk, Vergara (3 hrs)
Workshop: Advancing Safety By Reducing Errors: A Fresh Approach, Autrey (3 hrs)
Tutorial: Improving Safety Management by Using a Risk Management Policy in Your Daily Operations, Fitzgerald (3 hrs)
Committee & Group Meetings (continued)

2:30 - 3:20

4:00 - 4:50


Schedule: Wednesday, 14 August
4th Floor, 8:00 - 5:00: Registration. Simmons Room, 6:30 - 8:00: Speakers' Breakfast. Regis Room, 8:00 - 5:00: Presenter Prep.

Rooms: Arlington, Berkley, Clarendon, Dartmouth

8:00 - 8:50
Human Factors (Robins): ASL – Affective Safety Leadership (Ramsing)
Public Safety (Fletcher): The Study on the Accident Causation Rule of Macroscopic Accidents in China (Zeng, Luo, Tian)
Lifecycle Safety (Swallom): Maintenance Hazard Analysis (Tan)

9:00 - 9:50
Human Factors: Exxon Valdez: Human Error Plain and Simple (Barondes)
Public Safety: Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity (Zheleznov)
Lifecycle Safety: Development of a System Safety Case for Automotive Electric/Electronic Systems (Sundaram, Hartfelder)

10:30 - 11:20
Human Factors: Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems (Vernacchia, Green, Llaneras)
Public Safety: Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation (Smirnov, Yurkov, Syagin, Koshina)
Lifecycle Safety: Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes (Laabs, Allison, Russell)

International Luncheon, Salons A-E. Guest Speaker: Dr John McDermid, The University of York, UK. Menu: Asian Inspired Salad; Teriyaki Chicken, Coconut Rice, Seared Bok Choy; Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

1:30 - 2:20
Workshop: The Evolution of the UK Defence Safety Standards (McDermid)
Safety Topics (Gauthier): Introducing Safety Assurance Influenced Design of Health IT Systems (Despotou, Luckcuck, Kelly, Jones)
Risk Assessment (Karedes): Quantitative Risk Assessment in Aviation Safety Risk Management (Hewitt, Pham)
Tutorial: Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System, Behnke, Damstra, Villhauer (2 hrs)

2:30 - 3:20
How Complex Systems Fail-I: Decomposition of the Failure Histogram (Zito)

4:00 - 4:50

6:00 - 10:00
Wolfgang Puck Dinner and Lightning Show at the Museum of Science


Rooms: Exeter, Fairfield, Suffolk, Wellesley

8:00 - 8:50
Human Factors II (Flint): Development of Education Program Integrating Flight Safety and Psychological Stress (Liu, Wang, Liu, Bai, Guo)
Tutorial: Why You Should Care About the "-Ilities", Southwick (3 hrs)
G-48 Meeting: West (6 hrs)
Committee & Group Meetings

9:00 - 9:50
Human Factors II: Research on Evaluation Index and Method of CRM Dynamic Training (Wang, Liu, Bai, Liu, Guo, Guo)

10:30 - 11:20
Human Factors II: Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events (Garvey, Joglar, Collins)

1:30 - 2:20
Tutorial: Where Hard Meets SOFT: Human Factors Role In System Safety Engineering, Brisbois (2 hrs)
Workshop: Aircraft Fire & Explosion – How Safe are the Friendly Skies? (Moussa)
G-48 Meeting (continued)
Tutorial: Using Risk Profiles for Safety Management of Large Scale Operations, Fitzgerald (3 hrs)

2:30 - 3:20

4:00 - 4:50


Schedule: Thursday, 15 August
4th Floor, 8:00 - 5:00: Registration. Simmons Room, 6:30 - 8:00: Speakers' Breakfast. Regis Room, 8:00 - 5:00: Presenter Prep.

Rooms: Berkley, Clarendon, Dartmouth

8:00 - 8:50
Space Systems (Durmaz): Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy (Dang, Moran, Jackson)
Weapons Safety (Southwick): Security Critical Software — the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age (Alborzi)
Hazard Identification (Oliver): Closing the Gaps in System Safety Coverage (Siow)

9:00 - 9:50
Space Systems: Tailoring of MIL-STD-882E for Space Systems Acquisitions (McDougall, Jackson)
Weapons Safety: Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics (Adams, Tomasello)
Hazard Identification: Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods (Myklebust)

10:30 - 11:20
Space Systems: Cryogenic Safety for Space Launch Vehicles During Ground Operations (Iyengar)
Weapons Safety: A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects (Pham, Sivapragasam)
Hazard Identification: Design With Safety Eye (Erdem, Aydin)

Awards Luncheon, Salons A-E. Menu: Caesar Salad; Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato Pesto Butter Sauce; White Chocolate and Blood Orange Torte

1:30 - 2:20
Aerospace Software (Beecher): Making the Implicit Explicit: Towards an Assurance Case for DO-178C (Holloway)
Public Safety II (Laabs): Integrating System Safety and Emergency Management (Hardy)
Hazard/Risk Management II (Kniess): Towards Automatic Verification of Safety Properties in AADL System Models (Björnander, Graydon, Land)

2:30 - 3:20
Aerospace Software: Uncertainty and Confidence in Safety Logic (Graydon)
Public Safety II: Safety in Deepwater Well Containment Operations (Robins)
Hazard/Risk Management II: Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events (Allison, Jerdak)

4:00 - 4:50
Aerospace Software: Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System (Yang, Xie, Yousefi)
Public Safety II: A Taxonomic Analysis On Chinese Special Equipments "Yinhuan" in Supervision (Fan, Luo, Lu)
Hazard/Risk Management II: Leading Indicators in Aviation Operations (Fletcher, Dokas)


Rooms: Exeter, Fairfield, Suffolk, Wellesley

8:00 - 8:50
Tutorial: Conceive of Modeling On Operation Mechanism of Public Safety Standardization, Luo, Huang (6 hrs)
Panel: G-48 Pressing Issues Facing System Safety, West (3 hrs)
Committee & Group Meetings

9:00 - 9:50

10:30 - 11:20

1:30 - 2:20
Tutorial (continued)
Committee & Group Meetings (continued)

2:30 - 3:20

4:00 - 4:50

Friday, 16 August
Simmons Room, 6:30 - 8:00: Speakers' Breakfast

Rooms: Clarendon, Dartmouth, Regis

8:00 - 8:50
Workshop: Process Safety Culture Best Practices (Pearlman) (2 hrs)
Best Paper 1
Lessons Learned & ISSC Staff Turn-over Meeting

8:50 - 9:30
Best Paper 2

10:00 - 10:40

10:50 - 11:30


3 2 1 SAFETY
System safety is paramount. It impacts our products, employees, technicians and maintenance personnel. And safety is no accident – it is designed into everything we do. We are proud to sponsor this year's International System Safety Conference and their mission to think outside the box when it comes to the best processes, methods and techniques. We're committed to delivering innovative ideas and solutions that help connect, protect and explore our universe.

www.lockheedmartin.com/ssc

© 2012 Lockheed Martin Corporation


Tutorials
The conference organizers have an information-packed tutorial program planned in conjunction with the 31st ISSC. Attending tutorials, as well as other elements of the Technical Program at the 31st ISSC, meets the requirements for Continuance of Certification credit through the Board of Certified Safety Professionals (BCSP). The University of Cincinnati will issue Continuing Education Units (CEUs) for participation in the conference tutorials. CEUs are issued on the basis of 0.1 CEU per instructional contact hour. You must be present for at least 90% of the tutorial to receive CEUs and a tutorial completion certificate. Your attendance is verified via the process outlined below.

• At the start of the tutorial, you'll clearly print your name in the attendance form exactly as you want it to appear on the certificate.
• After returning from each break during the tutorial (morning, lunch and/or afternoon), you'll initial the attendance form.
• You must be present at the end of the tutorial to receive your certificate and the CEUs.

If there are misspellings on the CEU certificates, please mark the corrections and give them back to the instructor or leave them at the registration desk.

Monday 08·12·13, 8:00-11:30, Exeter, Tutorial, 0.3 CEU

Hands-On System Safety Basics Focused on FHA
Instructors: Werner Winkelbauer, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria
An overview of a generic safety process best suited for small to medium sized projects in relation to the project lifecycle is given. For each major project phase, the respective safety process phase, safety objectives and necessary in- and outputs are detailed. Some state-of-the-art analysis techniques are explained. Special emphasis is placed on the Functional Hazard Assessment, where practical guidance for a Functional Failure Modes and Effects Analysis is presented.

The content of this tutorial is based on experience from an international working company.

Objective: Basic understanding of a safety process and the practical implementation of a Functional Failure Modes and Effects Analysis.

Monday 08·12·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Introduction to Fault Tree Analysis Using CAFTA Software
Instructor: Jean Francois Roy, Nuclear Division, Risk & Safety Management Group, Electric Power Research Institute, Palo Alto, CA, USA
This tutorial will introduce Fault Tree Analysis using CAFTA Software. Attendees will first review fault tree methodology and terminology. Construction of a fault tree model in CAFTA will then follow a brief review of CAFTA's components and symbol types. In constructing the Fault Tree model, topics covered will include projects, navigation, editing shortcuts and how to add probabilities. An overview of basic event probability formulas, type codes and variables will be included, as well as printing and quantification processes.

Tuesday 08·13·13, 8:00-5:00, Arlington, Tutorial, 0.6 CEU

A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique
Instructors: Nancy G Leveson, PhD, John Thomas, PhD, Aeronautics and Astronautics, MIT (Massachusetts Institute of Technology), Cambridge, MA, USA
STAMP is a new accident causality model that expands on the old models in order to handle the increased complexity, software and changing human roles in today's systems. Using STAMP as a foundation, new tools have been built for hazard analysis (STPA), accident analysis (CAST), organizational risk analysis and risk management, etc. This tutorial will concentrate on STPA. The tutorial will start with a brief introduction to STAMP and the systems approach to safety engineering. The rest of the time will be devoted to learning STPA and doing exercises. Students are encouraged to bring problems from their own research domains so that they can try this analysis method on something very relevant to their work.

STPA is being used successfully in most every industry. Several groups have evaluated STPA empirically by comparing the results with standard hazard analysis techniques. In all cases STPA found all the hazard scenarios found by the other methods, but also found additional ones involving software, human errors and unsafe interactions among system components. In a couple of cases where STPA and the other methods were applied to a design in which an accident had occurred (without telling the analysts), STPA was the only method that found the real accident scenario.

By the end of the tutorial, attendees will be able to apply STPA to a system in their field of expertise.

Tuesday 08·13·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Assurance Cases as Means of Evidence Based Development of Critical Systems
Instructor: George Despotou, BEng, MSc, PhD, CEng, Department of Computer Science, University of York, York, United Kingdom
Often developers have the onus to defend a position (i.e. make a case) about the safety of their system. This usually involves an explanation of how the available information for a system supports the claim that risks in a system have been acceptably managed.

Safety cases have been used in the safety domain for a number of years, mostly in the defence, aerospace and energy domains. Their usefulness as a tool for improving safety has been appreciated by many practitioners, and development of a safety case is a requirement in many standards. This has resulted in the core concepts of safety cases being transferred to other domains (e.g. automotive) and their focus to other system attributes (e.g. security cases). Recently the term assurance case has been introduced, which encompasses not only safety but other relevant critical aspects of a system, such as security.

A case exists to communicate an argument. It is used to demonstrate how someone can reasonably conclude that a system is acceptably safe from the evidence available. A case is a device for communicating ideas and information, usually to a third party (e.g. a regulator). In order to do this convincingly, it must be as clear as possible. Safety case definitions may bear differences in different domains, but all definitions converge to a set of characteristics.

Development of a (safety) case is a requirement in many standards. However, the usefulness of the safety case has been appreciated in the industry, and it is used by many organisations as good practice. The reason for this is that explicitly capturing all reasoning and information (about the supported position), such as assumptions and evidence, facilitates assessing the fitness of the design to meet its (safety) objectives. A manufacturer will design a system aiming to achieve the required operational attributes. However, what is intended is not often what is achieved. Once the reasoning of the developers is explicitly documented as claim and argument supported by evidence, the gap between what was intended and what was achieved becomes more apparent.

Explicitly documenting a case will contribute towards the factual representation of the system, revealing which claims can be supported by evidence and which remain intention (for example because there is no sufficient evidence to support them). This may not necessarily imply that the latter claims have not been implemented, but that we are unaware of their achievement as they are not sufficiently supported. There can be three reasons as to why a claim is not sufficiently supported: a) there is not sufficient evidence to warrant the claim; b) although there is evidence, there is inadequate explanation (a problematic argument structure) as to how the evidence supports the claim; and c) the claim was phrased in a way that is unsupportable.

The tutorial describes the basic concepts of assurance and safety cases (including recent OMG standards), will explain the main challenges in developing an assurance case and their relationship to safety standards (safety cases and standards serve different purposes and should be seen as complementary), and present best practice (and misconceptions) regarding assurance cases.

Tuesday 08·13·13, 8:00-11:30, Suffolk, Tutorial, 0.3 CEU

Practical Generation of Safety Cases with the Help of GSN
Instructors: Andreas Gerstinger, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria
This tutorial will introduce you to the concept of safety cases. Safety cases are structured arguments that support the claim that a system is safe to be used for a given application in a given environment. Several standards require the production of such safety cases as a prerequisite for approval. The tutorial will highlight good and bad practices when developing safety cases and will introduce you to a notation specifically developed for the generation of safety cases, the Goal Structuring Notation (GSN). There will be practical examples which need to be solved by the attendees, so that hands-on practice and experience is gained.

Detailed outline of the tutorial:

Introduction (1h): The tutorial will start with a survey of current safety standards (IEC 61508, ISO 26262, EN 50128, DO-178C) and analyse their views and requirements regarding safety cases. We will then delve into the nature of safety cases, briefly touch their historical origins and clearly consider what can and what can't be expected from a safety case. Based on our practical experience we will also highlight some typical bad practices when constructing safety cases. This helps to correctly and critically read them and is also a helpful guideline for reviewing other safety documentation. This part of the tutorial is largely a presentation.

Goal Structuring Notation (45min): We will now introduce the main elements of the Goal Structuring Notation (GSN), which is a helpful tool to document safety cases. The presentation of the notation will be interleaved with brief examples, exercises and questions, so that attendees have the chance to fully understand the meaning and purpose of the various symbols. A structured method for how to proceed when drafting safety cases will also be presented. Hence this part of the tutorial is much more interactive, requiring active participation of attendees.

Case Study (45min): A realistic case study will then be handed out. It is expected to be solved as group work (groups of 3-5 people are expected). The task of the groups will be to draft and present a sound safety argument for a given claim that the system in the case study is acceptably safe for a specific application in a given environment. GSN shall be used as a notation for this purpose. At the end, the groups present their solutions and the advantages/disadvantages of the presented solutions are discussed. This part of the tutorial is group work.

Concluding Remarks (30min): Finally we will offer some concluding remarks consisting of hints on how to avoid common errors and fallacies in safety cases, show some examples of real-world safety cases, and finish with a personal conclusion.

Tuesday 08·13·13, 1:30-5:00, Suffolk, Tutorial, 0.3 CEU

Improving Safety Management by Using a Risk Management Policy in Your Daily Operations
Instructor: Ronald E Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA
The focus of the tutorial is the use of risk assessment and risk management in the (non-technical) occupational safety and health profession. Domain of Interest: Hazard/Risk Management or Workplace Safety.

First hour: Review the basics of the various components of risk and types of risk assessments. Stress that the safety and health professional needs to understand that risk is more than a simple subjective measure of severity and frequency.

Second hour: Demonstrate how to make risk assessment into a powerful management tool by customizing the assessment of risk for use in a company/industry. Also provide insights on how to "sell" a risk management policy/program within a company.

Third hour: A discussion of how to use risk management as a tool to aid you in your daily office or program management responsibilities: the planning, organizing, staffing, leading and controlling of a safety program. Embedded in the discussion is how risk can provide a measure of the success of an occupational safety and health program.

Wednesday 08·14·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Why You Should Care About the "-Ilities"
Instructor: Alan E Southwick, BSEE, MME, MBA, CSP, CQE, CRE, Whole Life Engineering Directorate, Raytheon Company Integrated Defense Systems, Portsmouth, RI, USA
The topic addresses the interrelationships developed from Quality, Quality Control and Quality Engineering, pursuing Specialty Engineering Roles and Relationships, including Reliability, Maintainability, Supportability, Human Factors, Safety and Security (Information Assurance), from an overview perspective. The tutorial is designed to be somewhat interactive, presenting examples and questions to the audience related to the various topics discussed, thereby engaging and providing participants with insights into the various disciplines and how they relate within "Specialty Engineering".

Wednesday 08·14·13, 1:30-3:30, Dartmouth, Tutorial, 0.2 CEU

Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System
Instructors: Tim R Behnke, BSEE; John Damstra, BS Mathematical Sciences; and Eric D Villhauer, BS Aerospace Eng, BA Economics; Specialty Engineering, General Atomics Aeronautical, Poway, CA, USA
The presenters share their implementation of a hazard analysis that integrates the civil aviation approach to safety analysis per SAE ARP 4761 and the defense approach to safety analysis per MIL-STD-882E, along with their implementation of the associated hazard tracking system in DOORS.

• Introductions - Behnke - 5 mins
• Need for System - Behnke - 5 mins
• Groundwork (historical) - Behnke - 10 mins
• Development - Damstra - 30 mins
  i. Modules
  ii. Attributes
  iii. DXLs
  iv. Views
  v. Exports
• Usage - Villhauer - 30 mins
• Questions - All - 10 mins


Wednesday 08·14·13, 1:30-3:30, Exeter, Tutorial, 0.2 CEU

Where Hard Meets SOFT: Human Factors Role in System Safety Engineering
Instructor: Fred W Brisbois, CHCM, Safety, Sikorsky Aircraft, International Helicopter Safety Team, Guilford, CT, USA
The gap that allows accidents to happen is sometimes where System Safety Engineering and Human Factors don't overlap. System Safety Engineering processes defined in MIL-STD-882 and ARP 4761 provide a structured approach of applying engineering practices to ensure safety is designed into products. These practices, coupled with robust product safety surveillance and management during the aircraft's service life, offer opportunities to continuously raise the standards for future designs. However, to maximize the benefits of safety engineering, it is important to master the 'art' of how and when to integrate human factor interventions into the system design. This session will cover a generic overview of system safety engineering, aircraft fleet safety management and lessons learned from 'human' malfunctions that led to aircraft system design changes.

Wednesday 08·14·13, 1:30-5:00, Wellesley, Tutorial, 0.3 CEU

Using Risk Profiles for Safety Management of Large Scale Operations
Instructor: Ronald E Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA
This tutorial provides safety and health professionals who work with large scale or multiple operations with a methodology to evaluate and compare these operations. The tutorial begins with a review of four types of risk which need to be assessed (People, Product, Production and Planet). This is followed by a brief discussion of normalizing the risk components of severity and probability. The heart of the tutorial is the description of how to measure the total risk of various operations, processes and facilities and present the resulting risk profiles to management. The tutorial will conclude with a brief discussion on the validity of the methodology used. Note: This is not a discussion on how to determine true total risk, but a simplified method using a minimum of math. The tutorial is designed for safety and health professionals working within a company that has multiple processes or facilities that compete for funding to ameliorate hazards.

Thursday 08·15·13, 8:00-5:00, Exeter, Tutorial, 0.6 CEU

Conceive of Modeling On Operation Mechanism of Public Safety Standardization
Instructors: Yun Luo and Yuecheng Huang, ME, School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
On the basis of theories and methods of system science and strategy-system, this paper revealed the operation law of standardization of safety production and the relations between all the elements, combined with the background and current situation of public safety standardization in China. It also built the frame of macroscopic operating mechanism and the "456" model of work safety standardization system operation mechanism, which borrowed the idea from the execution and achievement of work safety standardization in our country. Besides, it also designed six other mechanism models in order to do systematic analysis and present optimized countermeasures, such as comprehensive management by government, categorized supervision by department, implementing responsibility by organization, technological service by agency, wide participation by society, self-disciplined prodding by entire personnel, and so on. The research provided some theoretical directions as well as approaches for the construction and improving the operation quality of public safety standardization.


Panel DisCUssiOnsfOrUmstuEsday 08middot13middot13 800-1130 dartMouth opEn ForuM

Developing Global System Safety Perspectives
Moderator: Robert Ward Fletcher, PEng, MSc, PMP, PCIP, Consultant, President, Robert Fletcher System Safety Inc, Ottawa, Ontario, Canada
This will be a free-form discussion moderated by Bob Fletcher, SSS Director of International Development. It is a continuation of the discussion started during the 30th ISSC.

Robert is a system safety engineer with many years of experience. He has performed system safety consultancy services work for several clients around the world. He performed system safety engineering and safety management systems training, auditing and analysis for air traffic control and flight service system applications. Robert has received an MSc from the United States Navy Post Graduate School, a diploma from the Aerospace Systems School, Winnipeg, Manitoba, and a Bachelor of Science degree from the Royal Military College. He is a registered professional engineer, a member of the Project Management Institute and the Critical Infrastructure Institute.

Thursday 08·15·13, 8:00-11:30, Suffolk: Panel

G-48 Workshop - Pressing Issues Facing System Safety
Moderator: David B. West, CSP, PE, CHMM, Systems Software and Solutions Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
A panel of speakers (TBD) will give a series of presentations on the most pressing issues facing the System Safety community today.

Workshops
Tuesday 08·13·13, 8:00-11:30, Exeter: Workshop

ISO 26262-Style Risk Assessment
Presenter: Jeff J. Joyce, PhD, Critical Systems Labs Inc, Vancouver, BC, Canada
ISO 26262 is a functional safety standard for electronic control systems in road vehicles which includes a novel approach to risk assessment that overcomes the widely recognized difficulty of evaluating the likelihood of failure in the case of software-intensive systems. Although it was devised for use in the automotive domain, this approach to risk assessment has been used successfully in other technical domains that also rely on safety-critical software. Following a brief introduction to ISO 26262, participants will engage in a series of problem-solving small-group exercises based on examples taken from a variety of technical domains, including automotive, medical devices, energy and defense. The workshop will include opportunities for discussion and comparison of sample solutions. The workshop will also include a brief comparison of the ISO 26262 approach to risk assessment with the notion of software criticality in MIL-STD-882E. While this workshop will be of particular interest to system safety engineers in the automotive industry, it is intended to be relevant to system safety engineers across all technical domains with an interest in the assessment of safety risk associated with complex software-intensive systems.

Program ISSC 2013


Tuesday 08·13·13, 1:30-5:00, Exeter: Workshop

Application of System Safety Methods to Systems of Systems
Presenters: Jeff J. Joyce, PhD, Critical Systems Labs Inc, Vancouver, BC, Canada; Rami Debouk, Electrical and Controls Integration Lab, General Motors, Warren, MI, USA; Antonio Vergara, ITER Organization, St Paul-lez-Durance, France
This workshop will facilitate an exchange of knowledge among participants about the application of system safety methods to Systems of Systems (SoS), that is, systems whose components are themselves complex systems, such that the combined behavior of these components cannot be easily understood or explained in terms of the behaviors of the individual components. Examples of such systems are increasingly common across a variety of technological domains, including aerospace, defense, automotive and energy generation/distribution. Traditional methods of system safety, focused on component failure as a source of safety risk, have limited value in understanding and managing the safety risks associated with a SoS. For example, an unforeseen interaction between two "correct" behaviors implemented by different components of a SoS may result in an unsafe behavior even in the absence of a component failure. The first part of the workshop will be a series of short presentations on SoS examples from a diverse variety of technical domains, namely advanced road vehicles, high energy physics and aerospace/defense. The second part of the workshop will be an opportunity for all participants to address specific questions about the application of system safety methods to SoS through dialogue and impromptu mini-presentations.

Tuesday 08·13·13, 1:30-5:00, Fairfield: Workshop

Advancing Safety By Reducing Errors: A Fresh Approach
Presenter: Tim Autrey, BSc, Error Reduction and Human Performance Enhancement, Practicing Perfection Institute Inc, Swanzey, NH, USA
Potential hazards workers face while working in the refining and petrochemical industry can vary from minor leakage to major blasts: release of chemical vapors, spills leading to exposure to harmful gaseous chemicals, fires and explosions, smoke build-up causing shelter-in-place and impacting the local community, personal injuries, fatalities, and plant damage resulting in shutdowns. Considering time pressures, the dangerous nature of the job, weather conditions, lack of communication, poor/inadequate documentation and remote working locations, planners, locators and refiners often face combined challenges that generate very error-likely conditions.

While unexpected releases of toxic substances do occur, the industry is subject to vulnerabilities caused by others (such as processes involving highly hazardous chemicals leading to the release of flammable liquids and gases, and worker stress and fatigue), and investigations reveal that many of the major accidents that do occur could have been prevented through greater diligence on behalf of the respective personnel involved.

This workshop is designed to provide the participants the awareness that, as humans, we are fallible (even the best people make mistakes). However, this being said, as humans we also possess the incredible power of choice. What we must do is choose to learn from our mistakes and take actions to prevent their recurrence.

Bird and Germain (1996) rightly said, "What is the sense of measuring if the loss must occur before you can act? That is reaction, not control." What we need is a fresh approach to enhance safe work practices. This session will instill a strong understanding of "The Gap" in processing information and how to RESPOND rather than REACT when posed with a stressful or threatening situation. The participants will come to recognize the value inherent in worker contribution to solving problems and improving safety and efficiency.

The Practicing Perfection® approach has taken the best-of-the-best tactics and tools from the US commercial nuclear power and airline industries, simplified them, and combined them with underlying triggers and influencers of behavioral psychology to transform worker behaviors pertaining to personal and process safety in different sectors.


Using this innovative approach of Practicing Perfection®, safe work practices will be discussed in-depth using the four human error barrier/defense categories and how these work together to prevent/allow an event to occur. The participants will be introduced to the Error Elimination Tools™ handbook, which offers simple tools for minimizing the potential for error at points of team interaction and individual execution.

Wednesday 08·14·13, 1:30-3:30, Arlington: Workshop

The Evolution of the UK Defence Safety Standards
John McDermid, Professor of Software Engineering at the University of York, UK
Issue 5 of DS 00-56 is being developed and is likely to be in force before the end of the year. The UK's primary defence safety standard, DS 00-56, has been in existence since mid-1990 and has undergone a number of changes, becoming more goal oriented at Issue 4 (the current standard). When Issue 4 was produced, DS 00-55, the MoD software safety standard, was discontinued. Since the publication of DS 00-56 Issue 4 in 2007 there has been feedback on some of the requirements, including the challenges of applying the ALARP principle; defence contracting has changed, with a move towards the greater procurement of services and/or outsourcing management of facilities; and there is increasing use of Systems of Systems (SoS). Issue 5 of DS 00-56 is being developed to address these issues. At the same time there have been increasing concerns regarding software safety, and it has been decided to re-introduce DS 00-55 at the same time, albeit in a goal-based style consistent with DS 00-56 and also covering complex electronics. The tutorial will present an explanation of the motivation for the changes to the standards and the significant conceptual changes, and outline the rest of the development process. Time will be allowed for discussion, e.g. the relationship between DS 00-56 and other standards, both civil and military.

Wednesday 08·14·13, 1:30-3:30, Fairfield: Workshop

Aircraft Fire & Explosion – How Safe Are the Friendly Skies?
Albert Moussa, PhD, PE
While commercial air travel is an extremely safe mode of transportation, aircraft fires and explosions can occasionally occur with catastrophic consequences. Using examples of recent accidents and full-scale testing, Dr. Albert Moussa will provide an overview of the main types of fires, such as those involving aircraft engine, fuel tank, cabin and cargo areas. He will show how major accidents lead to safety recommendations by the NTSB, stricter requirements by the FAA and improved practices by the industry. This process takes many years, leading eventually to safer skies. Examples of safety improvements include the use of a fire blocking layer in seats, improved acoustic insulation, fire detection and suppression systems in cargo bays, and fuel tank inerting. The implications of replacing aluminum with composite materials will also be discussed. The talk is an overview of a unique professional course that he teaches annually on the design of aircraft systems for protection against fire and explosion. The talk is a multi-media presentation illustrated with colorful slides and short video clips of real accidents and computer model outputs.

Dr. Albert Moussa has spent over forty years developing a fundamental understanding of fire and explosion, particularly for the aerospace/defense industry. His work has led to the development of a number of practical solutions and quantitative models and to the investigation of several major national and international aircraft fire accidents. His forewarning about the vulnerability of aircraft fuel systems before the occurrence of the TWA800 and Concorde disasters has gained him prominence in the general media in both the US and Europe. He has consulted for the Air Force, Navy and major firms such as Boeing, GE, Northrop Grumman and Parker Hannifin, and has served on national advisory committees and on the Editorial Board of an ASME Journal. He teaches a unique professional design course on how to protect aircraft systems against fire and explosion. He received his BS from Stanford University and his MS and ScD from MIT. He has published widely, including one book. He has received several honors, including the William Littlewood Memorial Lecture Award by SAE/AIAA, Engineer of the Year by AIAA NE Section, best papers by SAE and ASEI, AIAA Distinguished Lecturer and several ASME citations. He is the Founder and Technical Director of BlazeTech Corp, an engineering firm that specializes in technology and software development in the area of energy, environment and safety.

Friday 08·16·13, 8:00-10:00, Clarendon: Workshop

Process Safety Culture Best Practices
Presenter: Laurence Pearlman, MA, Corven Inc and University of Illinois at Urbana-Champaign, Naperville, IL, USA
The workshop explores how process safety is more than a technical solution and involves cultural change. To make a successful and sustainable culture change, multiple elements need to be combined that address people, rewards, learning and leadership. This workshop will explore best practices and give practical advice on how to build a process safety culture. The workshop is aimed at oil, chemical and other process-related work.

• Introduction
• Change as a Journey: Overview of Change Management
• Building a Business Case: Defining a Burning Platform
• Speaking of Process Safety: Creating a Common Language for Process Safety
• Leadership Matters: Defining the Role of Your Leadership Teams
• Effective Learning: Segmenting Your Audiences and Delivering Relevant Learning Activities
• Looking at Behaviors and Desired Outcomes: How To Define & Drive Behaviors
• The Employee Lens: Know My Barriers & Know My Role in Keeping Them Healthy
• Measurement of Culture: What Works and What Doesn't
• Wrapping it Up: Change as a System

You have a lot on the line. Our adaptive Safety Management and FAA Compliance solutions won't let you down.

Adaptive SMS: the comprehensive solution for the most efficient implementation
Extends a culture of safety beyond safety teams
Easily guides users to confidentially report useful safety events
Responsiveness shows users they made a difference

Adaptive Systems Safety Analysis: safety-oriented system design analysis

Don't miss the Sikorsky Aircraft and AST Aerospace presentation "Linear Integrated Safety Analysis (LISA)"

A Division of Atlantic Software Technologies
1-732-230-2590
sales@astaerospace.com
www.astaerospace.com


Paper Presentations
Monday 08·12·13 AM, Berkeley: Hazard Analysis. Chair: Barondes

Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models
Lucas Wind, Dr. Gabriele Schedl, Juergen Floetzer, Safety Management Department, Frequentis AG, 1100 Vienna, Austria
Multiple failures of components due to shared causes, also known as Common Cause Failures (CCF), comprise an important class of failure types. These have to be taken into account in any serious assessment of safety critical systems deploying any redundancy concept. Whereas a qualitative assessment of CCF can be regarded as common practice, the exact numerical impact of CCF is usually less widely understood. Explicit representation of CCF is quite cumbersome and usually involves complex graphical representations within Fault Trees and RBDs. Focusing on a correct derivation of RAM-data rather than on a comprehensive common cause analysis, an implicit representation of CCF is therefore often preferred, but involves in-depth knowledge of the underlying mathematical models. This paper aims to enable safety experts to make a fast, simple but effective RAM-analysis including CCF. Popular CCF-models are reviewed together with their advantages and disadvantages, based on the long-term experience of a supplier in the context of a large European ATM-project. The single parameter beta-factor model is explained in detail and demonstrated to be most effective for typical ATM-applications. Based on this model, results are given in terms of representative figures depicting the influence of CCF on various typical real world availability requirements.

Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees
Wes Rainey, MSEE, Life Cycle Engineering, General Dynamics Electric Boat, Groton, CT, USA
Fault Trees prove to be an effective tool for identifying safety critical system hardware and software requirements during the Safety Requirements Hazard Analysis (SRHA) process. This safety analysis methodology offers significant benefits when performing the SRHA. Fault Trees effectively communicate the safety assessment of a safety hazard to other safety engineers, systems engineers, the customer and other impacted engineering disciplines in a manner that each discipline can readily understand and evaluate for completeness and correctness. Fault Trees also enhance the safety engineer's ability to assess the implications of safety mishaps and events on safety hazards, improving visibility into the relationship between related mishaps and events and allowing for common events to be identified and shared between hazards. Fault Trees can then be structured to correspond to the system hardware and software requirements analysis, thus providing the ability to identify hazard mitigating safety critical requirements, design features and procedures early in the development process for continued tracking and management. This paper describes significant benefits of Fault Tree analysis when applied to an SRHA, with an example based upon a hazard caused by significant equipment damage to a pump.

The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment
Omar T. Jaradat, PhD Student (1); Patrick J. Graydon, Postdoctoral Research Fellow (1); Iain Bate (2). (1) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden; (2) Department of Computer Science, University of York, York, United Kingdom
Typical safety standards require software engineers to show that a plan of safety activities, chosen from recommended options or alternatives, meets a set of objectives. For example, the automotive safety standard ISO 26262 recommends formally verifying software architectures to show that they comply with safety requirements. In this paper, we show how an existing approach to architectural model checking could be used to conform to ISO 26262.

The Architecture-Based Verification Technique for AADL Specifications verifies some completeness and consistency properties of Architectural Analysis and Design Language (AADL) models. An engineer transforms the AADL architecture into an UPPAAL model, generates a set of UPPAAL queries and uses UPPAAL to check the queries. Using the resulting evidence, we have created a partial ISO 26262 safety case for an existing system that warns drivers of heavy vehicles before low fuel causes loss of power and vehicle control.

In this paper, we demonstrate how this model-checking evidence contributes to an ISO 26262 safety case. We then critically analyze the resulting argument, recommend means of achieving complete coverage of ISO 26262 objectives, and discuss the costs and benefits of architectural model checking in comparison to those of the other techniques recommended by ISO 26262.

Monday 08·12·13 AM, Clarendon: Ground Transportation. Chair: Millin

Achieving Confidence of a Safety Critical System Product and Its Applications
Fenggang Shi, PhD, RAMS Department, Thales Canada Transportation Solutions, Toronto, ON, Canada
A safety critical system product can be developed for multiple project applications, such as a Communication Based Train Control (CBTC) product for modern railway signaling systems. It is natural that different safety critical systems in the same domain can have different characteristics due to variances of devices and operation environment. Such a product must be developed based on the generic attributes of systems in the domain, and can be parameterized and tailored to a specific system with the characteristics expected by the customer. The key issues in development of such a product are defining common functions in the application domain, categorizing and generalizing devices, and designing a configurable system architecture. Thus devices and functions can be parameterized and tailored for a specific system of a project. Safety engineering for such a safety critical system product and its applications faces complexity in safety case development for demonstrating systematic hazard analyses and management. This paper discusses Thales' experience and practice of resolving the key issues in designs and managing the complexity of safety engineering on its CBTC product and applications. Safety confidence of CBTC systems is achieved through four layers of safety engineering: vital computer controller, platform, generic application and specific application.

Failure Logic Automata for Future Oriented Safety Assessment of Train Control System
Guo Zhou, PhD Student; Huibing Zhao, Professor; School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China
In the development progress of a train control system, safety analysis possibly deviates from system design. System engineers and safety engineers always carry out their ideas in entirely different ways, so that when system engineers assert their designs are completed and feasible, the safety engineers may disappointedly declare that the safety requirements are not met. On the contrary, when safety engineers expose their manual analysis reports (FTA and FMECA, etc.), system engineers may pop up and point out the inconsistency. Intuitively, there seems to be a "gap" between system engineering and safety engineering. In this paper, some comparisons amongst classic safety assessment methods are performed first. Then a future oriented safety assessment method is introduced to safety engineering to automatically realize safety requirements verification with the soaring complexity of system design. The hierarchical and modularized methodology of failure logic modeling is illustrated for minimal cut sets synthesis and dangerous failure rate calculation, which can be referred to prompt the safety. The mathematic model is constructed to manifest the correctness of the method. An instance analysis of an on-board train protection system is also performed.

Are We Ready for Driverless Cars?
David B. West, CSP, PE, CHMM, AMCOM/AMRDEC Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
For decades, technological advancements have continually improved the automobile, making it easier to drive. As we integrate features like adaptive cruise control, GPS navigation, lane keeping and so on, and make them interoperable, we move ever closer to having cars that will drive themselves to the destinations we enter into their programs. Some experts have even predicted that in less than a generation it will be illegal to steer our cars ourselves. Though it may seem that serious safety challenges constrain our movement down this path, it may actually be the safety benefits offered by driverless cars that propel us in this direction. Several high-profile competitions have fostered the development of driverless car technology. Some jurisdictions are already passing legislation to pave the way for driverless cars on public roads. With driverless cars will come major changes in legal processes involving accidents. In many ways, the development of driverless cars that will operate on public roadways parallels the development of unpiloted aircraft that will fly in the national airspace. Design standards for hardware and software in civil aircraft (e.g. RTCA DO-254/DO-178) may serve as models for similar qualification of driverless car hardware and software.

Tuesday 08·13·13 AM, Berkeley: Hazard/Risk Management. Chair: Parizo

Safety is not an Option
Clifford A. Parizo, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Stratford, CT, USA; R. Brandon Daugherty, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Huntsville, AL, USA
This paper presents a method for evaluating and classifying rotorcraft safety enhancing equipment in terms of impact on safety and various equipment implementation factors. Guidance from certifying agency policy and system safety standard practice were considered, resulting in a classification tool that can be used to determine if equipment should be marketed and sold as either mandatory or optional. The methodology developed may have applications for other products and industries.

National Aerospace Standard 411 Update
Timothy Sheehan, CIH, CSP, PE, Raytheon Global Substances Program, Raytheon, Portsmouth, RI, USA
This paper describes the effort to review and update National Aerospace Standard 411 ("NAS 411"), commonly used within defense as a framework to conduct Hazardous Material Management Programs (HMMP) intended to reduce hazardous material risks in the government procurement of military systems. The scope of the effort includes both a review of the standard and the introduction of several key changes, including the expansion of the scope to non-military procurements and service contracts. Included in the effort is the task of developing a standardized military Hazardous Materials Target List (HMTL) that can be used as a starting point for military HMMP hazardous material (HAZMAT) target lists. The development of the common HMTL addresses the need to increase standardization of HMMP lists across defense programs that use NAS 411 and/or MIL-STD-882E Task 108 to conduct their HMMPs. There is currently no standard approach for developing these lists; as a result, there are numerous different materials identified for restrictions and reporting requirements. The current situation often does not support (or reflect) the hazmat risk management goals of the DoD, the military services or the contractors.

Linear Integrated Safety Analyses (LISA)
Michael T. Grant, Aviation & Product Safety, Sikorsky Aircraft Corp, Stratford, CT, USA; Samad Muhammad, Atlantic Software Technologies Inc, New York, NY, USA
This paper describes the Linear Integrated Safety Analyses (LISA) process developed by the Sikorsky Aircraft Corporation (Sikorsky). The LISA architecture is designed to encompass all aspects of safety risk management for aircraft development programs. It is linear in that each assessment is repeated at the aircraft, system and subsystem levels in sequence, and it is integrated such that all analyses are connected and fully traceable to requirements. Sikorsky has partnered with Atlantic Software Technologies (AST) to develop a web-based LISA application. The end product will be a fully integrated system safety process that is comprehensive, repeatable and traceable.

Tuesday 08·13·13 AM, Clarendon: Workspace Safety. Chair: Kondreck

Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen
Han Zhang, MSc Candidate; Rachel McQueen, MS, PhD; Jane Batcheller, PhD; Human Ecology, University of Alberta, Edmonton, Alberta, Canada
Burn injuries in kitchens are prevalent; as well, chefs are exposed to high heat and humidity. Limited research has been performed on safety issues related to chef's uniforms regarding thermal protective performance towards common kitchen thermal hazards (i.e. flames, hot liquids, steam and hot surfaces) and the thermal comfort within commercial kitchens. The purpose of this research was to characterize the thermal protective performance properties of textiles used in chef's uniforms in order to understand how protective they are against all these thermal hazards in such an environment. Selected thermal performance tests (i.e. flammability and ease of ignition, hot water and oil splash, steam testing under low pressure, and hot surface contact tests) were applied to predict the time to second-degree burn. Different fabric layer combinations (e.g. impermeable/semipermeable apron and two or more layers of cotton fabrics) were applied to determine the most effective way to wear chef's uniforms. In addition, thermal and water vapour resistance were compared among different fabric systems in terms of thermal comfort. Based on the data obtained from bench scale tests, recommendations were made to improve the thermal protection and thermal comfort of fabrics used in chef's uniforms and the safety within commercial kitchens.

A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources
Ray Fischer (1); Kurt Yankaskas, BS (2); Chris Page (1). (1) Noise Control Engineering Inc, Billerica, MA, USA; (2) Warfighter Performance Department, Office of Naval Research, Arlington, VA, USA
Noise remains the most prevalent occupational hazard associated with defense systems and operations critical to their sustainment. Concurrently, acquisition programs have been inconsistent in application of control measures, and many new systems are noisier than their legacy predecessors. Common impediments to improved control include relative lack of emphasis on risk management of noise, lack of widespread technical knowledge regarding the feasibility of noise control, and misunderstanding of potential return on investment from noise controls. The Defense Safety Oversight Council's Acquisition and Technology Task Force sponsored a project to identify common noise sources affecting multiple defense systems that were amenable to control measures that could be implemented using existing technologies at an affordable cost. A system engineering risk management process was applied to review key noise sources in DOD, identify nine of the more common sources amenable to control technologies, and describe common control measures for these processes. An affordable containment (acoustic enclosure) technology was also evaluated and described. Estimates were made of exposed populations, the range of their occupational exposures, and potential risk and fiscal cost of hearing loss. Cost-benefit analyses were applied to evaluate the return on investment from available control measures.

System Safety Design for Safe Operation of Radars
Ronald J. Bartos, PE, CSP, Whole Life Engineering, Raytheon, Sudbury, MA, USA
Safe operation and maintenance of radars depends upon effective system safety and software safety analyses of radar designs. These analyses include identification of the hazards involved in operating and maintaining radars and the safety requirements that are necessary to mitigate these hazards. This paper familiarizes the reader with the system safety design requirements that are implemented in the controls of these systems in order to manage the potential safety risks inherent in radars. The safety features are contrasted among different types of radars. The differences in the types of safety features among these systems are highlighted and factors for these differences are presented. The radar's mission, location, system architecture, conceptual design and requirements allocation between hardware and software need to be understood in order to implement an effective safety program.

Tuesday 08·13·13 PM, Berkeley: Software Engineering. Chair: Mikula

Dependability Techniques Applied to Space Software - A Research Project Report
Carlos Henrique Netto Lahoz, Dr. Eng., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos (SP), Brazil; Martha Adriana Dias Abdala, MS, Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos, Brazil
This work reports some results of a research project performed at the Institute of Aeronautics and Space (IAE), Brazil, using dependability techniques applied to a space computer system. Hazard analysis techniques such as Software FTA and Software FMECA were used in an integrated manner, and more recently the System-Theoretic Process Analysis (STPA) has been studied. This research is part of the Verification and Validation (V&V) efforts to increase software dependability capability in software projects at IAE.

The feasibility of such an approach was conducted on system software specification and applied to a case study based on the Brazilian Launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to inclusion of new functional and non-functional system software

The techniques are adjusted and used in combination to identify common causes of software failures, their criticality, performance problems, temporal misleading and hazards arising mainly from dysfunctional interactions between components. The SFTA analysis produced 82 basic events and the SFMECA 34 analyses from the sequence of flight and control events. The STPA is being applied to one of the case study scenarios in order to evaluate possible additional information about how the behavioural safety constraints can be violated.

The Principles of Software Safety Assurance
Richard Hawkins, PhD; Ibrahim Habli, PhD; Tim Kelly, PhD; Department of Computer Science, University of York, York, United Kingdom
We present common principles of software safety assurance that can be observed from software safety standards and best practice. These principles are constant across domains and across projects, and can be regarded as the immutable core of any software safety justification. The principles also help maintain understanding of the 'big picture' of software safety issues whilst examining and negotiating the detail of individual standards, and provide a reference model for cross-sector certification.

Program ISSC 2013

Formal Modelling in the Development of Dependable Systems
Elena Troubitsyna, PhD, IT, Åbo Akademi University, Turku, Finland
Nowadays we tend to place increasing reliance on computer-based systems and the software which they are running. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, the analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.

It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing of software to the required degree of dependability infeasible, and hence the emphasis should be put on the development process, which is aimed at producing fault-free software. Moreover, the system environment has a direct impact on its dependability, and hence a systems approach should be applied.

In the paper we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.

Tuesday, 08/13/13, PM, Clarendon: Aerospace Safety. Chair: Kraemer

Systems-Based Approach to Flight Safety Management in Airlines
Hong Chi, PhD; Baoguang Xu, PhD; Mingliang Qi, PhD; Xueyan Shao, PhD; Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China
Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of SMS. From 2006 we have worked with one of China's 3 big airlines, taking part in its construction of SMS. We find that safety risks have their own features in different airline departments, and divide safety risks into two categories: one is caused by factors such as quality of pilots and reliability of airplanes, and the other is caused by misprocessing through operational processes; for example, a misprocessing in data entry during dispatching may lead to insufficient fuel and then serious outcomes. A reasonable risk assessment can be obtained only by systematic mechanism analysis, and other analytical approaches need to be studied besides the risk matrix. Based on this, effective risk mitigation can be implemented in airlines. We develop a closed loop to support airlines' flight safety management, named "Describing-Assessing-Diagnosing-Improving-Tracking". Specific details will be discussed in this paper.

Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch
Burak Durmaz, MSc Eng, Product Assurance Department, Space Systems Group, Turkish Aerospace Industries Inc. (TAI), Ankara, Turkey
Even if the new generation aircraft have rugged designs which maximize reliability, exposure to failures during operation is still indispensable. With a pure safety approach one can arrive at the classical result "the safest aircraft is the one in the hangar". Vice versa, allowing dispatch without ensuring a certain level of safety can lead to catastrophic results and is totally not acceptable. MMEL has been answering this dilemma for many years. Each MMEL item is analyzed taking into account the effects of item inoperability on safe flight and landing, crew workload, functional capabilities of the systems, design margins and the impacts due to the next critical failure. MMEL proposes dispatch criteria for any inoperative MMEL item by taking credit from a redundant unit which is capable of accomplishing the same function or the backup data provided by alternative sources or equipment, dictating acceptable limitations and/or requiring operational or maintenance procedures.

This study aims to answer questions such as why MMEL is required and how an MMEL is developed. Also, brief information about the MMEL regulations, the importance of MMEL to ensure safe dispatch with inoperative item(s), and some simple examples regarding MMEL applications will be provided.


Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics
Stuart Campbell Sr., MAS, CFII, ATP, Aeronautical Science, Embry-Riddle Aeronautical University, Daytona Beach, FL, USA
The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilots Association, 2010). The absence of a positive safety culture in general aviation, to include training organizations, affects pilot judgment and decision making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture during the learning process and training, is of importance and currently under study using the Frasca Mentor Advanced Aviation Training Device.

Tuesday, 08/13/13, PM, Dartmouth: Software Safety. Chair: Schmedake

Safety and/vs. Security: Towards a System Engineering Approach for Trust
Erwin Schoitsch, Dipl.-Ing., Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria
Safety has a long tradition in many engineering disciplines, evolving long before computers arrived on the scene. Security in engineering disciplines has a shorter history, becoming increasingly important with the rising complexity of networked systems. In complex cyber-physical systems and systems-of-systems, both worlds, having ignored each other for a long time (independent communities, different targets, standards, techniques and measures), now have to share their concerns to achieve the real goal of users and stakeholders: trustworthy systems.

The paper will compare the different approaches of the major safety and security standards, particularly with respect to setting goals, considering techniques and measures, and qualification/certification. Holistic system aspects, as covered by the notions of Dependability and Resilience as umbrella terms, and system engineering aspects taking into account dichotomic properties of complex embedded systems (commonalities and trade-offs) are looked at to try to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from concept phase, hazard and risk analysis to decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC-FP7 Integrated Project OpenCoss, in IEC/ISO standardization groups, and other work.

Anatomy of a Safety Critical Software Function
Richard Church, Raytheon Company, Tewksbury, Massachusetts, USA
This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides a clear and concise determination of how a safety critical function may be defined at the system level to include hardware, software, human interactions and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose SLSCF computing level functions and details what constitutes a Safety Critical Computing Software Function (SCCSF) and how to identify those behavioral attributes that designate that function as safety critical. This paper provides a methodology to identify, decompose and categorize application and operating environment SCCSFs. For the purpose of this paper, SCCSFs are categorized into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety critical software functions that control and monitor safety critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies and fail-safe designs found in successful high consequence safety critical systems.

Software Risk: The Third Rail of Safety Analysis
Holly S. Hildreth, PhD, Consultant; Charles Greg Elcock, USN-R Aviator, Consultant; San Diego, CA, USA
"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Due to our inability to assess probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called "throwing the baby out with the bath water". Meanwhile, the recent industry trend to assess software risk based solely on implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss shortcomings of this trend and describe alternative techniques that have not been openly documented but that have been used "under the radar" by software safety professionals for many years.

Wednesday, 08/14/13, AM, Berkeley: Human Factors. Chair: Robins

ASL: Affective Safety Leadership
Ulrik Ramsing, Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark
Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how", demanding that the CoRep engage with all parties in a safe, professional and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged with CfL Centre for Leadership to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, the satisfactory completion of which is now a requirement for employment in DONG E&P Offshore Operation as Company Representative.

The CoRep Program satisfies its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors and ILO-driven offshore coaching.

Exxon Valdez: Human Error, Plain and Simple
Arthur D. Barondes, BS (Mil Engr), MS (Aero), MBA, PhD (ABD) (Business), Analytics International Corporation (AIC), Alexandria, VA, USA
Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989, and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors (there were no mechanical or electrical failures that fateful night), the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots, and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors, onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company, as solely responsible for the disaster.


Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A. Vernacchia, MS, PE, Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A. Green, PhD, Active Safety Systems, General Motors, Warren, MI, USA; Robert E. Llaneras, PhD, Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA
Today's electric propulsion system designs (e.g., Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, some failure modes may result in the failure effect on output torque being realized significantly faster than traditional ICE failure modes. These may present differences in how output torque responses impact potential "Driver Startle" events.

This paper compares electric propulsion systems' fault response characteristics and subsequent detection and mitigation capabilities to those of ICE systems. The effects of the electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle level hazard metrics related to Driver Startle, are presented.

Wednesday, 08/14/13, AM, Clarendon: Public Safety. Chair: Fletcher

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD; Yun Luo; Shuo Tian, MS; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
To make scientific precaution and effective control of accidents is important for the national production of China. The famous Heinrich Rule reveals that the statistical law of the severity and frequency of accidents is essential to control accidents, but the accidental source and causation, as well as the essence of systematic safety factors, haven't been stated deeply. With the data analysis from various accident statistics over recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. And then a proportion rule of the accident pyramid is further figured out, namely "Major Accident - Fatal Accidents - General Accidents - Hidden Dangers - Hazards" (1-52-240-4700-∞). The result accords with the traditional Heinrich Rule, which provides the theoretical basis for accident prevention and indicates the way and direction of realizing essential safety.

Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity
Ilya M. Zheleznov, PhD, VNIIA, Moscow, Russia
The paper presents a review and results of analysis of different technical and economic aspects of industrial safety at a large enterprise with distributed sites, combining R&D works with pilot and batch production of high-tech products, and located in a megacity: Moscow.

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to the optimization, considering minimization of transportation of dangerous substances, localization of treatment facilities (waste effluents, gas purification) and storehouses of waste, localization of systems of working conditions maintenance (heating, air-conditioning, air clearing, water supply, etc.), possible harm to the population and a number of other factors, both from technical and economic points of view, are considered.

The features connected with the arrangement of the enterprise in a megacity, including limitation of the areas for treatment facilities, a high saturation of the area by various communications, small distances to residential buildings and objects of the infrastructure of a city, transport problems, high impurity of the air environment, etc., are allocated.


Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr. Professor G.A. Smirnov, Dr. D.I. Yurkov, D.V. Syagin, T.V. Kozhina, All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia
The paper reviews the questions related to vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including ones of a terrorist orientation, as well as to emergency situations of natural and anthropogenic character.

Main provisions of the Russian Government-approved complex program of safety of the population on transport are presented. Approaches to the organization of examination of physical persons (passengers), vehicles, cargoes, luggage and personal things on objects of the transport infrastructure of the undergrounds of Russia are formulated. Some types of neutron and x-ray equipment designed and produced by VNIIA named after N.L. Duhov for detection of explosives, nuclear materials and drugs are presented.

Wednesday, 08/14/13, AM, Dartmouth: Lifecycle Safety. Chair: Swallom

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore, Singapore
System Safety analyses assess the systems' hazards throughout all phases of the system life cycle. Quite often, details of maintenance tasks on systems are not clearly thought out and assessed. Hence, while in the midst of carrying out system maintenance tasks, hazards could arise and pose safety implications to users. Improper maintenance could also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance and sometimes total replacement of the components at regular intervals are required. Therefore, it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety critical or safety related parts is also crucial in ensuring that the systems remain safe for operation after conducting maintenance.

This paper attempts to classify the different types of maintenance and the focuses of their respective hazard analysis in order to better address their potential hazards. Generally, there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance and Reliability-Centered Maintenance. The authors will discuss, with examples, the hazard analysis for each of these types of maintenance.

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram, David Hartfelder, Electronic Controls and Software, General Motors Company, Milford, MI, USA
System safety engineering is the application of special technical methods and managerial processes in a systematic manner to identify, evaluate and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned with eliminating or minimizing the impact of system hazard(s) to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementing critical safety analyses, tests and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that it is able to influence the design of the system. This paper will define a system safety case and provide an overview of its development within the GM system safety engineering process as it applies to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA
Error Prevention Event Collection (EPEC) Documents have been beneficial to the ULA Organization in many ways by providing multiple methods to augment current ULA Error Prevention Processes and share Lessons Learned throughout the ULA Organization. EPEC Documents are stand-alone documents that provide ULA Personnel with categorized sets of Event information that can be used to augment Preventive Analysis, Reactive Analysis and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process. This means that they have completed the Causal Analysis, Corrective Action Board and Error Prevention Council processes. Upon Event closure, the "All Items" Database is populated with Event information and the applicable Event EPEC Categories. Then the "All Items" Database automatically sorts Event entries into "Category" Databases. There is one "Category" Database for each EPEC Category. Each "Category" Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" Database that provides users with instructional use, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications and benefits will continue to be explored as they relate to the EPEC Documents.

Wednesday, 08/14/13, AM, Exeter: Human Factors II. Chair: Flint

Development of Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy; Yanyan Wang, DE; Xin Liu; Wei Bai; Xinsheng Guo; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress has a disadvantage on flight safety. Life events are a routine item of aircraft accident investigation in many countries. A lot of pilots involved in accidents suffer from life events. In order to acquire the ideal effect, flight safety education must be incorporated with psychology. An education program combining flight safety and psychological stress was developed by summarizing relative psychological factors of aviation risk perception. The program includes three sections: psychological measurement relative to safety and results feedback, education on representative risk scenes in aviation, and occupational stress management. The Aviation Safety Locus of Control scale and the Hazardous Aviation Attitude questionnaire were used to evaluate risk pattern. The results were fed back to pilots to improve their self-knowledge. Representative risk scenes were based on the five hazardous attitudes theory. Fifteen cases were developed and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach the pilots stress management skills. The program can be applied to improve the flight safety and mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD; Xin Liu; Wei Bai; Xinsheng Guo; Qingfeng Liu, MPsy; Xiaochao Guo, DPsy; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
The capabilities of crew resource management (CRM) directly relate to flight safety and run through the whole process of flight tasks, but there are still no indicators and methods for the dynamic management and assessment of crew resources in China currently. In this study, a theoretical system of CRM and pilots' behavior characteristics of dynamic CRM were developed based on AC-121-FS-2011-41 crew resource management training and by analyzing the influential factors; thus eventually the dynamic assessment training indicators and methods of crew resource management were formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis of assessment of CRM during flight training, which is helpful to improve the CRM capabilities of the double drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD; Erin Collins; Hughes Associates Inc., Baltimore, MD, USA
The fire protection response in selected facilities is characterized by "manual" activities. That is, facility personnel are trained to immediately react after fire detection, not only to announce the fire event throughout the facility using the communication systems, but to also suppress the fire as quickly as possible. Contrary to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e., hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper involves an integration of an event tree analysis and HRA, which includes treatment of the following detection and suppression activities: Prompt detection and suppression, Rapid detection and suppression, and Fire brigade suppression.

Wednesday, 08/14/13, PM, Berkeley: Safety Topics. Chair: Gauthier

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou, BEng, MSc, PhD, CEng; Matthew Luckcuck; Tim Kelly, PhD; Richard W. Jones, PhD; Department of Computer Science, University of York, York, United Kingdom
There has been an increasing use of IT in healthcare, aiming to improve the healthcare quality as well as the safety delivered to patients. IT can contribute to improvement in meeting the performance targets of hospitals by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent in medical devices (e.g., pacemakers), for which there are organised efforts for international standards. Recently there have been attempts to systematise and standardise the safety analysis of health IT systems, with examples such as the UK National Health Service standards asking for a safety case that any IT systems are safe.


The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety and data intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these (tactics) can be used to provide assurance to the final safety case of the system.

How Complex Systems Fail, I: Decomposition of the Failure Histogram
Richard R. Zito, PhD, Richard R. Zito Research LLC, Tucson, AZ, USA
Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that in general the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model. And the failure histograms (failure rate vs. time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report will take the Peterson/Arellano analysis one step further. A unified theory of failure rates will be presented that removes the paradoxes of the simple Rayleigh model. It will be shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function law.

Wednesday, 08/14/13, PM, Clarendon: Risk Assessment. Chair: Karedes

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt; Joan Pham, PhD; Sikorsky Aircraft Corporation, Stratford, Connecticut, USA
The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday, 08/15/13, AM, Berkeley: Space Systems. Chair: Durmaz

Using the System Safety Management Plan to Effectively Implement Air Force Orbital Safety Policy
Lan X. Dang, BSCE (1); Myles P. Moran, BSME (2); Tyrone Jackson, BSEE (1); (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA
A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. An example: one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 AFSPCSUP1, 91-217 and 63-101. AF program offices are required to comply with AFI policies. AFIs don't generally apply to the contractor except as implemented through the contract. Often, program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that by having two sets of requirements, AFIs for program offices and MIL-STD-882-Tailored for contractors, full compliance with AF Orbital Safety policy should be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"


Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G. McDougall, BS Physics, Naval Post-Graduate School (NPS) Master System Engineering, System Safety Center, SMC/SE, El Segundo, CA, USA; Tyrone Jackson, BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA
Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommission and disposal of systems, subsystems, end items and services during the entire space system lifecycle to support Operational Safety, Suitability and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements that are applicable to the acquisition of space systems or space system of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems and user equipment systems. SMC-tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202 AFSPC SUP I and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process of evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing tasks and activities required to execute a viable system safety program that include risk acceptance package development, hazard tracking, mishap risk disposition and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch, CO, USA

United Launch Alliance launches Atlas V and Delta IV from Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles. Large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle, and prelaunch operations till liftoff. Range Safety regulations provide safety requirements for hardware, software and operations to ensure safety throughout the ground processing. This paper will examine each stage of the ground processing for space launch and the applicable safety requirements, and discuss how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after the personnel are cleared, using safety critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday 8/15/13 AM, Clarendon: Weapons Safety (Chair: Southwick)

Security Critical Software — the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S. Alborzi, PhD, Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA

Today's political landscape, the arbitrary abandonment of non-proliferation of nuclear weapons by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with the system security to provide protection for our critical assets. In this endeavor software security becomes the frontline defense to system safety. This paper intends to explore this integration and unveil some of the security critical software that can serve as the first line of defense for preserving the safety critical features of our weapons systems.


Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams, BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello, BSChE, Navy NOSSA, Indian Head, MD, USA

The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance provided in the associated AOP-7 and AOP-39 for implementing policy. Questions are often raised during program development and reviews as to the origin and applicability of tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, will only address Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE; Gunendran Sivapragasam, MBA SE; Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA

A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among those characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday 8/15/13 AM, Dartmouth: Hazard Identification (Chair: Oliver)

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore

We often asked ourselves why accidents or mishaps happened even when the system safety methodology and assessments were in place. Accidents happened due to many possible causes. There could be lapses in the safety integrity of the system, or a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns that a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations that were faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practices in system safety. There are 4 areas of concern highlighted in the paper: Interfaces; Prototype, Tests & Trials; Maintenance & Disposal; and Human Error. By identifying the gaps in these 4 areas, the author explores and proposes mitigation measures that could possibly close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr. Cand. scient., System Safety, SINTEF, Trondheim, Norway

Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body (for certification according to IEC 61508), a Notified Body (for certification according to relevant EU directives), and a Manufacturer.

Experience has shown that, to deliver the product in time and to be cost-effective, it is very important that the Manufacturer and the Certification and Notified Body agree about basic principles concerning the plans, contents, traceability and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Body as evidence.

This paper presents the CoVeR method, which has been developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, that costs are minimized, that time to market is reduced, that the certification process is complete and well documented, and that updates of the certificates require less work. The certification experiences to date show that many of the problems with conventional methods are improved.

Design with Safety Eye
Barış Berk Erdem, MS; Pinar Aydin, MS; Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey

Deriving safety requirements in the early stages of the design is one of the most important key factors to conduct a successful development process for any project. As well-defined, correct, consistent and complete safety requirements improve and guide the design to perfect levels with minimum effort, defective, inconsistent and incorrect safety requirements may lead to unsuccessful, overweight and over-cost designs. In this paper, ways and advantages of deriving qualified safety requirements in early stages of the design will be discussed via examples. Safety requirements are derived using the results of the safety assessments, based on the consequences of functional failures. But the quality of safety assessments is based on the maturity of the design, and as the design matures it is hard to change and implement the changes, which causes a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated and familiar with similar projects provides great contributions. Also, a safety perspective throughout the design team makes it easy to derive valuable safety requirements and bring these requirements into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is cooperation of all the design team with a safety perspective.

Thursday 8/15/13 PM, Berkley: Aerospace Software (Chair: Beecher)

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway, NASA Langley Research Center, Hampton, VA, USA

For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements." Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments contained in, or implied by, the DO-178C guidance that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore, developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels, and Baconian probability. We define use cases for confidence in safety cases, prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for reuse of safety elements.

Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System
Eric Yang, PhD; Richard Y. Xie, PhD; Arash Yousefi, PhD; Metron Aviation, Inc., Dulles, VA, USA

As demand for military, civilian and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate the UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety that is set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper we adapt a previously developed safety modeling framework, Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS, incompatibility of sense-and-avoid systems of UAS and Tactical Collision Avoidance Systems (TCAS) of manned aircraft, loss-link procedures in the UAS, and the UAS loss of communication with air traffic control. The findings of this study provide insight into potential risks of UAS integration and may support development of a concept of operation, establishing minimum performance standards, and developing required safety nets.

Thursday 8/15/13 PM, Clarendon: Public Safety II (Chair: Laabs)

Integrating System Safety and Emergency Management
Terry L. Hardy, Great Circle Analytics, LLC, Denver, CO, USA

System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations, or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience, and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS; HSE, Marine Well Containment Company, Houston, TX, USA

Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess and Statoil. In February 2011, MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS, and the Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach for working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.

Advertisement: What are your strengths as an engineer? "Thinking system-wide." "Providing in-depth analysis of the latest technologies." "Solving real-life problems."

Online Master's Degrees: Reliability Engineering; Project Management; Nuclear Engineering; Sustainable Energy; Energetic Concepts; Fire Protection Engineering

Learn more: www.advancedengineering.edu/issc

A Taxonomic Analysis on Chinese Special Equipments "Yinhuan" in Supervision
Yunxiao Fan, Dr., Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety at the worksite. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices and automobiles. In recent years, the rapid increase in numbers and types of special equipment has brought BSES increasing stress on special equipment regulation. As a government supervision organization, BSES tries to make the inspection tasks of different supervision levels explicit and efficient, and to improve safety management performance based on the view of risk. This research is the first task in the project, which aims to identify yinhuans in special equipment supervision using a taxonomy approach, for further ranking them through risk assessment. Based on nonconformity and 4 elements in the accident causation model, this research defined yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. This research identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans of 8 types of special equipment.

Thursday 8/15/13 PM, Dartmouth: Hazard/Risk Management II (Chair: Kniess)

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1); Patrick J. Graydon, PhD (2); Rikard Land, PhD (1). (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework including analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach, the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence; it can ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA

United Launch Alliance (ULA) believes error reporting is the corner-stone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as Events) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012, ULA experienced an elevated number of transportation related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates processes were "in control" during the period of this study.

Even though statistical analysis tools demonstrated ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.

Advertisement: Isograph Software, World Leading Reliability, Availability and Maintenance Software. Reliability Workbench: Reliability Allocation, Prediction, FMECA, Fault Tree Analysis, Event Tree Analysis, Markov. Availability Workbench: Reduce Labor & Spares Costs; Increase uptime and output; Seamless integration with SAP and Maximo. www.isograph-software.com

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, P.Eng., MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece

Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how the STAMP Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents and incidents. The objective is to show the feasibility of establishing in airports system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems and airports to assess and predict changing levels of risk.


Special Functions

Saturday: SSS Executive Council Meeting, 12:00 - 5:00pm, Tremont Room

Sunday: SSS Executive Council Meeting, 8:00am - 5:00pm, Tremont Room

Monday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room. Opening Ceremonies / General Session, 1:30 - 3:30am, Salons A-E; 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus; Keynote Speaker: James P. Keller, Jr., MS, ECRI Institute

Tuesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room. Sponsor/Exhibitor Luncheon, 11:30am - 1:20pm, Salons A-E; Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology. Sponsor & Exhibitor Reception, 6:30 - 8:30pm, Gloucester Room

Wednesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room. International Luncheon, 11:30am - 1:20pm, Salons A-E; Speaker: Dr. John McDermid, The University of York, UK. Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00pm; be in the hotel lobby at 6:00pm

Thursday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room. Awards Luncheon, 11:30 - 1:20pm, Salons A-E

Friday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room. Best Papers Presentations, 8:00 - 11:20am, Dartmouth Room

32nd International System Safety Conference, 4-8 August 2014 · St. Louis, MO
St. Louis Union Station Marriott Hotel
Gateway to Safety

Local attractions: Gateway Arch Riverfront; Missouri History Museum; Museum of Transportation; St. Louis Cardinals; St. Louis Symphony; St. Louis Union Station; St. Louis Science Center; The Contemporary Art Museum St. Louis; Bissell Mansion Restaurant and Dinner Theater; Missouri Botanical Gardens; Laumeier Sculpture Park; Anheuser-Busch Brewery; Kemp Auto Museum; Schlafly Bottleworks; Fox Theater; Purina Farms; Meramec Caverns; Laclede's Landing; City Museum; Magic House; Grant's Farm; St. Louis Zoo; Delmar Loop; Forest Park; Harrah's; Six Flags

About the System Safety Society

The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program or activity at the planning phase and continues through the design, production, testing, use and disposal phases.

The Society's Objectives:
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering, and other professional groups

System Safety Society, Inc., PO Box 70, Unionville, VA 22567-0070; www.system-safety.org; email: systemsafety@system-safety.org

Points of Contact

Officers
Robert Schmedake, President, robertaschmedakeboeingcom
Dr. Rod Simmons, Executive Vice President, rodsimmonsmecom
Dr. Matt Johnson, Executive Secretary, mjohnsonstaudertechcom
Pam Kniess, Treasurer, pamkniessgmailcom
Gary Braman, Immediate Past President, gbramansikorskycom

Directors
Gerry Einarsson, Chapter Services, einargkrogerscom
Lynece Pfledderer, Conferences, Lynecepfleddererlmcocom
Dr. Chuck Muniak, Education & Professional Development, cmuniakstevensedu
Debbie Hale, Gov & Intersociety, Hale0324hotmailcom
Robert Fletcher, International Development, rwfletchersympaticoca
Melissa Emery, Member Services, memeryapt-researchcom
Steve Mattern, Mentoring, R&D, smatternbastiontechnologiescom
Saralyn Dwyer, Publicity & Media, sdwyerapt-researchcom

Chapters

Tennessee Valley Chapter (AL): Don Swallom, swallomisss-tvcorg
Saguaro Chapter (AZ): Amanda Boysun, 520-794-5487, AmandaBoysunraytheoncom
Bay Area Chapter (CA): Graham Murray, 408-756-2674, grahamtmurraylmcocom
Central California Chapter (CA): Kathleen Brenna, KathleenBrenna1usafmil
Sierra High Desert Chapter (CA): Jerry Banister, 760-377-4690, safetycitadelearthlinknet
Southern California Chapter (CA): Francis McDougall, 310-653-1309, francismcdougallusafmil
Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppecomcastnet
Georgia Chapter: Terry Gooch, 770-494-3527, terryjgoochgmailcom
Winners Circle Chapter (KY/IN): Marc Bever, 812-854-1351, Marcbevernavymil
Twin Cities Chapter (MN): Bill Blake, 763-744-5086, billblakeatkcom
New England Chapter: Alan E. Southwick, 401-842-2067, Alan_E_Southwickraytheoncom
Northeast Chapter: Scott Beecher, scottbeecherPWutccom
New Mexico Chapter (NM): William (Bill) Harwood, williamharwoodmdamil
Houston Chapter (TX): Derek Robins, 281-335-2011, derekrobbinsmwcc-usacom
North Texas Chapter (TX): Frank Rinaldo, 817-762-3075, frankrrinaldolmcocom
Washington DC Chapter: Sean Peters, seanpetersurscom
Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerberbaesystemscom

International Chapters

Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbechtrgbassurancecomau
Canada Chapter: Maury Hill, 613-220-0533, Mauryhillrogerscom
Israel Chapter: Haim Kuper, 972-4-8315044, haimkuperelbitsystemscom
Singapore Chapter: Ten Lin Mei, tlinmeidsoorgsg


31st ISSC Luncheon Menu

Tuesday, August 13: New England Clam Chowder; Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction; Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14: Asian Inspired Salad; Teriyaki Chicken, Coconut Rice, Seared Bok Choy; Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15: Caesar Salad; Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato Pesto Butter Sauce; White Chocolate and Blood Orange Torte

Tutorial rooms: Exeter / Fairfield / Wellesley
Time slots: 8:00 - 8:50, 9:00 - 9:50, 10:30 - 11:20, 1:30 - 2:20, 2:30 - 3:20, 4:00 - 4:50

From 8:00 - 8:50:
• Exeter: Tutorial: Hands-On System Safety Basics Focused On FHA, Winkelbauer, Schedl (3 hrs)
• Fairfield: Tutorial: Introduction to Fault Tree Analysis Using CAFTA Software, Roy (3 hrs)
• Wellesley: Committee & Group Meetings

Schedule: Tuesday 13 August
4th Floor: 8:00 - 5:00 Registration. Simmons Room: 6:30 - 8:00 Speakers' Breakfast. Regis Room: 8:00 - 5:00 Presenter Prep.

Rooms: Arlington / Berkley / Clarendon / Dartmouth

8:00 - 8:50
• Arlington: Tutorial: A Tutorial on STPA, A New, More Powerful Hazard Analysis Technique, Leveson, Thomas (6 hrs)
• Berkley: Hazard/Risk Management (Parizo): Safety is not an Option, Parizo, Daugherty
• Clarendon: Workplace Safety (Kondreck): Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen, Zhang, Batcheller, McQueen
• Dartmouth: Open Forum (Fletcher): Developing Global System Safety Perspectives

9:00 - 9:50
• Berkley: National Aerospace Standard 411 Update, Sheehan
• Clarendon: A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources, Fischer, Yankaskas, Page

10:30 - 11:20
• Berkley: Linear Integrated Safety Analyses (LISA), Grant, Muhammad
• Clarendon: System Safety Design for Safe Operation of Radars, Bartos

Sponsor & Exhibitor Luncheon, Salons A-E. Guest Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology. Menu: New England Clam Chowder; Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction; Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

1:30 - 2:20
• Arlington: Tutorial (continued)
• Berkley: Software Engineering (Mikula): Dependability Techniques Applied to Space Software - A Research Project Report, Lahoz, Abdala
• Clarendon: Aerospace Safety (Kraemer): Systems-Based Approach to Flight Safety Management in Airlines, Chi, Xu, Qi, Shao
• Dartmouth: Software Safety (Schmedake): Safety and/vs Security: Towards a System Engineering Approach for Trust, Schoitsch

2:30 - 3:20
• Berkley: The Principles of Software Safety Assurance, Hawkins, Habli, Kelly
• Clarendon: Use of Master Minimum Equipment List (MMEL) To Ensure Safe Dispatch, Durmaz
• Dartmouth: Anatomy of a Safety Critical Software Function, Church

4:00 - 4:50
• Berkley: Formal Modelling in the Development of Dependable Systems, Troubitsyna
• Clarendon: Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics, Campbell
• Dartmouth: Software Risk: The Third Rail of Safety Analysis, Hildreth, Elcock

6:30 - 8:30: Sponsor & Exhibitor Reception, Gloucester Room

Exeter Fairfield Suffolk Wellesley

8:00 - 8:50

Workshop

ISO 26262-Style Risk Assessment - Joyce (3 hrs)

Tutorial

Assurance Cases As Means of Evidence Based Developed of Critical Systems - Despotou (3 hrs)

Tutorial

Practical Generation of Safety Cases With the Help of GSN - Gerstinger, Schedl (3 hrs)

Committee & Group Meetings

9:00 - 9:50

10:30 - 11:20

1:30 - 2:20

Workshop

Application of System Safety Methods to Systems of Systems - Joyce, Debouk, Vergara (3 hrs)

Workshop

Advancing Safety By Reducing Errors: A Fresh Approach - Autrey (3 hrs)

Tutorial

Improving Safety Management by Using a Risk Management Policy in Your Daily Operations - Fitzgerald (3 hrs)

Committee & Group Meetings (continued)

2:30 - 3:20

4:00 - 4:50


SCHEDULE - WEDNESDAY, 14 AUGUST
4th Floor: 8:00 - 5:00 Registration
Simmons Room: 6:30 - 8:00 Speakers' Breakfast
Regis Room: 8:00 - 5:00 Presenter Prep

Arlington Berkeley Clarendon Dartmouth

8:00 - 8:50

Human Factors (Robins)

ASL: Affective Safety Leadership - Ramsing

Public Safety (Fletcher)

The Study on the Accident Causation Rule of Macroscopic Accidents in China - Zeng, Luo, Tian

Lifecycle Safety (Swallom)

Maintenance Hazard Analysis - Tan

9:00 - 9:50

Exxon Valdez: Human Error Plain and Simple - Barondes

Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity - Zheleznov

Development of a System Safety Case for Automotive Electric/Electronic Systems - Sundaram, Hartfelder

10:30 - 11:20

Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems - Vernacchia, Green, Llaneras

Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation - Smirnov, Yurkov, Syagin, Koshina

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes - Laabs, Allison, Russell

International Luncheon, Salons A-E. Guest Speaker: Dr. John McDermid, The University of York, UK. Menu: Asian Inspired Salad; Teriyaki Chicken, Coconut Rice, Seared Bok Choy; Triple Chocolate Tower (White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce)

1:30 - 2:20

Workshop

The Evolution of the UK Defence Safety Standards - McDermid

Safety Topics (Gauthier)

Introducing Safety Assurance Influenced Design of Health IT Systems - Despotou, Luckcuck, Kelly, Jones

Risk Assessment (Karedes)

Quantitative Risk Assessment in Aviation Safety Risk Management - Hewitt, Pham

Tutorial

Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System - Behnke, Damstra, Villhauer (2 hrs)

2:30 - 3:20

How Complex Systems Fail - I: Decomposition of the Failure Histogram - Zito

4:00 - 4:50

6:00 - 10:00

Wolfgang Puck Dinner and Lightning Show at the Museum of Science


Exeter Fairfield Suffolk Wellesley

8:00 - 8:50

Human Factors II (Flint)

Development of Education Program Integrating Flight Safety and Psychological Stress - Liu, Wang, Liu, Bai, Guo

Tutorial

Why You Should Care About the "-Ilities" - Southwick (3 hrs)

G-48 Meeting

West (6 hrs)

Committee & Group Meetings

9:00 - 9:50

Research on Evaluation Index and Method of CRM Dynamic Training - Wang, Liu, Bai, Liu, Guo, Guo

10:30 - 11:20

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events - Garvey, Joglar, Collins

1:30 - 2:20

Tutorial

Where Hard Meets SOFT: Human Factors Role In System Safety Engineering - Brisbois (2 hrs)

Workshop

Aircraft Fire & Explosion: How Safe are the Friendly Skies - Moussa

G-48 Meeting (continued)

Tutorial

Using Risk Profiles for Safety Management of Large Scale Operations - Fitzgerald (3 hrs)

2:30 - 3:20

4:00 - 4:50


SCHEDULE - THURSDAY, 15 AUGUST
4th Floor: 8:00 - 5:00 Registration
Simmons Room: 6:30 - 8:00 Speakers' Breakfast
Regis Room: 8:00 - 5:00 Presenter Prep

Berkeley Clarendon Dartmouth

8:00 - 8:50

Space Systems (Durmaz)

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy - Dang, Moran, Jackson

Weapons Safety (Southwick)

Security Critical Software: the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age - Alborzi

Hazard Identification (Oliver)

Closing the Gaps in System Safety Coverage - Siow

9:00 - 9:50

Tailoring of MIL-STD-882E for Space Systems Acquisitions - McDougall, Jackson

Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics - Adams, Tomasello

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods - Myklebust

10:30 - 11:20

Cryogenic Safety for Space Launch Vehicles During Ground Operations - Iyengar

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects - Pham, Sivapragasam

Design With Safety Eye - Erdem, Aydin

Awards Luncheon, Salons A-E. Menu: Caesar Salad; Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce; White Chocolate and Blood Orange Torte

1:30 - 2:20

Aerospace Software (Beecher)

Making the Implicit Explicit: Towards an Assurance Case for DO-178C - Holloway

Public Safety II (Laabs)

Integrating System Safety and Emergency Management - Hardy

Hazard/Risk Management II (Kniess)

Towards Automatic Verification of Safety Properties in AADL System Models - Björnander, Graydon, Land

2:30 - 3:20

Uncertainty and Confidence in Safety Logic - Graydon

Safety in Deepwater Well Containment Operations - Robins

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events - Allison, Jerdak

4:00 - 4:50

Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System - Yang, Xie, Yousefi

A Taxonomic Analysis On Chinese Special Equipments "Yinhuan" in Supervision - Fan, Luo, Lu

Leading Indicators in Aviation Operations - Fletcher, Dokas


Exeter Fairfield Suffolk Wellesley

8:00 - 8:50

Tutorial

Conceive of Modeling On Operation Mechanism of Public Safety Standardization - Luo, Huang (6 hrs)

Panel

G-48: Pressing Issues Facing System Safety - West (3 hrs)

Committee & Group Meetings

9:00 - 9:50

10:30 - 11:20

1:30 - 2:20

Tutorial (continued)

Committee & Group Meetings (continued)

2:30 - 3:20

4:00 - 4:50

SCHEDULE - FRIDAY, 16 AUGUST
Simmons Room: 6:30 - 8:00 Speakers' Breakfast

Clarendon Dartmouth Regis

8:00 - 8:50

Workshop

Process Safety Culture Best Practices - Pearlman (2 hrs)

Best Paper 1

Lessons Learned & ISSC Staff Turn-over Meeting

8:50 - 9:30

Best Paper 2

10:00 - 10:40

10:50 - 11:30


3 2 1 SAFETY

System safety is paramount. It impacts our products, employees, technicians and maintenance personnel. And safety is no accident - it is designed into everything we do. We are proud to sponsor this year's International System Safety Conference and their mission to think outside the box when it comes to the best processes, methods and techniques. We're committed to delivering innovative ideas and solutions that help connect, protect and explore our universe.

www.lockheedmartin.com/ssc

© 2012 Lockheed Martin Corporation


TUTORIALS

The conference organizers have an information-packed tutorial program planned in conjunction with the 31st ISSC. Attending tutorials, as well as other elements of the Technical Program at the 31st ISSC, meets the requirements for Continuance of Certification credit through the Board of Certified Safety Professionals (BCSP). The University of Cincinnati will issue Continuing Education Units (CEUs) for participation in the conference tutorials. CEUs are issued on the basis of 0.1 CEU per instructional contact hour. You must be present for at least 90% of the tutorial to receive CEUs and a tutorial completion certificate. Your attendance is verified via the process outlined below.

• At the start of the tutorial, you'll clearly print your name in the attendance form exactly as you want it to appear on the certificate.
• After returning from each break during the tutorial (morning, lunch and/or afternoon), you'll initial the attendance form.
• You must be present at the end of the tutorial to receive your certificate and the CEUs.

If there are misspellings on the CEU certificates, please mark the corrections and give them back to the instructor or leave them at the registration desk.

Monday, 08·12·13, 8:00-11:30, Exeter, Tutorial, 0.3 CEU

Hands-On System Safety Basics Focused on FHA
Instructors: Werner Winkelbauer, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria

An overview of a generic safety process best suited for small to medium sized projects in relation to the project lifecycle is given. For each major project phase, the respective safety process phase, safety objectives and necessary inputs and outputs are detailed. Some state-of-the-art analysis techniques are explained. Special emphasis is placed on the Functional Hazard Assessment, where practical guidance for a Functional Failure Modes and Effects Analysis is presented.

The content of this tutorial is based on experience from an internationally operating company.

Objective: Basic understanding of a safety process and the practical implementation of a Functional Failure Modes and Effects Analysis.

Monday, 08·12·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Introduction to Fault Tree Analysis Using CAFTA Software
Instructor: Jean Francois Roy, Nuclear Division, Risk & Safety Management Group, Electric Power Research Institute, Palo Alto, CA, USA

This tutorial will introduce Fault Tree Analysis using CAFTA Software. Attendees will first review fault tree methodology and terminology. Construction of a fault tree model in CAFTA will then follow a brief review of CAFTA's components and symbol types. In constructing the Fault Tree model, topics covered will include projects, navigation, editing shortcuts and how to add probabilities. An overview of basic event probability formulas, type codes and variables will be included, as well as printing and quantification processes.

Tuesday, 08·13·13, 8:00-5:00, Arlington, Tutorial, 0.6 CEU

A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique
Instructors: Nancy G. Leveson, PhD, John Thomas, PhD, Aeronautics and Astronautics, MIT (Massachusetts Institute of Technology), Cambridge, MA, USA

STAMP is a new accident causality model that expands on the old models in order to handle the increased complexity, software, and changing human roles in today's systems. Using STAMP as a foundation, new tools have been built for hazard analysis (STPA), accident analysis (CAST), organizational risk analysis and risk management, etc. This tutorial will concentrate on STPA. The tutorial will start with a brief introduction to STAMP and the systems approach to safety engineering. The rest of the time will be devoted to learning STPA and doing exercises. Students are encouraged to bring problems from their own research domains so that they can try this analysis method on something very relevant to their work.

STPA is being used successfully in most every industry. Several groups have evaluated STPA empirically by comparing the results with standard hazard analysis techniques. In all cases, STPA found all the hazard scenarios found by the other methods but also found additional ones involving software, human errors, and unsafe interactions among system components. In a couple of cases where STPA and the other methods were applied to a design in which an accident had occurred (without telling the analysts), STPA was the only method that found the real accident scenario.

By the end of the tutorial, attendees will be able to apply STPA to a system in their field of expertise.

Tuesday, 08·13·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Assurance Cases as Means of Evidence Based Developed of Critical Systems
Instructors: George Despotou, BEng, MSc, PhD, CEng, Department of Computer Science, University of York, York, United Kingdom

Often developers have the onus to defend a position (i.e. make a case) about the safety of their system. This usually involves an explanation of how the available information for a system supports the claim that risks in a system have been acceptably managed.

Safety cases have been used in the safety domain for a number of years, mostly in the defence, aerospace and energy domains. Their usefulness as a tool for improving safety has been appreciated by many practitioners, and development of a safety case is a requirement in many standards. This has resulted in the core concepts of safety cases being transferred to other domains (e.g. automotive) and being focused on other system attributes (e.g. security cases). Recently the term assurance case has been introduced, which encompasses not only safety but other relevant critical aspects of a system, such as security.

A case exists to communicate an argument. It is used to demonstrate how someone can reasonably conclude that a system is acceptably safe from the evidence available. A case is a device for communicating ideas and information, usually to a third party (e.g. a regulator). In order to do this convincingly, it must be as clear as possible. Safety case definitions may differ between domains, but all definitions converge on a set of characteristics.

Development of a (safety) case is a requirement in many standards. However, the usefulness of the safety case has been appreciated in the industry, and it is used by many organisations as good practice. The reason for this is that explicitly capturing all reasoning and information (about the supported position), such as assumptions and evidence, facilitates assessing the fitness of the design to meet its (safety) objectives. A manufacturer will design a system aiming to achieve the required operational attributes. However, what is intended is often not what is achieved. Once the reasoning of the developers is explicitly documented as claims and arguments supported by evidence, the gap between what was intended and what was achieved becomes more apparent.

Explicitly documenting a case will contribute towards the factual representation of the system, revealing which claims can be supported by evidence and which remain intentions (for example because there is insufficient evidence to support them). This may not necessarily imply that the latter claims have not been implemented, but that we are unaware of their achievement as they are not sufficiently supported. There can be three reasons as to why a claim is not sufficiently supported: a) there is not sufficient evidence to warrant the claim; b) although there is evidence, there is inadequate explanation (a problematic argument structure) as to how the evidence supports the claim; and c) the claim was phrased in a way that is unsupportable.

The tutorial describes the basic concepts of assurance and safety cases (including recent OMG standards), will explain the main challenges in developing an assurance case and their relationship to safety standards (safety cases and standards serve different purposes and should be seen as complementary), and present best practice (and misconceptions) regarding assurance cases.

Tuesday, 08·13·13, 8:00-11:30, Suffolk, Tutorial, 0.3 CEU

Practical Generation of Safety Cases with the Help of GSN
Instructors: Andreas Gerstinger, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria

This tutorial will introduce you to the concept of safety cases. Safety cases are structured arguments that support the claim that a system is safe to be used for a given application in a given environment. Several standards require the production of such safety cases as a prerequisite for approval. The tutorial will highlight good and bad practices when developing safety cases and will introduce you to a notation specifically developed for the generation of safety cases: the Goal Structuring Notation (GSN). There will be practical examples which need to be solved by the attendees so that hands-on practice and experience is gained.

Detailed outline of the tutorial:

Introduction (1h): The tutorial will start with a survey of current safety standards (IEC 61508, ISO 26262, EN 50128, DO-178C) and analyse their views and requirements regarding safety cases. We will then delve into the nature of safety cases, briefly touch on their historical origins, and clearly consider what can and what can't be expected from a safety case. Based on our practical experience, we will also highlight some typical bad practices when constructing safety cases. This helps to correctly and critically read them and is also a helpful guideline for reviewing other safety documentation. This part of the tutorial is largely a presentation.

Goal Structuring Notation (45 min): We will now introduce the main elements of the Goal Structuring Notation (GSN), which is a helpful tool to document safety cases. The presentation of the notation will be interleaved with brief examples, exercises and questions so that attendees have the chance to fully understand the meaning and purpose of the various symbols. A structured method for how to proceed when drafting safety cases will also be presented. Hence this part of the tutorial is much more interactive, requiring active participation of attendees.

Case Study (45 min): A realistic case study will then be handed out. It is expected to be solved as group work (groups of 3-5 people are expected). The task of the groups will be to draft and present a sound safety argument for a given claim that the system in the case study is acceptably safe for a specific application in a given environment. GSN shall be used as the notation for this purpose. At the end, the groups present their solutions and the advantages/disadvantages of the presented solutions are discussed. This part of the tutorial is group work.

Concluding Remarks (30 min): Finally, we will offer some concluding remarks consisting of hints on how to avoid common errors and fallacies in safety cases, show some examples of real-world safety cases, and finish with a personal conclusion.

Tuesday, 08·13·13, 1:30-5:00, Suffolk, Tutorial, 0.3 CEU

Improving Safety Management by Using a Risk Management Policy in Your Daily Operations
Instructors: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA

The focus of the tutorial is the use of risk assessment and risk management in the (non-technical) occupational safety and health profession. Domain of Interest: Hazard/Risk Management or Workplace Safety.

First hour: Review the basics of the various components of risk and types of risk assessments. Stress that the safety and health professional needs to understand that risk is more than a simple subjective measure of severity and frequency.

Second hour: Demonstrate how to make risk assessment into a powerful management tool by customizing the assessment of risk for use in a company/industry. Also provide insights on how to "sell" a risk management policy/program within a company.

Third hour: A discussion of how to use risk management as a tool to aid you in your daily office or program management responsibilities: the planning, organizing, staffing, leading and controlling of a safety program. Embedded in the discussion is how risk can provide a measure of the success of an occupational safety and health program.

Wednesday, 08·14·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Why You Should Care About the "-Ilities"
Instructors: Alan E. Southwick, BSEE, MME, MBA, CSP, CQE, CRE, Whole Life Engineering Directorate, Raytheon Company Integrated Defense Systems, Portsmouth, RI, USA

The topic addresses the interrelationships developed from Quality, Quality Control and Quality Engineering, pursuing Specialty Engineering roles and relationships, including Reliability, Maintainability, Supportability, Human Factors, Safety and Security (Information Assurance), from an overview perspective. The tutorial is designed to be somewhat interactive, presenting examples and questions to the audience related to the various topics discussed, thereby engaging participants and providing them with insights into the various disciplines and how they relate within "Specialty Engineering".

Wednesday, 08·14·13, 1:30-3:30, Dartmouth, Tutorial, 0.2 CEU

Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System
Instructors: Tim R. Behnke, BSEE; John Damstra, BS Mathematical Sciences; and Eric D. Villhauer, BS Aerospace Eng., BA Economics; Specialty Engineering, General Atomics Aeronautical, Poway, CA, USA

The presenters share their implementation of a hazard analysis that integrates the civil aviation approach to safety analysis per SAE ARP 4761 and the defense approach to safety analysis per MIL-STD-882E, along with their implementation of the associated hazard tracking system in DOORS.

• Introductions - Behnke - 5 mins
• Need for System - Behnke - 5 mins
• Groundwork (historical) - Behnke - 10 mins
• Development - Damstra - 30 mins
  i. Modules
  ii. Attributes
  iii. DXLs
  iv. Views
  v. Exports
• Usage - Villhauer - 30 mins
• Questions - All - 10 mins


Wednesday, 08·14·13, 1:30-3:30, Exeter, Tutorial, 0.2 CEU

Where Hard Meets SOFT: Human Factors Role in System Safety Engineering
Instructors: Fred W. Brisbois, CHCM, Safety, Sikorsky Aircraft, International Helicopter Safety Team, Guilford, CT, USA

The gap that allows accidents to happen is sometimes where System Safety Engineering and Human Factors don't overlap. System Safety Engineering processes defined in MIL-STD-882 and ARP 4761 provide a structured approach of applying engineering practices to ensure safety is designed into products. These practices, coupled with robust product safety surveillance and management during the aircraft's service life, offer opportunities to continuously raise the standards for future designs. However, to maximize the benefits of safety engineering, it is important to master the 'art' of how and when to integrate human factor interventions into the system design. This session will cover a generic overview of system safety engineering, aircraft fleet safety management, and lessons learned from 'human' malfunctions that led to aircraft system design changes.

Wednesday, 08·14·13, 1:30-5:00, Wellesley, Tutorial, 0.3 CEU

Using Risk Profiles for Safety Management of Large Scale Operations
Instructors: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA

This tutorial provides safety and health professionals who work with large scale or multiple operations with a methodology to evaluate and compare these operations. The tutorial begins with a review of four types of risk which need to be assessed (People, Product, Production and Planet). This is followed by a brief discussion of normalizing the risk components of severity and probability. The heart of the tutorial is the description of how to measure the total risk of various operations, processes and facilities and present the resulting risk profiles to management. The tutorial will conclude with a brief discussion on the validity of the methodology used. Note: This is not a discussion on how to determine true total risk, but a simplified method using a minimum of math. The tutorial is designed for safety and health professionals working within a company that has multiple processes or facilities that compete for funding to ameliorate hazards.

Thursday, 08·15·13, 8:00-5:00, Exeter, Tutorial, 0.6 CEU

Conceive of Modeling On Operation Mechanism of Public Safety Standardization
Instructors: Yun Luo and Yuecheng Huang, ME, School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

On the basis of the theories and methods of system science and strategy-system, this paper revealed the operation law of standardization of safety production and the relations between all the elements, combined with the background and current situation of public safety standardization in China. It also built the frame of the macroscopic operating mechanism and the "456" model of the work safety standardization system operation mechanism, which borrowed the idea from the execution and achievement of work safety standardization in our country. Besides, it also designed six other mechanism models in order to do systematic analysis and present optimized countermeasures, such as comprehensive management by government, categorized supervision by department, implementing responsibility by organization, technological service by agency, wide participation by society, self-disciplined prodding by entire personnel, and so on. The research provided some theoretical directions as well as approaches for the construction and improvement of the operation quality of public safety standardization.


PANEL DISCUSSIONS/FORUMS

Tuesday, 08·13·13, 8:00-11:30, Dartmouth, Open Forum

Developing Global System Safety Perspectives
Moderator: Robert Ward Fletcher, PEng, MSc, PMP, PCIP, Consultant, President, Robert Fletcher System Safety Inc., Ottawa, Ontario, Canada

This will be a free form discussion moderated by Bob Fletcher, SSS Director of International Development. It is a continuation of the discussion started during the 30th ISSC.

Robert is a system safety engineer with many years of experience. He has performed system safety consultancy services work for several clients around the world. He performed system safety engineering and safety management systems training, auditing and analysis for air traffic control and flight service system applications. Robert has received an MSc from the United States Navy Post Graduate School, a diploma from the Aerospace Systems School, Winnipeg, Manitoba, and a Bachelor of Science degree from the Royal Military College. He is a registered professional engineer, a member of the Project Management Institute and the Critical Infrastructure Institute.

Thursday, 08·15·13, 8:00-11:30, Suffolk, Panel

G-48 Workshop - Pressing Issues Facing System Safety
Moderator: David B. West, CSP, PE, CHMM, Systems Software and Solutions Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA

A panel of speakers (TBD) will give a series of presentations on the most pressing issues facing the System Safety community today.

WORKSHOPS

Tuesday, 08·13·13, 8:00-11:30, Exeter, Workshop

ISO 26262-Style Risk Assessment
Presenter: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada

ISO 26262 is a functional safety standard for electronic control systems in road vehicles which includes a novel approach to risk assessment that overcomes the widely recognized difficulty of evaluating the likelihood of failure in the case of software-intensive systems. Although it was devised for use in the automotive domain, this approach to risk assessment has been used successfully in other technical domains that also rely on safety-critical software. Following a brief introduction to ISO 26262, participants will engage in a series of problem-solving small-group exercises based on examples taken from a variety of technical domains, including automotive, medical devices, energy and defense. The workshop will include opportunities for discussion and comparison of sample solutions. The workshop will also include a brief comparison of the ISO 26262 approach to risk assessment with the notion of software criticality in MIL-STD-882E. While this workshop will be of particular interest to system safety engineers in the automotive industry, it is intended to be relevant to system safety engineers across all technical domains with an interest in the assessment of safety risk associated with complex software-intensive systems.


Tuesday, 08·13·13, 1:30-5:00, Exeter, Workshop

Application of System Safety Methods to Systems of Systems
Presenters: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada; Rami Debouk, Electrical and Controls Integration Lab, General Motors, Warren, MI, USA; Antonio Vergara, ITER Organization, St Paul-lez-Durance, France

This workshop will facilitate an exchange of knowledge among participants about the application of system safety methods to Systems of Systems (SoS), that is, systems whose components are themselves complex systems, such that the combined behavior of these components cannot be easily understood or explained in terms of the behaviors of the individual components. Examples of such systems are increasingly common across a variety of technological domains, including aerospace, defense, automotive and energy generation/distribution. Traditional methods of system safety, focused on component failure as a source of safety risk, have limited value in understanding and managing the safety risks associated with a SoS. For example, an unforeseen interaction between two "correct" behaviors implemented by different components of a SoS may result in an unsafe behavior even in the absence of a component failure. The first part of the workshop will be a series of short presentations on SoS examples from a diverse variety of technical domains, namely advanced road vehicles, high energy physics and aerospace/defense. The second part of the workshop will be an opportunity for all participants to address specific questions about the application of system safety methods to SoS through dialogue and impromptu mini-presentations.

Tuesday, 08·13·13, 1:30-5:00, Fairfield, Workshop

Advancing Safety By Reducing Errors: A Fresh Approach
Presenter: Tim Autrey, BSc, Error Reduction and Human Performance Enhancement, Practicing Perfection Institute Inc., Swanzey, NH, USA

Potential hazards workers face while working in the refining and petrochemical industry can vary from minor leakage to major blasts, release of chemical vapors, spills leading to exposure to harmful gaseous chemicals, fires and explosions, and smoke build up causing shelter-in-place impacting the local community, personal injuries, fatalities and plant damage resulting in shut downs. Considering time pressures, the dangerous nature of the job, weather conditions, lack of communication, poor/inadequate documentation and remote working locations, planners, locators and refiners often face combined challenges that generate very error-likely conditions.

While unexpected releases of toxic substances do occur, the industry is subject to vulnerabilities caused by others (such as processes involving highly hazardous chemicals leading to the release of flammable liquids and gases, and worker stress and fatigue), and investigations reveal that many of the major accidents that do occur could have been prevented through greater diligence on behalf of the respective personnel involved.

This workshop is designed to provide the participants the awareness that as humans we are fallible (even the best people make mistakes). However, this being said, as humans we also possess the incredible power of choice. What we must do is choose to learn from our mistakes and take actions to prevent their recurrence.

Bird and Germain (1996) rightly said: "What is the sense of measuring if the loss must occur before you can act? That is reaction, not control." What we need is a fresh approach to enhance safe work practices. This session will instill a strong understanding of "The Gap" in processing information and how to RESPOND rather than REACT when posed with a stressful or threatening situation. The participants will come to recognize the value inherent in worker contribution to solving problems and improving safety and efficiency.

The Practicing Perfection® approach has taken the best-of-the-best tactics and tools from the US commercial nuclear power and airline industries, simplified them, and combined them with underlying triggers and influencers of behavioral psychology to transform worker behaviors pertaining to personal and process safety in different sectors.

Using this innovative approach of Practicing Perfection®, safe work practices will be discussed in-depth using the four human error barrier/defense categories and how these work together to prevent/allow an event to occur. The participants will be introduced to the Error Elimination Tools™ handbook, which offers simple tools for minimizing the potential for error at points of team interaction and individual execution.

Wednesday, 08·14·13, 1:30-3:30, Arlington, Workshop

The Evolution of the UK Defence Safety Standards
John McDermid, Professor of Software Engineering at the University of York, UK

Issue 5 of DS 00-56 is being developed and is likely to be in force before the end of the year. The UK's primary defence safety standard, DS 00-56, has been in existence since mid-1990 and has undergone a number of changes, becoming more goal oriented at issue 4 (the current standard). When issue 4 was produced, DS 00-55, the MoD software safety standard, was discontinued. Since the publication of DS 00-56 Issue 4 in 2007 there has been feedback on some of the requirements, including the challenges of applying the ALARP principle; defence contracting has changed, with a move towards the greater procurement of services and/or outsourcing management of facilities; and there is increasing use of Systems of Systems (SoS). Issue 5 of DS 00-56 is being developed to address these issues. At the same time there have been increasing concerns regarding software safety, and it has been decided to re-introduce DS 00-55 at the same time, albeit in a goal-based style consistent with DS 00-56 and also covering complex electronics. The tutorial will present an explanation of the motivation for the changes to the standards and the significant conceptual changes, and outline the rest of the development process. Time will be allowed for discussion, e.g. the relationship between DS 00-56 and other standards, both civil and military.

Wednesday 08·14·13 1:30-3:30 - Fairfield - Workshop

Aircraft Fire & Explosion - How Safe Are the Friendly Skies?
Albert Moussa, PhD, PE

While commercial air travel is an extremely safe mode of transportation, aircraft fires and explosions can occasionally occur with catastrophic consequences. Using examples of recent accidents and full-scale testing, Dr. Albert Moussa will provide an overview of the main types of fires, such as those involving aircraft engine, fuel tank, cabin and cargo areas. He will show how major accidents lead to safety recommendations by the NTSB, stricter requirements by the FAA and improved practices by the industry. This process takes many years, leading eventually to safer skies. Examples of safety improvements include the use of a fire blocking layer in seats, improved acoustic insulation, fire detection and suppression systems in cargo bays, and fuel tank inerting. The implications of replacing aluminum with composite materials will also be discussed. The talk is an overview of a unique professional course that he teaches annually on the design of aircraft systems for protection against fire and explosion. The talk is a multi-media presentation illustrated with colorful slides and short video clips of real accidents and computer model outputs.

Dr. Albert Moussa has spent over forty years developing a fundamental understanding of fire and explosion, particularly for the aerospace/defense industry. His work has led to the development of a number of practical solutions and quantitative models and to the investigation of several major national and international aircraft fire accidents. His forewarning about the vulnerability of aircraft fuel systems before the occurrence of the TWA800 and Concorde disasters has gained him prominence in the general media in both the US and Europe. He has consulted for the Air Force, Navy and major firms such as Boeing, GE, Northrop Grumman and Parker Hannifin, and has served on national advisory committees and on the Editorial Board of an ASME Journal. He teaches a unique professional design course on how to protect aircraft systems against fire and explosion. He received his BS from Stanford University and his MS and ScD from MIT. He has published widely, including one book. He has received several honors, including the William Littlewood Memorial Lecture Award by SAE/AIAA, Engineer of the Year by AIAA NE Section, best papers by SAE and ASEI, AIAA Distinguished Lecturer, and several ASME citations. He is the Founder and Technical Director of BlazeTech Corp, an engineering firm that specializes in technology and software development in the area of energy, environment and safety.

Program ISSC 2013

Friday 08·16·13 8:00-10:00 - Clarendon - Workshop

Process Safety Culture Best Practices
Presenter: Laurence Pearlman, MA, Corven Inc and University of Illinois at Urbana-Champaign, Naperville, IL, USA

The workshop explores how process safety is more than a technical solution and involves cultural change. To make a successful and sustainable culture change, multiple elements need to be combined that address people, rewards, learning and leadership. This workshop will explore best practices and give practical advice on how to build a process safety culture. The workshop is aimed at oil, chemical and other process-related work.

• Introduction
• Change as a Journey: Overview of Change Management
• Building a Business Case: Defining a Burning Platform
• Speaking of Process Safety: Creating a Common Language for Process Safety
• Leadership Matters: Defining the Role of Your Leadership Teams
• Effective Learning: Segmenting Your Audiences and Delivering Relevant Learning Activities
• Looking at Behaviors and Desired Outcomes: How To Define & Drive Behaviors
• The Employee Lens: Know My Barriers & Know My Role in Keeping Them Healthy
• Measurement of Culture: What Works and What Doesn't
• Wrapping it Up: Change as a System

You have a lot on the line. Our adaptive Safety Management and FAA Compliance solutions won't let you down.

Adaptive SMS - The comprehensive solution for the most efficient implementation
Extends a culture of safety beyond safety teams
Easily guides users to confidentially report useful safety events
Responsiveness shows users they made a difference

Adaptive Systems Safety Analysis - Safety oriented system design analysis

Don't miss the Sikorsky Aircraft and AST Aerospace presentation "Linear Integrated Safety Analysis (LISA)"

A DIVISION OF ATLANTIC SOFTWARE TECHNOLOGIES
1-732-230-2590
sales@astaerospace.com
www.astaerospace.com

Paper Presentations

Monday 08·12·13 AM - Berkeley - Hazard Analysis - Chair: Barondes

Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models
Lucas Wind, Dr. Gabriele Schedl, Juergen Floetzer, Safety Management Department, Frequentis AG, 1100 Vienna, Austria

Multiple failures of components due to shared causes, also known as Common Cause Failures (CCF), comprise an important class of failure types. These have to be taken into account in any serious assessment of safety critical systems deploying any redundancy concept. Whereas a qualitative assessment of CCF can be regarded as common practice, the exact numerical impact of CCF is usually less widely understood. Explicit representation of CCF is quite cumbersome and usually involves complex graphical representations within Fault Trees and RBDs. Focusing on a correct derivation of RAM-data rather than on a comprehensive common cause analysis, an implicit representation of CCF is therefore often preferred, but involves in-depth knowledge of the underlying mathematical models. This paper aims to enable safety experts to make a fast, simple but effective RAM-analysis including CCF. Popular CCF-models are reviewed together with their advantages and disadvantages, based on the long-term experience of a supplier in the context of a large European ATM-project. The single parameter beta-factor model is explained in detail and demonstrated to be most effective for typical ATM-applications. Based on this model, results are given in terms of representative figures depicting the influence of CCF on various typical real world availability requirements.

Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees
Wes Rainey, MSEE, Life Cycle Engineering, General Dynamics Electric Boat, Groton, CT, USA

Fault Trees prove to be an effective tool for identifying safety critical system hardware and software requirements during the Safety Requirements Hazard Analysis (SRHA) process. This safety analysis methodology offers significant benefits when performing the SRHA. Fault Trees effectively communicate the safety assessment of a safety hazard to other safety engineers, systems engineers, the customer and other impacted engineering disciplines in a manner that each discipline can readily understand and evaluate for completeness and correctness. Fault Trees also enhance the safety engineer's ability to assess the implications of safety mishaps and events on safety hazards, improving visibility into the relationship between related mishaps and events and allowing for common events to be identified and shared between hazards. Fault Trees can then be structured to correspond to the system hardware and software requirements analysis, thus providing the ability to identify hazard mitigating safety critical requirements, design features and procedures early in the development process for continued tracking and management. This paper describes significant benefits of Fault Tree analysis when applied to an SRHA, with an example based upon a hazard caused by significant equipment damage to a pump.

The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment
Omar T. Jaradat, PhD Student (1); Patrick J. Graydon, Postdoctoral Research Fellow (1); Iain Bate (2). (1) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden; (2) Department of Computer Science, University of York, York, United Kingdom

Typical safety standards require software engineers to show that a plan of safety activities (chosen from recommended options or alternatives) meets a set of objectives. For example, the automotive safety standard ISO 26262 recommends formally verifying software architectures to show that they comply with safety requirements. In this paper we show how an existing approach to architectural model checking could be used to conform to ISO 26262.

The Architecture-Based Verification Technique for AADL Specifications verifies some completeness and consistency properties of Architectural Analysis and Design Language (AADL) models. An engineer transforms the AADL architecture into a UPPAAL model, generates a set of UPPAAL queries, and uses UPPAAL to check the queries. Using the resulting evidence, we have created a partial ISO 26262 safety case for an existing system that warns drivers of heavy vehicles before low fuel causes loss of power and vehicle control.

In this paper we demonstrate how this model-checking evidence contributes to an ISO 26262 safety case. We then critically analyze the resulting argument, recommend means of achieving complete coverage of ISO 26262 objectives, and discuss the costs and benefits of architectural model checking in comparison to those of the other techniques recommended by ISO 26262.

Monday 08·12·13 AM - Clarendon - Ground Transportation - Chair: Millin

Achieving Confidence of a Safety Critical System Product and Its Applications
Fenggang Shi, PhD, RAMS Department, Thales Canada Transportation Solutions, Toronto, ON, Canada

A safety critical system product can be developed for multiple project applications, such as a Communication Based Train Control (CBTC) product for modern railway signaling systems. It is natural that different safety critical systems in the same domain can have different characteristics due to variances of devices and operation environment. Such a product must be developed based on the generic attributes of systems in the domain and can be parameterized and tailored to a specific system with the characteristics expected by the customer. The key issues in development of such a product are defining common functions in the application domain, categorizing and generalizing devices, and designing a configurable system architecture. Thus devices and functions can be parameterized and tailored for a specific system of a project. Safety engineering for such a safety critical system product and its applications faces complexity in safety case development for demonstrating systematic hazard analyses and management. This paper discusses Thales' experience and practice of resolving the key issues in designs and managing the complexity of safety engineering on its CBTC product and applications. Safety confidence of CBTC systems is achieved through four layers of safety engineering: vital computer, controller platform, generic application and specific application.

Failure Logic Automata for Future Oriented Safety Assessment of Train Control System
Guo Zhou, PhD Student; Huibing Zhao, Professor; School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China

In the development progress of a train control system, safety analysis possibly deviates from system design. System engineers and safety engineers always carry out their ideas in entirely different ways, so that when system engineers assert their designs are completed and feasible, the safety engineers may disappointedly declare that the safety requirements are not met. On the contrary, when safety engineers expose their manual analysis reports (FTA, FMECA, etc.), system engineers may pop up and point out the inconsistency. Intuitively there seems to be a "gap" between system engineering and safety engineering. In this paper some comparisons amongst classic safety assessment methods are performed first. Then a future oriented safety assessment method is introduced to safety engineering to automatically realize safety requirements verification with the soaring complexity of system design. The hierarchical and modularized methodology of failure logic modeling is illustrated for minimal cut sets synthesis and dangerous failure rate calculation, which can be referred to prompt the safety. The mathematic model is constructed to manifest the correctness of the method. An instance analysis of an on-board train protection system is also performed.

Are We Ready for Driverless Cars?
David B. West, CSP, PE, CHMM, AMCOM/AMRDEC Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA

For decades, technological advancements have continually improved the automobile, making it easier to drive. As we integrate features like adaptive cruise control, GPS navigation, lane keeping and so on, and make them interoperable, we move ever closer to having cars that will drive themselves to the destinations we enter into their programs. Some experts have even predicted that in less than a generation it will be illegal to steer our cars ourselves. Though it may seem that serious safety challenges constrain our movement down this path, it may actually be the safety benefits offered by driverless cars that propel us in this direction. Several high-profile competitions have fostered the development of driverless car technology. Some jurisdictions are already passing legislation to pave the way for driverless cars on public roads. With driverless cars will come major changes in legal processes involving accidents. In many ways the development of driverless cars that will operate on public roadways parallels the development of unpiloted aircraft that will fly in the national airspace. Design standards for hardware and software in civil aircraft (e.g. RTCA DO-254/DO-178) may serve as models for similar qualification of driverless car hardware and software.

Tuesday 08·13·13 AM - Berkeley - Hazard/Risk Management - Chair: Parizo

Safety is not an Option
Clifford A. Parizo, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Stratford, CT, USA; R. Brandon Daugherty, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Huntsville, AL, USA

This paper presents a method for evaluating and classifying rotorcraft safety enhancing equipment in terms of impact on safety and various equipment implementation factors. Guidance from certifying agency policy and system safety standard practice were considered, resulting in a classification tool that can be used to determine if equipment should be marketed and sold as either mandatory or optional. The methodology developed may have applications for other products and industries.

National Aerospace Standard 411 Update
Timothy Sheehan, CIH, CSP, PE, Raytheon Global Substances Program, Raytheon, Portsmouth, RI, USA

This paper describes the effort to review and update National Aerospace Standard 411 ("NAS 411"), commonly used within defense as a framework to conduct Hazardous Material Management Programs (HMMP) intended to reduce hazardous material risks in the government procurement of military systems. The scope of the effort includes both a review of the standard and the introduction of several key changes, including the expansion of the scope to non-military procurements and service contracts. Included in the effort is the task of developing a standardized military Hazardous Materials Target List (HMTL) that can be used as a starting point for military HMMP hazardous material (HAZMAT) target lists. The development of the common HMTL addresses the need to increase standardization of HMMP lists across defense programs that use NAS 411 and/or MIL-STD 882E Task 108 to conduct their HMMPs. There is no current standard approach now for developing these lists; as a result, there are numerous different materials identified for restrictions and reporting requirements. The current situation often does not support (or reflect) the hazmat risk management goals of the DoD, the military services or the contractors.

Linear Integrated Safety Analyses (LISA)
Michael T. Grant, Aviation & Product Safety, Sikorsky Aircraft Corp, Stratford, CT, USA; Samad Muhammad, Atlantic Software Technologies Inc, New York, NY, USA

This paper describes the Linear Integrated Safety Analyses (LISA) process developed by the Sikorsky Aircraft Corporation (Sikorsky). The LISA architecture is designed to encompass all aspects of safety risk management for aircraft development programs. It is linear in that each assessment is repeated at the aircraft, system and subsystem levels in sequence, and it is integrated such that all analyses are connected and fully traceable to requirements. Sikorsky has partnered with Atlantic Software Technologies (AST) to develop a web-based LISA application. The end product will be a fully integrated system safety process that is comprehensive, repeatable and traceable.

Tuesday 08·13·13 AM - Clarendon - Workspace Safety - Chair: Kondreck

Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen
Han Zhang, MSc Candidate; Rachel McQueen, MS, PhD; Jane Batcheller, PhD; Human Ecology, University of Alberta, Edmonton, Alberta, Canada

Burn injuries in kitchens are prevalent; as well, chefs are exposed to high heat and humidity. Limited research has been performed on safety issues related to chef's uniforms regarding thermal protective performance towards common kitchen thermal hazards (i.e. flames, hot liquids, steam and hot surfaces) and the thermal comfort within commercial kitchens. The purpose of this research was to characterize the thermal protective performance properties of textiles used in chef's uniforms in order to understand how protective they are against all these thermal hazards in such an environment. Selected thermal performance tests (i.e. flammability and ease of ignition, hot water and oil splash, steam testing under low pressure, and hot surface contact tests) were applied to predict the time to second-degree burn. Different fabric layer combinations (e.g. impermeable/semipermeable apron and two or more layers of cotton fabrics) were applied to determine the most effective way to wear chef's uniforms. In addition, thermal and water vapour resistance were compared among different fabric systems in terms of thermal comfort. Based on the obtained data from bench scale tests, recommendations were made to improve the thermal protection and thermal comfort of fabrics used in chef's uniforms and the safety within commercial kitchens.

A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources
Ray Fischer (1); Kurt Yankaskas, BS (2); Chris Page (1). (1) Noise Control Engineering Inc, Billerica, MA, USA; (2) Warfighter Performance Department, Office of Naval Research, Arlington, VA, USA

Noise remains the most prevalent occupational hazard associated with defense systems and operations critical to their sustainment. Concurrently, acquisition programs have been inconsistent in application of control measures, and many new systems are noisier than their legacy predecessors. Common impediments to improved control include relative lack of emphasis on risk management of noise, lack of widespread technical knowledge regarding the feasibility of noise control, and misunderstanding of potential return on investment from noise controls. The Defense Safety Oversight Council's Acquisition and Technology Task Force sponsored a project to identify common noise sources affecting multiple defense systems that were amenable to control measures that could be implemented using existing technologies at an affordable cost. A system engineering risk management process was applied to review key noise sources in DOD, identify nine of the more common sources amenable to control technologies, and describe common control measures for these processes. An affordable containment (acoustic enclosure) technology was also evaluated and described. Estimates were made of exposed populations, the range of their occupational exposures, and potential risk and fiscal cost of hearing loss. Cost-benefit analyses were applied to evaluate the return on investment from available control measures.

System Safety Design for Safe Operation of Radars
Ronald J. Bartos, PE, CSP, Whole Life Engineering, Raytheon, Sudbury, MA, USA

Safe operation and maintenance of radars depends upon effective system safety and software safety analyses of radar designs. These analyses include identification of the hazards involved in operating and maintaining radars and the safety requirements that are necessary to mitigate these hazards. This paper familiarizes the reader with the system safety design requirements that are implemented in the controls of these systems in order to manage the potential safety risks inherent in radars. The safety features are contrasted among different types of radars. The differences in the types of safety features among these systems are highlighted, and factors for these differences are presented. The radar's mission, location, system architecture, conceptual design and requirements allocation between hardware and software need to be understood in order to implement an effective safety program.

Tuesday 08·13·13 PM - Berkeley - Software Engineering - Chair: Mikula

Dependability Techniques Applied to Space Software - A Research Project Report
Carlos Henrique Netto Lahoz, Dr. Eng., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos (SP), Brazil; Martha Adriana Dias Abdala, MS, Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos, Brazil

This work reports some results of a research project performed at the Institute of Aeronautics and Space (IAE), Brazil, using dependability techniques applied to a space computer system. Hazard analysis techniques such as Software FTA and Software FMECA were used in an integrated manner, and more recently the System-Theoretic Process Analysis (STPA) has been studied. This research is part of the Verification and Validation (V&V) efforts to increase software dependability capability in software projects at IAE.

The feasibility of such an approach was conducted on the system software specification and applied to a case study based on the Brazilian Launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to the inclusion of new functional and non-functional system software.

The techniques are adjusted and used in combination to identify common causes of software failures, their criticality, performance problems, temporal misleading and hazards arising mainly from dysfunctional interactions between components. The SFTA analysis produced 82 basic events and the SFMECA 34 analyses from the sequence of flight and control events. The STPA is being applied to one of the case study scenarios in order to evaluate possible additional information about how the behavioural safety constraints can be violated.

The Principles of Software Safety Assurance
Richard Hawkins, PhD; Ibrahim Habli, PhD; Tim Kelly, PhD; Department of Computer Science, University of York, York, United Kingdom

We present common principles of software safety assurance that can be observed from software safety standards and best practice. These principles are constant across domains and across projects and can be regarded as the immutable core of any software safety justification. The principles also help maintain understanding of the 'big picture' of software safety issues whilst examining and negotiating the detail of individual standards, and provide a reference model for cross-sector certification.


Formal Modelling in the Development of Dependable Systems
Elena Troubitsyna, PhD, IT, Åbo Akademi University, Turku, Finland

Nowadays we tend to place increasing reliance on computer-based systems and the software they are running. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, the analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.

It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing of software to the required degree of dependability infeasible, and hence the emphasis should be put on the development process, which is aimed at producing fault-free software. Moreover, the system environment has a direct impact on its dependability, and hence a systems approach should be applied.

In the paper we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.

Tuesday 08·13·13 PM - Clarendon - Aerospace Safety - Chair: Kraemer

Systems-Based Approach to Flight Safety Management in Airlines
Hong Chi, PhD; Baoguang Xu, PhD; Mingliang Qi, PhD; Xueyan Shao, PhD; Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China

Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of SMS. Since 2006 we have worked with one of China's 3 big airlines, taking part in its construction of SMS. We find that safety risks have their own features in different airline departments, and divide safety risks into two categories: one is caused by factors such as quality of pilots and reliability of airplanes, and the other is caused by misprocessing through operational processes; for example, a misprocessing in data entry during dispatching may lead to insufficient fuel and then serious outcomes. A reasonable risk assessment can be obtained only by systematic mechanism analysis, and other analytical approaches need to be studied besides the risk matrix. Based on this, effective risk mitigation can be implemented in airlines. We develop a closed loop to support an airline's flight safety management named "Describing-Assessing-Diagnosing-Improving-Tracking". Specific details will be discussed in this paper.

Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch
Burak Durmaz, MSc Eng, Product Assurance Department, Space Systems Group, Turkish Aerospace Industries Inc (TAI), Ankara, Turkey

Even if the new generation aircraft have rugged designs which maximize reliability, exposure to failures during operation is still indispensable. With a pure safety approach one can be led to the classical result "the safest aircraft is the one in the hangar". Vice versa, allowing dispatch without ensuring a certain level of safety can lead to catastrophic results and is totally not acceptable. MMEL has been answering this dilemma for many years. Each MMEL item is analyzed taking into account the effects of item inoperability on safe flight and landing, crew workload, functional capabilities of the systems, design margins, and the impacts due to the next critical failure. MMEL proposes dispatch criteria for any inoperative MMEL item by taking credit from a redundant unit which is capable of accomplishing the same function, the backup data provided by alternative sources, or equipment dictating acceptable limitations and/or requiring operational or maintenance procedures.

This study is aiming to answer questions such as why MMEL is required and how an MMEL is developed. Also, brief information about the MMEL regulations, the importance of MMEL to ensure safe dispatch with inoperative item(s), and some simple examples regarding MMEL applications are going to be provided.

Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics
Stuart Campbell Sr., MAS, CFII, ATP, Aeronautical Science, Embry-Riddle Aeronautical University, Daytona Beach, FL, USA

The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilot Association 2010). The absence of a positive safety culture in general aviation, to include training organizations, affects pilot judgment and decision making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture during the learning process and training, is of importance and currently under study using the Frasca Mentor Advance Aviation Training Device.

Tuesday 08·13·13 PM - Dartmouth - Software Safety - Chair: Schmedake

Safety and/vs Security: Towards a System Engineering Approach for Trust
Erwin Schoitsch, Dipl-Ing, Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria

Safety has a long tradition in many engineering disciplines, evolving long before computers arrived on the scene. Security in engineering disciplines has a shorter history, becoming increasingly important with the rising complexity of networked systems. In complex cyber-physical systems and systems-of-systems, both worlds, having ignored each other for a long time (independent communities, different targets, standards, techniques and measures), now have to share their concerns to achieve the real goal of users and stakeholders: trustworthy systems.

The paper will compare the different approaches of the major safety and security standards, particularly with respect to setting goals, considering techniques and measures, and qualification/certification. Holistic system aspects as covered by the notion of Dependability and Resilience as umbrella terms, and system engineering aspects taking into account dichotomic properties of complex embedded systems (commonalities and trade-offs), are looked at to try to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from concept phase, hazard and risk analysis to decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC-FP7 Integrated Project OpenCoss, in IEC/ISO standardization groups, and other work.

Anatomy of a Safety Critical Software Function
Richard Church, Raytheon Company, Tewksbury, Massachusetts, USA

This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides clear and concise determination of how a safety critical function may be defined at the system level to include hardware, software, human interactions and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose SLSCF computing level functions and details what constitutes a Safety Critical Computing Software Function (SCCSF) and how to identify those behavioral attributes that designate that function as safety critical. This paper provides a methodology to identify, decompose and categorize application and operating environment SCCSFs. For the purpose of this paper, SCCSFs are categorized into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety critical software functions that control and monitor safety critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies and fail-safe designs found in successful high consequence safety critical systems.

Software Risk: The Third Rail of Safety Analysis
Holly S. Hildreth, PhD, Consultant; Charles "Greg" Elcock, USN-R Aviator, Consultant; San Diego, CA, USA

"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Due to our inability to assess the probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called "throwing the baby out with the bath water." Meanwhile, the recent industry trend to assess software risk based solely on implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss shortcomings of this trend and describe alternative techniques that have not been openly documented but that have been used "under the radar" by software safety professionals for many years.

Wednesday 08/14/13 AM, Berkeley: Human Factors. Chair: Robins

ASL - Affective Safety Leadership
Ulrik Ramsing, Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark

Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how," demanding that the CoRep engage with all parties in a safe, professional, and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged with CfL, Centre for Leadership, to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, satisfactory completion of which is now a requirement for employment in DONG E&P Offshore Operations as Company Representative.

The CoRep Program satisfies its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors, and ILO-driven offshore coaching.

Exxon Valdez: Human Error, Plain and Simple
Arthur D. Barondes, BS (Mil Engr), MS (Aero), MBA, PhD (ABD) (Business), Analytics International Corporation (AIC), Alexandria, VA, USA

Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989, and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors (there were no mechanical or electrical failures that fateful night), the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots, and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors, onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company, as solely responsible for the disaster.


Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A. Vernacchia, MS, PE, Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A. Green, PhD, Active Safety Systems, General Motors, Warren, MI, USA; Robert E. Llaneras, PhD, Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA

Today's electric propulsion system designs (e.g., Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, some failure modes may result in the failure effect on output torque being realized significantly faster than with traditional ICE failure modes. These may present differences in how output torque responses impact potential "Driver Startle" events.

This paper compares electric propulsion systems' fault response characteristics, and the subsequent detection and mitigation capabilities, to those of ICE systems. The effects of the electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle-level hazard metrics related to Driver Startle, are presented.

Wednesday 08/14/13 AM, Clarendon: Public Safety. Chair: Fletcher

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD; Yun Luo; Shuo Tian, MS; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

Scientific precaution and effective control of accidents are important for the national production of China. The famous Heinrich Rule reveals that the statistical law of the severity and frequency of accidents is essential to control accidents, but the accident source and causation, as well as the essence of systematic safety factors, haven't been stated deeply. With data analysis from various accident statistics over recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. A proportion rule of the accident pyramid is then further figured out, namely "Major Accident - Fatal Accidents - General Accidents - Hidden Dangers - Hazards" (1 : 52 : 240 : 4700 : ∞). The result accords with the traditional Heinrich Rule, which provides the theoretical basis for accident prevention and indicates the way and direction of realizing essential safety.

Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity
Ilya M. Zheleznov, PhD, VNIIA, Moscow, Russia

The paper presents a review and the results of an analysis of different technical and economic aspects of industrial safety at a large enterprise with distributed sites, combining R&D work with pilot and batch production of high-tech products, and located in a megacity: Moscow.

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented

Various approaches to optimization are considered from both technical and economic points of view, taking into account the minimization of transportation of dangerous substances; the localization of treatment facilities (waste effluents, gas purification) and waste storehouses; the localization of systems that maintain working conditions (heating, air-conditioning, air cleaning, water supply, etc.); possible harm to the population; and a number of other factors.

The features connected with locating the enterprise in a megacity are identified, including the limited areas available for treatment facilities, a high density of various communications (utility networks) in the area, small distances to residential buildings and city infrastructure objects, transport problems, high pollution of the ambient air, etc.


Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr. Professor G.A. Smirnov, Dr. D.I. Yurkov, D.V. Syagin, T.V. Kozhina, All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia

The paper reviews questions related to the vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including those of a terrorist orientation, as well as to emergency situations of natural and anthropogenic character.

The main provisions of the Russian Government-approved complex program for the safety of the population on transport are presented. Approaches to the organization of examination (screening) of physical persons (passengers), vehicles, cargoes, luggage, and personal belongings at transport infrastructure objects of the undergrounds of Russia are formulated. Some types of neutron and X-ray equipment for the detection of explosives, nuclear materials, and drugs, designed and produced by VNIIA named after N.L. Dukhov, are presented.

Wednesday 08/14/13 AM, Dartmouth: Lifecycle Safety. Chair: Swallom

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore, Singapore

System Safety analyses assess the systems' hazards throughout all phases of the system life cycle. Quite often, the details of maintenance tasks on systems are not clearly thought out and assessed. Hence, while in the midst of carrying out system maintenance tasks, hazards could arise and pose safety implications to users. Improper maintenance could also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance, and sometimes total replacement of the components at regular intervals, is required. Therefore, it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety critical or safety related parts is also crucial in ensuring that the systems remain safe for operation after maintenance has been conducted.

This paper attempts to classify the different types of maintenance and the focus of their respective hazard analyses in order to better address their potential hazards. Generally, there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance, and Reliability-Centered Maintenance. The authors will discuss, with examples, the hazard analysis for each of these types of maintenance.

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram, David Hartfelder, Electronic Controls and Software, General Motors Company, Milford, MI, USA

System safety engineering is the application of special technical methods and managerial processes in a systematic manner to identify, evaluate, and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned with eliminating or minimizing the impact of system hazard(s) to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementary critical safety analyses, tests, and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase and continuing through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that they are able to influence the design of the system. This paper will define a system safety case and provide an overview of its development within the GM system safety engineering process as it applies to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA

Error Prevention Event Collection (EPEC) Documents have been beneficial to the ULA Organization in many ways, by providing multiple methods to augment current ULA Error Prevention Processes and to share Lessons Learned throughout the ULA Organization. EPEC Documents are stand-alone documents that provide ULA Personnel with categorized sets of Event information that can be used to augment Preventive Analysis, Reactive Analysis, and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process. This means that they have completed the Causal Analysis, Corrective Action Board, and Error Prevention Council processes. Upon Event closure, the "All Items" Database is populated with Event information and the applicable Event EPEC Categories. Then the "All Items" Database automatically sorts Event entries into "Category" Databases. There is one "Category" Database for each EPEC Category. Each "Category" Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" Database that provides users with instructions for use, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications, and benefits will continue to be explored as they relate to the EPEC Documents.

Wednesday 08/14/13 AM, Exeter: Human Factors II. Chair: Flint

Development of Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy; Yanyan Wang, DE; Xin Liu; Wei Bai; Xinsheng Guo; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China

Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress has a disadvantageous effect on flight safety. Life events are a routine item of aircraft accident investigation in many countries, and a lot of pilots involved in accidents were suffering from life events. In order to achieve the ideal effect, flight safety education must be incorporated with psychology. An education program combining flight safety and psychological stress was developed by summarizing the psychological factors relevant to aviation risk perception. The program includes three sections: psychological measurement relevant to safety, with feedback of results; education on representative risk scenes in aviation; and occupational stress management. The Aviation Safety Locus of Control scale and the Hazardous Aviation Attitude questionnaire were used to evaluate risk patterns. The results were fed back to the pilots to improve their self-knowledge. Representative risk scenes were based on the five hazardous attitudes theory. Fifteen cases were developed, and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach the pilots stress management skills. The program can be applied to improve flight safety and the mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD; Xin Liu; Wei Bai; Xinsheng Guo; Qingfeng Liu, MPsy; Xiaochao Guo, DPsy; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China

The capabilities of crew resource management (CRM) directly relate to flight safety and run through the whole process of flight tasks, but there are currently still no indicators and methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and the behavioral characteristics of pilots in dynamic CRM were developed based on AC-121-FS-2011-41 (crew resource management training) and by analyzing the influential factors; thus, eventually, the dynamic assessment training indicators and methods of crew resource management were formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis of assessment of CRM during flight training, which is helpful for improving the CRM capabilities of a double drive (two-pilot) system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD; Erin Collins; Hughes Associates, Inc., Baltimore, MD, USA

The fire protection response in selected facilities is characterized by "manual" activities. That is, facility personnel are trained to react immediately after fire detection, not only to announce the fire event throughout the facility using the communication systems but also to suppress the fire as quickly as possible. Contrary to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e., hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper involves an integration of an event tree analysis and HRA, which includes treatment of the following detection and suppression activities: Prompt detection and suppression, Rapid detection and suppression, and Fire brigade suppression.

Wednesday 08/14/13 PM, Berkeley: Safety Topics. Chair: Gauthier

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou, BEng, MSc, PhD, CEng; Matthew Luckcuck; Tim Kelly, PhD; Richard W. Jones, PhD; Department of Computer Science, University of York, York, United Kingdom

There has been an increasing use of IT in healthcare, aiming to improve the quality of healthcare as well as the safety delivered to patients. IT can contribute to meeting the performance targets of hospitals by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent in medical devices (e.g., pacemakers), for which there are organised efforts for international standards. Recently, there have been attempts to systematise and standardise the safety analysis of health IT systems, with examples such as the UK National Health Service standards asking for a safety case showing that any IT systems are safe.


The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety in data-intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these tactics can be used to provide assurance in the final safety case of the system.

How Complex Systems Fail - I: Decomposition of the Failure Histogram
Richard R. Zito, PhD, Richard R. Zito Research LLC, Tucson, AZ, USA

Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that in general the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model, and the failure histograms (failure rate vs. time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report will take the Peterson/Arellano analysis one step further. A unified theory of failure rates will be presented that removes the paradoxes of the simple Rayleigh model. It will be shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function law.

Wednesday 08/14/13 PM, Clarendon: Risk Assessment. Chair: Karedes

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt; Joan Pham, PhD; Sikorsky Aircraft Corporation, Stratford, Connecticut, USA

The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and their interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday 08/15/13 AM, Berkeley: Space Systems. Chair: Durmaz

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X. Dang, BSCE (1); Myles P. Moran, BSME (2); Tyrone Jackson, BSEE (1); (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA

A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. An example: one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202_AFSPCSUP1, 91-217, and 63-101. AF program offices are required to comply with AFI policies; AFIs don't generally apply to the contractor except as implemented through the contract. Often, program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that by having two sets of requirements, AFIs for program offices and MIL-STD-882-Tailored for contractors, full compliance with AF Orbital Safety policy should be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question, "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"


Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G. McDougall, BS Physics, Naval Post-Graduate School (NPS) Master of System Engineering, System Safety Center SMC/SE, El Segundo, CA, USA; Tyrone Jackson, BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA

Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommissioning, and disposal of systems, subsystems, end items, and services during the entire space system lifecycle to support the Operational Safety, Suitability, and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements that are applicable to the acquisition of space systems or space systems of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems, and user equipment systems. SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPCSUP_I, and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process for evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing the tasks and activities required to execute a viable system safety program, which include risk acceptance package development, hazard tracking, mishap risk disposition, and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch, CO, USA

United Launch Alliance launches Atlas V and Delta IV from the Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles. Large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire, and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle, and prelaunch operations, until liftoff. Range Safety regulations provide safety requirements for hardware, software, and operations to ensure safety throughout the ground processing. This paper will examine each stage of the ground processing for space launch and the applicable safety requirements, and discuss how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after the personnel are cleared, using safety critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday 08/15/13 AM, Clarendon: Weapons Safety. Chair: Southwick

Security Critical Software: the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S. Alborzi, PhD, Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA

Today's political landscape, the arbitrary abandonment of non-proliferation of nuclear weapons by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense of system safety. This paper intends to explore this integration and unveil some of the security critical software that can serve as the first line of defense for preserving the safety critical features of our weapons systems.


Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams, BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello, BSChE, Navy NOSSA, Indian Head, MD, USA

The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance provided in the associated AOP-7 and AOP-39 for implementing policy. Questions are often raised during program development and reviews as to the origin and applicability of the tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, will only address Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE; Gunendran Sivapragasam, MBA, SE; Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA

A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among the characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday 08/15/13 AM, Dartmouth: Hazard Identification. Chair: Oliver

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore

We often ask ourselves why accidents or mishaps happen even when the system safety methodology and assessments are in place. Accidents happen due to many possible causes. There could be lapses in the safety integrity of the system, or a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns, in that a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations that were faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practices in system safety. There are 4 areas of concern highlighted in the paper: Interfaces, Prototype Tests & Trials, Maintenance & Disposal, and Human Error. By identifying the gaps in these 4 areas, the author explores and proposes mitigation measures that could possibly close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr. Cand. scient., System Safety, SINTEF, Trondheim, Norway

Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body for certification according to IEC 61508, a Notified Body for certification according to the relevant EU directives, and a Manufacturer.

Experience has shown that, to deliver the product in time and to be cost-effective, it is very important that the Manufacturer and the Certification and Notified Bodies agree about basic principles concerning the plans, contents, traceability, and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Bodies as evidence.

This paper presents the CoVeR method that has been developed by SINTEF to ensure that all applicable requirements are covered The method includes a Certification Plan Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives and a Conformity Evidence Report for conformance to IEC 61508 This ensures a good start that costs are minimized time to markets reduced that the certification process is complete and well documented and that update of the certificates require less work The certification experiences to date show that many of the problems with conventional methods are improved

Design with Safety Eye
Barış Berk Erdem, MS; Pinar Aydin, MS; Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey
Deriving safety requirements in the early stages of the design is one of the most important key factors in conducting a successful development process for any project. Just as well-defined, correct, consistent and complete safety requirements improve and guide the design to perfect levels with minimum effort, defective, inconsistent and incorrect safety requirements may lead to unsuccessful, overweight and over-cost designs. In this paper, ways and advantages of deriving qualified safety requirements in the early stages of the design will be discussed via examples. Safety requirements are derived using the results of the safety assessments, based on the consequences of functional failures. But the quality of safety assessments depends on the maturity of the design, and as the design matures it is hard to change and implement the changes, which causes a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated and familiar with similar projects provides great contributions. Also, a safety perspective throughout the design team makes it easy to derive valuable safety requirements and bring these requirements into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is cooperation of the whole design team with a safety perspective.

Thursday 08·15·13 PM, Berkley: Aerospace Software (Chair: Beecher)

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway, NASA Langley Research Center, Hampton, VA, USA
For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance “for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements.” Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments contained in or implied by the DO-178C guidance that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore, developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper, we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels and Baconian probability. We define use cases for confidence in safety cases, prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for reuse of safety elements.

Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System
Eric Yang, PhD; Richard Y. Xie, PhD; Arash Yousefi, PhD; Metron Aviation, Inc., Dulles, VA, USA
As demand for military, civilian and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety that is set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper, we adapt a previously developed safety modeling framework, the Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS; incompatibility between the sense-and-avoid systems of UAS and the Tactical Collision Avoidance Systems (TCAS) of manned aircraft; loss-link procedures in the UAS; and the UAS loss of communication with air traffic control. The findings of this study provide insight into potential risks of UAS integration and may support development of a concept of operations, establishing minimum performance standards, and developing required safety nets.

Thursday 08·15·13 PM, Clarendon: Public Safety II (Chair: Laabs)

Integrating System Safety and Emergency Management
Terry L. Hardy, Great Circle Analytics, LLC, Denver, CO, USA
System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations, or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience, and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS, HSE, Marine Well Containment Company, Houston, TX, USA
Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess and Statoil. In February 2011, MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS and Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach for working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.

What are your strengths as an engineer? “thinking system-wide”, “providing in-depth analysis of the latest technologies”, “solving real-life problems”

Online Master's Degrees: Reliability Engineering; Project Management; Nuclear Engineering; Sustainable Energy; Energetic Concepts; Fire Protection Engineering

Learn more: www.advancedengineering.edu/issc

A Taxonomic Analysis on Chinese Special Equipments “Yinhuan” in Supervision
Yunxiao Fan, Dr., Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety in the worksite. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices and automobiles. In recent years, the rapid increase in numbers and types of special equipment has brought BSES increasing stress on special equipment regulation. As a government supervision organization, BSES tries to make explicit the inspection tasks of the different supervision levels efficiently and improve safety management performance from the view of risk. This research is the first task in the project, which aims to identify yinhuans in special equipment supervision using a taxonomic approach, for further ranking them through risk assessment. Based on nonconformity and the 4 elements in the accident causation model, this research defined yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. This research identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans across 8 types of special equipment.

Thursday 08·15·13 PM, Dartmouth: Hazard/Risk Management II (Chair: Kniess)

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1); Patrick J. Graydon, PhD (2); Rikard Land, PhD (1). (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method, supported by a framework including analysers, for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach, the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence; it can ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA
United Launch Alliance (ULA) believes error reporting is the cornerstone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012, ULA experienced an elevated number of transportation-related Events in a relatively short time period. Logically, the question “are these processes out of control?” was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if the associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates processes were “in control” during the period of this study.

Even though statistical analysis tools demonstrated ULA's processes were “in control”, ULA continues to pursue a “Zero Defects” objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.

Isograph Software: World Leading Reliability, Availability and Maintenance Software
Reliability Workbench: Reliability Allocation, Prediction, FMECA, Fault Tree Analysis, Event Tree Analysis, Markov
Availability Workbench: Reduce Labor & Spares Costs; Increase uptime and output; Seamless integration with SAP and Maximo
www.isograph-software.com

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, P.Eng., MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece
Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how the STAMP-Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents and incidents. The objective is to show the feasibility of establishing in airports system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems and airports to assess and predict changing levels of risk.

Special Functions

Saturday: SSS Executive Council Meeting, 12:00 - 5:00 pm, Tremont Room

Sunday: SSS Executive Council Meeting, 8:00 am - 5:00 pm, Tremont Room

Monday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room. Opening Ceremonies / General Session, 1:30 - 3:30 am, Salons A-E. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus. Keynote Speaker: James P. Keller, Jr., MS, ECRI Institute.

Tuesday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room. Sponsor/Exhibitor Luncheon, 11:30 am - 1:20 pm, Salons A-E; Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology. Sponsor & Exhibitor Reception, 6:30 - 8:30 pm, Gloucester Room.

Wednesday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room. International Luncheon, 11:30 am - 1:20 pm, Salons A-E; Speaker: Dr. John McDermid, The University of York, UK. Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00 pm; be in the hotel lobby at 6:00 pm.

Thursday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room. Awards Luncheon, 11:30 - 1:20 pm, Salons A-E.

Friday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room. Best Papers Presentations, 8:00 - 11:20 am, Dartmouth Room.

32nd International System Safety Conference, 4-8 August 2014 · St. Louis, MO

St. Louis Union Station Marriott Hotel


Local attractions
• Gateway Arch Riverfront
• Missouri History Museum
• Museum of Transportation
• St. Louis Cardinals
• St. Louis Symphony
• St. Louis Union Station
• St. Louis Science Center
• The Contemporary Art Museum St. Louis
• Bissell Mansion Restaurant and Dinner Theater
• Missouri Botanical Gardens
• Laumeier Sculpture Park
• Anheuser-Busch Brewery
• Kemp Auto Museum
• Schlafly Bottleworks
• Fox Theater
• Purina Farms
• Meramec Caverns
• Laclede's Landing
• City Museum
• Magic House
• Grant's Farm
• St. Louis Zoo
• Delmar Loop
• Forrest Park
• Harrah's
• Six Flags

About the System Safety Society
The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program or activity at the planning phase and continues through the design, production, testing, use and disposal phases.

The Society's Objectives
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070. www.system-safety.org, email: systemsafety@system-safety.org

Points of Contact

Officers
Robert Schmedake, President (robertaschmedakeboeingcom)
Dr. Rod Simmons, Executive Vice President (rodsimmonsmecom)
Dr. Matt Johnson, Executive Secretary (mjohnsonstaudertechcom)
Pam Kniess, Treasurer (pamkniessgmailcom)
Gary Braman, Immediate Past President (gbramansikorskycom)

Directors
Gerry Einarsson, Chapter Services (einargkrogerscom)
Lynece Pfledderer, Conferences (Lynecepfleddererlmcocom)
Dr. Chuck Muniak, Education & Professional Development (cmuniakstevensedu)
Debbie Hale, Gov. & Intersociety (Hale0324hotmailcom)
Robert Fletcher, International Development (rwfletchersympaticoca)
Melissa Emery, Member Services (memeryapt-researchcom)
Steve Mattern, Mentoring R&D (smatternbastiontechnologiescom)
Saralyn Dwyer, Publicity & Media (sdwyerapt-researchcom)


Chapters
Tennessee Valley Chapter, AL: Don Swallom, swallomisss-tvcorg

Saguaro Chapter AZ Amanda Boysun 520-794-5487 AmandaBoysunraytheoncom

Bay Area Chapter CA Graham Murray 408-756-2674 grahamtmurraylmcocom

Central California Chapter CA Kathleen Brenna KathleenBrenna1usafmil

Sierra High Desert Chapter CA Jerry Banister 760-377-4690 safetycitadelearthlinknet

Southern California Chapter CA Francis McDougall 310-653-1309 francismcdougallusafmil

Colorado Chapter Terry Foppe 303-915-8353 terryfoppecomcastnet

Georgia Chapter Terry Gooch 770-494-3527 terryjgoochgmailcom

Winners Circle Chapter KYIN Marc Bever 812-854-1351 Marcbevernavymil

Twin Cities Chapter MN Bill Blake 763-744-5086 billblakeatkcom

New England Chapter Alan E Southwick 401-842-2067 Alan_E_Southwickraytheoncom

Northeast Chapter Scott Beecher scottbeecherPWutccom

New Mexico Chapter NM William (Bill) Harwood williamharwoodmdamil

Houston Chapter TX Derek Robins 281-335-2011 derekrobbinsmwcc-usacom

North Texas Chapter TX Frank Rinaldo 817-762-3075 frankrrinaldolmcocom

Washington DC Chapter Sean Peters seanpetersurscom

Virtual Chapter Doanna Weissgerber 408-289-4407 DoannaWeissgerberbaesystemscom

International Chapters
Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbechtrgbassurancecomau

Canada Chapter Maury Hill 613-220-0533 Mauryhillrogerscom

Israel Chapter Haim Kuper 972-4-8315044 haimkuperelbitsystemscom

Singapore Chapter Ten Lin Mei tlinmeidsoorgsg


31st ISSC Luncheon Menu

Tuesday, August 13
New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14
Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15
Caesar Salad
Ricotta and Manchego Torteloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce
White Chocolate and Blood Orange Torte


Schedule: Tuesday, 13 August
4th Floor, 8:00 - 5:00: Registration. Simmons Room, 6:30 - 8:00: Speakers' Breakfast. Regis Room, 8:00 - 5:00: Presenter Prep.

Rooms: Arlington, Berkley, Clarendon, Dartmouth

8:00 - 8:50
Tutorial: A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique (Leveson, Thomas; 6 hrs)
Hazard/Risk Management (Parizo): Safety is not an Option (Parizo, Daugherty)
Workplace Safety (Kondreck): Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen (Zhang, Batcheller, McQueen)
Open Forum (Fletcher): Developing Global System Safety Perspectives

9:00 - 9:50
National Aerospace Standard 411 Update (Sheehan)
A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources (Fischer, Yankaskas, Page)

10:30 - 11:20
Linear Integrated Safety Analyses (LISA) (Grant, Muhammad)
System Safety Design for Safe Operation of Radars (Bartos)

Sponsor & Exhibitor Luncheon, Salons A-E. Guest Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology. Menu: New England Clam Chowder; Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction; Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit.

1:30 - 2:20
Tutorial (continued)
Software Engineering (Mikula): Dependability Techniques Applied to Space Software - A Research Project Report (Lahoz, Abdala)
Aerospace Safety (Kraemer): Systems-Based Approach to Flight Safety Management in Airlines (Chi, Xu, Qi, Shao)
Software Safety (Schmedake): Safety and/vs. Security: Towards a System Engineering Approach for Trust (Schoitsch)

2:30 - 3:20
The Principles of Software Safety Assurance (Hawkins, Habli, Kelly)
Use of Master Minimum Equipment List (MMEL) To Ensure Safe Dispatch (Durmaz)
Anatomy of a Safety Critical Software Function (Church)

4:00 - 4:50
Formal Modelling in the Development of Dependable Systems (Troubitsyna)
Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics (Campbell)
Software Risk: The Third Rail of Safety Analysis (Hildreth, Elcock)

6:30 - 8:30
Sponsor & Exhibitor Reception, Gloucester Room

Rooms: Exeter, Fairfield, Suffolk, Wellesley

8:00 - 8:50
Workshop: ISO 26262-Style Risk Assessment (Joyce; 3 hrs)
Tutorial: Assurance Cases As Means of Evidence Based Development of Critical Systems (Despotou; 3 hrs)
Tutorial: Practical Generation of Safety Cases With the Help of GSN (Gerstinger, Schedl; 3 hrs)
Committee & Group Meetings

9:00 - 9:50, 10:30 - 11:20: (as above)

1:30 - 2:20
Workshop: Application of System Safety Methods to Systems of Systems (Joyce, Debouk, Vergara; 3 hrs)
Workshop: Advancing Safety By Reducing Errors: A Fresh Approach (Autrey; 3 hrs)
Tutorial: Improving Safety Management by Using a Risk Management Policy in Your Daily Operations (Fitzgerald; 3 hrs)
Committee & Group Meetings (continued)

2:30 - 3:20, 4:00 - 4:50: (as above)

Schedule: Wednesday, 14 August
4th Floor, 8:00 - 5:00: Registration. Simmons Room, 6:30 - 8:00: Speakers' Breakfast. Regis Room, 8:00 - 5:00: Presenter Prep.

Rooms: Arlington, Berkley, Clarendon, Dartmouth

8:00 - 8:50
Human Factors (Robins): ASL – Affective Safety Leadership (Ramsing)
Public Safety (Fletcher): The Study on the Accident Causation Rule of Macroscopic Accidents in China (Zeng, Luo, Tian)
Lifecycle Safety (Swallom): Maintenance Hazard Analysis (Tan)

9:00 - 9:50
Exxon Valdez: Human Error, Plain and Simple (Barondes)
Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity (Zheleznov)
Development of a System Safety Case for Automotive Electric/Electronic Systems (Sundaram, Hartfelder)

10:30 - 11:20
Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems (Vernacchia, Green, Llaneras)
Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation (Smirnov, Yurkov, Syagin, Koshina)
Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes (Laabs, Allison, Russell)

International Luncheon, Salons A-E. Guest Speaker: Dr. John McDermid, The University of York, UK. Menu: Asian Inspired Salad; Teriyaki Chicken, Coconut Rice, Seared Bok Choy; Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce.

1:30 - 2:20
Workshop: The Evolution of the UK Defence Safety Standards (McDermid)
Safety Topics (Gauthier): Introducing Safety Assurance Influenced Design of Health IT Systems (Despotou, Luckcuck, Kelly, Jones)
Risk Assessment (Karedes): Quantitative Risk Assessment in Aviation Safety Risk Management (Hewitt, Pham)
Tutorial: Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System (Behnke, Damstra, Villhauer; 2 hrs)

2:30 - 3:20
How Complex Systems Fail-I: Decomposition of the Failure Histogram (Zito)

4:00 - 4:50

6:00 - 10:00
Wolfgang Puck Dinner and Lightning Show at the Museum of Science

Rooms: Exeter, Fairfield, Suffolk, Wellesley

8:00 - 8:50
Human Factors II (Flint): Development of Education Program Integrating Flight Safety and Psychological Stress (Liu, Wang, Liu, Bai, Guo)
Tutorial: Why You Should Care About the “-Ilities” (Southwick; 3 hrs)
G-48 Meeting (West; 6 hrs)
Committee & Group Meetings

9:00 - 9:50
Research on Evaluation Index and Method of CRM Dynamic Training (Wang, Liu, Bai, Liu, Guo, Guo)

10:30 - 11:20
Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events (Garvey, Joglar, Collins)

1:30 - 2:20
Tutorial: Where Hard Meets SOFT: Human Factors Role In System Safety Engineering (Brisbois; 2 hrs)
Workshop: Aircraft Fire & Explosion – How Safe are the Friendly Skies? (Moussa)
G-48 Meeting (continued)
Tutorial: Using Risk Profiles for Safety Management of Large Scale Operations (Fitzgerald; 3 hrs)

2:30 - 3:20

4:00 - 4:50

Schedule: Thursday, 15 August
4th Floor, 8:00 - 5:00: Registration. Simmons Room, 6:30 - 8:00: Speakers' Breakfast. Regis Room, 8:00 - 5:00: Presenter Prep.

Rooms: Berkley, Clarendon, Dartmouth

8:00 - 8:50
Space Systems (Durmaz): Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy (Dang, Moran, Jackson)
Weapons Safety (Southwick): Security Critical Software — the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age (Alborzi)
Hazard Identification (Oliver): Closing the Gaps in System Safety Coverage (Siow)

9:00 - 9:50
Tailoring of MIL-STD-882E for Space Systems Acquisitions (McDougall, Jackson)
Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics (Adams, Tomasello)
Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods (Myklebust)

10:30 - 11:20
Cryogenic Safety for Space Launch Vehicles During Ground Operations (Iyengar)
A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects (Pham, Sivapragasam)
Design With Safety Eye (Erdem, Aydin)

Awards Luncheon, Salons A-E. Menu: Caesar Salad; Ricotta and Manchego Torteloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce; White Chocolate and Blood Orange Torte.

1:30 - 2:20
Aerospace Software (Beecher): Making the Implicit Explicit: Towards an Assurance Case for DO-178C (Holloway)
Public Safety II (Laabs): Integrating System Safety and Emergency Management (Hardy)
Hazard/Risk Management II (Kniess): Towards Automatic Verification of Safety Properties in AADL System Models (Björnander, Graydon, Land)

2:30 - 3:20
Uncertainty and Confidence in Safety Logic (Graydon)
Safety in Deepwater Well Containment Operations (Robins)
Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events (Allison, Jerdak)

4:00 - 4:50
Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System (Yang, Xie, Yousefi)
A Taxonomic Analysis On Chinese Special Equipments “Yinhuan” in Supervision (Fan, Luo, Lu)
Leading Indicators in Aviation Operations (Fletcher, Dokas)

Rooms: Exeter, Fairfield, Suffolk, Wellesley

8:00 - 8:50
Tutorial: Conceive of Modeling On Operation Mechanism of Public Safety Standardization (Luo, Huang; 6 hrs)
Panel: G-48 Pressing Issues Facing System Safety (West; 3 hrs)
Committee & Group Meetings

9:00 - 9:50, 10:30 - 11:20: (as above)

1:30 - 2:20
Tutorial (continued)
Committee & Group Meetings (continued)

2:30 - 3:20, 4:00 - 4:50: (as above)

Friday, 16 August
Simmons Room, 6:30 - 8:00: Speakers' Breakfast

Rooms: Clarendon, Dartmouth, Regis

8:00 - 8:50
Workshop: Process Safety Culture Best Practices (Pearlman; 2 hrs)
Best Paper 1
Lessons Learned & ISSC Staff Turn-over Meeting

8:50 - 9:30
Best Paper 2

10:00 - 10:40

10:50 - 11:30

3, 2, 1, Safety. System safety is paramount. It impacts our products, employees, technicians and maintenance personnel. And safety is no accident – it is designed into everything we do. We are proud to sponsor this year's International System Safety Conference and their mission to think outside the box when it comes to the best processes, methods and techniques. We're committed to delivering innovative ideas and solutions that help connect, protect and explore our universe.

www.lockheedmartin.com/ssc

© 2012 Lockheed Martin Corporation

Tutorials
The conference organizers have an information-packed tutorial program planned in conjunction with the 31st ISSC. Attending tutorials, as well as other elements of the Technical Program at the 31st ISSC, meets the requirements for Continuance of Certification credit through the Board of Certified Safety Professionals (BCSP). The University of Cincinnati will issue Continuing Education Units (CEUs) for participation in the conference tutorials. CEUs are issued on the basis of 0.1 CEU per instructional contact hour. You must be present for at least 90% of the tutorial to receive CEUs and a tutorial completion certificate. Your attendance is verified via the process outlined below.

• At the start of the tutorial, you'll clearly print your name in the attendance form exactly as you want it to appear on the certificate.
• After returning from each break during the tutorial (morning, lunch and/or afternoon), you'll initial the attendance form.
• You must be present at the end of the tutorial to receive your certificate and the CEUs.

If there are misspellings on the CEU certificates, please mark the corrections and give them back to the instructor or leave them at the registration desk.

Monday 08·12·13, 8:00-11:30, Exeter, Tutorial, 0.3 CEU

Hands-On System Safety Basics Focused on FHA
Instructors: Werner Winkelbauer, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria
An overview of a generic safety process best suited for small to medium sized projects, in relation to the project lifecycle, is given. For each major project phase, the respective safety process phase, safety objectives, and necessary inputs and outputs are detailed. Some state-of-the-art analysis techniques are explained. Special emphasis is placed on the Functional Hazard Assessment, where practical guidance for a Functional Failure Modes and Effects Analysis is presented.

The content of this tutorial is based on experience from an internationally operating company.

Objective: Basic understanding of a safety process and the practical implementation of a Functional Failure Modes and Effects Analysis.

Monday 08·12·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Introduction to Fault Tree Analysis Using CAFTA Software
Instructor: Jean Francois Roy, Nuclear Division/Risk & Safety Management Group, Electric Power Research Institute, Palo Alto, CA, USA
This tutorial will introduce Fault Tree Analysis using CAFTA Software. Attendees will first review fault tree methodology and terminology. Construction of a fault tree model in CAFTA will then follow a brief review of CAFTA's components and symbol types. In constructing the Fault Tree model, topics covered will include projects, navigation, editing shortcuts and how to add probabilities. An overview of basic event probability formulas, type codes and variables will be included, as well as printing and quantification processes.

Tuesday 08·13·13, 8:00-5:00, Arlington, Tutorial, 0.6 CEU

A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique
Instructors: Nancy G. Leveson, PhD, John Thomas, PhD, Aeronautics and Astronautics, MIT (Massachusetts Institute of Technology), Cambridge, MA, USA
STAMP is a new accident causality model that expands on the old models in order to handle the increased complexity, software, and changing human roles in today's systems. Using STAMP as a foundation, new tools have been built for hazard analysis (STPA), accident analysis (CAST), organizational risk analysis and risk management, etc. This tutorial will concentrate on STPA. The tutorial will start with a brief introduction to STAMP and the systems approach to safety engineering. The rest of the time will be devoted to learning STPA and doing exercises. Students are encouraged to bring problems from their own research domains so that they can try this analysis method on something very relevant to their work.

STPA is being used successfully in almost every industry. Several groups have evaluated STPA empirically by comparing the results with standard hazard analysis techniques. In all cases, STPA found all the hazard scenarios found by the other methods, but also found additional ones involving software, human errors, and unsafe interactions among system components. In a couple of cases where STPA and the other methods were applied to a design in which an accident had occurred (without telling the analysts), STPA was the only method that found the real accident scenario.

By the end of the tutorial, attendees will be able to apply STPA to a system in their field of expertise.

Tuesday 08·13·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Assurance Cases as a Means of Evidence-Based Development of Critical Systems
Instructor: George Despotou, BEng, MSc, PhD, CEng, Department of Computer Science, University of York, York, United Kingdom
Often developers have the onus to defend a position (i.e. make a case) about the safety of their system. This usually involves an explanation of how the available information for a system supports the claim that risks in the system have been acceptably managed.

Safety cases have been used in the safety domain for a number of years, mostly in the defence, aerospace and energy domains. Their usefulness as a tool for improving safety has been appreciated by many practitioners, and development of a safety case is a requirement in many standards. This has resulted in the core concepts of safety cases being transferred to other domains (e.g. automotive) and focused on other system attributes (e.g. security cases). Recently the term assurance case has been introduced, which encompasses not only safety but other relevant critical aspects of a system, such as security.

A case exists to communicate an argument. It is used to demonstrate how someone can reasonably conclude that a system is acceptably safe from the evidence available. A case is a device for communicating ideas and information, usually to a third party (e.g. a regulator). In order to do this convincingly, it must be as clear as possible. Safety case definitions may differ between domains, but all definitions converge on a set of characteristics.

Development of a (safety) case is a requirement in many standards. However, the usefulness of the safety case has also been appreciated in industry, and it is used by many organisations as good practice. The reason for this is that explicitly capturing all reasoning and information about the supported position, such as assumptions and evidence, facilitates assessing the fitness of the design to meet its (safety) objectives. A manufacturer will design a system aiming to achieve the required operational attributes. However, what is intended is often not what is achieved. Once the reasoning of the developers is explicitly documented as claims and argument supported by evidence, the gap between what was intended and what was achieved becomes more apparent.

Explicitly documenting a case will contribute towards a factual representation of the system, revealing which claims can be supported by evidence and which remain intention (for example because there is insufficient evidence to support them). This does not necessarily imply that the latter claims have not been implemented, but that we are unaware of their achievement, as they are not sufficiently supported. There can be three reasons why a claim is not sufficiently supported: a) there is insufficient evidence to warrant the claim; b) although there is evidence, there is inadequate explanation (a problematic argument structure) of how the evidence supports the claim; and c) the claim was phrased in a way that is unsupportable.

The tutorial describes the basic concepts of assurance and safety cases (including recent OMG standards), explains the main challenges in developing an assurance case and their relationship to safety standards (safety cases and standards serve different purposes and should be seen as complementary), and presents best practice (and misconceptions) regarding assurance cases.

Tuesday 08·13·13, 8:00-11:30, Suffolk, Tutorial, 0.3 CEU

Practical Generation of Safety Cases with the Help of GSN
Instructors: Andreas Gerstinger, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria
This tutorial will introduce you to the concept of safety cases. Safety cases are structured arguments that support the claim that a system is safe to be used for a given application in a given environment. Several standards require the production of such safety cases as a prerequisite for approval. The tutorial will highlight good and bad practices when developing safety cases and will introduce you to a notation specifically developed for the generation of safety cases: the Goal Structuring Notation (GSN). There will be practical examples which need to be solved by the attendees, so that hands-on practice and experience is gained.

Detailed outline of the tutorial:

Introduction (1h): The tutorial will start with a survey of current safety standards (IEC 61508, ISO 26262, EN 50128, DO-178C) and analyse their views and requirements regarding safety cases. We will then delve into the nature of safety cases, briefly touch on their historical origins, and clearly consider what can and what can't be expected from a safety case. Based on our practical experience, we will also highlight some typical bad practices when constructing safety cases. This helps to correctly and critically read them and is also a helpful guideline for reviewing other safety documentation. This part of the tutorial is largely a presentation.

Goal Structuring Notation (45 min): We will then introduce the main elements of the Goal Structuring Notation (GSN), which is a helpful tool to document safety cases. The presentation of the notation will be interleaved with brief examples, exercises and questions, so that attendees have the chance to fully understand the meaning and purpose of the various symbols. A structured method for how to proceed when drafting safety cases will also be presented. Hence this part of the tutorial is much more interactive, requiring active participation of attendees.

Case Study (45 min): A realistic case study will then be handed out. It is expected to be solved as group work (groups of 3-5 people are expected). The task of the groups will be to draft and present a sound safety argument for a given claim that the system in the case study is acceptably safe for a specific application in a given environment. GSN shall be used as the notation for this purpose. At the end, the groups present their solutions, and the advantages/disadvantages of the presented solutions are discussed. This part of the tutorial is group work.

Concluding Remarks (30 min): Finally, we will offer some concluding remarks consisting of hints on how to avoid common errors and fallacies in safety cases, show some examples of real-world safety cases, and finish with a personal conclusion.

Tuesday 08·13·13, 1:30-5:00, Suffolk, Tutorial, 0.3 CEU

Improving Safety Management by Using a Risk Management Policy in Your Daily Operations
Instructor: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA
The focus of the tutorial is the use of risk assessment and risk management in the (non-technical) occupational safety and health profession. Domain of Interest: Hazard/Risk Management or Workplace Safety.

First hour: Review the basics of the various components of risk and types of risk assessments. Stress that the safety and health professional needs to understand that risk is more than a simple subjective measure of severity and frequency.

Second hour: Demonstrate how to make risk assessment into a powerful management tool by customizing the assessment of risk for use in a company/industry. Also provide insights on how to "sell" a risk management policy/program within a company.

Third hour: A discussion of how to use risk management as a tool to aid you in your daily office or program management responsibilities: the planning, organizing, staffing, leading and controlling of a safety program. Embedded in the discussion is how risk can provide a measure of the success of an occupational safety and health program.

Wednesday 08·14·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Why You Should Care About the "-Ilities"
Instructor: Alan E. Southwick, BSEE, MME, MBA, CSP, CQE, CRE, Whole Life Engineering Directorate, Raytheon Company Integrated Defense Systems, Portsmouth, RI, USA
The topic addresses the interrelationships developed from Quality, Quality Control and Quality Engineering, pursuing Specialty Engineering roles and relationships, including Reliability, Maintainability, Supportability, Human Factors, Safety and Security (Information Assurance), from an overview perspective. The tutorial is designed to be somewhat interactive, presenting examples and questions to the audience related to the various topics discussed, thereby engaging participants and providing them with insights into the various disciplines and how they relate within "Specialty Engineering".

Wednesday 08·14·13, 1:30-3:30, Dartmouth, Tutorial, 0.2 CEU

Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System
Instructors: Tim R. Behnke, BSEE, John Damstra, BS Mathematical Sciences, and Eric D. Villhauer, BS Aerospace Eng, BA Economics, Specialty Engineering, General Atomics Aeronautical, Poway, CA, USA
The presenters share their implementation of a hazard analysis that integrates the civil aviation approach to safety analysis per SAE ARP 4761 and the defense approach to safety analysis per MIL-STD-882E, along with their implementation of the associated hazard tracking system in DOORS.

• Introductions - Behnke - 5 mins
• Need for System - Behnke - 5 mins
• Groundwork (historical) - Behnke - 10 mins
• Development - Damstra - 30 mins
  i. Modules
  ii. Attributes
  iii. DXLs
  iv. Views
  v. Exports
• Usage - Villhauer - 30 mins
• Questions - All - 10 mins


Wednesday 08·14·13, 1:30-3:30, Exeter, Tutorial, 0.2 CEU

Where Hard Meets SOFT: Human Factors' Role in System Safety Engineering
Instructor: Fred W. Brisbois, CHCM, Safety, Sikorsky Aircraft, International Helicopter Safety Team, Guilford, CT, USA
The gap that allows accidents to happen is sometimes where System Safety Engineering and Human Factors don't overlap. System Safety Engineering processes defined in MIL-STD-882 and ARP 4761 provide a structured approach of applying engineering practices to ensure safety is designed into products. These practices, coupled with robust product safety surveillance and management during the aircraft's service life, offer opportunities to continuously raise the standards for future designs. However, to maximize the benefits of safety engineering, it is important to master the 'art' of how and when to integrate human factor interventions into the system design. This session will cover a generic overview of system safety engineering, aircraft fleet safety management, and lessons learned from 'human' malfunctions that led to aircraft system design changes.

Wednesday 08·14·13, 1:30-5:00, Wellesley, Tutorial, 0.3 CEU

Using Risk Profiles for Safety Management of Large Scale Operations
Instructor: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA
This tutorial provides safety and health professionals who work with large scale or multiple operations with a methodology to evaluate and compare these operations. The tutorial begins with a review of four types of risk which need to be assessed (People, Product, Production and Planet). This is followed by a brief discussion of normalizing the risk components of severity and probability. The heart of the tutorial is the description of how to measure the total risk of various operations, processes and facilities, and present the resulting risk profiles to management. The tutorial will conclude with a brief discussion on the validity of the methodology used. Note: This is not a discussion on how to determine true total risk, but a simplified method using a minimum of math. The tutorial is designed for safety and health professionals working within a company that has multiple processes or facilities that compete for funding to ameliorate hazards.

Thursday 08·15·13, 8:00-5:00, Exeter, Tutorial, 0.6 CEU

Conceive of Modeling On Operation Mechanism of Public Safety Standardization
Instructors: Yun Luo and Yuecheng Huang, ME, School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
On the basis of theories and methods of system science and strategy-system, this paper revealed the operating law of standardization of safety production and the relations between all its elements, combined with the background and current situation of public safety standardization in China. It also built the frame of a macroscopic operating mechanism and the "456" model of the work safety standardization system operation mechanism, which borrowed its ideas from the execution and achievements of work safety standardization in our country. Besides, it also designed six other mechanism models in order to perform systematic analysis and present optimized countermeasures, such as comprehensive management by government, categorized supervision by department, implementation of responsibility by organization, technological service by agency, wide participation by society, self-disciplined prodding by all personnel, and so on. The research provided some theoretical directions, as well as approaches, for the construction and improvement of the operational quality of public safety standardization.

PANEL DISCUSSIONS / FORUMS

Tuesday 08·13·13, 8:00-11:30, Dartmouth, Open Forum

Developing Global System Safety Perspectives
Moderator: Robert Ward Fletcher, PEng, MSc, PMP, PCIP, Consultant, President, Robert Fletcher System Safety Inc., Ottawa, Ontario, Canada
This will be a free form discussion moderated by Bob Fletcher, SSS Director of International Development. It is a continuation of the discussion started during the 30th ISSC.

Robert is a system safety engineer with many years of experience. He has performed system safety consultancy services work for several clients around the world. He has performed system safety engineering and safety management systems training, auditing and analysis for air traffic control and flight service system applications. Robert has received an MSc from the United States Navy Post Graduate School, a diploma from the Aerospace Systems School, Winnipeg, Manitoba, and a Bachelor of Science degree from the Royal Military College. He is a registered professional engineer, a member of the Project Management Institute and the Critical Infrastructure Institute.

Thursday 08·15·13, 8:00-11:30, Suffolk, Panel

G-48 Workshop - Pressing Issues Facing System Safety
Moderator: David B. West, CSP, PE, CHMM, Systems, Software and Solutions Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
A panel of speakers (TBD) will give a series of presentations on the most pressing issues facing the System Safety community today.

WORKSHOPS

Tuesday 08·13·13, 8:00-11:30, Exeter, Workshop

ISO 26262-Style Risk Assessment
Presenter: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada
ISO 26262 is a functional safety standard for electronic control systems in road vehicles which includes a novel approach to risk assessment that overcomes the widely recognized difficulty of evaluating the likelihood of failure in the case of software-intensive systems. Although it was devised for use in the automotive domain, this approach to risk assessment has been used successfully in other technical domains that also rely on safety-critical software. Following a brief introduction to ISO 26262, participants will engage in a series of problem-solving small-group exercises based on examples taken from a variety of technical domains, including automotive, medical devices, energy and defense. The workshop will include opportunities for discussion and comparison of sample solutions. The workshop will also include a brief comparison of the ISO 26262 approach to risk assessment with the notion of software criticality in MIL-STD-882E. While this workshop will be of particular interest to system safety engineers in the automotive industry, it is intended to be relevant to system safety engineers across all technical domains with an interest in the assessment of safety risk associated with complex software-intensive systems.


Tuesday 08·13·13, 1:30-5:00, Exeter, Workshop

Application of System Safety Methods to Systems of Systems
Presenters: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada; Rami Debouk, Electrical and Controls Integration Lab, General Motors, Warren, MI, USA; Antonio Vergara, ITER Organization, St Paul-lez-Durance, France
This workshop will facilitate an exchange of knowledge among participants about the application of system safety methods to Systems of Systems (SoS), that is, systems whose components are themselves complex systems, such that the combined behavior of these components cannot be easily understood or explained in terms of the behaviors of the individual components. Examples of such systems are increasingly common across a variety of technological domains, including aerospace, defense, automotive and energy generation/distribution. Traditional methods of system safety, focused on component failure as a source of safety risk, have limited value in understanding and managing the safety risks associated with a SoS. For example, an unforeseen interaction between two "correct" behaviors implemented by different components of a SoS may result in an unsafe behavior even in the absence of a component failure. The first part of the workshop will be a series of short presentations on SoS examples from a diverse variety of technical domains, namely advanced road vehicles, high energy physics and aerospace/defense. The second part of the workshop will be an opportunity for all participants to address specific questions about the application of system safety methods to SoS through dialogue and impromptu mini-presentations.

Tuesday 08·13·13, 1:30-5:00, Fairfield, Workshop

Advancing Safety By Reducing Errors: A Fresh Approach
Presenter: Tim Autrey, BSc, Error Reduction and Human Performance Enhancement, Practicing Perfection Institute Inc., Swanzey, NH, USA
Potential hazards workers face while working in the refining and petrochemical industry can vary from minor leakage to major blasts; releases of chemical vapors; spills leading to exposure to harmful gaseous chemicals; fires and explosions; and smoke build-up causing shelter-in-place, impacting the local community, personal injuries, fatalities and plant damage resulting in shutdowns. Considering time pressures, the dangerous nature of the job, weather conditions, lack of communication, poor/inadequate documentation and remote working locations, planners, locators and refiners often face combined challenges that generate very error-likely conditions.

While unexpected releases of toxic substances do occur, the industry is subject to vulnerabilities caused by others (such as processes involving highly hazardous chemicals leading to the release of flammable liquids and gases, and worker stress and fatigue), and investigations reveal that many of the major accidents that do occur could have been prevented through greater diligence on behalf of the respective personnel involved.

This workshop is designed to provide the participants the awareness that, as humans, we are fallible (even the best people make mistakes). However, this being said, as humans we also possess the incredible power of choice. What we must do is choose to learn from our mistakes and take actions to prevent their recurrence.

Bird and Germain (1996) rightly said: "What is the sense of measuring if the loss must occur before you can act? That is reaction, not control." What we need is a fresh approach to enhance safe work practices. This session will instill a strong understanding of "The Gap" in processing information and how to RESPOND rather than REACT when posed with a stressful or threatening situation. The participants will come to recognize the value inherent in worker contribution to solving problems and improving safety and efficiency.

The Practicing Perfection® approach has taken the best-of-the-best tactics and tools from the US commercial nuclear power and airline industries, simplified them, and combined them with underlying triggers and influencers of behavioral psychology to transform worker behaviors pertaining to personal and process safety in different sectors.

Using this innovative approach of Practicing Perfection®, safe work practices will be discussed in depth using the four human error barrier/defense categories and how these work together to prevent/allow an event to occur. The participants will be introduced to the Error Elimination Tools™ handbook, which offers simple tools for minimizing the potential for error at points of team interaction and individual execution.

Wednesday 08·14·13, 1:30-3:30, Arlington, Workshop

The Evolution of the UK Defence Safety Standards
John McDermid, Professor of Software Engineering at the University of York, UK
Issue 5 of DS 00-56 is being developed and is likely to be in force before the end of the year. The UK's primary defence safety standard, DS 00-56, has been in existence since mid-1990 and has undergone a number of changes, becoming more goal oriented at Issue 4 (the current standard). When Issue 4 was produced, DS 00-55, the MoD software safety standard, was discontinued. Since the publication of DS 00-56 Issue 4 in 2007, there has been feedback on some of the requirements, including the challenges of applying the ALARP principle; defence contracting has changed, with a move towards the greater procurement of services and/or outsourcing management of facilities; and there is increasing use of Systems of Systems (SoS). Issue 5 of DS 00-56 is being developed to address these issues. At the same time, there have been increasing concerns regarding software safety, and it has been decided to re-introduce DS 00-55 at the same time, albeit in a goal-based style consistent with DS 00-56 and also covering complex electronics. The tutorial will present an explanation of the motivation for the changes to the standards and the significant conceptual changes, and outline the rest of the development process. Time will be allowed for discussion, e.g. the relationship between DS 00-56 and other standards, both civil and military.

Wednesday 08·14·13, 1:30-3:30, Fairfield, Workshop

Aircraft Fire & Explosion – How Safe Are the Friendly Skies?
Albert Moussa, PhD, PE
While commercial air travel is an extremely safe mode of transportation, aircraft fires and explosions can occasionally occur with catastrophic consequences. Using examples of recent accidents and full-scale testing, Dr. Albert Moussa will provide an overview of the main types of fires, such as those involving aircraft engine, fuel tank, cabin and cargo areas. He will show how major accidents lead to safety recommendations by the NTSB, stricter requirements by the FAA and improved practices by the industry. This process takes many years, leading eventually to safer skies. Examples of safety improvements include the use of a fire blocking layer in seats, improved acoustic insulation, fire detection and suppression systems in cargo bays, and fuel tank inerting. The implications of replacing aluminum with composite materials will also be discussed. The talk is an overview of a unique professional course that he teaches annually on the design of aircraft systems for protection against fire and explosion. The talk is a multi-media presentation illustrated with colorful slides and short video clips of real accidents and computer model outputs.

Dr. Albert Moussa has spent over forty years developing a fundamental understanding of fire and explosion, particularly for the aerospace/defense industry. His work has led to the development of a number of practical solutions and quantitative models, and to the investigation of several major national and international aircraft fire accidents. His forewarning about the vulnerability of aircraft fuel systems before the occurrence of the TWA800 and Concorde disasters has gained him prominence in the general media in both the US and Europe. He has consulted for the Air Force, Navy and major firms such as Boeing, GE, Northrop Grumman and Parker Hannifin, and has served on national advisory committees and on the Editorial Board of an ASME Journal. He teaches a unique professional design course on how to protect aircraft systems against fire and explosion. He received his BS from Stanford University and his MS and ScD from MIT. He has published widely, including one book. He has received several honors, including the William Littlewood Memorial Lecture Award by SAE/AIAA, Engineer of the Year by AIAA NE Section, best papers by SAE and ASEI, AIAA Distinguished Lecturer, and several ASME citations. He is the Founder and Technical Director of BlazeTech Corp., an engineering firm that specializes in technology and software development in the area of energy, environment and safety.

Friday 08·16·13, 8:00-10:00, Clarendon, Workshop

Process Safety Culture Best Practices
Presenter: Laurence Pearlman, MA, Corven Inc. and University of Illinois at Urbana-Champaign, Naperville, IL, USA
The workshop explores how process safety is more than a technical solution and involves cultural change. To make a successful and sustainable culture change, multiple elements need to be combined that address people, rewards, learning and leadership. This workshop will explore best practices and give practical advice on how to build a process safety culture. The workshop is aimed at oil, chemical and other process-related work.

• Introduction
• Change as a Journey: Overview of Change Management
• Building a Business Case: Defining a Burning Platform
• Speaking of Process Safety: Creating a Common Language for Process Safety
• Leadership Matters: Defining the Role of Your Leadership Teams
• Effective Learning: Segmenting Your Audiences and Delivering Relevant Learning Activities
• Looking at Behaviors and Desired Outcomes: How To Define & Drive Behaviors
• The Employee Lens: Know My Barriers & Know My Role in Keeping Them Healthy
• Measurement of Culture: What Works and What Doesn't
• Wrapping it Up: Change as a System

You have a lot on the line. Our adaptive Safety Management and FAA Compliance solutions won't let you down.

Adaptive SMS: The comprehensive solution for the most efficient implementation

Extends a culture of safety beyond safety teams

Easily guides users to confidentially report useful safety events

Responsiveness shows users they made a difference

Adaptive Systems Safety Analysis: Safety oriented system design analysis

Don't miss the Sikorsky Aircraft and AST Aerospace presentation "Linear Integrated Safety Analysis (LISA)"

A DIVISION OF ATLANTIC SOFTWARE TECHNOLOGIES

1-732-230-2590

sales@astaerospace.com

www.astaerospace.com

PAPER PRESENTATIONS

Monday 08·12·13, AM, Berkeley, Hazard Analysis, Chair: Barondes

Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models
Lucas Wind, Dr. Gabriele Schedl, Juergen Floetzer, Safety Management Department, Frequentis AG, 1100 Vienna, Austria
Multiple failures of components due to shared causes, also known as Common Cause Failures (CCF), comprise an important class of failure types. These have to be taken into account in any serious assessment of safety critical systems deploying any redundancy concept. Whereas a qualitative assessment of CCF can be regarded as common practice, the exact numerical impact of CCF is usually less widely understood. Explicit representation of CCF is quite cumbersome and usually involves complex graphical representations within Fault Trees and RBDs. Focusing on a correct derivation of RAM data rather than on a comprehensive common cause analysis, an implicit representation of CCF is therefore often preferred, but involves in-depth knowledge of the underlying mathematical models. This paper aims to enable safety experts to make a fast, simple but effective RAM analysis including CCF. Popular CCF models are reviewed together with their advantages and disadvantages, based on the long-term experience of a supplier in the context of a large European ATM project. The single-parameter beta-factor model is explained in detail and demonstrated to be most effective for typical ATM applications. Based on this model, results are given in terms of representative figures depicting the influence of CCF on various typical real-world availability requirements.

Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees

Wes Rainey, MSEE; Life Cycle Engineering, General Dynamics Electric Boat, Groton, CT, USA

Fault trees prove to be an effective tool for identifying safety-critical system hardware and software requirements during the Safety Requirements Hazard Analysis (SRHA) process. This safety analysis methodology offers significant benefits when performing the SRHA. Fault trees effectively communicate the safety assessment of a safety hazard to other safety engineers, systems engineers, the customer and other impacted engineering disciplines in a manner that each discipline can readily understand and evaluate for completeness and correctness. Fault trees also enhance the safety engineer's ability to assess the implications of safety mishaps and events on safety hazards, improving visibility into the relationship between related mishaps and events and allowing common events to be identified and shared between hazards. Fault trees can then be structured to correspond to the system hardware and software requirements analysis, thus providing the ability to identify hazard-mitigating safety-critical requirements, design features and procedures early in the development process for continued tracking and management. This paper describes significant benefits of fault tree analysis when applied to an SRHA, with an example based upon a hazard caused by significant equipment damage to a pump.

The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment

Omar T. Jaradat, PhD Student (1); Patrick J. Graydon, Postdoctoral Research Fellow (1); Iain Bate (2). (1) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden; (2) Department of Computer Science, University of York, York, United Kingdom

Typical safety standards require software engineers to show that a plan of safety activities, chosen from recommended options or alternatives, meets a set of objectives. For example, the automotive safety standard ISO 26262 recommends formally verifying software architectures to show that they comply with safety requirements. In this paper we show how an existing approach to architectural model checking could be used to conform to ISO 26262.

The Architecture-Based Verification Technique for AADL Specifications verifies some completeness and consistency properties of Architectural Analysis and Design Language (AADL) models. An engineer transforms the AADL architecture into an UPPAAL model, generates a set of UPPAAL queries and uses UPPAAL to check the queries. Using the resulting evidence, we have created a partial ISO 26262 safety case for an existing system that warns drivers of heavy vehicles before low fuel causes loss of power and vehicle control.

In this paper we demonstrate how this model-checking evidence contributes to an ISO 26262 safety case. We then critically analyze the resulting argument, recommend means of achieving complete coverage of ISO 26262 objectives, and discuss the costs and benefits of architectural model checking in comparison to those of the other techniques recommended by ISO 26262.

Monday, 08·12·13, AM, Clarendon: Ground Transportation (Chair: Millin)

Achieving Confidence of a Safety Critical System Product and Its Applications

Fenggang Shi, PhD; RAMS Department, Thales Canada Transportation Solutions, Toronto, ON, Canada

A safety-critical system product can be developed for multiple project applications, such as a Communication Based Train Control (CBTC) product for modern railway signaling systems. It is natural that different safety-critical systems in the same domain have different characteristics due to variances in devices and operating environment. Such a product must be developed based on the generic attributes of systems in the domain, and must be parameterizable and tailorable to a specific system with the characteristics expected by the customer. The key issues in the development of such a product are defining common functions in the application domain, categorizing and generalizing devices, and designing a configurable system architecture, so that devices and functions can be parameterized and tailored for the specific system of a project. Safety engineering for such a safety-critical system product and its applications faces complexity in safety case development when demonstrating systematic hazard analysis and management. This paper discusses Thales' experience and practice in resolving the key design issues and managing the complexity of safety engineering on its CBTC product and applications. Safety confidence in CBTC systems is achieved through four layers of safety engineering: vital computer controller platform, generic application and specific application.

Failure Logic Automata for Future Oriented Safety Assessment of Train Control System

Guo Zhou, PhD Student; Huibing Zhao, Professor; School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China

In the development process of a train control system, safety analysis may deviate from system design. System engineers and safety engineers always carry out their work in entirely different ways, so that when system engineers assert that their designs are complete and feasible, the safety engineers may declare, to everyone's disappointment, that the safety requirements are not met. Conversely, when safety engineers present their manual analysis reports (FTA, FMECA, etc.), system engineers may point out inconsistencies. Intuitively, there seems to be a "gap" between system engineering and safety engineering. In this paper, some comparisons among classic safety assessment methods are performed first. Then a future-oriented safety assessment method is introduced to safety engineering to automate safety requirements verification in the face of the soaring complexity of system design. The hierarchical and modularized methodology of failure logic modeling is illustrated for minimal cut set synthesis and dangerous failure rate calculation, which can be used to improve safety. A mathematical model is constructed to demonstrate the correctness of the method, and an example analysis of an on-board train protection system is also performed.
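Both this abstract (minimal cut set synthesis from failure logic) and the Rainey abstract in the hazard analysis session (using fault trees to single out the hardware and software requirements that mitigate a hazard) rest on the same computation: expanding a fault tree into its minimal cut sets and reading off which basic events, software events included, appear in them. The following is an added example, not code from either paper; the pump-damage tree, its gate structure and the per-demand probabilities are all constructed for illustration (Rainey's paper uses a pump-damage hazard as its example, but not this tree).

```python
import math
from itertools import product

# Constructed example tree, not the paper's: the top event "PumpDamage" for a
# pump protected by a software low-flow trip and a relief valve. Gates map
# name -> (gate type, children); any name absent from the dict is a basic event.
PUMP_DAMAGE_TREE = {
    "PumpDamage": ("OR", ["DryRun", "Overpressure"]),
    "DryRun": ("AND", ["SuctionValveClosed", "LowFlowTripFails"]),
    "LowFlowTripFails": ("OR", ["FlowSensorFails", "TripLogicSoftwareFails"]),
    "Overpressure": ("AND", ["DischargeBlocked", "ReliefValveStuck"]),
}

# Constructed per-demand probabilities for the basic events.
BASIC_EVENT_PROB = {
    "SuctionValveClosed": 1.0e-2,
    "FlowSensorFails": 1.0e-3,
    "TripLogicSoftwareFails": 1.0e-4,
    "DischargeBlocked": 5.0e-3,
    "ReliefValveStuck": 1.0e-2,
}


def minimize(cut_sets):
    """Drop any cut set that is a superset of another (absorption), so only
    minimal cut sets remain. Returned in a stable order: smallest sets first."""
    unique = set(cut_sets)
    minimal = [s for s in unique if not any(other < s for other in unique)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def minimal_cut_sets(tree, node):
    """Top-down expansion (MOCUS-style): an OR gate contributes the cut sets of
    each child as alternatives; an AND gate combines one cut set from every
    child. Each returned cut set is a frozenset of basic-event names."""
    if node not in tree:                       # basic event
        return [frozenset([node])]
    gate_type, children = tree[node]
    child_sets = [minimal_cut_sets(tree, child) for child in children]
    if gate_type == "OR":
        combined = [cs for sets in child_sets for cs in sets]
    elif gate_type == "AND":
        combined = [frozenset().union(*combo) for combo in product(*child_sets)]
    else:
        raise ValueError(f"unknown gate type {gate_type!r} at {node}")
    return minimize(combined)


def top_event_probability(cut_sets, probabilities):
    """Rare-event approximation: sum over minimal cut sets of the product of
    their basic-event probabilities (an upper bound on the exact value)."""
    return sum(math.prod(probabilities[e] for e in cs) for cs in cut_sets)


def critical_events(cut_sets, event_filter=lambda e: True):
    """Basic events appearing in at least one minimal cut set: the events whose
    mitigations become safety-critical requirements. The optional filter picks
    out a subset, e.g. the software events."""
    return sorted({e for cs in cut_sets for e in cs if event_filter(e)})


if __name__ == "__main__":
    mcs = minimal_cut_sets(PUMP_DAMAGE_TREE, "PumpDamage")
    for cs in mcs:
        print("minimal cut set:", sorted(cs))
    print("P(top event) ~", top_event_probability(mcs, BASIC_EVENT_PROB))
    print("software events in cut sets:", critical_events(mcs, lambda e: "Software" in e))
```

Every software event that survives into a minimal cut set is a candidate Safety Critical Computing Software Function in the sense the software safety session uses later in this program; the cut sets also give the hazard-to-requirement trace both abstracts ask for, since each set names exactly the combination of hardware, software and operator events a requirement must break.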

Are We Ready for Driverless Cars?

David B. West, CSP, PE, CHMM; AMCOM/AMRDEC Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA

For decades, technological advancements have continually improved the automobile, making it easier to drive. As we integrate features like adaptive cruise control, GPS navigation, lane keeping and so on, and make them interoperable, we move ever closer to having cars that will drive themselves to the destinations we enter into their programs. Some experts have even predicted that in less than a generation it will be illegal to steer our cars ourselves. Though it may seem that serious safety challenges constrain our movement down this path, it may actually be the safety benefits offered by driverless cars that propel us in this direction. Several high-profile competitions have fostered the development of driverless car technology. Some jurisdictions are already passing legislation to pave the way for driverless cars on public roads. With driverless cars will come major changes in legal processes involving accidents. In many ways the development of driverless cars that will operate on public roadways parallels the development of unpiloted aircraft that will fly in the national airspace. Design standards for hardware and software in civil aircraft (e.g., RTCA DO-254/DO-178) may serve as models for similar qualification of driverless car hardware and software.

Tuesday, 08·13·13, AM, Berkeley: Hazard/Risk Management (Chair: Parizo)

Safety is not an Option

Clifford A. Parizo, BS, MS; Aviation & Product Safety, Sikorsky Aircraft Corporation, Stratford, CT, USA. R. Brandon Daugherty, BS, MS; Aviation & Product Safety, Sikorsky Aircraft Corporation, Huntsville, AL, USA

This paper presents a method for evaluating and classifying rotorcraft safety-enhancing equipment in terms of its impact on safety and various equipment implementation factors. Guidance from certifying agency policy and system safety standard practice was considered, resulting in a classification tool that can be used to determine whether equipment should be marketed and sold as mandatory or optional. The methodology developed may have applications for other products and industries.

National Aerospace Standard 411 Update

Timothy Sheehan, CIH, CSP, PE; Raytheon Global Substances Program, Raytheon, Portsmouth, RI, USA

This paper describes the effort to review and update National Aerospace Standard 411 ("NAS 411"), commonly used within defense as a framework for conducting Hazardous Material Management Programs (HMMP) intended to reduce hazardous material risks in the government procurement of military systems. The scope of the effort includes both a review of the standard and the introduction of several key changes, including expansion of the scope to non-military procurements and service contracts. Included in the effort is the task of developing a standardized military Hazardous Materials Target List (HMTL) that can be used as a starting point for military HMMP hazardous material (HAZMAT) target lists. The development of the common HMTL addresses the need for greater standardization of HMMP lists across defense programs that use NAS 411 and/or MIL-STD-882E Task 108 to conduct their HMMPs. There is currently no standard approach for developing these lists; as a result, numerous different materials are identified for restrictions and reporting requirements. The current situation often does not support (or reflect) the hazmat risk management goals of the DoD, the military services or the contractors.

Linear Integrated Safety Analyses (LISA)

Michael T. Grant; Aviation & Product Safety, Sikorsky Aircraft Corp., Stratford, CT, USA. Samad Muhammad; Atlantic Software Technologies, Inc., New York, NY, USA

This paper describes the Linear Integrated Safety Analyses (LISA) process developed by the Sikorsky Aircraft Corporation (Sikorsky). The LISA architecture is designed to encompass all aspects of safety risk management for aircraft development programs. It is linear in that each assessment is repeated at the aircraft, system and subsystem levels in sequence, and it is integrated in that all analyses are connected and fully traceable to requirements. Sikorsky has partnered with Atlantic Software Technologies (AST) to develop a web-based LISA application. The end product will be a fully integrated system safety process that is comprehensive, repeatable and traceable.

Tuesday, 08·13·13, AM, Clarendon: Workspace Safety (Chair: Kondreck)

Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chefs' Uniforms Against Thermal Hazards in the Kitchen

Han Zhang, MSc Candidate; Rachel McQueen, MS, PhD; Jane Batcheller, PhD; Human Ecology, University of Alberta, Edmonton, Alberta, Canada

Burn injuries in kitchens are prevalent, and chefs are also exposed to high heat and humidity. Limited research has been performed on safety issues related to chefs' uniforms regarding thermal protective performance against common kitchen thermal hazards (i.e., flames, hot liquids, steam and hot surfaces) and thermal comfort within commercial kitchens. The purpose of this research was to characterize the thermal protective performance properties of textiles used in chefs' uniforms in order to understand how protective they are against all of these thermal hazards in such an environment. Selected thermal performance tests (i.e., flammability and ease of ignition, hot water and oil splash, steam testing under low pressure, and hot surface contact tests) were applied to predict the time to second-degree burn. Different fabric layer combinations (e.g., impermeable/semipermeable apron, and two or more layers of cotton fabric) were tested to determine the most effective way to wear chefs' uniforms. In addition, thermal and water vapour resistance were compared among the different fabric systems in terms of thermal comfort. Based on the data obtained from bench-scale tests, recommendations were made to improve the thermal protection and thermal comfort of fabrics used in chefs' uniforms and the safety of commercial kitchens.

A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources

Ray Fischer (1); Kurt Yankaskas, BS (2); Chris Page (1). (1) Noise Control Engineering, Inc., Billerica, MA, USA; (2) Warfighter Performance Department, Office of Naval Research, Arlington, VA, USA

Noise remains the most prevalent occupational hazard associated with defense systems and the operations critical to their sustainment. Concurrently, acquisition programs have been inconsistent in applying control measures, and many new systems are noisier than their legacy predecessors. Common impediments to improved control include a relative lack of emphasis on risk management of noise, a lack of widespread technical knowledge regarding the feasibility of noise control, and misunderstanding of the potential return on investment from noise controls. The Defense Safety Oversight Council's Acquisition and Technology Task Force sponsored a project to identify common noise sources affecting multiple defense systems that are amenable to control measures implementable with existing technologies at an affordable cost. A systems engineering risk management process was applied to review key noise sources in DOD, identify nine of the more common sources amenable to control technologies, and describe common control measures for these processes. An affordable containment (acoustic enclosure) technology was also evaluated and described. Estimates were made of the exposed populations, the range of their occupational exposures, and the potential risk and fiscal cost of hearing loss. Cost-benefit analyses were applied to evaluate the return on investment from the available control measures.

System Safety Design for Safe Operation of Radars

Ronald J. Bartos, PE, CSP; Whole Life Engineering, Raytheon, Sudbury, MA, USA

Safe operation and maintenance of radars depends upon effective system safety and software safety analyses of radar designs. These analyses include identification of the hazards involved in operating and maintaining radars and of the safety requirements necessary to mitigate those hazards. This paper familiarizes the reader with the system safety design requirements implemented in the controls of these systems in order to manage the safety risks inherent in radars. The safety features are contrasted among different types of radars; the differences in the types of safety features among these systems are highlighted and the factors behind those differences are presented. The radar's mission, location, system architecture, conceptual design and requirements allocation between hardware and software need to be understood in order to implement an effective safety program.

Tuesday, 08·13·13, PM, Berkeley: Software Engineering (Chair: Mikula)

Dependability Techniques Applied to Space Software: A Research Project Report

Carlos Henrique Netto Lahoz, Dr. Eng.; Martha Adriana Dias Abdala, MS; Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos (SP), Brazil

This work reports some results of a research project performed at the Institute of Aeronautics and Space (IAE), Brazil, applying dependability techniques to a space computer system. Hazard analysis techniques such as Software FTA and Software FMECA were used in an integrated manner, and more recently System-Theoretic Process Analysis (STPA) has been studied. This research is part of the Verification and Validation (V&V) effort to increase software dependability capability in software projects at IAE.

The feasibility of this approach was assessed on a system software specification and applied to a case study based on the Brazilian launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to the inclusion of new functional and non-functional system software

The techniques are adjusted and used in combination to identify common causes of software failures, their criticality, performance problems, timing issues, and hazards arising mainly from dysfunctional interactions between components. The SFTA produced 82 basic events and the SFMECA 34 analyses from the sequence of flight and control events. STPA is being applied to one of the case study scenarios in order to evaluate what additional information it yields about how the behavioural safety constraints can be violated.

The Principles of Software Safety Assurance

Richard Hawkins, PhD; Ibrahim Habli, PhD; Tim Kelly, PhD; Department of Computer Science, University of York, York, United Kingdom

We present common principles of software safety assurance that can be observed in software safety standards and best practice. These principles are constant across domains and across projects and can be regarded as the immutable core of any software safety justification. The principles also help maintain understanding of the 'big picture' of software safety issues while examining and negotiating the detail of individual standards, and provide a reference model for cross-sector certification.


Formal Modelling in the Development of Dependable Systems

Elena Troubitsyna, PhD; IT, Åbo Akademi University, Turku, Finland

Nowadays we place increasing reliance on computer-based systems and the software they run. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.

It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing software to the required degree of dependability infeasible, and hence the emphasis should be put on a development process aimed at producing fault-free software. Moreover, the system environment has a direct impact on dependability, and hence a systems approach should be applied.

In the paper we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.

Tuesday, 08·13·13, PM, Clarendon: Aerospace Safety (Chair: Kraemer)

Systems-Based Approach to Flight Safety Management in Airlines

Hong Chi, PhD; Baoguang Xu, PhD; Mingliang Qi, PhD; Xueyan Shao, PhD; Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China

Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of an SMS. Since 2006 we have worked with one of China's three big airlines, taking part in its construction of an SMS. We find that safety risks have their own features in different airline departments, and we divide safety risks into two categories: one caused by factors such as pilot quality and aircraft reliability, the other caused by errors in operational processes; for example, a data-entry error during dispatching may lead to insufficient fuel and then to serious outcomes. A reasonable risk assessment can be obtained only through systematic mechanism analysis, and analytical approaches beyond the risk matrix need to be studied. On this basis, effective risk mitigation can be implemented in airlines. We develop a closed loop to support airline flight safety management, named "Describing-Assessing-Diagnosing-Improving-Tracking". Specific details are discussed in this paper.

Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch

Burak Durmaz, MSc Eng.; Product Assurance Department, Space Systems Group, Turkish Aerospace Industries, Inc. (TAI), Ankara, Turkey

Even though new-generation aircraft have rugged designs that maximize reliability, exposure to failures during operation is still unavoidable. A pure safety approach leads to the classical result that "the safest aircraft is the one in the hangar". Conversely, allowing dispatch without ensuring a certain level of safety can lead to catastrophic results and is not acceptable. The MMEL has been the answer to this dilemma for many years. Each MMEL item is analyzed taking into account the effects of the item's inoperability on safe flight and landing, crew workload, functional capabilities of the systems, design margins, and the impact of the next critical failure. The MMEL proposes dispatch criteria for any inoperative item by taking credit for a redundant unit capable of accomplishing the same function or for backup data provided by alternative sources or equipment, and/or by dictating acceptable limitations and requiring operational or maintenance procedures.

This study aims to answer questions such as why an MMEL is required and how an MMEL is developed. Brief information about the MMEL regulations, the importance of the MMEL in ensuring safe dispatch with inoperative item(s), and some simple examples of MMEL applications are also provided.


Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics

Stuart Campbell, Sr., MAS, CFII, ATP; Aeronautical Science, Embry-Riddle Aeronautical University, Daytona Beach, FL, USA

The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilots Association, 2010). The absence of a positive safety culture in general aviation, including training organizations, affects pilot judgment and decision making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture to the learning process and training, are of importance and are currently under study using the Frasca Mentor Advanced Aviation Training Device.

Tuesday, 08·13·13, PM, Dartmouth: Software Safety (Chair: Schmedake)

Safety and/vs Security: Towards a System Engineering Approach for Trust

Erwin Schoitsch, Dipl.-Ing.; Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria

Safety has a long tradition in many engineering disciplines, evolving long before computers arrived on the scene. Security in engineering disciplines has a shorter history, becoming increasingly important with the rising complexity of networked systems. In complex cyber-physical systems and systems-of-systems, both worlds, having ignored each other for a long time (independent communities, different targets, standards, techniques and measures), now have to share their concerns to achieve the real goal of users and stakeholders: trustworthy systems.

The paper will compare the different approaches of the major safety and security standards, particularly with respect to setting goals, the techniques and measures considered, and qualification/certification. Holistic system aspects, as covered by the notions of Dependability and Resilience as umbrella terms, and systems engineering aspects that take into account the dichotomous properties of complex embedded systems (commonalities and trade-offs) are examined in order to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from concept phase and hazard and risk analysis through to decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC-FP7 Integrated Project OpenCoss, IEC/ISO standardization groups, and other work.

Anatomy of a Safety Critical Software Function

Richard Church; Raytheon Company, Tewksbury, Massachusetts, USA

This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides a clear and concise determination of how a safety-critical function may be defined at the system level, to include hardware, software, human interactions and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose SLSCFs into computing-level functions, details what constitutes a Safety Critical Computing Software Function (SCCSF), and shows how to identify the behavioral attributes that designate a function as safety critical. The paper provides a methodology to identify, decompose and categorize application and operating-environment SCCSFs. For the purpose of this paper, SCCSFs are categorized into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety-critical software functions that control and monitor safety-critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of the safety architectures, common design patterns for software safety functions, defensive coding strategies and fail-safe designs found in successful high-consequence safety-critical systems.

Software Risk: The Third Rail of Safety Analysis

Holly S. Hildreth, PhD, Consultant; Charles "Greg" Elcock, USN-R Aviator, Consultant; San Diego, CA, USA

"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Because of our inability to assess the probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called "throwing the baby out with the bath water". Meanwhile, the recent industry trend of assessing software risk based solely on implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss the shortcomings of this trend and describe alternative techniques that have not been openly documented but that have been used "under the radar" by software safety professionals for many years.

Wednesday, 08·14·13, AM, Berkeley: Human Factors (Chair: Robins)

ASL: Affective Safety Leadership

Ulrik Ramsing; Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark

Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how", demanding that the CoRep engage with all parties in a safe, professional and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged CfL, Centre for Leadership, to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, satisfactory completion of which is now a requirement for employment in DONG E&P Offshore Operations as Company Representative.

The CoRep Program meets its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors, and ILO-driven offshore coaching.

Exxon Valdez: Human Error, Plain and Simple

Arthur D. Barondes, BS (Mil. Engr.), MS (Aero), MBA, PhD (ABD) (Business); Analytics International Corporation (AIC), Alexandria, VA, USA

Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989, and rightfully so; the effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors (there were no mechanical or electrical failures that fateful night), the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots, and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors, onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company, as solely responsible for the disaster.


Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems

Mark A. Vernacchia, MS, PE; Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA. Charles A. Green, PhD; Active Safety Systems, General Motors, Warren, MI, USA. Robert E. Llaneras, PhD; Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA

Today's electric propulsion system designs (e.g., hybrid electric and battery electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, some failure modes may cause their effect on output torque to be realized significantly faster than traditional ICE failure modes. This may change how output torque responses contribute to potential "Driver Startle" events.

This paper compares the fault response characteristics of electric propulsion systems, and the subsequent detection and mitigation capabilities, to those of ICE systems. The effects of the electric propulsion system's output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study that may lead to the development of vehicle-level hazard metrics related to Driver Startle are presented.

Wednesday, 08·14·13, AM, Clarendon: Public Safety (Chair: Fletcher)

The Study on the Accident Causation Rule of Macroscopic Accidents in China

Zhu Zeng, PhD; Yun Luo; Shuo Tian, MS; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

Scientific prevention and effective control of accidents are important for China's national production. The famous Heinrich Rule reveals that the statistical law of the severity and frequency of accidents is essential for controlling accidents, but the sources and causation of accidents, as well as the essence of systematic safety factors, have not been examined in depth. Using data from various accident statistics in China over recent years, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. A proportion rule for the accident pyramid is then derived, namely "Major Accident : Fatal Accidents : General Accidents : Hidden Dangers : Hazards" (1 : 52 : 240 : 4700 : ∞). The result accords with the traditional Heinrich Rule, provides a theoretical basis for accident prevention, and indicates the way and direction toward realizing essential safety.

Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity
Ilya M. Zheleznov, PhD, VNIIA, Moscow, Russia
This paper presents a review and results of analysis of different technical and economic aspects of industrial safety at a large enterprise with distributed sites, combining R&D works with pilot and batch production of high-tech products, and located in a megacity, Moscow.

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to optimization are considered, from both technical and economic points of view, concerning minimization of transportation of dangerous substances; localization of treatment facilities (waste effluents, gas purification) and waste storehouses; localization of systems for maintaining working conditions (heating, air-conditioning, air cleaning, water supply, etc.); possible harm to the population; and a number of other factors.

The features connected with locating the enterprise in a megacity are identified, including limitation of the areas for treatment facilities, high saturation of the area by various communications, small distances to residential buildings and city infrastructure objects, transport problems, high pollution of the air environment, etc.

ProgramISSC2013

39

Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr. Professor G.A. Smirnov, Dr. D.I. Yurkov, D.V. Syagin, T.V. Kozhina; All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia
The paper reviews questions related to vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including those of a terrorist orientation, as well as to emergency situations of natural and anthropogenic character.

Main provisions of the Russian Government-approved complex program of safety of the population on transport are presented. Approaches to the organization of examination of physical persons (passengers), vehicles, cargoes, luggage and personal things at transport infrastructure objects of the undergrounds of Russia are formulated. Some types of neutron and x-ray equipment for detection of explosives, nuclear materials and drugs, designed and produced by VNIIA named after N.L. Duhov, are presented.

Wednesday 08/14/13 AM | Dartmouth | Lifecycle Safety | Chair: Swallom

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore, Singapore
System Safety analyses assess the systems' hazards throughout all phases of the system life cycle. Quite often, details of maintenance tasks on systems were not clearly thought out and assessed. Hence, while in the midst of carrying out system maintenance tasks, hazards could arise and pose safety implications to users. Improper maintenance could also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance and sometimes total replacement of the components at regular intervals are required. Therefore, it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety critical or safety related parts is also crucial in ensuring that the systems remain safe for operation after conducting maintenance.

This paper attempts to classify the different types of maintenance and the focuses of their respective hazard analyses in order to better address their potential hazards. Generally, there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance and Reliability-Centered Maintenance. The authors will discuss, with examples, the hazard analysis for each of these types of maintenance.

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram, David Hartfelder; Electronic Controls and Software, General Motors Company, Milford, MI, USA
System safety engineering is the application of special technical methods and managerial processes in a systematic manner to identify, evaluate and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned with eliminating or minimizing the impact of system hazard(s) to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementary critical safety analyses, tests and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that they are able to influence the design of the system. This paper will define a system safety case and provide an overview of its development within the GM system safety engineering process as it applies to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA
Error Prevention Event Collection (EPEC) Documents have been beneficial to the ULA Organization in many ways, by providing multiple methods to augment current ULA Error Prevention Processes and share Lessons Learned throughout the ULA Organization. EPEC Documents are stand-alone documents that provide ULA Personnel with categorized sets of Event information that can be used to augment Preventive Analysis, Reactive Analysis and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process; this means that they have completed the Causal Analysis, Corrective Action Board and Error Prevention Council processes. Upon Event closure, the "All Items" Database is populated with Event information and the applicable Event EPEC Categories. Then the "All Items" Database automatically sorts Event entries into "Category" Databases; there is one "Category" Database for each EPEC Category. Each "Category" Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" Database that provides users with instructions for use, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications and benefits will continue to be explored as they relate to the EPEC Documents.

Wednesday 08/14/13 AM | Exeter | Human Factors II | Chair: Flint

Development of Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy; Yanyan Wang, DE; Xin Liu; Wei Bai; Xinsheng Guo; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress has a disadvantageous effect on flight safety. Life events are a routine item of aircraft accident investigation in many countries; a lot of pilots involved in accidents were suffering from life events. In order to acquire the ideal effect, flight safety education must be incorporated with psychology. An education program combining flight safety and psychological stress was developed by summarizing the psychological factors related to aviation risk perception. The program includes three sections: psychological measurement related to safety and results feedback; education on representative risk scenes in aviation; and occupational stress management. The Aviation Safety Locus of Control scale and the Hazardous Aviation Attitude questionnaire were used to evaluate risk patterns. The results were fed back to pilots to improve their self-knowledge. Representative risk scenes were based on the five hazardous attitudes theory; fifteen cases were developed and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach the pilots stress management skills. The program can be applied to improve the flight safety and mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD; Xin Liu; Wei Bai; Xinsheng Guo; Qingfeng Liu, MPsy; Xiaochao Guo, DPsy; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
The capabilities of crew resource management (CRM) directly relate to flight safety and run through the whole process of flight tasks, but there are currently still no indicators and methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and the pilot's behavior characteristics of dynamic CRM were developed based on AC-121-FS-2011-41 crew resource management training and by analyzing the influential factors; thus, eventually, the dynamic assessment training indicators and methods of crew resource management were formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis of assessment of CRM during flight training, which is helpful to improve the CRM capabilities of the double drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD; Erin Collins; Hughes Associates, Inc., Baltimore, MD, USA
The fire protection response in selected facilities is characterized by "manual" activities. That is, facility personnel are trained to immediately react after fire detection, not only to announce the fire event throughout the facility using the communication systems, but also to suppress the fire as quickly as possible. Contrary to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e., hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper involves an integration of an event tree analysis and HRA, which includes treatment of the following detection and suppression activities: Prompt detection and suppression, Rapid detection and suppression, and Fire brigade suppression.

Wednesday 08/14/13 PM | Berkeley | Safety Topics | Chair: Gauthier

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou, BEng, MSc, PhD, CEng; Matthew Luckcuck; Tim Kelly, PhD; Richard W. Jones, PhD; Department of Computer Science, University of York, York, United Kingdom
There has been an increasing use of IT in healthcare, aiming to improve the quality of healthcare as well as the safety delivered to patients. IT can contribute to improvement in meeting the performance targets of hospitals by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent in medical devices (e.g., pacemakers), for which there are organised efforts for international standards. Recently there have been attempts to systematise and standardise the safety analysis of health IT systems, with examples such as the UK National Health Service standards asking for a safety case that any IT systems are safe.

The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety and data-intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these (tactics) can be used to provide assurance to the final safety case of the system.

How Complex Systems Fail I: Decomposition of the Failure Histogram
Richard R. Zito, PhD, Richard R. Zito Research LLC, Tucson, AZ, USA
Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that in general the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model, and the failure histograms (failure rate vs. time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report will take the Peterson/Arellano analysis one step further. A unified theory of failure rates will be presented that removes the paradoxes of the simple Rayleigh model. It will be shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function law.

Wednesday 08/14/13 PM | Clarendon | Risk Assessment | Chair: Karedes

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt; Joan Pham, PhD; Sikorsky Aircraft Corporation, Stratford, Connecticut, USA
The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday 08/15/13 AM | Berkeley | Space Systems | Chair: Durmaz

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X. Dang, BSCE (1); Myles P. Moran, BSME (2); Tyrone Jackson, BSEE (1); (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA
A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. An example: one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 AFSPCSUP1, 91-217 and 63-101. AF program offices are required to comply with AFI policies. AFIs don't generally apply to the contractor except as implemented through the contract. Often, program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that by having two sets of requirements, AFIs for program offices and MIL-STD-882-Tailored for contractors, full compliance with AF Orbital Safety policy should be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"


Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G. McDougall, BS Physics, Naval Post-Graduate School (NPS) Master System Engineering, System Safety Center, SMC/SE, El Segundo, CA, USA; Tyrone Jackson, BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA
Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommission and disposal of systems, subsystems, end items and services during the entire space system lifecycle to support Operational Safety, Suitability and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements that are applicable to the acquisition of space systems or space systems of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems and user equipment systems. SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP_I and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process of evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing tasks and activities required to execute a viable system safety program that include risk acceptance package development, hazard tracking, mishap risk disposition and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch, CO, USA
United Launch Alliance launches Atlas V and Delta IV from Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles. Large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle and prelaunch operations, until liftoff. Range Safety regulations provide safety requirements for hardware, software and operations to ensure safety throughout the ground processing. This paper will examine each stage of the ground processing for space launch and the applicable safety requirements, and discuss how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after the personnel are cleared, using safety critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday 08/15/13 AM | Clarendon | Weapons Safety | Chair: Southwick

Security Critical Software — the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S. Alborzi, PhD, Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA
Today's political landscape, the arbitrary abandonment of non-proliferation of nuclear weapons by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense of system safety. This paper intends to explore this integration and unveil some of the security critical software that can serve as the first line of defense for preserving the safety critical features of our weapons systems.

Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams, BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello, BSChE, Navy NOSSA, Indian Head, MD, USA
The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance provided in the associated AOP-7 and AOP-39 for implementing policy. Questions are often raised during program development and reviews as to the origin and applicability of tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, will only address Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE; Gunendran Sivapragasam, MBA, SE; Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA
A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among those characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork, with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday 08/15/13 AM | Dartmouth | Hazard Identification | Chair: Oliver

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore
We often asked ourselves why accidents or mishaps happened even when the system safety methodology and assessments were in place. Accidents happened due to many possible causes. There could be lapses in the safety integrity of the system, or a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns, such that a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations that were faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practices in system safety. There are 4 areas of concern highlighted in the paper: Interfaces, Prototype Tests & Trials, Maintenance & Disposal, and Human Error. By identifying the gaps in these 4 areas, the author explores and proposes mitigation measures that could possibly close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr., Cand. scient., System Safety, SINTEF, Trondheim, Norway
Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body for certification according to IEC 61508, a Notified Body for certification according to relevant EU directives, and a Manufacturer.

Experience has shown that, to deliver the product in time and to be cost-effective, it is very important that the Manufacturer and the Certification and Notified Bodies agree about basic principles concerning the plans, contents, traceability and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Body as evidence.

This paper presents the CoVeR method that has been developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, that costs are minimized, that time to market is reduced, that the certification process is complete and well documented, and that updates of the certificates require less work. The certification experiences to date show that many of the problems with conventional methods are improved.

Design with Safety Eye
Barış Berk Erdem, MS; Pinar Aydin, MS; Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey
Deriving safety requirements in the early stages of the design is one of the most important key factors in conducting a successful development process for any project. Just as well-defined, correct, consistent and complete safety requirements improve and guide the design to perfect levels with minimum effort, defective, inconsistent and incorrect safety requirements may lead to unsuccessful, overweight and over-cost designs. In this paper, ways and advantages of deriving qualified safety requirements in the early stages of the design will be discussed via examples. Safety requirements are derived using the results of the safety assessments, based on the consequences of functional failures. But the quality of safety assessments is based on the maturity of the design, and also, as the design matures, it is hard to change and implement the changes; this causes a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated and familiar with similar projects provides great contributions. Also, a safety perspective throughout the design team makes it easy to derive valuable safety requirements and bring these requirements into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is cooperation of the whole design team with a safety perspective.

Thursday 08/15/13 PM | Berkeley | Aerospace Software | Chair: Beecher

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway, NASA Langley Research Center, Hampton, VA, USA
For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements." Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments contained in or implied by the DO-178C guidance that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore, developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper, we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels, and Baconian probability. We define use cases for confidence in safety cases, prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for reuse of safety elements.

Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System
Eric Yang, PhD; Richard Y. Xie, PhD; Arash Yousefi, PhD; Metron Aviation, Inc., Dulles, VA, USA
As demand for military, civilian and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety that is set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper, we adapt a previously developed safety modeling framework, Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS, incompatibility of sense-and-avoid systems of UAS and Tactical Collision Avoidance Systems (TCAS) of manned aircraft, loss-link procedures in the UAS, and the UAS loss of communication with air traffic control. The findings of this study provide insight into potential risks of UAS integration and may support development of concepts of operation, establishing minimum performance standards, and developing required safety nets.

Thursday, 08/15/13, PM, Clarendon: Public Safety II (Chair: Laabs)

Integrating System Safety and Emergency Management
Terry L. Hardy, Great Circle Analytics, LLC, Denver, CO, USA

System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations, or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience, and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Program ISSC 2013

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS, HSE, Marine Well Containment Company, Houston, TX, USA

Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips, and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain, and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess, and Statoil. In February 2011, MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS, and its Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach for working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.


A Taxonomic Analysis on Chinese Special Equipments "Yinhuan" in Supervision
Yunxiao Fan, Dr., Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety at the worksite. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices, and automobiles. In recent years, the rapid increase in the number and types of special equipment has put BSES under increasing stress in regulating it. As a government supervision organization, BSES tries to make the inspection tasks of the different supervision levels explicit and efficient and to improve safety management performance from the viewpoint of risk. This research is the first task in a project which aims to identify yinhuans in special equipment supervision using a taxonomic approach, for further ranking through risk assessment. Based on nonconformity and the 4 elements of the accident causation model, this research defined yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. This research identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans across 8 types of special equipment.

Thursday, 08/15/13, PM, Dartmouth: Hazard/Risk Management II (Chair: Kniess)

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1); Patrick J. Graydon, PhD (2); Rikard Land, PhD (1). (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework including analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach, the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence, it can ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA

United Launch Alliance (ULA) believes error reporting is the cornerstone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented, and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012, ULA experienced an elevated number of transportation-related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates processes were "in control" during the period of this study.


Even though statistical analysis tools demonstrated ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, P.Eng., MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece

Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how STAMP-Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents, and incidents. The objective is to show the feasibility of establishing, in airports, system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems, and airports to assess and predict changing levels of risk.


Special Functions

Saturday: SSS Executive Council Meeting, 12:00 - 5:00 pm, Tremont Room

Sunday: SSS Executive Council Meeting, 8:00 am - 5:00 pm, Tremont Room

Monday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room

Opening Ceremonies / General Session, 1:30 - 3:30 am, Salons A-E. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus

Keynote Speaker: James P. Keller, Jr., MS, ECRI Institute

Tuesday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room

Sponsor/Exhibitor Luncheon, 11:30 am - 1:20 pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology

Sponsor & Exhibitor Reception, 6:30 - 8:30 pm, Gloucester Room

Wednesday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room

International Luncheon, 11:30 am - 1:20 pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK

Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00 pm. Be in the hotel lobby at 6:00 pm.

Thursday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room

Awards Luncheon, 11:30 - 1:20 pm, Salons A-E

Friday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room

Best Papers Presentations, 8:00 - 11:20 am, Dartmouth Room


32nd International System Safety Conference, 4-8 August 2014 · St. Louis, MO

St. Louis Union Station Marriott Hotel

Gateway to Safety

Local attractions:
• Gateway Arch Riverfront
• Missouri History Museum
• Museum of Transportation
• St. Louis Cardinals
• St. Louis Symphony
• St. Louis Union Station
• St. Louis Science Center
• The Contemporary Art Museum St. Louis
• Bissell Mansion Restaurant and Dinner Theater
• Missouri Botanical Gardens
• Laumeier Sculpture Park
• Anheuser-Busch Brewery
• Kemp Auto Museum
• Schlafly Bottleworks
• Fox Theater
• Purina Farms
• Meramec Caverns
• Laclede's Landing
• City Museum
• Magic House
• Grant's Farm
• St. Louis Zoo
• Delmar Loop
• Forest Park
• Harrah's
• Six Flags


About the System Safety Society
The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products, and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program, or activity at the planning phase and continues through the design, production, testing, use, and disposal phases.

The Society's Objectives:
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering, and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070. www.system-safety.org, email: systemsafety@system-safety.org

Points of Contact

Officers
Robert Schmedake, President, robertaschmedake@boeing.com
Dr. Rod Simmons, Executive Vice President, rodsimmons@me.com
Dr. Matt Johnson, Executive Secretary, mjohnson@staudertech.com
Pam Kniess, Treasurer, pamkniess@gmail.com
Gary Braman, Immediate Past President, gbraman@sikorsky.com

Directors
Gerry Einarsson, Chapter Services, einargk@rogers.com
Lynece Pfledderer, Conferences, Lynecepfledderer@lmco.com
Dr. Chuck Muniak, Education & Professional Development, cmuniak@stevens.edu
Debbie Hale, Gov & Intersociety, Hale0324@hotmail.com
Robert Fletcher, International Development, rwfletcher@sympatico.ca
Melissa Emery, Member Services, memery@apt-research.com
Steve Mattern, Mentoring, R&D, smattern@bastiontechnologies.com
Saralyn Dwyer, Publicity & Media, sdwyer@apt-research.com


Chapters
Tennessee Valley Chapter (AL): Don Swallom, swallom@isss-tvc.org
Saguaro Chapter (AZ): Amanda Boysun, 520-794-5487, AmandaBoysun@raytheon.com
Bay Area Chapter (CA): Graham Murray, 408-756-2674, grahamtmurray@lmco.com
Central California Chapter (CA): Kathleen Brenna, KathleenBrenna1@us.af.mil
Sierra High Desert Chapter (CA): Jerry Banister, 760-377-4690, safetycitadel@earthlink.net
Southern California Chapter (CA): Francis McDougall, 310-653-1309, francismcdougall@us.af.mil
Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppe@comcast.net
Georgia Chapter: Terry Gooch, 770-494-3527, terryjgooch@gmail.com
Winners Circle Chapter (KY/IN): Marc Bever, 812-854-1351, Marcbever@navy.mil
Twin Cities Chapter (MN): Bill Blake, 763-744-5086, billblake@atk.com
New England Chapter: Alan E. Southwick, 401-842-2067, Alan_E_Southwick@raytheon.com
Northeast Chapter: Scott Beecher, scottbeecher@PW.utc.com
New Mexico Chapter (NM): William (Bill) Harwood, williamharwood@mda.mil
Houston Chapter (TX): Derek Robins, 281-335-2011, derekrobbins@mwcc-usa.com
North Texas Chapter (TX): Frank Rinaldo, 817-762-3075, frankrrinaldo@lmco.com
Washington DC Chapter: Sean Peters, seanpeters@urs.com
Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerber@baesystems.com

International Chapters
Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbecht@rgbassurance.com.au
Canada Chapter: Maury Hill, 613-220-0533, Mauryhill@rogers.com
Israel Chapter: Haim Kuper, 972-4-8315044, haimkuper@elbitsystems.com
Singapore Chapter: Ten Lin Mei, tlinmei@dso.org.sg


31st ISSC Luncheon Menu

Tuesday, August 13
New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14
Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark, and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache, and Berry Sauce

Thursday, August 15
Caesar Salad
Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce
White Chocolate and Blood Orange Torte


Tuesday, 13 August (continued). Rooms: Exeter, Fairfield, Suffolk, Wellesley

8:00 - 8:50, 9:00 - 9:50, 10:30 - 11:20
Exeter: Workshop: ISO 26262-Style Risk Assessment, Joyce (3 hrs)
Fairfield: Tutorial: Assurance Cases As Means of Evidence Based Developed of Critical Systems, Despotou (3 hrs)
Suffolk: Tutorial: Practical Generation of Safety Cases With the Help of GSN, Gerstinger, Schedl (3 hrs)
Wellesley: Committee & Group Meetings

1:30 - 2:20, 2:30 - 3:20, 4:00 - 4:50
Exeter: Workshop: Application of System Safety Methods to Systems of Systems, Joyce, Debouk, Vergara (3 hrs)
Fairfield: Workshop: Advancing Safety By Reducing Errors: A Fresh Approach, Autrey (3 hrs)
Suffolk: Tutorial: Improving Safety Management by Using a Risk Management Policy in Your Daily Operations, Fitzgerald (3 hrs)
Wellesley: Committee & Group Meetings (continued)


Schedule: Wednesday, 14 August
4th Floor: 8:00 - 5:00 Registration. Simmons Room: 6:30 - 8:00 Speakers' Breakfast. Regis Room: 8:00 - 5:00 Presenter Prep.

Rooms: Arlington, Berkley, Clarendon, Dartmouth

8:00 - 8:50
Human Factors (Robins): ASL – Affective Safety Leadership, Ramsing
Public Safety (Fletcher): The Study on the Accident Causation Rule of Macroscopic Accidents in China, Zeng, Luo, Tian
Lifecycle Safety (Swallom): Maintenance Hazard Analysis, Tan

9:00 - 9:50
Human Factors: Exxon Valdez: Human Error Plain and Simple, Barondes
Public Safety: Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity, Zheleznov
Lifecycle Safety: Development of a System Safety Case for Automotive Electric/Electronic Systems, Sundaram, Hartfelder

10:30 - 11:20
Human Factors: Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems, Vernacchia, Green, Llaneras
Public Safety: Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation, Smirnov, Yurkov, Syagin, Koshina
Lifecycle Safety: Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes, Laabs, Allison, Russell

International Luncheon, Salons A-E. Guest Speaker: Dr. John McDermid, The University of York, UK. Menu: Asian Inspired Salad; Teriyaki Chicken, Coconut Rice, Seared Bok Choy; Triple Chocolate Tower: White, Dark, and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache, and Berry Sauce

1:30 - 2:20
Workshop: The Evolution of the UK Defence Safety Standards, McDermid
Safety Topics (Gauthier): Introducing Safety Assurance Influenced Design of Health IT Systems, Despotou, Luckcuck, Kelly, Jones
Risk Assessment (Karedes): Quantitative Risk Assessment in Aviation Safety Risk Management, Hewitt, Pham
Tutorial: Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System, Behnke, Damstra, Villhauer (2 hrs)

2:30 - 3:20
How Complex Systems Fail-I: Decomposition of the Failure Histogram, Zito

4:00 - 4:50

6:00 - 10:00: Wolfgang Puck Dinner and Lightning Show at the Museum of Science


Wednesday, 14 August (continued). Rooms: Exeter, Fairfield, Suffolk, Wellesley

8:00 - 8:50
Exeter: Human Factors II (Flint): Development of Education Program Integrating Flight Safety and Psychological Stress, Liu, Wang, Liu, Bai, Guo
Fairfield: Tutorial: Why You Should Care About the "-Ilities", Southwick (3 hrs)
Suffolk: G-48 Meeting, West (6 hrs)
Wellesley: Committee & Group Meetings

9:00 - 9:50
Exeter: Human Factors II: Research on Evaluation Index and Method of CRM Dynamic Training, Wang, Liu, Bai, Liu, Guo, Guo

10:30 - 11:20
Exeter: Human Factors II: Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events, Garvey, Joglar, Collins

1:30 - 2:20
Exeter: Tutorial: Where Hard Meets SOFT: Human Factors Role In System Safety Engineering, Brisbois (2 hrs)
Fairfield: Workshop: Aircraft Fire & Explosion – How Safe are the Friendly Skies?, Moussa
Suffolk: G-48 Meeting (continued)
Wellesley: Tutorial: Using Risk Profiles for Safety Management of Large Scale Operations, Fitzgerald (3 hrs)

2:30 - 3:20

4:00 - 4:50


Schedule: Thursday, 15 August
4th Floor: 8:00 - 5:00 Registration. Simmons Room: 6:30 - 8:00 Speakers' Breakfast. Regis Room: 8:00 - 5:00 Presenter Prep.

Rooms: Berkley, Clarendon, Dartmouth

8:00 - 8:50
Berkley: Space Systems (Durmaz): Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy, Dang, Moran, Jackson
Clarendon: Weapons Safety (Southwick): Security Critical Software — the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age, Alborzi
Dartmouth: Hazard Identification (Oliver): Closing the Gaps in System Safety Coverage, Siow

9:00 - 9:50
Berkley: Tailoring of MIL-STD-882E for Space Systems Acquisitions, McDougall, Jackson
Clarendon: Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics, Adams, Tomasello
Dartmouth: Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods, Myklebust

10:30 - 11:20
Berkley: Cryogenic Safety for Space Launch Vehicles During Ground Operations, Iyengar
Clarendon: A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects, Pham, Sivapragasam
Dartmouth: Design With Safety Eye, Erdem, Aydin

Awards Luncheon, Salons A-E. Menu: Caesar Salad; Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce; White Chocolate and Blood Orange Torte

1:30 - 2:20
Berkley: Aerospace Software (Beecher): Making the Implicit Explicit: Towards an Assurance Case for DO-178C, Holloway
Clarendon: Public Safety II (Laabs): Integrating System Safety and Emergency Management, Hardy
Dartmouth: Hazard/Risk Management II (Kniess): Towards Automatic Verification of Safety Properties in AADL System Models, Björnander, Graydon, Land

2:30 - 3:20
Berkley: Uncertainty and Confidence in Safety Logic, Graydon
Clarendon: Safety in Deepwater Well Containment Operations, Robins
Dartmouth: Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events, Allison, Jerdak

4:00 - 4:50
Berkley: Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System, Yang, Xie, Yousefi
Clarendon: A Taxonomic Analysis On Chinese Special Equipments "Yinhuan" in Supervision, Fan, Luo, Lu
Dartmouth: Leading Indicators in Aviation Operations, Fletcher, Dokas


Thursday, 15 August (continued). Rooms: Exeter, Fairfield, Suffolk, Wellesley

8:00 - 8:50
Tutorial: Conceive of Modeling On Operation Mechanism of Public Safety Standardization, Luo, Huang (6 hrs)
Panel: G-48 Pressing Issues Facing System Safety, West (3 hrs)
Committee & Group Meetings

9:00 - 9:50, 10:30 - 11:20: as above

1:30 - 2:20
Tutorial (continued)
Committee & Group Meetings (continued)

2:30 - 3:20, 4:00 - 4:50: as above

Friday, 16 August
Simmons Room: 6:30 - 8:00 Speakers' Breakfast

Rooms: Clarendon, Dartmouth, Regis

8:00 - 8:50
Clarendon: Workshop: Process Safety Culture Best Practices, Pearlman (2 hrs)
Dartmouth: Best Paper 1
Regis: Lessons Learned & ISSC Staff Turn-over Meeting

8:50 - 9:30
Dartmouth: Best Paper 2

10:00 - 10:40

10:50 - 11:30


Tutorials
The conference organizers have an information-packed tutorial program planned in conjunction with the 31st ISSC. Attending tutorials, as well as other elements of the Technical Program at the 31st ISSC, meets the requirements for Continuance of Certification credit through the Board of Certified Safety Professionals (BCSP). The University of Cincinnati will issue Continuing Education Units (CEUs) for participation in the conference tutorials. CEUs are issued on the basis of 0.1 CEU per instructional contact hour. You must be present for at least 90% of the tutorial to receive CEUs and a tutorial completion certificate. Your attendance is verified via the process outlined below.

• At the start of the tutorial, you'll clearly print your name in the attendance form exactly as you want it to appear on the certificate.
• After returning from each break during the tutorial (morning, lunch, and/or afternoon), you'll initial the attendance form.
• You must be present at the end of the tutorial to receive your certificate and the CEUs.

If there are misspellings on the CEU certificates, please mark the corrections and give them back to the instructor or leave them at the registration desk.

Monday, 08·12·13, 8:00-11:30, Exeter, Tutorial, 0.3 CEU

Hands-On System Safety Basics Focused on FHA
Instructors: Werner Winkelbauer, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria

An overview of a generic safety process best suited for small to medium sized projects, in relation to the project lifecycle, is given. For each major project phase, the respective safety process phase, safety objectives, and necessary inputs and outputs are detailed. Some state-of-the-art analysis techniques are explained. Special emphasis is placed on the Functional Hazard Assessment, where practical guidance for a Functional Failure Modes and Effects Analysis is presented.

The content of this tutorial is based on experience from an international working company.

Objective: Basic understanding of a safety process and the practical implementation of a Functional Failure Modes and Effects Analysis.

Monday, 08·12·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Introduction to Fault Tree Analysis Using CAFTA Software
Instructor: Jean Francois Roy, Nuclear Division, Risk & Safety Management Group, Electric Power Research Institute, Palo Alto, CA, USA

This tutorial will introduce Fault Tree Analysis using CAFTA software. Attendees will first review fault tree methodology and terminology. Construction of a fault tree model in CAFTA will then follow a brief review of CAFTA's components and symbol types. In constructing the fault tree model, topics covered will include projects, navigation, editing shortcuts, and how to add probabilities. An overview of basic event probability formulas, type codes, and variables will be included, as well as printing and quantification processes.

Tuesday, 08·13·13, 8:00-5:00, Arlington, Tutorial, 0.6 CEU

A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique
Instructors: Nancy G. Leveson, PhD; John Thomas, PhD; Aeronautics and Astronautics, MIT (Massachusetts Institute of Technology), Cambridge, MA, USA

STAMP is a new accident causality model that expands on the old models in order to handle the increased complexity, software, and changing human roles in today's systems. Using STAMP as a foundation, new tools have been built for hazard analysis (STPA), accident analysis (CAST), organizational risk analysis and risk management, etc. This tutorial will concentrate on STPA. The tutorial will start with a brief introduction to STAMP and the systems approach to safety engineering. The rest of the time will be devoted to learning STPA and doing exercises. Students are encouraged to bring problems from their own research domains so that they can try this analysis method on something very relevant to their work.

STPA is being used successfully in most every industry. Several groups have evaluated STPA empirically by comparing the results with standard hazard analysis techniques. In all cases, STPA found all the hazard scenarios found by the other methods but also found additional ones involving software, human errors, and unsafe interactions among system components. In a couple of cases where STPA and the other methods were applied to a design in which an accident had occurred (without telling the analysts), STPA was the only method that found the real accident scenario.

By the end of the tutorial, attendees will be able to apply STPA to a system in their field of expertise.

Tuesday, 08·13·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Assurance Cases as Means of Evidence Based Developed of Critical Systems
Instructor: George Despotou, BEng, MSc, PhD, CEng, Department of Computer Science, University of York, York, United Kingdom

Often developers have the onus to defend a position (i.e., make a case) about the safety of their system. This usually involves an explanation of how the available information for a system supports the claim that risks in a system have been acceptably managed.

Safety cases have been used in the safety domain for a number of years, mostly in the defence, aerospace, and energy domains. Their usefulness as a tool for improving safety has been appreciated by many practitioners, and development of a safety case is a requirement in many standards. This has resulted in the core concepts of safety cases being transferred to other domains (e.g., automotive) and focused on other system attributes (e.g., security cases). Recently the term assurance case has been introduced, which encompasses not only safety but other relevant critical aspects of a system, such as security.

A case exists to communicate an argument. It is used to demonstrate how someone can reasonably conclude that a system is acceptably safe from the evidence available. A case is a device for communicating ideas and information, usually to a third party (e.g., a regulator). In order to do this convincingly, it must be as clear as possible. Safety case definitions may differ between domains, but all definitions converge on a set of characteristics.

Development of a (safety) case is a requirement in many standards. However, the usefulness of the safety case has been appreciated in industry, and it is used by many organisations as good practice. The reason for this is that explicitly capturing all reasoning and information (about the supported position), such as assumptions and evidence, facilitates assessing the fitness of the design to meet its (safety) objectives. A manufacturer will design a system aiming to achieve the required operational attributes. However, what is intended is not often what is achieved. Once the reasoning of the developers is explicitly documented as claim and argument supported by evidence, the gap between what was intended and what was achieved becomes more apparent.

Explicitly documenting a case will contribute towards the factual representation of the system, revealing which claims can be supported by evidence and which remain intention (for example, because there is not sufficient evidence to support them). This may not necessarily imply that the latter claims have not been implemented, but that we are unaware of their achievement as they are not sufficiently supported. There can be three reasons why a claim is not sufficiently supported: a) there is not sufficient evidence to warrant the claim; b) although there is evidence, there is inadequate explanation (a problematic argument structure) as to how the evidence supports the claim; and c) the claim was phrased in a way that is unsupportable.

The tutorial describes the basic concepts of assurance and safety cases (including recent OMG standards), will explain the main challenges in developing an assurance case and their relationship to safety standards (safety cases and standards serve different purposes and should be seen as complementary), and will present best practice (and misconceptions) regarding assurance cases.

tuEsday 08middot13middot13 800-1130 suFFolk tutorial 03 CEu

Practical Generation of Safety Cases with the Help of GSNInstructors Andreas Gerstinger Gabriele Schedl Safety Management Department Frequentis AG Vienna 1100 AustriaThis tutorial will introduce you to the concept of safety cases Safety cases are structured arguments that support the claim that a system is safe to be used for a given application in a given environment Several standards require the production of such safety cases as a prerequisite for approval The tutorial will highlight good and bad practices when developing safety cases and will introduce you to a notation specifically developed for the generation of safety cases the Goal Structuring Notation (GSN) There will be practical examples which need to be solved by the attendees so that hands-on practice and experience is gained

Detailed outline of the tutorial

Introduction (1h) The tutorial will start with a survey of current safety standards (IEC 61508 ISO 26262 EN 50128 DO-178C) and analyse their views and requirements regarding safety cases We will then delve into the nature of safety cases briefly touch their historical origins and clearly consider what can and what canrsquot be expected from a safety case Based on our practical experience we will also highlight some typical bad practices when constructing safety cases This helps to correctly and critically read them and is also a helpful guideline for reviewing other safety documentation This part of the tutorial is largely a presentation

Goal Structuring Notation (45 min): We will now introduce the main elements of the Goal Structuring Notation (GSN), which is a helpful tool to document safety cases. The presentation of the notation will be interleaved with brief examples, exercises and questions so that attendees have the chance to fully understand the meaning and purpose of the various symbols. A structured method for how to proceed when drafting safety cases will also be presented. Hence this part of the tutorial is much more interactive, requiring active participation of attendees.

Case Study (45 min): A realistic case study will then be handed out. It is expected to be solved as group work (groups of 3-5 people are expected). The task of the groups will be to draft and present a sound safety argument for a given claim that the system in the case study is acceptably safe for a specific application in a given environment. GSN shall be used as the notation for this purpose. At the end, the groups present their solutions and the advantages/disadvantages of the presented solutions are discussed. This part of the tutorial is group work.

Concluding Remarks (30 min): Finally, we will offer some concluding remarks consisting of hints on how to avoid common errors and fallacies in safety cases, show some examples of real-world safety cases, and finish with a personal conclusion.

Tuesday 08·13·13, 1:30-5:00, Suffolk, Tutorial, 0.3 CEU

Improving Safety Management by Using a Risk Management Policy in Your Daily Operations
Instructor: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA
The focus of the tutorial is the use of risk assessment and risk management in the (non-technical) occupational safety and health profession. Domain of Interest: Hazard/Risk Management or Workplace Safety.

First hour: Review the basics of the various components of risk and types of risk assessments. Stress that the safety and health professional needs to understand that risk is more than a simple subjective measure of severity and frequency.

Second hour: Demonstrate how to make risk assessment into a powerful management tool by customizing the assessment of risk for use in a company or industry. Also provide insights on how to "sell" a risk management policy/program within a company.

Third hour: A discussion of how to use risk management as a tool to aid you in your daily office or program management responsibilities: the planning, organizing, staffing, leading and controlling of a safety program. Embedded in the discussion is how risk can provide a measure of the success of an occupational safety and health program.

Wednesday 08·14·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Why You Should Care About the "-Ilities"
Instructor: Alan E. Southwick, BSEE, MME, MBA, CSP, CQE, CRE, Whole Life Engineering Directorate, Raytheon Company Integrated Defense Systems, Portsmouth, RI, USA
The topic addresses the interrelationships developed from Quality, Quality Control and Quality Engineering, pursuing Specialty Engineering roles and relationships including Reliability, Maintainability, Supportability, Human Factors, Safety and Security (Information Assurance) from an overview perspective. The tutorial is designed to be somewhat interactive, presenting examples and questions to the audience related to the various topics discussed, thereby engaging participants and providing them with insights into the various disciplines and how they relate within "Specialty Engineering".

Wednesday 08·14·13, 1:30-3:30, Dartmouth, Tutorial, 0.2 CEU

Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System
Instructors: Tim R. Behnke, BSEE; John Damstra, BS Mathematical Sciences; and Eric D. Villhauer, BS Aerospace Eng., BA Economics; Specialty Engineering, General Atomics Aeronautical, Poway, CA, USA
The presenters share their implementation of a hazard analysis that integrates the civil aviation approach to safety analysis per SAE ARP 4761 and the defense approach to safety analysis per MIL-STD-882E, along with their implementation of the associated hazard tracking system in DOORS.

• Introductions - Behnke - 5 mins
• Need for System - Behnke - 5 mins
• Groundwork (historical) - Behnke - 10 mins
• Development - Damstra - 30 mins
  i. Modules
  ii. Attributes
  iii. DXLs
  iv. Views
  v. Exports
• Usage - Villhauer - 30 mins
• Questions - All - 10 mins


Wednesday 08·14·13, 1:30-3:30, Exeter, Tutorial, 0.2 CEU

Where Hard Meets SOFT: Human Factors' Role in System Safety Engineering
Instructor: Fred W. Brisbois, CHCM, Safety, Sikorsky Aircraft, International Helicopter Safety Team, Guilford, CT, USA
The gap that allows accidents to happen is sometimes where System Safety Engineering and Human Factors don't overlap. System Safety Engineering processes defined in MIL-STD-882 and ARP 4761 provide a structured approach of applying engineering practices to ensure safety is designed into products. These practices, coupled with robust product safety surveillance and management during the aircraft's service life, offer opportunities to continuously raise the standards for future designs. However, to maximize the benefits of safety engineering, it is important to master the 'art' of how and when to integrate human factor interventions into the system design. This session will cover a generic overview of system safety engineering, aircraft fleet safety management, and lessons learned from 'human' malfunctions that led to aircraft system design changes.

Wednesday 08·14·13, 1:30-5:00, Wellesley, Tutorial, 0.3 CEU

Using Risk Profiles for Safety Management of Large Scale Operations
Instructor: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA
This tutorial provides safety and health professionals who work with large scale or multiple operations with a methodology to evaluate and compare these operations. The tutorial begins with a review of four types of risk which need to be assessed (People, Product, Production and Planet). This is followed by a brief discussion of normalizing the risk components of severity and probability. The heart of the tutorial is the description of how to measure the total risk of various operations, processes and facilities and present the resulting risk profiles to management. The tutorial will conclude with a brief discussion on the validity of the methodology used. Note: This is not a discussion on how to determine true total risk, but a simplified method using a minimum of math. The tutorial is designed for safety and health professionals working within a company that has multiple processes or facilities that compete for funding to ameliorate hazards.

Thursday 08·15·13, 8:00-5:00, Exeter, Tutorial, 0.6 CEU

Conceive of Modeling On Operation Mechanism of Public Safety Standardization
Instructors: Yun Luo and Yuecheng Huang, ME, School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
On the basis of theories and methods of system science and strategy-system, this paper revealed the operation law of standardization of safety production and the relations between all the elements, combined with the background and current situation of public safety standardization in China. It also built the frame of macroscopic operating mechanism and the "456" model of work safety standardization system operation mechanism, which borrowed the idea from execution and achievement of work safety standardization in our country. Besides, it also designed six other mechanism models in order to do systematic analysis and present optimized countermeasures, such as comprehensive management by government, categorized supervision by department, implementing responsibility by organization, technological service by agency, wide participation by society, self-disciplined prodding by entire personnel, and so on. The research provided some theoretical directions as well as approaches for the construction and improving the operation quality of public safety standardization.

Panel Discussions / Forums

Tuesday 08·13·13, 8:00-11:30, Dartmouth, Open Forum

Developing Global System Safety Perspectives
Moderator: Robert Ward Fletcher, PEng, MSc, PMP, PCIP, Consultant, President, Robert Fletcher System Safety Inc., Ottawa, Ontario, Canada
This will be a free form discussion moderated by Bob Fletcher, SSS Director of International Development. It is a continuation of the discussion started during the 30th ISSC.

Robert is a system safety engineer with many years of experience. He has performed system safety consultancy services work for several clients around the world. He performed system safety engineering and safety management systems training, auditing and analysis for air traffic control and flight service system applications. Robert has received an MSc from the United States Navy Post Graduate School, a diploma from the Aerospace Systems School, Winnipeg, Manitoba, and a Bachelor of Science degree from the Royal Military College. He is a registered professional engineer, a member of the Project Management Institute and the Critical Infrastructure Institute.

Thursday 08·15·13, 8:00-11:30, Suffolk, Panel

G-48 Workshop - Pressing Issues Facing System Safety
Moderator: David B. West, CSP, PE, CHMM, Systems Software and Solutions Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
A panel of speakers (TBD) will give a series of presentations on the most pressing issues facing the System Safety community today.

Workshops

Tuesday 08·13·13, 8:00-11:30, Exeter, Workshop

ISO 26262-Style Risk Assessment
Presenter: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada
ISO 26262 is a functional safety standard for electronic control systems in road vehicles which includes a novel approach to risk assessment that overcomes the widely recognized difficulty of evaluating the likelihood of failure in the case of software-intensive systems. Although it was devised for use in the automotive domain, this approach to risk assessment has been used successfully in other technical domains that also rely on safety-critical software. Following a brief introduction to ISO 26262, participants will engage in a series of problem-solving small-group exercises based on examples taken from a variety of technical domains, including automotive, medical devices, energy and defense. The workshop will include opportunities for discussion and comparison of sample solutions. The workshop will also include a brief comparison of the ISO 26262 approach to risk assessment with the notion of software criticality in MIL-STD-882E. While this workshop will be of particular interest to system safety engineers in the automotive industry, it is intended to be relevant to system safety engineers across all technical domains with an interest in the assessment of safety risk associated with complex software-intensive systems.


Tuesday 08·13·13, 1:30-5:00, Exeter, Workshop

Application of System Safety Methods to Systems of Systems
Presenters: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada; Rami Debouk, Electrical and Controls Integration Lab, General Motors, Warren, MI, USA; Antonio Vergara, ITER Organization, St Paul-lez-Durance, France
This workshop will facilitate an exchange of knowledge among participants about the application of system safety methods to Systems of Systems (SoS), that is, systems whose components are themselves complex systems, such that the combined behavior of these components cannot be easily understood or explained in terms of the behaviors of the individual components. Examples of such systems are increasingly common across a variety of technological domains including aerospace, defense, automotive and energy generation/distribution. Traditional methods of system safety, focused on component failure as a source of safety risk, have limited value in understanding and managing the safety risks associated with a SoS. For example, an unforeseen interaction between two "correct" behaviors implemented by different components of a SoS may result in an unsafe behavior even in the absence of a component failure. The first part of the workshop will be a series of short presentations on SoS examples from a diverse variety of technical domains, namely advanced road vehicles, high energy physics and aerospace/defense. The second part of the workshop will be an opportunity for all participants to address specific questions about the application of system safety methods to SoS through dialogue and impromptu mini-presentations.

Tuesday 08·13·13, 1:30-5:00, Fairfield, Workshop

Advancing Safety By Reducing Errors: A Fresh Approach
Presenter: Tim Autrey, BSc, Error Reduction and Human Performance Enhancement, Practicing Perfection Institute Inc., Swanzey, NH, USA
Potential hazards workers face while working in the refining and petrochemical industry can vary from minor leakage to major blasts: release of chemical vapors, spills leading to exposure to harmful gaseous chemicals, fires and explosions, and smoke build-up causing shelter-in-place, impacting the local community, personal injuries, fatalities, and plant damage resulting in shutdowns. Considering time pressures, the dangerous nature of the job, weather conditions, lack of communication, poor/inadequate documentation and remote working locations, planners, locators and refiners often face combined challenges that generate very error-likely conditions.

While unexpected releases of toxic substances do occur, the industry is subject to vulnerabilities caused by others (such as processes involving highly hazardous chemicals leading to the release of flammable liquids and gases, and worker stress and fatigue), and investigations reveal that many of the major accidents that do occur could have been prevented through greater diligence on behalf of the respective personnel involved.

This workshop is designed to provide the participants with the awareness that, as humans, we are fallible (even the best people make mistakes). However, this being said, as humans we also possess the incredible power of choice. What we must do is choose to learn from our mistakes and take actions to prevent their recurrence.

Bird and Germain (1996) rightly said, "What is the sense of measuring if the loss must occur before you can act? That is reaction, not control." What we need is a fresh approach to enhance safe work practices. This session will instill a strong understanding of "The Gap" in processing information and how to RESPOND rather than REACT when posed with a stressful or threatening situation. The participants will come to recognize the value inherent in worker contribution to solving problems and improving safety and efficiency.

The Practicing Perfection® approach has taken the best-of-the-best tactics and tools from the US commercial nuclear power and airline industries, simplified them, and combined them with underlying triggers and influencers of behavioral psychology to transform worker behaviors pertaining to personal and process safety in different sectors.

Using this innovative approach of Practicing Perfection®, safe work practices will be discussed in-depth using the four human error barrier/defense categories and how these work together to prevent/allow an event to occur. The participants will be introduced to the Error Elimination Tools™ handbook, which offers simple tools for minimizing the potential for error at points of team interaction and individual execution.

Wednesday 08·14·13, 1:30-3:30, Arlington, Workshop

The Evolution of the UK Defence Safety Standards
John McDermid, Professor of Software Engineering at the University of York, UK
Issue 5 of DS 00-56 is being developed and is likely to be in force before the end of the year. The UK's primary defence safety standard, DS 00-56, has been in existence since mid-1990 and has undergone a number of changes, becoming more goal oriented at Issue 4 (the current standard). When Issue 4 was produced, DS 00-55, the MoD software safety standard, was discontinued. Since the publication of DS 00-56 Issue 4 in 2007 there has been feedback on some of the requirements, including the challenges of applying the ALARP principle; defence contracting has changed, with a move towards the greater procurement of services and/or outsourcing management of facilities; and there is increasing use of Systems of Systems (SoS). Issue 5 of DS 00-56 is being developed to address these issues. At the same time there have been increasing concerns regarding software safety, and it has been decided to re-introduce DS 00-55 at the same time, albeit in a goal-based style consistent with DS 00-56 and also covering complex electronics. The tutorial will present an explanation of the motivation for the changes to the standards and the significant conceptual changes, and outline the rest of the development process. Time will be allowed for discussion, e.g. the relationship between DS 00-56 and other standards, both civil and military.

Wednesday 08·14·13, 1:30-3:30, Fairfield, Workshop

Aircraft Fire & Explosion: How Safe Are the Friendly Skies?
Albert Moussa, PhD, PE
While commercial air travel is an extremely safe mode of transportation, aircraft fires and explosions can occasionally occur with catastrophic consequences. Using examples of recent accidents and full-scale testing, Dr. Albert Moussa will provide an overview of the main types of fires, such as those involving aircraft engine, fuel tank, cabin and cargo areas. He will show how major accidents lead to safety recommendations by the NTSB, stricter requirements by the FAA and improved practices by the industry. This process takes many years, leading eventually to safer skies. Examples of safety improvements include the use of a fire blocking layer in seats, improved acoustic insulation, fire detection and suppression systems in cargo bays, and fuel tank inerting. The implications of replacing aluminum with composite materials will also be discussed. The talk is an overview of a unique professional course that he teaches annually on the design of aircraft systems for protection against fire and explosion. The talk is a multi-media presentation illustrated with colorful slides and short video clips of real accidents and computer model outputs.

Dr. Albert Moussa has spent over forty years developing a fundamental understanding of fire and explosion, particularly for the aerospace/defense industry. His work has led to the development of a number of practical solutions and quantitative models, and to the investigation of several major national and international aircraft fire accidents. His forewarning about the vulnerability of aircraft fuel systems before the occurrence of the TWA800 and Concorde disasters has gained him prominence in the general media in both the US and Europe. He has consulted for the Air Force, Navy and major firms such as Boeing, GE, Northrop Grumman and Parker Hannifin, and has served on national advisory committees and on the Editorial Board of an ASME Journal. He teaches a unique professional design course on how to protect aircraft systems against fire and explosion. He received his BS from Stanford University and his MS and ScD from MIT. He has published widely, including one book. He has received several honors, including the William Littlewood Memorial Lecture Award by SAE/AIAA, Engineer of the Year by AIAA NE Section, best papers by SAE and ASEI, AIAA Distinguished Lecturer, and several ASME citations. He is the Founder and Technical Director of BlazeTech Corp., an engineering firm that specializes in technology and software development in the area of energy, environment and safety.

Friday 08·16·13, 8:00-10:00, Clarendon, Workshop

Process Safety Culture Best Practices
Presenter: Laurence Pearlman, MA, Corven Inc. and University of Illinois at Urbana-Champaign, Naperville, IL, USA
The workshop explores how process safety is more than a technical solution and involves cultural change. To make a successful and sustainable culture change, multiple elements need to be combined that address people, rewards, learning and leadership. This workshop will explore best practices and give practical advice on how to build a process safety culture. The workshop is aimed at oil, chemical and other process related work.

• Introduction
• Change as a Journey: Overview of Change Management
• Building a Business Case: Defining a Burning Platform
• Speaking of Process Safety: Creating a Common Language for Process Safety
• Leadership Matters: Defining the Role of Your Leadership Teams
• Effective Learning: Segmenting Your Audiences and Delivering Relevant Learning Activities
• Looking at Behaviors and Desired Outcomes: How To Define & Drive Behaviors
• The Employee Lens: Know My Barriers & Know My Role in Keeping Them Healthy
• Measurement of Culture: What Works and What Doesn't
• Wrapping it Up: Change as a System

You have a lot on the line. Our adaptive Safety Management and FAA Compliance solutions won't let you down.

Adaptive SMS: The comprehensive solution for the most efficient implementation. Extends a culture of safety beyond safety teams. Easily guides users to confidentially report useful safety events. Responsiveness shows users they made a difference.

Adaptive Systems Safety Analysis: Safety oriented system design analysis.

Don't miss the Sikorsky Aircraft and AST Aerospace presentation "Linear Integrated Safety Analysis (LISA)".

AST Aerospace, a division of Atlantic Software Technologies
1-732-230-2590
sales@astaerospace.com
www.astaerospace.com


Paper Presentations

Monday 08·12·13, AM, Berkley, Hazard Analysis, Chair: Barondes

Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models
Lucas Wind, Dr. Gabriele Schedl, Juergen Floetzer, Safety Management Department, Frequentis AG, 1100 Vienna, Austria
Multiple failures of components due to shared causes, also known as Common Cause Failures (CCF), comprise an important class of failure types. These have to be taken into account in any serious assessment of safety critical systems deploying any redundancy concept. Whereas a qualitative assessment of CCF can be regarded as common practice, the exact numerical impact of CCF is usually less widely understood. Explicit representation of CCF is quite cumbersome and usually involves complex graphical representations within Fault Trees and RBDs. Focusing on a correct derivation of RAM-data rather than on a comprehensive common cause analysis, an implicit representation of CCF is therefore often preferred, but involves in-depth knowledge of underlying mathematical models. This paper aims to enable safety experts to make a fast, simple but effective RAM-analysis including CCF. Popular CCF-models are reviewed together with their advantages and disadvantages, based on the long-term experience of a supplier in the context of a large European ATM-project. The single parameter beta-factor model is explained in detail and demonstrated to be most effective for typical ATM-applications. Based on this model, results are given in terms of representative figures depicting the influence of CCF on various typical real world availability requirements.

Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees
Wes Rainey, MSEE, Life Cycle Engineering, General Dynamics Electric Boat, Groton, CT, USA
Fault Trees prove to be an effective tool for identifying safety critical system hardware and software requirements during the Safety Requirements Hazard Analysis (SRHA) process. This safety analysis methodology offers significant benefits when performing the SRHA. Fault Trees effectively communicate the safety assessment of a safety hazard to other safety engineers, systems engineers, the customer and other impacted engineering disciplines in a manner that each discipline can readily understand and evaluate for completeness and correctness. Fault Trees also enhance the safety engineer's ability to assess the implications of safety mishaps and events on safety hazards, improving visibility into the relationship between related mishaps and events and allowing for common events to be identified and shared between hazards. Fault Trees can then be structured to correspond to the system hardware and software requirements analysis, thus providing the ability to identify hazard mitigating safety critical requirements, design features and procedures early in the development process for continued tracking and management. This paper describes significant benefits of Fault Tree analysis when applied to an SRHA, with an example based upon a hazard caused by significant equipment damage to a pump.

The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment
Omar T. Jaradat, PhD Student (1); Patrick J. Graydon, Postdoctoral Research Fellow (1); Iain Bate (2). (1) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden; (2) Department of Computer Science, University of York, York, United Kingdom
Typical safety standards require software engineers to show that a plan of safety activities, chosen from recommended options or alternatives, meets a set of objectives. For example, the automotive safety standard ISO 26262 recommends formally verifying software architectures to show that they comply with safety requirements. In this paper we show how an existing approach to architectural model checking could be used to conform to ISO 26262.

The Architecture-Based Verification Technique for AADL Specifications verifies some completeness and consistency properties of Architectural Analysis and Design Language (AADL) models. An engineer transforms the AADL architecture into an UPPAAL model, generates a set of UPPAAL queries, and uses UPPAAL to check the queries. Using the resulting evidence, we have created a partial ISO 26262 safety case for an existing system that warns drivers of heavy vehicles before low fuel causes loss of power and vehicle control.

In this paper we demonstrate how this model-checking evidence contributes to an ISO 26262 safety case. We then critically analyze the resulting argument, recommend means of achieving complete coverage of ISO 26262 objectives, and discuss the costs and benefits of architectural model checking in comparison to those of the other techniques recommended by ISO 26262.

Monday 08·12·13, AM, Clarendon, Ground Transportation, Chair: Millin

Achieving Confidence of a Safety Critical System Product and Its Applications
Fenggang Shi, PhD, RAMS Department, Thales Canada Transportation Solutions, Toronto, ON, Canada
A safety critical system product can be developed for multiple project applications, such as a Communication Based Train Control (CBTC) product for modern railway signaling systems. It is natural that different safety critical systems in the same domain can have different characteristics due to variances of devices and operation environment. Such a product must be developed based on the generic attributes of systems in the domain and can be parameterized and tailored to a specific system with the characteristics expected by the customer. The key issues in development of such a product are defining common functions in the application domain, categorizing and generalizing devices, and designing a configurable system architecture. Thus devices and functions can be parameterized and tailored for a specific system of a project. Safety engineering for such a safety critical system product and its applications faces complexity in safety case development for demonstrating systematic hazard analyses and management. This paper discusses Thales' experience and practice of resolving the key issues in designs and managing complexity of safety engineering on its CBTC product and applications. Safety confidence of CBTC systems is achieved through four layers of safety engineering: vital computer controller, platform, generic application and specific application.

Failure Logic Automata for Future Oriented Safety Assessment of Train Control System
Guo Zhou, PhD Student; Huibing Zhao, Professor; School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China
In the development progress of a train control system, safety analysis possibly deviates from system design. System engineers and safety engineers always carry out their ideas in entirely different ways, so that when system engineers assert their designs are completed and feasible, the safety engineers may disappointedly declare that the safety requirements are not met. On the contrary, when safety engineers expose their manual analysis reports (FTA and FMECA, etc.), system engineers may pop up and point out the inconsistency. Intuitively, there seems to be a "gap" between system engineering and safety engineering. In this paper some comparisons amongst classic safety assessment methods are performed first. Then a future oriented safety assessment method is introduced to safety engineering to automatically realize safety requirements verification with the soaring complexity of system design. The hierarchical and modularized methodology of failure logic modeling is illustrated for minimal cut sets synthesis and dangerous failure rate calculation, which can be referred to in order to promote safety. The mathematic model is constructed to manifest the correctness of the method. An instance analysis of an on-board train protection system is also performed.

Are We Ready for Driverless Cars?
David B. West, CSP, PE, CHMM, AMCOM/AMRDEC Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
For decades, technological advancements have continually improved the automobile, making it easier to drive. As we integrate features like adaptive cruise control, GPS navigation, lane keeping and so on, and make them interoperable, we move ever closer to having cars that will drive themselves to the destinations we enter into their programs. Some experts have even predicted that in less than a generation it will be illegal to steer our cars ourselves. Though it may seem that serious safety challenges constrain our movement down this path, it may actually be the safety benefits offered by driverless cars that propel us in this direction. Several high-profile competitions have fostered the development of driverless car technology. Some jurisdictions are already passing legislation to pave the way for driverless cars on public roads. With driverless cars will come major changes in legal processes involving accidents. In many ways, the development of driverless cars that will operate on public roadways parallels the development of unpiloted aircraft that will fly in the national airspace. Design standards for hardware and software in civil aircraft (e.g. RTCA DO-254/DO-178) may serve as models for similar qualification of driverless car hardware and software.

Tuesday 08·13·13, AM, Berkley, Hazard/Risk Management, Chair: Parizo

Safety is not an Option
Clifford A. Parizo, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Stratford, CT, USA; R. Brandon Daugherty, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Huntsville, AL, USA
This paper presents a method for evaluating and classifying rotorcraft safety enhancing equipment in terms of impact on safety and various equipment implementation factors. Guidance from certifying agency policy and system safety standard practice were considered, resulting in a classification tool that can be used to determine if equipment should be marketed and sold as either mandatory or optional. The methodology developed may have applications for other products and industries.

National Aerospace Standard 411 Update
Timothy Sheehan, CIH, CSP, PE, Raytheon Global Substances Program, Raytheon, Portsmouth, RI, USA
This paper describes the effort to review and update National Aerospace Standard 411 ("NAS 411"), commonly used within defense as a framework to conduct Hazardous Material Management Programs (HMMP) intended to reduce hazardous material risks in the government procurement of military systems. The scope of the effort includes both a review of the standard and the introduction of several key changes, including the expansion of the scope to non-military procurements and service contracts. Included in the effort is the task of developing a standardized military Hazardous Materials Target List (HMTL) that can be used as a starting point for military HMMP hazardous material (HAZMAT) target lists. The development of the common HMTL addresses the need to increase standardization of HMMP lists across defense programs that use NAS 411 and/or MIL-STD-882E Task 108 to conduct their HMMPs. There is no current standard approach now for developing these lists; as a result, there are numerous different materials identified for restrictions and reporting requirements. The current situation often does not support (or reflect) the hazmat risk management goals of the DoD, the military services or the contractors.

Linear Integrated Safety Analyses (LISA)
Michael T. Grant, Aviation & Product Safety, Sikorsky Aircraft Corp., Stratford, CT, USA; Samad Muhammad, Atlantic Software Technologies, Inc., New York, NY, USA
This paper describes the Linear Integrated Safety Analyses (LISA) process developed by the Sikorsky Aircraft Corporation (Sikorsky). The LISA architecture is designed to encompass all aspects of safety risk management for aircraft development programs. It is linear in that each assessment is repeated at the aircraft, system and subsystem levels in sequence, and it is integrated such that all analyses are connected and fully traceable to requirements. Sikorsky has partnered with Atlantic Software Technologies (AST) to develop a web-based LISA application. The end product will be a fully integrated system safety process that is comprehensive, repeatable and traceable.

Tuesday, 08/13/13, AM, Clarendon: Workspace Safety. Chair: Kondreck

Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen
Han Zhang, MSc Candidate; Rachel McQueen, MS, PhD; Jane Batcheller, PhD; Human Ecology, University of Alberta, Edmonton, Alberta, Canada
Burn injuries in kitchens are prevalent; as well, chefs are exposed to high heat and humidity. Limited research has been performed on safety issues related to chef's uniforms regarding thermal protective performance towards common kitchen thermal hazards (i.e., flames, hot liquids, steam and hot surfaces) and the thermal comfort within commercial kitchens. The purpose of this research was to characterize the thermal protective performance properties of textiles used in chef's uniforms in order to understand how protective they are against all these thermal hazards in such an environment. Selected thermal performance tests (i.e., flammability and ease of ignition, hot water and oil splash, steam testing under low pressure, and hot surface contact tests) were applied to predict the time to second-degree burn. Different fabric layer combinations (e.g., impermeable/semipermeable apron and two or more layers of cotton fabrics) were applied to determine the most effective way to wear chef's uniforms. In addition, thermal and water vapour resistance were compared among different fabric systems in terms of thermal comfort. Based on the data obtained from bench-scale tests, recommendations were made to improve the thermal protection and thermal comfort of fabrics used in chef's uniforms and the safety within commercial kitchens.

Program ISSC 2013

A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources
Ray Fischer (1), Kurt Yankaskas, BS (2), Chris Page (1); (1) Noise Control Engineering, Inc., Billerica, MA, USA; (2) Warfighter Performance Department, Office of Naval Research, Arlington, VA, USA
Noise remains the most prevalent occupational hazard associated with defense systems and operations critical to their sustainment. Concurrently, acquisition programs have been inconsistent in application of control measures, and many new systems are noisier than their legacy predecessors. Common impediments to improved control include a relative lack of emphasis on risk management of noise, lack of widespread technical knowledge regarding the feasibility of noise control, and misunderstanding of potential return on investment from noise controls. The Defense Safety Oversight Council's Acquisition and Technology Task Force sponsored a project to identify common noise sources affecting multiple defense systems that were amenable to control measures that could be implemented using existing technologies at an affordable cost. A system engineering risk management process was applied to review key noise sources in DOD, identify nine of the more common sources amenable to control technologies, and describe common control measures for these processes. An affordable containment (acoustic enclosure) technology was also evaluated and described. Estimates were made of exposed populations, the range of their occupational exposures, and the potential risk and fiscal cost of hearing loss. Cost-benefit analyses were applied to evaluate the return on investment from available control measures.

System Safety Design for Safe Operation of Radars
Ronald J. Bartos, PE, CSP, Whole Life Engineering, Raytheon, Sudbury, MA, USA
Safe operation and maintenance of radars depends upon effective system safety and software safety analyses of radar designs. These analyses include identification of the hazards involved in operating and maintaining radars and the safety requirements that are necessary to mitigate these hazards. This paper familiarizes the reader with the system safety design requirements that are implemented in the controls of these systems in order to manage the potential safety risks inherent in radars. The safety features are contrasted among different types of radars. The differences in the types of safety features among these systems are highlighted, and factors for these differences are presented. The radar's mission, location, system architecture, conceptual design and requirements allocation between hardware and software need to be understood in order to implement an effective safety program.

Tuesday, 08/13/13, PM, Berkeley: Software Engineering. Chair: Mikula

Dependability Techniques Applied to Space Software - A Research Project Report
Carlos Henrique Netto Lahoz, Dr. Eng., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos (SP), Brazil; Martha Adriana Dias Abdala, MS, Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos, Brazil
This work reports some results of a research project performed at the Institute of Aeronautics and Space (IAE), Brazil, using dependability techniques applied to a space computer system. Hazard analysis techniques such as Software FTA and Software FMECA were used in an integrated manner, and more recently the System-Theoretic Process Analysis (STPA) has been studied. This research is part of the Verification and Validation (V&V) efforts to increase software dependability capability in software projects at IAE.

A feasibility study of such an approach was conducted on a system software specification and applied to a case study based on the Brazilian Launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to the inclusion of new functional and non-functional system software.

The techniques are adjusted and used in combination to identify common causes of software failures, their criticality, performance problems, temporal misleading, and hazards arising mainly from dysfunctional interactions between components. The SFTA analysis produced 82 basic events and the SFMECA 34 analyses from the sequence of flight and control events. The STPA is being applied to one of the case study scenarios in order to evaluate possible additional information about how the behavioural safety constraints can be violated.

The Principles of Software Safety Assurance
Richard Hawkins, PhD; Ibrahim Habli, PhD; Tim Kelly, PhD; Department of Computer Science, University of York, York, United Kingdom
We present common principles of software safety assurance that can be observed from software safety standards and best practice. These principles are constant across domains and across projects and can be regarded as the immutable core of any software safety justification. The principles also help maintain understanding of the 'big picture' of software safety issues whilst examining and negotiating the detail of individual standards, and provide a reference model for cross-sector certification.


Formal Modelling in the Development of Dependable Systems
Elena Troubitsyna, PhD, IT, Åbo Akademi University, Turku, Finland
Nowadays we tend to place increasing reliance on computer-based systems and the software they are running. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, the analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.

It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing of software to the required degree of dependability infeasible, and hence the emphasis should be put on the development process, which is aimed at producing fault-free software. Moreover, the system environment has a direct impact on its dependability, and hence a systems approach should be applied.

In the paper we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.

Tuesday, 08/13/13, PM, Clarendon: Aerospace Safety. Chair: Kraemer

Systems-Based Approach to Flight Safety Management in Airlines
Hong Chi, PhD; Baoguang Xu, PhD; Mingliang Qi, PhD; Xueyan Shao, PhD; Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China
Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of SMS. Since 2006 we have worked with one of China's 3 big airlines, taking part in its construction of SMS. We find that safety risks have their own features in different airline departments, and divide safety risks into two categories: one is caused by factors such as quality of pilots and reliability of airplanes, and the other is caused by misprocessing through operational processes; for example, a misprocessing in data entry during dispatching may lead to insufficient fuel and then serious outcomes. A reasonable risk assessment can be obtained only by systematic mechanism analysis, and other analytical approaches need to be studied besides the risk matrix. Based on this, effective risk mitigation can be implemented in airlines. We develop a closed loop to support airlines' flight safety management, named "Describing-Assessing-Diagnosing-Improving-Tracking". Specific details will be discussed in this paper.

Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch
Burak Durmaz, MSc Eng., Product Assurance Department, Space Systems Group, Turkish Aerospace Industries, Inc. (TAI), Ankara, Turkey
Even if the new generation aircraft have rugged designs which maximize reliability, exposure to failures during operation is still unavoidable. With a pure safety approach one can reach the classical result "the safest aircraft is the one in the hangar". Vice versa, allowing dispatch without ensuring a certain level of safety can lead to catastrophic results and is totally unacceptable. MMEL has been answering this dilemma for many years. Each MMEL item is analyzed taking into account the effects of item inoperability on safe flight and landing, crew workload, functional capabilities of the systems, design margins, and the impacts due to the next critical failure. MMEL proposes dispatch criteria for any inoperative MMEL item by taking credit from a redundant unit which is capable of accomplishing the same function or the backup data provided by alternative sources or equipment, dictating acceptable limitations and/or requiring operational or maintenance procedures.

This study aims to answer questions such as why MMEL is required and how an MMEL is developed. Also, brief information about the MMEL regulations, the importance of MMEL to ensure safe dispatch with inoperative item(s), and some simple examples regarding MMEL applications will be provided.


Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics
Stuart Campbell Sr., MAS, CFII, ATP, Aeronautical Science, Embry-Riddle Aeronautical University, Daytona Beach, FL, USA
The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilots Association, 2010). The absence of a positive safety culture in general aviation, to include training organizations, affects pilot judgment and decision making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture during the learning process and training, is of importance and currently under study using the Frasca Mentor Advanced Aviation Training Device.

Tuesday, 08/13/13, PM, Dartmouth: Software Safety. Chair: Schmedake

Safety and/vs. Security: Towards a System Engineering Approach for Trust
Erwin Schoitsch, Dipl.-Ing., Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria
Safety has a long tradition in many engineering disciplines, evolving long before computers arrived on the scene. Security in engineering disciplines has a shorter history, becoming increasingly important with the rising complexity of networked systems. In complex cyber-physical systems and systems-of-systems, both worlds, having ignored each other for a long time (independent communities, different targets, standards, techniques and measures), now have to share their concerns to achieve the real goal of users and stakeholders: trustworthy systems.

The paper will compare the different approaches of the major safety and security standards, particularly with respect to setting goals, considering techniques and measures, and qualification/certification. Holistic system aspects, as covered by the notions of Dependability and Resilience as umbrella terms, and system engineering aspects, taking into account dichotomic properties of complex embedded systems (commonalities and trade-offs), are looked at to try to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from concept phase, hazard and risk analysis to decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC-FP7 Integrated Project OpenCoss, IEC/ISO standardization groups, and other work.

Anatomy of a Safety Critical Software Function
Richard Church, Raytheon Company, Tewksbury, Massachusetts, USA
This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides a clear and concise determination of how a safety critical function may be defined at the system level to include hardware, software, human interactions and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose SLSCF computing level functions, details what constitutes a Safety Critical Computing Software Function (SCCSF), and shows how to identify those behavioral attributes that designate that function as safety critical. This paper provides a methodology to identify, decompose and categorize application and operating environment SCCSFs. For the purpose of this paper, SCCSFs are categorized into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety critical software functions that control and monitor safety critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies, and fail-safe designs found in successful high consequence safety critical systems.

Software Risk: The Third Rail of Safety Analysis
Holly S. Hildreth, PhD, Consultant; Charles Greg Elcock, USN-R Aviator, Consultant; San Diego, CA, USA
"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Due to our inability to assess probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called "throwing the baby out with the bath water". Meanwhile, the recent industry trend to assess software risk based solely on implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss shortcomings of this trend and describe alternative techniques that have not been openly documented but that have been used "under the radar" by software safety professionals for many years.

Wednesday, 08/14/13, AM, Berkeley: Human Factors. Chair: Robins

ASL – Affective Safety Leadership
Ulrik Ramsing, Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark
Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how", demanding that the CoRep engage with all parties in a safe, professional and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged with CfL Centre for Leadership to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, the satisfactory completion of which is now a requirement for employment in DONG E&P Offshore Operation as Company Representative.

The CoRep Program satisfies its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors, and ILO-driven offshore coaching.

Exxon Valdez: Human Error, Plain and Simple
Arthur D. Barondes, BS (Mil. Engr.), MS (Aero), MBA, PhD (ABD) (Business), Analytics International Corporation (AIC), Alexandria, VA, USA
Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989, and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors (there were no mechanical or electrical failures that fateful night), the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots, and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors, onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company, as solely responsible for the disaster.


Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A. Vernacchia, MS, PE, Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A. Green, PhD, Active Safety Systems, General Motors, Warren, MI, USA; Robert E. Llaneras, PhD, Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA
Today's electric propulsion system designs (e.g., Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, some failure modes may result in the failure effect on output torque being realized significantly faster than with traditional ICE failure modes. These may present differences in how output torque responses impact potential "Driver Startle" events.

This paper compares electric propulsion systems' fault response characteristics and subsequent detection and mitigation capabilities to those of ICE systems. The effects of the electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle-level hazard metrics related to Driver Startle, are presented.

Wednesday, 08/14/13, AM, Clarendon: Public Safety. Chair: Fletcher

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD; Yun Luo; Shuo Tian, MS; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
To make scientific precaution and effective control of accidents is important for the national production of China. The famous Heinrich Rule reveals that the statistical law of the severity and frequency of accidents is essential to control accidents, but the accident source and causation, as well as the essence of systematic safety factors, haven't been stated deeply. With data analysis from various accident statistics over recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. Then a proportion rule of the accident pyramid is further figured out, namely "Major Accident-Fatal Accidents-General Accidents-Hidden Dangers-Hazards" (1-52-240-4700-∞). The result accords with the traditional Heinrich Rule, which provides the theoretical basis for accident prevention and indicates the way and direction of realizing essential safety.

Technical and Economic Aspects of Industrial Safety at a Large Enterprise with Distributed Sites Located in a Megacity
Ilya M. Zheleznov, PhD, VNIIA, Moscow, Russia
The paper presents a review and results of analysis of different technical and economic aspects of industrial safety at a large enterprise with distributed sites, combining R&D work with pilot and batch production of high-tech products, and located in a megacity, Moscow.

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to the optimization are considered, from both technical and economic points of view, taking into account minimization of transportation of dangerous substances, localization of treatment facilities (waste effluents, gas purification) and waste storehouses, localization of systems for maintaining working conditions (heating, air-conditioning, air cleaning, water supply, etc.), possible harm to the population, and a number of other factors.

The features connected with the location of the enterprise in a megacity are identified, including limitation of the areas for treatment facilities, a high saturation of the area by various communications, small distances to residential buildings and city infrastructure objects, transport problems, high pollution of the air environment, etc.


Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr. Professor G.A. Smirnov, Dr. D.I. Yurkov, D.V. Syagin, T.V. Kozhina, All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia
The paper reviews the questions related to vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including those of a terrorist orientation, as well as to emergency situations of natural and anthropogenic character.

Main provisions of the Russian Government-approved complex program of safety of the population on transport are presented. Approaches to the organization of examination of physical persons, passengers, vehicles, cargoes, luggage and personal things at objects of the transport infrastructure of the undergrounds of Russia are formulated. Some types of neutron and x-ray equipment for detection of explosives, nuclear materials and drugs, designed and produced by VNIIA named after N.L. Duhov, are presented.

Wednesday, 08/14/13, AM, Dartmouth: Lifecycle Safety. Chair: Swallom

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore, Singapore
System Safety analyses assess the systems' hazards throughout all phases of the system life cycle. Quite often, details of maintenance tasks on systems were not clearly thought out and assessed. Hence, while in the midst of carrying out system maintenance tasks, hazards could arise and pose safety implications to users. Improper maintenance could also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance and sometimes total replacement of the components at regular intervals are required. Therefore, it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety critical or safety related parts is also crucial in ensuring that the systems remain safe for operation after conducting maintenance.

This paper attempts to classify the different types of maintenance and the focuses of their respective hazard analyses in order to better address their potential hazards. Generally, there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance and Reliability-Centered Maintenance. The authors will discuss, with examples, the hazard analysis for each of these types of maintenance.

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram, David Hartfelder, Electronic Controls and Software, General Motors Company, Milford, MI, USA
System safety engineering is the application of special technical methods and managerial processes in a systematic manner to identify, evaluate and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned with eliminating or minimizing the impact of system hazard(s) to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementary critical safety analyses, tests and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that they are able to influence the design of the system. This paper will define a system safety case and provide an overview of its development within the GM system safety engineering process as it applies to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA
Error Prevention Event Collection (EPEC) Documents have been beneficial to the ULA Organization in many ways, by providing multiple methods to augment current ULA Error Prevention Processes and share Lessons Learned throughout the ULA Organization. EPEC Documents are stand-alone documents that provide ULA Personnel with categorized sets of Event information that can be used to augment Preventive Analysis, Reactive Analysis and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process. This means that they have completed the Causal Analysis, Corrective Action Board and Error Prevention Council processes. Upon Event closure, the "All Items" Database is populated with Event information and the applicable Event EPEC Categories. Then the "All Items" Database automatically sorts Event entries into "Category" Databases. There is one "Category" Database for each EPEC Category. Each "Category" Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" Database that provides users with instructional use, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications and benefits will continue to be explored as they relate to the EPEC Documents.

Wednesday, 08/14/13, AM, Exeter: Human Factors II. Chair: Flint

Development of Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy; Yanyan Wang, DE; Xin Liu; Wei Bai; Xinsheng Guo; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress has an adverse effect on flight safety. Life events are a routine item of aircraft accident investigation in many countries. Many pilots involved in accidents were suffering from life events. In order to acquire the ideal effect, flight safety education must be incorporated with psychology. An education program combining flight safety and psychological stress was developed by summarizing the relevant psychological factors of aviation risk perception. The program includes three sections: psychological measurement relative to safety and results feedback; education on representative risk scenes in aviation; and occupational stress management. The Aviation Safety Locus of Control scale and the Hazardous Aviation Attitude questionnaire were used to evaluate risk pattern. The results were fed back to pilots to improve their self-knowledge. Representative risk scenes were based on the five hazardous attitudes theory. Fifteen cases were developed, and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach the pilots stress management skills. The program can be applied to improve flight safety and mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD; Xin Liu; Wei Bai; Xinsheng Guo; Qingfeng Liu, MPsy; Xiaochao Guo, DPsy; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
The capabilities of crew resource management (CRM) directly relate to flight safety and run through the whole process of flight tasks, but there are currently still no indicators and methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and the pilot's behavior characteristics of dynamic CRM were developed based on AC-121-FS-2011-41 crew resource management training and by analyzing the influential factors; thus, eventually, the dynamic assessment training indicators and methods of crew resource management were formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis of assessment of CRM during flight training, which is helpful to improve the CRM capabilities of the double drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD; Erin Collins; Hughes Associates, Inc., Baltimore, MD, USA
The fire protection response in selected facilities is characterized by "manual" activities: facility personnel are trained to react immediately after fire detection, not only to announce the fire event throughout the facility using the communication systems but also to suppress the fire as quickly as possible. Contrary to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e., hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper integrates event tree analysis and HRA, including treatment of the following detection and suppression activities: prompt detection and suppression, rapid detection and suppression, and fire brigade suppression.
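The following is an added example, not code from the Joglar/Collins paper, showing how the three manual stages named in the abstract combine in an event tree once two HRA concerns are respected: an action that cannot be completed in the time available gets no credit, and an action attempted after an earlier one has failed is more likely to fail too (modelled here with the THERP conditional-HEP adjustments). All error probabilities, timings and dependence levels below are constructed placeholders, not values from the paper.

```python
"""Event tree over manual fire response stages with HRA feasibility screening
and THERP dependence. Added example; all numbers are constructed."""
from dataclasses import dataclass
from typing import Dict, List

# THERP conditional-HEP adjustments (NUREG/CR-1278, Table 20-17) applied to an
# action performed after the preceding action has already failed.
DEPENDENCE = {
    "ZD": lambda p: p,                   # zero dependence
    "LD": lambda p: (1 + 19 * p) / 20,   # low
    "MD": lambda p: (1 + 6 * p) / 7,     # moderate
    "HD": lambda p: (1 + p) / 2,         # high
    "CD": lambda p: 1.0,                 # complete
}


@dataclass(frozen=True)
class HumanAction:
    name: str
    hep: float                   # nominal human error probability (constructed)
    time_available_min: float    # cue (alarm, smoke) to point of no return
    time_required_min: float     # diagnosis plus execution time
    dependence: str = "ZD"       # dependence on failure of the preceding stage

    def failure_prob(self, preceded_by_failure: bool) -> float:
        """P(this stage fails), given whether an earlier stage already failed."""
        if not 0.0 <= self.hep <= 1.0:
            raise ValueError(f"{self.name}: HEP out of range")
        if self.time_available_min < self.time_required_min:
            return 1.0  # infeasible action: no credit, whatever the nominal HEP
        if preceded_by_failure:
            return DEPENDENCE[self.dependence](self.hep)
        return self.hep


def event_tree(actions: List[HumanAction], fire_freq: float = 1.0) -> Dict[str, float]:
    """Walk the tree: stage i is attempted only if stages 0..i-1 all failed.
    Returns end-state frequencies scaled by the initiating fire frequency."""
    end_states: Dict[str, float] = {}
    remaining = fire_freq
    for i, act in enumerate(actions):
        pf = act.failure_prob(preceded_by_failure=(i > 0))
        end_states[f"suppressed_by_{act.name}"] = remaining * (1 - pf)
        remaining *= pf
    end_states["not_suppressed"] = remaining
    return end_states


def naive_independent(actions: List[HumanAction]) -> float:
    """P(not suppressed) if feasibility and dependence are ignored."""
    p = 1.0
    for act in actions:
        p *= act.hep
    return p


# Constructed base case: the three stages from the abstract.
BASE_CASE = [
    HumanAction("prompt", hep=0.10, time_available_min=5, time_required_min=3),
    HumanAction("rapid", hep=0.05, time_available_min=15, time_required_min=10, dependence="MD"),
    HumanAction("brigade", hep=0.01, time_available_min=30, time_required_min=20, dependence="LD"),
]

if __name__ == "__main__":
    for state, prob in event_tree(BASE_CASE).items():
        print(f"{state:24s} {prob:.5f}")
    print(f"naive product of HEPs   {naive_independent(BASE_CASE):.5f}")
```

The point the tree makes is that the "not suppressed" frequency is dominated by dependence and feasibility, not by multiplying three small nominal HEPs; a brigade that needs 40 minutes when 30 are available contributes nothing, and the tree should say so.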

Wednesday 08/14/13 PM, Berkeley: Safety Topics (Chair: Gauthier)

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou, BEng, MSc, PhD, CEng; Matthew Luckcuck; Tim Kelly, PhD; Richard W. Jones, PhD; Department of Computer Science, University of York, York, United Kingdom
There has been increasing use of IT in healthcare, aiming to improve the quality and safety of the care delivered to patients. IT can help hospitals meet their performance targets by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems; this has been apparent for medical devices (e.g., pacemakers), for which there are organised efforts for international standards. Recently there have been attempts to systematise and standardise the safety analysis of health IT systems, for example the UK National Health Service standards that ask for a safety case showing that any IT system is safe.

The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety in data-intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these tactics can be used to provide assurance in the final safety case of the system.

How Complex Systems Fail - I: Decomposition of the Failure Histogram
Richard R. Zito, PhD, Richard R. Zito Research LLC, Tucson, AZ, USA
Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that in general the defect rate (failure rate) of software modules varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model, and the failure histograms (failure rate vs. time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report takes the Peterson/Arellano analysis one step further. A unified theory of failure rates will be presented that removes the paradoxes of the simple Rayleigh model. It will be shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function.
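As an added illustration of the decomposition the abstract describes (this is not Zito's model or code), the block below builds a failure histogram as a weighted sum of Rayleigh laws, one per subsystem, with the per-subsystem modes spread out by a density over the mode axis, and compares its tail against a single Rayleigh with the same average mode. The mode grid, the lognormal spread and the cut-off time are constructed assumptions chosen only to make the heavy tail visible.

```python
"""Failure histogram as a mixture of Rayleigh laws with distributed modes.
Added example with constructed parameters; not the paper's own model."""
import math
from typing import Callable, List, Sequence, Tuple

Component = Tuple[float, float]  # (weight, mode)


def rayleigh_rate(t: float, mode: float, total: float = 1.0) -> float:
    """Rayleigh failure-rate law peaking at t = mode.
    f(t) = total * (t / mode^2) * exp(-t^2 / (2 mode^2)); integrates to `total`."""
    if t < 0:
        return 0.0
    return total * (t / mode ** 2) * math.exp(-t * t / (2 * mode ** 2))


def rayleigh_tail(t_cut: float, mode: float) -> float:
    """Fraction of a single Rayleigh's mass beyond t_cut (closed form)."""
    return math.exp(-t_cut * t_cut / (2 * mode ** 2))


def mixture_rate(t: float, components: Sequence[Component]) -> float:
    """Composite failure rate: sum over subsystems of their Rayleigh laws."""
    return sum(w * rayleigh_rate(t, m) for w, m in components)


def mixture_tail(t_cut: float, components: Sequence[Component]) -> float:
    """Fraction of the composite mass beyond t_cut."""
    total_w = sum(w for w, _ in components)
    return sum(w * rayleigh_tail(t_cut, m) for w, m in components) / total_w


def mean_mode(components: Sequence[Component]) -> float:
    total_w = sum(w for w, _ in components)
    return sum(w * m for w, m in components) / total_w


def components_from_mode_pdf(modes: Sequence[float],
                             pdf: Callable[[float], float]) -> List[Component]:
    """Discretise a density over the mode axis into (weight, mode) pairs."""
    weights = [pdf(m) for m in modes]
    z = sum(weights)
    return [(w / z, m) for w, m in zip(weights, modes)]


def lognormal_pdf(x: float, mu: float = math.log(2.0), sigma: float = 0.6) -> float:
    """Constructed spread of subsystem modes around about 2 time units."""
    return (math.exp(-(math.log(x) - mu) ** 2 / (2 * sigma ** 2))
            / (x * sigma * math.sqrt(2 * math.pi)))


# Constructed grid of subsystem modes, 0.5 .. 6.0 time units.
SUBSYSTEM_MODES = [0.5 + 0.5 * k for k in range(12)]
COMPONENTS = components_from_mode_pdf(SUBSYSTEM_MODES, lognormal_pdf)


def tail_comparison(t_cut: float,
                    components: Sequence[Component] = COMPONENTS) -> Tuple[float, float]:
    """(tail of one Rayleigh at the mixture's mean mode, tail of the mixture)."""
    single = rayleigh_tail(t_cut, mean_mode(components))
    return single, mixture_tail(t_cut, components)


if __name__ == "__main__":
    for t_cut in (2.0, 4.0, 6.0, 8.0):
        single, mixed = tail_comparison(t_cut)
        print(f"t > {t_cut:.0f}: single Rayleigh {single:.4f}   mixture {mixed:.4f}")
```

A single Rayleigh fitted to the bulk of the histogram under-predicts the late failures because the subsystems with large modes contribute almost all of the mass at large t; the mixture reproduces exactly the "tail higher than Rayleigh" effect the abstract points at.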

Wednesday 08/14/13 PM, Clarendon: Risk Assessment (Chair: Karedes)

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt; Joan Pham, PhD; Sikorsky Aircraft Corporation, Stratford, Connecticut, USA
The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and their interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday 08/15/13 AM, Berkeley: Space Systems (Chair: Durmaz)

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X. Dang, BSCE (1); Myles P. Moran, BSME (2); Tyrone Jackson, BSEE (1); (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA
A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. For example, one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 (AFSPC Sup 1), 91-217 and 63-101. AF program offices are required to comply with AFI policy; AFIs don't generally apply to the contractor except as implemented through the contract. Often, program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that by having two sets of requirements, AFIs for program offices and tailored MIL-STD-882 for contractors, full compliance with AF Orbital Safety policy would be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"

Program ISSC 2013

Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G. McDougall, BS Physics, Naval Post-Graduate School (NPS) Master System Engineering, System Safety Center SMC/SE, El Segundo, CA, USA; Tyrone Jackson, BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA
Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommissioning and disposal of systems, subsystems, end items and services during the entire space system lifecycle, to support Operational Safety, Suitability and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements applicable to the acquisition of space systems or space systems of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems, and user equipment systems. The SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP_I and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process for evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing the tasks and activities required to execute a viable system safety program, including risk acceptance package development, hazard tracking, mishap risk disposition, and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch, CO, USA
United Launch Alliance launches Atlas V and Delta IV from the Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles, and large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire and explosion hazards throughout their handling, from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle and prelaunch operations, until liftoff. Range Safety regulations provide safety requirements for hardware, software and operations to ensure safety throughout ground processing. This paper will examine each stage of ground processing for space launch and the applicable safety requirements, and discuss how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after personnel are cleared, using safety-critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday 08/15/13 AM, Clarendon: Weapons Safety (Chair: Southwick)

Security Critical Software: the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S. Alborzi, PhD, Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, DC, USA
Today's political landscape, the arbitrary abandonment of nuclear non-proliferation by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense of system safety. This paper explores this integration and unveils some of the security-critical software that can serve as the first line of defense for preserving the safety-critical features of our weapons systems.


Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams, BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello, BSChE, Navy NOSSA, Indian Head, MD, USA
The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance provided in the associated AOP-7 and AOP-39 for implementing policy. Questions are often raised during program development and reviews as to the origin and applicability of the tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, addresses only Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE; Gunendran Sivapragasam, MBA SE; Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA
A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among the characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down groundwork, with analysis that can be built upon, for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday 08/15/13 AM, Dartmouth: Hazard Identification (Chair: Oliver)

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore
We often ask ourselves why accidents or mishaps happen even when a system safety methodology and assessments are in place. Accidents happen for many possible reasons: there could be lapses in the safety integrity of the system, a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns such that a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving system safety practice. Four areas of concern are highlighted in the paper: Interfaces, Prototype Tests & Trials, Maintenance & Disposal, and Human Error. By identifying the gaps in these four areas, the author explores and proposes mitigation measures that could close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr., Cand. scient., System Safety, SINTEF, Trondheim, Norway
Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body (for certification according to IEC 61508), a Notified Body (for certification according to the relevant EU directives), and a Manufacturer.

Experience has shown that, to deliver the product on time and cost-effectively, it is very important that the Manufacturer, the Certification Body and the Notified Body agree on basic principles concerning the plans, contents, traceability and quality of the documentation to be developed by the Manufacturer and used by both the Certification Body and the Notified Body as evidence.

This paper presents the CoVeR method, developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report (CER) for conformance to IEC 61508. This ensures a good start, that costs are minimized and time to market reduced, that the certification process is complete and well documented, and that updates of the certificates require less work. The certification experience to date shows that many of the problems with conventional methods are reduced.

Design with Safety Eye
Barış Berk Erdem, MS; Pinar Aydin, MS; Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey
Deriving safety requirements in the early stages of design is one of the key factors for a successful development process in any project. Well-defined, correct, consistent and complete safety requirements improve and guide the design with minimum effort, whereas defective, inconsistent and incorrect safety requirements may lead to unsuccessful, overweight and over-cost designs. In this paper, ways of deriving qualified safety requirements in the early stages of design, and their advantages, are discussed via examples. Safety requirements are derived from the results of safety assessments based on the consequences of functional failures, but the quality of the safety assessments depends on the maturity of the design, and as the design matures it becomes hard to implement changes; this causes a dilemma. In the early stages of design, working with safety specialists who are more experienced, better educated and familiar with similar projects provides great contributions. A safety perspective throughout the design team also makes it easier to derive valuable safety requirements and build them into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is cooperation of the whole design team with a safety perspective.

Thursday 08/15/13 PM, Berkeley: Aerospace Software (Chair: Beecher)

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway, NASA Langley Research Center, Hampton, VA, USA
For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means of receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process of recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements". Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose; thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of research seeking to identify the specific arguments, contained in or implied by the DO-178C guidance, that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt; therefore, developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels and Baconian probability. We define use cases for confidence in safety cases: prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for reuse of safety elements.

Initial Safety Analysis for Integration of Unmanned Aerial Systems into the National Airspace System
Eric Yang, PhD; Richard Y. Xie, PhD; Arash Yousefi, PhD; Metron Aviation, Inc., Dulles, VA, USA
As demand for military, civilian and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper we adapt a previously developed safety modeling framework, the Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS, incompatibility between the sense-and-avoid systems of UAS and the Traffic Alert and Collision Avoidance Systems (TCAS) of manned aircraft, lost-link procedures in the UAS, and UAS loss of communication with air traffic control. The findings of this study provide insight into the potential risks of UAS integration and may support development of a concept of operations, establishment of minimum performance standards, and development of the required safety nets.

Thursday 08/15/13 PM, Clarendon: Public Safety II (Chair: Laabs)

Integrating System Safety and Emergency Management
Terry L. Hardy, Great Circle Analytics LLC, Denver, CO, USA
System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to and recover from an incident that threatens life, property, operations or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS; HSE, Marine Well Containment Company, Houston, TX, USA
Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company that would develop, maintain and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess and Statoil. In February 2011, MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS, and the Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach to working with member companies on hazard identification to establish a baseline and on areas for continuous improvement of our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.

WHAT ARE YOUR STRENGTHS AS AN ENGINEER?

"thinking system-wide" "providing in-depth analysis of the latest technologies" "solving real-life problems"

ONLINE MASTER'S DEGREES

- Reliability Engineering
- Project Management
- Nuclear Engineering
- Sustainable Energy
- Energetic Concepts
- Fire Protection Engineering

LEARN MORE: www.advancedengineering.edu/issc

A Taxonomic Analysis of Chinese Special Equipment "Yinhuan" in Supervision
Yunxiao Fan, Dr., Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety at worksites. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices and automobiles. In recent years, the rapid increase in the number and types of special equipment has put increasing stress on BSES's regulation of special equipment. As a government supervision organization, BSES tries to make the inspection tasks of the different supervision levels explicit and efficient and to improve safety management performance from the viewpoint of risk. This research is the first task in a project that aims to identify yinhuans in special equipment supervision using a taxonomic approach, for further ranking through risk assessment. Based on nonconformity and the four elements of the accident causation model, this research defined the yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. Nonconformities were identified from related regulations, standards, procedures, etc., and 830 yinhuans of 8 types of special equipment were identified.

Thursday 08/15/13 PM, Dartmouth: Hazard/Risk Management II (Chair: Kniess)

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1); Patrick J. Graydon, PhD (2); Rikard Land, PhD (1); (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework that includes analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach, the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence; it can also ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA
United Launch Alliance (ULA) believes error reporting is the cornerstone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented and shared Event data since 2007, and analysis confirms that Event severity and cost have steadily declined during this period.

In 2012, ULA experienced an elevated number of transportation-related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine whether the associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates the processes were "in control" during the period of this study.

Even though statistical analysis tools demonstrated ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business; rather, ULA strives to eliminate all errors.

Program ISSC 2013

Isograph Software: World Leading Reliability, Availability and Maintenance Software
Reliability Workbench: Reliability Allocation, Prediction, FMECA, Fault Tree Analysis, Event Tree Analysis, Markov
Availability Workbench: Reduce Labor & Spares Costs, Increase uptime and output, Seamless integration with SAP and Maximo
www.isograph-software.com
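To show what the p-chart question "are these processes out of control?" looks like in practice, here is an added example (not ULA's code or data): it computes the pooled Event proportion and per-period 3-sigma limits when the number of opportunities varies from month to month, then flags periods outside the limits. The monthly move counts and Event counts are constructed, one set with a spike of the kind the abstract describes and one without.

```python
"""p-chart for error Events with a varying number of opportunities per period.
Added example with constructed data; not ULA's own analysis."""
from dataclasses import dataclass
from math import sqrt
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class PChartPoint:
    period: str
    n: int        # opportunities in the period (e.g. transport moves)
    events: int   # error Events reported in the period
    p: float      # observed proportion events / n
    ucl: float    # upper control limit for this period's n
    lcl: float    # lower control limit for this period's n

    @property
    def in_control(self) -> bool:
        return self.lcl <= self.p <= self.ucl


def p_chart(periods: Sequence[str], n: Sequence[int], events: Sequence[int],
            k: float = 3.0) -> Tuple[float, List[PChartPoint]]:
    """Return (p-bar, points). Limits are p-bar +/- k*sqrt(p-bar(1-p-bar)/n_i),
    recomputed per period because n_i differs; LCL is floored at 0."""
    if not (len(periods) == len(n) == len(events)):
        raise ValueError("periods, n and events must have the same length")
    if any(ni <= 0 for ni in n) or any(e < 0 or e > ni for e, ni in zip(events, n)):
        raise ValueError("need n > 0 and 0 <= events <= n in every period")
    p_bar = sum(events) / sum(n)
    points = []
    for label, ni, ei in zip(periods, n, events):
        sigma = sqrt(p_bar * (1 - p_bar) / ni)
        points.append(PChartPoint(label, ni, ei, ei / ni,
                                  min(1.0, p_bar + k * sigma),
                                  max(0.0, p_bar - k * sigma)))
    return p_bar, points


def out_of_control(points: Sequence[PChartPoint]) -> List[str]:
    """Periods whose observed proportion lies outside its control limits."""
    return [pt.period for pt in points if not pt.in_control]


# Constructed sample: ten months of transport moves and reported Events.
PERIODS = [f"2012-{m:02d}" for m in range(1, 11)]
MOVES = [40, 38, 42, 45, 41, 39, 44, 40, 43, 42]
EVENTS_CLUSTER = [2, 1, 3, 2, 2, 1, 9, 2, 3, 2]   # July spike
EVENTS_STEADY = [2, 1, 3, 2, 2, 1, 4, 2, 3, 2]    # same shape, no spike

if __name__ == "__main__":
    for label, ev in (("cluster", EVENTS_CLUSTER), ("steady", EVENTS_STEADY)):
        p_bar, pts = p_chart(PERIODS, MOVES, ev)
        print(f"{label}: p-bar={p_bar:.4f} out of control: {out_of_control(pts)}")
        for pt in pts:
            print(f"  {pt.period} n={pt.n} p={pt.p:.3f} UCL={pt.ucl:.3f}")
```

A point outside the limits is a signal to investigate a special cause, not a verdict; with small subgroup sizes the normal approximation behind the 3-sigma limits is rough, and run rules (several consecutive points above p-bar, for instance) catch shifts that a single-point test misses.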

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, PEng, MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece
Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively; current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper describes how STAMP-Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents and incidents. The objective is to show the feasibility of establishing, in airports, system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems and airports to assess and predict changing levels of risk.

Special Functions

Saturday: SSS Executive Council Meeting, 12:00 - 5:00pm, Tremont Room

Sunday: SSS Executive Council Meeting, 8:00am - 5:00pm, Tremont Room

Monday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Opening Ceremonies / General Session, 1:30 - 3:30am, Salons A-E. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus. Keynote Speaker: James P. Keller Jr., MS, ECRI Institute

Tuesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Sponsor/Exhibitor Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology
Sponsor & Exhibitor Reception, 6:30 - 8:30pm, Gloucester Room

Wednesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
International Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK
Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00pm. Be in the hotel lobby at 6:00pm

Thursday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Awards Luncheon, 11:30 - 1:20pm, Salons A-E

Friday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Best Papers Presentations, 8:00 - 11:20am, Dartmouth Room

Program ISSC 2013


32nd International System Safety Conference, 4-8 August 2014 · St. Louis, MO
St. Louis Union Station Marriott Hotel
Gateway to Safety

Local Attractions
• Gateway Arch Riverfront
• Missouri History Museum
• Museum of Transportation
• St. Louis Cardinals
• St. Louis Symphony
• St. Louis Union Station
• St. Louis Science Center
• The Contemporary Art Museum St. Louis
• Bissell Mansion Restaurant and Dinner Theater
• Missouri Botanical Gardens
• Laumeier Sculpture Park
• Anheuser-Busch Brewery
• Kemp Auto Museum
• Schlafly Bottleworks
• Fox Theater
• Purina Farms
• Meramec Caverns
• Laclede's Landing
• City Museum
• Magic House
• Grant's Farm
• St. Louis Zoo
• Delmar Loop
• Forest Park
• Harrah's
• Six Flags


About the System Safety Society
The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program or activity at the planning phase and continues through the design, production, testing, use and disposal phases.

The Society's Objectives
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070
www.system-safety.org, email: systemsafety@system-safety.org

Points of Contact

Officers
Robert Schmedake, President, robertaschmedake@boeing.com
Dr. Rod Simmons, Executive Vice President, rodsimmons@me.com
Dr. Matt Johnson, Executive Secretary, mjohnson@staudertech.com
Pam Kniess, Treasurer, pamkniess@gmail.com
Gary Braman, Immediate Past President, gbraman@sikorsky.com

Directors
Gerry Einarsson, Chapter Services, einargk@rogers.com
Lynece Pfledderer, Conferences, Lynecepfledderer@lmco.com
Dr. Chuck Muniak, Education & Professional Development, cmuniak@stevens.edu
Debbie Hale, Gov. & Intersociety, Hale0324@hotmail.com
Robert Fletcher, International Development, rwfletcher@sympatico.ca
Melissa Emery, Member Services, memery@apt-research.com
Steve Mattern, Mentoring / R&D, smattern@bastiontechnologies.com
Saralyn Dwyer, Publicity & Media, sdwyer@apt-research.com


Chapters
Tennessee Valley Chapter (AL): Don Swallom, swallom@isss-tvc.org
Saguaro Chapter (AZ): Amanda Boysun, 520-794-5487, AmandaBoysun@raytheon.com
Bay Area Chapter (CA): Graham Murray, 408-756-2674, grahamtmurray@lmco.com
Central California Chapter (CA): Kathleen Brenna, KathleenBrenna1@us.af.mil
Sierra High Desert Chapter (CA): Jerry Banister, 760-377-4690, safetycitadel@earthlink.net
Southern California Chapter (CA): Francis McDougall, 310-653-1309, francismcdougall@us.af.mil
Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppe@comcast.net
Georgia Chapter: Terry Gooch, 770-494-3527, terryjgooch@gmail.com
Winners Circle Chapter (KY/IN): Marc Bever, 812-854-1351, Marcbever@navy.mil
Twin Cities Chapter (MN): Bill Blake, 763-744-5086, billblake@atk.com
New England Chapter: Alan E. Southwick, 401-842-2067, Alan_E_Southwick@raytheon.com
Northeast Chapter: Scott Beecher, scottbeecher@PW.utc.com
New Mexico Chapter (NM): William (Bill) Harwood, williamharwood@mda.mil
Houston Chapter (TX): Derek Robins, 281-335-2011, derekrobbins@mwcc-usa.com
North Texas Chapter (TX): Frank Rinaldo, 817-762-3075, frankrrinaldo@lmco.com
Washington DC Chapter: Sean Peters, seanpeters@urs.com
Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerber@baesystems.com

International Chapters
Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbecht@rgbassurance.com.au
Canada Chapter: Maury Hill, 613-220-0533, Mauryhill@rogers.com
Israel Chapter: Haim Kuper, 972-4-8315044, haimkuper@elbitsystems.com
Singapore Chapter: Ten Lin Mei, tlinmei@dso.org.sg


31st ISSC Luncheon Menu

Tuesday, August 13
New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pate de Fruit

Wednesday, August 14
Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15
Caesar Salad
Ricotta and Manchego Torteloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce
White Chocolate and Blood Orange Torte


Schedule: Wednesday 14 August
4th Floor, 8:00 - 5:00: Registration. Simmons Room, 6:30 - 8:00: Speakers' Breakfast. Regis Room, 8:00 - 5:00: Presenter Prep.

Rooms: Arlington, Berkeley, Clarendon, Dartmouth

8:00 - 8:50
• Human Factors (Robins): ASL – Affective Safety Leadership, Ramsing
• Public Safety (Fletcher): The Study on the Accident Causation Rule of Macroscopic Accidents in China, Zeng, Luo, Tian
• Lifecycle Safety (Swallom): Maintenance Hazard Analysis, Tan

9:00 - 9:50
• Exxon Valdez: Human Error Plain and Simple, Barondes
• Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity, Zheleznov
• Development of a System Safety Case for Automotive Electric/Electronic Systems, Sundaram, Hartfelder

10:30 - 11:20
• Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems, Vernacchia, Green, Llaneras
• Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation, Smirnov, Yurkov, Syagin, Koshina
• Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes, Laabs, Allison, Russell

International Luncheon, Salons A-E. Guest Speaker: Dr. John McDermid, The University of York, UK. Menu: Asian Inspired Salad; Teriyaki Chicken, Coconut Rice, Seared Bok Choy; Triple Chocolate Tower (White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce)

1:30 - 2:20
• Workshop: The Evolution of the UK Defence Safety Standards, McDermid
• Safety Topics (Gauthier): Introducing Safety Assurance Influenced Design of Health IT Systems, Despotou, Luckcuck, Kelly, Jones
• Risk Assessment (Karedes): Quantitative Risk Assessment in Aviation Safety Risk Management, Hewitt, Pham
• Tutorial: Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System, Behnke, Damstra, Villhauer (2 hrs)

2:30 - 3:20
• How Complex Systems Fail-I: Decomposition of the Failure Histogram, Zito

4:00 - 4:50

6:00 - 10:00: Wolfgang Puck Dinner and Lightning Show at the Museum of Science


Rooms: Exeter, Fairfield, Suffolk, Wellesley

8:00 - 8:50
• Human Factors II (Flint): Development of Education Program Integrating Flight Safety and Psychological Stress, Liu, Wang, Liu, Bai, Guo
• Tutorial: Why You Should Care About the "-Ilities", Southwick (3 hrs)
• G-48 Meeting, West (6 hrs)
• Committee & Group Meetings

9:00 - 9:50
• Research on Evaluation Index and Method of CRM Dynamic Training, Wang, Liu, Bai, Liu, Guo, Guo

10:30 - 11:20
• Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events, Garvey, Joglar, Collins

1:30 - 2:20
• Tutorial: Where Hard Meets SOFT: Human Factors Role in System Safety Engineering, Brisbois (2 hrs)
• Workshop: Aircraft Fire & Explosion – How Safe are the Friendly Skies, Moussa
• G-48 Meeting (continued)
• Tutorial: Using Risk Profiles for Safety Management of Large Scale Operations, Fitzgerald (3 hrs)

2:30 - 3:20

4:00 - 4:50


Schedule: Thursday 15 August
4th Floor, 8:00 - 5:00: Registration. Simmons Room, 6:30 - 8:00: Speakers' Breakfast. Regis Room, 8:00 - 5:00: Presenter Prep.

Rooms: Berkeley, Clarendon, Dartmouth

8:00 - 8:50
• Space Systems (Durmaz): Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy, Dang, Moran, Jackson
• Weapons Safety (Southwick): Security Critical Software — the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age, Alborzi
• Hazard Identification (Oliver): Closing the Gaps in System Safety Coverage, Siow

9:00 - 9:50
• Tailoring of MIL-STD-882E for Space Systems Acquisitions, McDougall, Jackson
• Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics, Adams, Tomasello
• Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods, Myklebust

10:30 - 11:20
• Cryogenic Safety for Space Launch Vehicles During Ground Operations, Iyengar
• A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects, Pham, Sivapragasam
• Design With Safety Eye, Erdem, Aydin

Awards Luncheon, Salons A-E. Menu: Caesar Salad; Ricotta and Manchego Torteloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce; White Chocolate and Blood Orange Torte

1:30 - 2:20
• Aerospace Software (Beecher): Making the Implicit Explicit: Towards an Assurance Case for DO-178C, Holloway
• Public Safety II (Laabs): Integrating System Safety and Emergency Management, Hardy
• Hazard/Risk Management II (Kniess): Towards Automatic Verification of Safety Properties in AADL System Models, Björnander, Graydon, Land

2:30 - 3:20
• Uncertainty and Confidence in Safety Logic, Graydon
• Safety in Deepwater Well Containment Operations, Robins
• Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events, Allison, Jerdak

4:00 - 4:50
• Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System, Yang, Xie, Yousefi
• A Taxonomic Analysis On Chinese Special Equipments "Yinhuan" in Supervision, Fan, Luo, Lu
• Leading Indicators in Aviation Operations, Fletcher, Dokas


Rooms: Exeter, Fairfield, Suffolk, Wellesley

8:00 - 8:50
• Tutorial: Conceive of Modeling On Operation Mechanism of Public Safety Standardization, Luo, Huang (6 hrs)
• Panel: G-48 Pressing Issues Facing System Safety, West (3 hrs)
• Committee & Group Meetings

9:00 - 9:50

10:30 - 11:20

1:30 - 2:20
• Tutorial (continued)
• Committee & Group Meetings (continued)

2:30 - 3:20

4:00 - 4:50

Friday 16 August
Simmons Room, 6:30 - 8:00: Speakers' Breakfast

Rooms: Clarendon, Dartmouth, Regis

8:00 - 8:50
• Workshop: Process Safety Culture Best Practices, Pearlman (2 hrs)
• Best Paper 1
• Lessons Learned & ISSC Staff Turn-over Meeting

8:50 - 9:30
• Best Paper 2

10:00 - 10:40

10:50 - 11:30


3 2 1 SAFETY
System safety is paramount. It impacts our products, employees, technicians and maintenance personnel. And safety is no accident – it is designed into everything we do. We are proud to sponsor this year's International System Safety Conference and their mission to think outside the box when it comes to the best processes, methods and techniques. We're committed to delivering innovative ideas and solutions that help connect, protect and explore our universe.

www.lockheedmartin.com/ssc

© 2012 Lockheed Martin Corporation


Tutorials
The conference organizers have an information-packed tutorial program planned in conjunction with the 31st ISSC. Attending tutorials, as well as other elements of the Technical Program at the 31st ISSC, meets the requirements for Continuance of Certification credit through the Board of Certified Safety Professionals (BCSP). The University of Cincinnati will issue Continuing Education Units (CEUs) for participation in the conference tutorials. CEUs are issued on the basis of 0.1 CEU per instructional contact hour. You must be present for at least 90% of the tutorial to receive CEUs and a tutorial completion certificate. Your attendance is verified via the process outlined below.

• At the start of the tutorial, you'll clearly print your name in the attendance form exactly as you want it to appear on the certificate.
• After returning from each break during the tutorial (morning, lunch and/or afternoon), you'll initial the attendance form.
• You must be present at the end of the tutorial to receive your certificate and the CEUs.

If there are misspellings on the CEU certificates, please mark the corrections and give them back to the instructor or leave them at the registration desk.

Monday 08·12·13, 8:00-11:30, Exeter, Tutorial, 0.3 CEU
Hands-On System Safety Basics Focused on FHA
Instructors: Werner Winkelbauer, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria
An overview of a generic safety process best suited for small to medium sized projects, in relation to the project lifecycle, is given. For each major project phase, the respective safety process phase, its safety objectives, and the necessary inputs and outputs are detailed. Some state-of-the-art analysis techniques are explained. Special emphasis is placed on the Functional Hazard Assessment, where practical guidance for a Functional Failure Modes and Effects Analysis is presented.

The content of this tutorial is based on experience from an internationally operating company.

Objective: Basic understanding of a safety process and the practical implementation of a Functional Failure Modes and Effects Analysis.

Monday 08·12·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU
Introduction to Fault Tree Analysis Using CAFTA Software
Instructor: Jean Francois Roy, Nuclear Division / Risk & Safety Management Group, Electric Power Research Institute, Palo Alto, CA, USA
This tutorial will introduce Fault Tree Analysis using CAFTA software. Attendees will first review fault tree methodology and terminology. Construction of a fault tree model in CAFTA will then follow a brief review of CAFTA's components and symbol types. In constructing the fault tree model, topics covered will include projects, navigation, editing shortcuts and how to add probabilities. An overview of basic event probability formulas, type codes and variables will be included, as well as printing and quantification processes.

Tuesday 08·13·13, 8:00-5:00, Arlington, Tutorial, 0.6 CEU
A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique
Instructors: Nancy G. Leveson, PhD, John Thomas, PhD, Aeronautics and Astronautics, MIT (Massachusetts Institute of Technology), Cambridge, MA, USA
STAMP is a new accident causality model that expands on the old models in order to handle the increased complexity, software and changing human roles in today's systems. Using STAMP as a foundation, new tools have been built for hazard analysis (STPA), accident analysis (CAST), organizational risk analysis and risk management, etc. This tutorial will concentrate on STPA. The tutorial will start with a brief introduction to STAMP and the systems approach to safety engineering. The rest of the time will be devoted to learning STPA and doing exercises. Students are encouraged to bring problems from their own research domains so that they can try this analysis method on something very relevant to their work.

STPA is being used successfully in almost every industry. Several groups have evaluated STPA empirically by comparing the results with standard hazard analysis techniques. In all cases STPA found all the hazard scenarios found by the other methods, but also found additional ones involving software, human errors and unsafe interactions among system components. In a couple of cases where STPA and the other methods were applied to a design in which an accident had occurred (without telling the analysts), STPA was the only method that found the real accident scenario.

By the end of the tutorial, attendees will be able to apply STPA to a system in their field of expertise.

Tuesday 08·13·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU
Assurance Cases as a Means of Evidence-Based Development of Critical Systems
Instructor: George Despotou, BEng, MSc, PhD, CEng, Department of Computer Science, University of York, York, United Kingdom
Often developers have the onus to defend a position (i.e. make a case) about the safety of their system. This usually involves an explanation of how the available information for a system supports the claim that risks in the system have been acceptably managed.

Safety cases have been used in the safety domain for a number of years, mostly in the defence, aerospace and energy domains. Their usefulness as a tool for improving safety has been appreciated by many practitioners, and development of a safety case is a requirement in many standards. This has resulted in the core concepts of safety cases being transferred to other domains (e.g. automotive) and focused on other system attributes (e.g. security cases). Recently the term assurance case has been introduced, which encompasses not only safety but other relevant critical aspects of a system, such as security.

A case exists to communicate an argument. It is used to demonstrate how someone can reasonably conclude that a system is acceptably safe from the evidence available. A case is a device for communicating ideas and information, usually to a third party (e.g. a regulator); in order to do this convincingly, it must be as clear as possible. Safety case definitions may differ between domains, but all definitions converge on a set of characteristics.

Development of a (safety) case is a requirement in many standards. However, the usefulness of the safety case has also been appreciated in industry, and it is used by many organisations as good practice. The reason for this is that explicitly capturing all reasoning and information about the supported position, such as assumptions and evidence, facilitates assessing the fitness of the design to meet its (safety) objectives. A manufacturer will design a system aiming to achieve the required operational attributes; however, what is intended is often not what is achieved. Once the reasoning of the developers is explicitly documented as claims and arguments supported by evidence, the gap between what was intended and what was achieved becomes more apparent.

Explicitly documenting a case will contribute towards a factual representation of the system, revealing which claims can be supported by evidence and which remain intention (for example, because there is insufficient evidence to support them). This does not necessarily imply that the latter claims have not been implemented, but that we are unaware of their achievement because they are not sufficiently supported. There are three reasons why a claim may not be sufficiently supported: a) there is not sufficient evidence to warrant the claim; b) although there is evidence, there is inadequate explanation (a problematic argument structure) of how the evidence supports the claim; and c) the claim was phrased in a way that is unsupportable.

The tutorial describes the basic concepts of assurance and safety cases (including recent OMG standards), explains the main challenges in developing an assurance case and their relationship to safety standards (safety cases and standards serve different purposes and should be seen as complementary), and presents best practice (and misconceptions) regarding assurance cases.

Tuesday 08·13·13, 8:00-11:30, Suffolk, Tutorial, 0.3 CEU
Practical Generation of Safety Cases with the Help of GSN
Instructors: Andreas Gerstinger, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria
This tutorial will introduce you to the concept of safety cases. Safety cases are structured arguments that support the claim that a system is safe to be used for a given application in a given environment. Several standards require the production of such safety cases as a prerequisite for approval. The tutorial will highlight good and bad practices when developing safety cases and will introduce you to a notation specifically developed for the generation of safety cases: the Goal Structuring Notation (GSN). There will be practical examples which need to be solved by the attendees, so that hands-on practice and experience is gained.

Detailed outline of the tutorial:

Introduction (1h): The tutorial will start with a survey of current safety standards (IEC 61508, ISO 26262, EN 50128, DO-178C) and analyse their views and requirements regarding safety cases. We will then delve into the nature of safety cases, briefly touch on their historical origins and clearly consider what can and what can't be expected from a safety case. Based on our practical experience we will also highlight some typical bad practices when constructing safety cases. This helps to correctly and critically read them and is also a helpful guideline for reviewing other safety documentation. This part of the tutorial is largely a presentation.

Goal Structuring Notation (45min): We will now introduce the main elements of the Goal Structuring Notation (GSN), which is a helpful tool to document safety cases. The presentation of the notation will be interleaved with brief examples, exercises and questions, so that attendees have the chance to fully understand the meaning and purpose of the various symbols. A structured method for how to proceed when drafting safety cases will also be presented. Hence this part of the tutorial is much more interactive, requiring active participation of attendees.

Case Study (45min): A realistic case study will then be handed out. It is expected to be solved as group work (groups of 3-5 people are expected). The task of the groups will be to draft and present a sound safety argument for a given claim that the system in the case study is acceptably safe for a specific application in a given environment. GSN shall be used as the notation for this purpose. At the end, the groups present their solutions and the advantages/disadvantages of the presented solutions are discussed. This part of the tutorial is group work.

Concluding Remarks (30min): Finally we will offer some concluding remarks consisting of hints on how to avoid common errors and fallacies in safety cases, show some examples of real-world safety cases, and finish with a personal conclusion.

Tuesday 08·13·13, 1:30-5:00, Suffolk, Tutorial, 0.3 CEU
Improving Safety Management by Using a Risk Management Policy in Your Daily Operations
Instructor: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA
The focus of the tutorial is the use of risk assessment and risk management in the (non-technical) occupational safety and health profession. Domain of Interest: Hazard/Risk Management or Workplace Safety.

First hour: Review the basics of the various components of risk and types of risk assessments. Stress that the safety and health professional needs to understand that risk is more than a simple subjective measure of severity and frequency.


Second hour: Demonstrate how to make risk assessment into a powerful management tool by customizing the assessment of risk for use in a company or industry. Also provide insights on how to "sell" a risk management policy/program within a company.

Third hour: A discussion of how to use risk management as a tool to aid you in your daily office or program management responsibilities: the planning, organizing, staffing, leading and controlling of a safety program. Embedded in the discussion is how risk can provide a measure of the success of an occupational safety and health program.

Wednesday 08·14·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU
Why You Should Care About the "-Ilities"
Instructor: Alan E. Southwick, BSEE, MME, MBA, CSP, CQE, CRE, Whole Life Engineering Directorate, Raytheon Company Integrated Defense Systems, Portsmouth, RI, USA
The topic addresses the interrelationships developed from Quality, Quality Control and Quality Engineering, pursuing Specialty Engineering roles and relationships including Reliability, Maintainability, Supportability, Human Factors, Safety and Security (Information Assurance) from an overview perspective. The tutorial is designed to be somewhat interactive, presenting examples and questions to the audience related to the various topics discussed, thereby engaging participants and providing them with insights into the various disciplines and how they relate within "Specialty Engineering".

Wednesday 08·14·13, 1:30-3:30, Dartmouth, Tutorial, 0.2 CEU
Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System
Instructors: Tim R. Behnke, BSEE; John Damstra, BS Mathematical Sciences; and Eric D. Villhauer, BS Aerospace Eng., BA Economics; Specialty Engineering, General Atomics Aeronautical, Poway, CA, USA
The presenters share their implementation of a hazard analysis that integrates the civil aviation approach to safety analysis per SAE ARP 4761 and the defense approach to safety analysis per MIL-STD-882E, along with their implementation of the associated hazard tracking system in DOORS.

• Introductions - Behnke - 5 mins
• Need for System - Behnke - 5 mins
• Groundwork (historical) - Behnke - 10 mins
• Development - Damstra - 30 mins
  i. Modules
  ii. Attributes
  iii. DXLs
  iv. Views
  v. Exports
• Usage - Villhauer - 30 mins
• Questions - All - 10 mins


Wednesday 08·14·13, 1:30-3:30, Exeter, Tutorial, 0.2 CEU
Where Hard Meets SOFT: Human Factors Role in System Safety Engineering
Instructor: Fred W. Brisbois, CHCM, Safety, Sikorsky Aircraft, International Helicopter Safety Team, Guilford, CT, USA
The gap that allows accidents to happen is sometimes where System Safety Engineering and Human Factors don't overlap. System Safety Engineering processes defined in MIL-STD-882 and ARP 4761 provide a structured approach to applying engineering practices to ensure safety is designed into products. These practices, coupled with robust product safety surveillance and management during the aircraft's service life, offer opportunities to continuously raise the standards for future designs. However, to maximize the benefits of safety engineering it is important to master the 'art' of how and when to integrate human factors interventions into the system design. This session will cover a generic overview of system safety engineering, aircraft fleet safety management, and lessons learned from 'human' malfunctions that led to aircraft system design changes.

Wednesday 08·14·13, 1:30-5:00, Wellesley, Tutorial, 0.3 CEU
Using Risk Profiles for Safety Management of Large Scale Operations
Instructor: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA
This tutorial provides safety and health professionals who work with large scale or multiple operations with a methodology to evaluate and compare these operations. The tutorial begins with a review of four types of risk which need to be assessed (People, Product, Production and Planet). This is followed by a brief discussion of normalizing the risk components of severity and probability. The heart of the tutorial is the description of how to measure the total risk of various operations, processes and facilities and present the resulting risk profiles to management. The tutorial will conclude with a brief discussion on the validity of the methodology used. Note: This is not a discussion on how to determine true total risk, but a simplified method using a minimum of math. The tutorial is designed for safety and health professionals working within a company that has multiple processes or facilities that compete for funding to ameliorate hazards.

Thursday 08·15·13, 8:00-5:00, Exeter, Tutorial, 0.6 CEU
Conceive of Modeling On Operation Mechanism of Public Safety Standardization
Instructors: Yun Luo and Yuecheng Huang, ME, School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
On the basis of theories and methods of system science and strategy-system, this paper reveals the operating law of standardization of safety production and the relations between all the elements, combined with the background and current situation of public safety standardization in China. It also builds the frame of the macroscopic operating mechanism and the "456" model of the work safety standardization system operation mechanism, which borrows the idea from the execution and achievement of work safety standardization in our country. Besides, it also designs six other mechanism models in order to do systematic analysis and present optimized countermeasures, such as comprehensive management by government, categorized supervision by department, implementing responsibility by organization, technological service by agency, wide participation by society, self-disciplined prodding by entire personnel, and so on. The research provides some theoretical directions as well as approaches for the construction and improvement of the operation quality of public safety standardization.


Panel Discussions / Forums

Tuesday 08·13·13, 8:00-11:30, Dartmouth, Open Forum
Developing Global System Safety Perspectives
Moderator: Robert Ward Fletcher, PEng, MSc, PMP, PCIP, Consultant, President, Robert Fletcher System Safety Inc., Ottawa, Ontario, Canada
This will be a free-form discussion moderated by Bob Fletcher, SSS Director of International Development. It is a continuation of the discussion started during the 30th ISSC.

Robert is a system safety engineer with many years of experience. He has performed system safety consultancy services work for several clients around the world. He has performed system safety engineering and safety management systems training, auditing and analysis for air traffic control and flight service system applications. Robert received an MSc from the United States Navy Post Graduate School, a diploma from the Aerospace Systems School, Winnipeg, Manitoba, and a Bachelor of Science degree from the Royal Military College. He is a registered professional engineer and a member of the Project Management Institute and the Critical Infrastructure Institute.

Thursday 08·15·13, 8:00-11:30, Suffolk, Panel
G-48 Workshop - Pressing Issues Facing System Safety
Moderator: David B. West, CSP, PE, CHMM, Systems, Software and Solutions Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
A panel of speakers (TBD) will give a series of presentations on the most pressing issues facing the System Safety community today.

Workshops

Tuesday 08·13·13, 8:00-11:30, Exeter, Workshop
ISO 26262-Style Risk Assessment
Presenter: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada
ISO 26262 is a functional safety standard for electronic control systems in road vehicles which includes a novel approach to risk assessment that overcomes the widely recognized difficulty of evaluating the likelihood of failure in the case of software-intensive systems. Although it was devised for use in the automotive domain, this approach to risk assessment has been used successfully in other technical domains that also rely on safety-critical software. Following a brief introduction to ISO 26262, participants will engage in a series of problem-solving small-group exercises based on examples taken from a variety of technical domains, including automotive, medical devices, energy and defense. The workshop will include opportunities for discussion and comparison of sample solutions. The workshop will also include a brief comparison of the ISO 26262 approach to risk assessment with the notion of software criticality in MIL-STD-882E. While this workshop will be of particular interest to system safety engineers in the automotive industry, it is intended to be relevant to system safety engineers across all technical domains with an interest in the assessment of safety risk associated with complex software-intensive systems.

ProgramISSC2013


Tuesday 08·13·13, 1:30-5:00, Exeter: Workshop

Application of System Safety Methods to Systems of Systems
Presenters: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada; Rami Debouk, Electrical and Controls Integration Lab, General Motors, Warren, MI, USA; Antonio Vergara, ITER Organization, St. Paul-lez-Durance, France
This workshop will facilitate an exchange of knowledge among participants about the application of system safety methods to Systems of Systems (SoS), that is, systems whose components are themselves complex systems such that the combined behavior of these components cannot be easily understood or explained in terms of the behaviors of the individual components. Examples of such systems are increasingly common across a variety of technological domains, including aerospace, defense, automotive and energy generation/distribution. Traditional methods of system safety, focused on component failure as a source of safety risk, have limited value in understanding and managing the safety risks associated with a SoS. For example, an unforeseen interaction between two "correct" behaviors implemented by different components of a SoS may result in an unsafe behavior even in the absence of a component failure. The first part of the workshop will be a series of short presentations on SoS examples from a diverse variety of technical domains, namely advanced road vehicles, high energy physics and aerospace/defense. The second part of the workshop will be an opportunity for all participants to address specific questions about the application of system safety methods to SoS through dialogue and impromptu mini-presentations.

Tuesday 08·13·13, 1:30-5:00, Fairfield: Workshop

Advancing Safety By Reducing Errors: A Fresh Approach
Presenter: Tim Autrey, BSc, Error Reduction and Human Performance Enhancement, Practicing Perfection Institute Inc., Swanzey, NH, USA
Potential hazards workers face while working in the refining and petrochemical industry can vary from minor leakage to major blasts: release of chemical vapors, spills leading to exposure to harmful gaseous chemicals, fires and explosions, and smoke build-up causing shelter-in-place impacting the local community, personal injuries, fatalities and plant damage resulting in shutdowns. Considering time pressures, the dangerous nature of the job, weather conditions, lack of communication, poor/inadequate documentation and remote working locations, planners, locators and refiners often face combined challenges that generate very error-likely conditions.

While unexpected releases of toxic substances do occur, the industry is subject to vulnerabilities caused by others (such as processes involving highly hazardous chemicals leading to the release of flammable liquids and gases, and worker stress and fatigue), and investigations reveal that many of the major accidents that do occur could have been prevented through greater diligence on behalf of the respective personnel involved.

This workshop is designed to provide the participants the awareness that, as humans, we are fallible (even the best people make mistakes). However, this being said, as humans we also possess the incredible power of choice. What we must do is choose to learn from our mistakes and take actions to prevent their recurrence.

Bird and Germain (1996) rightly said, "What is the sense of measuring if the loss must occur before you can act? That is reaction, not control." What we need is a fresh approach to enhance safe work practices. This session will instill a strong understanding of "The Gap" in processing information and how to RESPOND rather than REACT when posed with a stressful or threatening situation. The participants will come to recognize the value inherent in worker contribution to solving problems and improving safety and efficiency.

The Practicing Perfection® approach has taken the best-of-the-best tactics and tools from the US commercial nuclear power and airline industries, simplified them, and combined them with underlying triggers and influencers of behavioral psychology to transform worker behaviors pertaining to personal and process safety in different sectors.


Using this innovative approach of Practicing Perfection®, safe work practices will be discussed in depth using the four human error barrier/defense categories and how these work together to prevent/allow an event to occur. The participants will be introduced to the Error Elimination Tools™ handbook, which offers simple tools for minimizing the potential for error at points of team interaction and individual execution.

Wednesday 08·14·13, 1:30-3:30, Arlington: Workshop

The Evolution of the UK Defence Safety Standards
John McDermid, Professor of Software Engineering at the University of York, UK
Issue 5 of DS 00-56 is being developed and is likely to be in force before the end of the year. The UK's primary defence safety standard, DS 00-56, has been in existence since mid-1990 and has undergone a number of changes, becoming more goal oriented at Issue 4 (the current standard). When Issue 4 was produced, DS 00-55, the MoD software safety standard, was discontinued. Since the publication of DS 00-56 Issue 4 in 2007 there has been feedback on some of the requirements, including the challenges of applying the ALARP principle; defence contracting has changed, with a move towards the greater procurement of services and/or outsourcing management of facilities, and increasing use of Systems of Systems (SoS). Issue 5 of DS 00-56 is being developed to address these issues. At the same time there have been increasing concerns regarding software safety, and it has been decided to re-introduce DS 00-55 at the same time, albeit in a goal-based style consistent with DS 00-56 and also covering complex electronics. The tutorial will present an explanation of the motivation for the changes to the standards and the significant conceptual changes, and outline the rest of the development process. Time will be allowed for discussion, e.g. the relationship between DS 00-56 and other standards, both civil and military.

Wednesday 08·14·13, 1:30-3:30, Fairfield: Workshop

Aircraft Fire & Explosion: How Safe Are the Friendly Skies?
Albert Moussa, PhD, PE
While commercial air travel is an extremely safe mode of transportation, aircraft fires and explosions can occasionally occur with catastrophic consequences. Using examples of recent accidents and full-scale testing, Dr. Albert Moussa will provide an overview of the main types of fires, such as those involving aircraft engine, fuel tank, cabin and cargo areas. He will show how major accidents lead to safety recommendations by the NTSB, stricter requirements by the FAA and improved practices by the industry. This process takes many years, leading eventually to safer skies. Examples of safety improvements include the use of a fire blocking layer in seats, improved acoustic insulation, fire detection and suppression systems in cargo bays and fuel tank inerting. The implications of replacing aluminum with composite materials will also be discussed. The talk is an overview of a unique professional course that he teaches annually on the design of aircraft systems for protection against fire and explosion. The talk is a multi-media presentation illustrated with colorful slides and short video clips of real accidents and computer model outputs.

Dr. Albert Moussa has spent over forty years developing a fundamental understanding of fire and explosion, particularly for the aerospace/defense industry. His work has led to the development of a number of practical solutions and quantitative models and to the investigation of several major national and international aircraft fire accidents. His forewarning about the vulnerability of aircraft fuel systems before the occurrence of the TWA 800 and Concorde disasters has gained him prominence in the general media in both the US and Europe. He has consulted for the Air Force, Navy and major firms such as Boeing, GE, Northrop Grumman and Parker Hannifin, and has served on national advisory committees and on the Editorial Board of an ASME journal. He teaches a unique professional design course on how to protect aircraft systems against fire and explosion. He received his BS from Stanford University and his MS and ScD from MIT. He has published widely, including one book. He has received several honors, including the William Littlewood Memorial Lecture Award by SAE/AIAA, Engineer of the Year by AIAA NE Section, best papers by SAE and ASEI, AIAA Distinguished Lecturer and several ASME citations. He is the Founder and Technical Director of BlazeTech Corp., an engineering firm that specializes in technology and software development in the area of energy, environment and safety.

Friday 08·16·13, 8:00-10:00, Clarendon: Workshop

Process Safety Culture Best Practices
Presenter: Laurence Pearlman, MA, Corven Inc. and University of Illinois at Urbana-Champaign, Naperville, IL, USA
The workshop explores how process safety is more than a technical solution and involves cultural change. To make a successful and sustainable culture change, multiple elements need to be combined that address people, rewards, learning and leadership. This workshop will explore best practices and give practical advice on how to build a process safety culture. The workshop is aimed at oil, chemical and other process-related work.

• Introduction
• Change as a Journey: Overview of Change Management
• Building a Business Case: Defining a Burning Platform
• Speaking of Process Safety: Creating a Common Language for Process Safety
• Leadership Matters: Defining the Role of Your Leadership Teams
• Effective Learning: Segmenting Your Audiences and Delivering Relevant Learning Activities
• Looking at Behaviors and Desired Outcomes: How To Define & Drive Behaviors
• The Employee Lens: Know My Barriers & Know My Role in Keeping Them Healthy
• Measurement of Culture: What Works and What Doesn't
• Wrapping it Up: Change as a System

You have a lot on the line. Our adaptive Safety Management and FAA Compliance solutions won't let you down.

Adaptive SMS: The comprehensive solution for the most efficient implementation
• Extends a culture of safety beyond safety teams
• Easily guides users to confidentially report useful safety events
• Responsiveness shows users they made a difference

Adaptive Systems Safety Analysis: Safety-oriented system design analysis

Don't miss the Sikorsky Aircraft and AST Aerospace presentation "Linear Integrated Safety Analysis (LISA)"

A division of Atlantic Software Technologies
1-732-230-2590
sales@astaerospace.com
www.astaerospace.com


PAPER PRESENTATIONS

Monday 08·12·13, AM, Berkeley: Hazard Analysis. Chair: Barondes

Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models
Lucas Wind, Dr. Gabriele Schedl, Juergen Floetzer, Safety Management Department, Frequentis AG, 1100 Vienna, Austria
Multiple failures of components due to shared causes, also known as Common Cause Failures (CCF), comprise an important class of failure types. These have to be taken into account in any serious assessment of safety-critical systems deploying any redundancy concept. Whereas a qualitative assessment of CCF can be regarded as common practice, the exact numerical impact of CCF is usually less widely understood. Explicit representation of CCF is quite cumbersome and usually involves complex graphical representations within Fault Trees and RBDs. Focusing on a correct derivation of RAM data rather than on a comprehensive common cause analysis, an implicit representation of CCF is therefore often preferred, but involves in-depth knowledge of the underlying mathematical models. This paper aims to enable safety experts to make a fast, simple but effective RAM analysis including CCF. Popular CCF models are reviewed together with their advantages and disadvantages, based on the long-term experience of a supplier in the context of a large European ATM project. The single-parameter beta-factor model is explained in detail and demonstrated to be most effective for typical ATM applications. Based on this model, results are given in terms of representative figures depicting the influence of CCF on various typical real-world availability requirements.
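The single-parameter beta-factor model named in the abstract above splits a channel's total failure rate λ into an independent part (1-β)λ and a common-cause part βλ that takes down every redundant channel at once. The Python block below is an added illustration by the editor, not code from the paper or from Frequentis; it assumes a non-repairable 1oo2 pair (the system works while at least one channel works), exponential lifetimes, a fixed mission time t, and a common-cause shock that is independent of the channels' own failures. The failure rate, mission time and availability target in the `__main__` section are constructed sample values, and `max_beta_for_target` is the editor's own helper for turning an availability requirement into a bound on β, which is the kind of figure the abstract describes.

```python
import math


def beta_factor_split(lam, beta):
    """Split a channel's total failure rate lam (per hour) into the independent
    rate (1 - beta) * lam and the common-cause rate beta * lam (beta-factor model)."""
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must lie in [0, 1]")
    return (1.0 - beta) * lam, beta * lam


def single_channel_unavailability(lam, t):
    """Probability that one channel has failed by mission time t (exponential life)."""
    return 1.0 - math.exp(-lam * t)


def one_of_two_unavailability(lam, beta, t):
    """Probability that a non-repairable 1oo2 pair has failed by mission time t.

    The pair is down if the common-cause shock (rate beta * lam) has occurred, or if
    both channels have failed independently (rate (1 - beta) * lam each). The shock
    is modelled as independent of the channels' own failures, so
        Q = 1 - P(no shock) * (1 - q_ind ** 2).
    beta = 0 gives pure redundancy (q ** 2); beta = 1 collapses to a single channel.
    """
    lam_ind, lam_ccf = beta_factor_split(lam, beta)
    q_ind = single_channel_unavailability(lam_ind, t)
    p_no_shock = math.exp(-lam_ccf * t)
    return 1.0 - p_no_shock * (1.0 - q_ind ** 2)


def max_beta_for_target(lam, t, q_target, iters=60):
    """Largest beta for which the 1oo2 pair still meets an unavailability target.

    Found by bisection on beta in [0, 1]; Q grows monotonically with beta while
    lam * t < 0.5, which holds for realistic mission times. Returns None when even
    beta = 0 (no common cause at all) misses the target, i.e. duplicating this
    channel cannot meet the requirement regardless of how well CCF is controlled.
    """
    if one_of_two_unavailability(lam, 0.0, t) > q_target:
        return None
    lo, hi = 0.0, 1.0
    for _ in range(iters):
        mid = (lo + hi) / 2.0
        if one_of_two_unavailability(lam, mid, t) <= q_target:
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    # Constructed sample values: 1e-4 failures/hour per channel, 1000 h mission.
    LAM, T = 1e-4, 1000.0
    print(f"single channel:        Q = {single_channel_unavailability(LAM, T):.5f}")
    for beta in (0.0, 0.01, 0.05, 0.1, 0.2):
        q = one_of_two_unavailability(LAM, beta, T)
        print(f"1oo2 pair, beta={beta:<4}: Q = {q:.5f}")
    target = 0.015  # constructed availability requirement on the pair
    print(f"max beta that still meets Q <= {target}: {max_beta_for_target(LAM, T, target):.4f}")
```

With the constructed values the pure-redundancy figure (β = 0) is about 0.0091, and a β of 0.1 roughly doubles it to about 0.0173, which is why the abstract stresses that a qualitative acknowledgement of CCF is not enough: the β assumed for a redundant pair dominates its quantitative availability claim once the independent term has been squared away.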

Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees
Wes Rainey, MSEE, Life Cycle Engineering, General Dynamics Electric Boat, Groton, CT, USA
Fault Trees prove to be an effective tool for identifying safety critical system hardware and software requirements during the Safety Requirements Hazard Analysis (SRHA) process. This safety analysis methodology offers significant benefits when performing the SRHA. Fault Trees effectively communicate the safety assessment of a safety hazard to other safety engineers, systems engineers, the customer and other impacted engineering disciplines in a manner that each discipline can readily understand and evaluate for completeness and correctness. Fault Trees also enhance the safety engineer's ability to assess the implications of safety mishaps and events on safety hazards, improving visibility into the relationship between related mishaps and events and allowing for common events to be identified and shared between hazards. Fault Trees can then be structured to correspond to the system hardware and software requirements analysis, thus providing the ability to identify hazard-mitigating safety critical requirements, design features and procedures early in the development process for continued tracking and management. This paper describes significant benefits of Fault Tree analysis when applied to an SRHA, with an example based upon a hazard caused by significant equipment damage to a pump.

The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment
Omar T. Jaradat, PhD Student (1); Patrick J. Graydon, Postdoctoral Research Fellow (1); Iain Bate (2). (1) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden; (2) Department of Computer Science, University of York, York, United Kingdom
Typical safety standards require software engineers to show that a plan of safety activities, chosen from recommended options or alternatives, meets a set of objectives. For example, the automotive safety standard ISO 26262 recommends formally verifying software architectures to show that they comply with safety requirements. In this paper we show how an existing approach to architectural model checking could be used to conform to ISO 26262.

The Architecture-Based Verification Technique for AADL Specifications verifies some completeness and consistency properties of Architectural Analysis and Design Language (AADL) models. An engineer transforms the AADL architecture into an UPPAAL model, generates a set of UPPAAL queries and uses UPPAAL to check the queries. Using the resulting evidence, we have created a partial ISO 26262 safety case for an existing system that warns drivers of heavy vehicles before low fuel causes loss of power and vehicle control.

In this paper we demonstrate how this model-checking evidence contributes to an ISO 26262 safety case. We then critically analyze the resulting argument, recommend means of achieving complete coverage of ISO 26262 objectives, and discuss the costs and benefits of architectural model checking in comparison to those of the other techniques recommended by ISO 26262.

Monday 08·12·13, AM, Clarendon: Ground Transportation. Chair: Millin

Achieving Confidence of a Safety Critical System Product and Its Applications
Fenggang Shi, PhD, RAMS Department, Thales Canada Transportation Solutions, Toronto, ON, Canada
A safety critical system product can be developed for multiple project applications, such as a Communication Based Train Control (CBTC) product for modern railway signaling systems. It is natural that different safety critical systems in the same domain can have different characteristics due to variances of devices and operation environment. Such a product must be developed based on the generic attributes of systems in the domain and can be parameterized and tailored to a specific system with the characteristics expected by the customer. The key issues in development of such a product are defining common functions in the application domain, categorizing and generalizing devices, and designing a configurable system architecture. Thus devices and functions can be parameterized and tailored for a specific system of a project. Safety engineering for such a safety critical system product and its applications faces complexity in safety case development for demonstrating systematic hazard analyses and management. This paper discusses Thales' experience and practice of resolving the key issues in designs and managing complexity of safety engineering on its CBTC product and applications. Safety confidence of CBTC systems is achieved through four layers of safety engineering: vital computer, controller platform, generic application and specific application.

Failure Logic Automata for Future Oriented Safety Assessment of Train Control System
Guo Zhou, PhD Student; Huibing Zhao, Professor, School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China
In the development process of a train control system, safety analysis possibly deviates from system design. System engineers and safety engineers always carry out their ideas in entirely different ways, so that when system engineers assert their designs are completed and feasible, the safety engineers may disappointedly declare that the safety requirements are not met. On the contrary, when safety engineers expose their manual analysis reports (FTA, FMECA, etc.), system engineers may pop up and point out the inconsistency. Intuitively there seems to be a "gap" between system engineering and safety engineering. In this paper some comparisons amongst classic safety assessment methods are performed first. Then a future oriented safety assessment method is introduced to safety engineering to automatically realize safety requirements verification with the soaring complexity of system design. The hierarchical and modularized methodology of failure logic modeling is illustrated for minimal cut sets synthesis and dangerous failure rate calculation, which can be referred to prompt the safety. The mathematic model is constructed to manifest the correctness of the method. An instance analysis of an on-board train protection system is performed also.

Are We Ready for Driverless Cars?
David B. West, CSP, PE, CHMM, AMCOM/AMRDEC Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
For decades, technological advancements have continually improved the automobile, making it easier to drive. As we integrate features like adaptive cruise control, GPS navigation, lane keeping and so on, and make them interoperable, we move ever closer to having cars that will drive themselves to the destinations we enter into their programs. Some experts have even predicted that in less than a generation it will be illegal to steer our cars ourselves. Though it may seem that serious safety challenges constrain our movement down this path, it may actually be the safety benefits offered by driverless cars that propel us in this direction. Several high-profile competitions have fostered the development of driverless car technology. Some jurisdictions are already passing legislation to pave the way for driverless cars on public roads. With driverless cars will come major changes in legal processes involving accidents. In many ways the development of driverless cars that will operate on public roadways parallels the development of unpiloted aircraft that will fly in the national airspace. Design standards for hardware and software in civil aircraft (e.g. RTCA DO-254/DO-178) may serve as models for similar qualification of driverless car hardware and software.

Tuesday 08·13·13, AM, Berkeley: Hazard/Risk Management. Chair: Parizo

Safety is not an Option
Clifford A. Parizo, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Stratford, CT, USA; R. Brandon Daugherty, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Huntsville, AL, USA
This paper presents a method for evaluating and classifying rotorcraft safety enhancing equipment in terms of impact on safety and various equipment implementation factors. Guidance from certifying agency policy and system safety standard practice were considered, resulting in a classification tool that can be used to determine if equipment should be marketed and sold as either mandatory or optional. The methodology developed may have applications for other products and industries.

National Aerospace Standard 411 Update
Timothy Sheehan, CIH, CSP, PE, Raytheon Global Substances Program, Raytheon, Portsmouth, RI, USA
This paper describes the effort to review and update National Aerospace Standard 411 ("NAS 411"), commonly used within defense as a framework to conduct Hazardous Material Management Programs (HMMP) intended to reduce hazardous material risks in the government procurement of military systems. The scope of the effort includes both a review of the standard and the introduction of several key changes, including the expansion of the scope to non-military procurements and service contracts. Included in the effort is the task of developing a standardized military Hazardous Materials Target List (HMTL) that can be used as a starting point for military HMMP hazardous material (HAZMAT) target lists. The development of the common HMTL addresses the need to increase standardization of HMMP lists across defense programs that use NAS 411 and/or MIL-STD-882E Task 108 to conduct their HMMPs. There is no current standard approach for developing these lists; as a result, there are numerous different materials identified for restrictions and reporting requirements. The current situation often does not support (or reflect) the hazmat risk management goals of the DoD, the military services or the contractors.

Linear Integrated Safety Analyses (LISA)
Michael T. Grant, Aviation & Product Safety, Sikorsky Aircraft Corp., Stratford, CT, USA; Samad Muhammad, Atlantic Software Technologies Inc., New York, NY, USA
This paper describes the Linear Integrated Safety Analyses (LISA) process developed by the Sikorsky Aircraft Corporation (Sikorsky). The LISA architecture is designed to encompass all aspects of safety risk management for aircraft development programs. It is linear in that each assessment is repeated at the aircraft, system and subsystem levels in sequence, and it is integrated such that all analyses are connected and fully traceable to requirements. Sikorsky has partnered with Atlantic Software Technologies (AST) to develop a web-based LISA application. The end product will be a fully integrated system safety process that is comprehensive, repeatable and traceable.

Tuesday 08·13·13, AM, Clarendon: Workspace Safety. Chair: Kondreck

Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen
Han Zhang, MSc Candidate; Rachel McQueen, MS, PhD; Jane Batcheller, PhD, Human Ecology, University of Alberta, Edmonton, Alberta, Canada
Burn injuries in kitchens are prevalent; as well, chefs are exposed to high heat and humidity. Limited research has been performed on safety issues related to chef's uniforms regarding thermal protective performance towards common kitchen thermal hazards (i.e. flames, hot liquids, steam and hot surfaces) and the thermal comfort within commercial kitchens. The purpose of this research was to characterize the thermal protective performance properties of textiles used in chef's uniforms in order to understand how protective they are against all these thermal hazards in such an environment. Selected thermal performance tests (i.e. flammability and ease of ignition, hot water and oil splash, steam testing under low pressure and hot surface contact tests) were applied to predict the time to second-degree burn. Different fabric layer combinations (e.g. impermeable/semipermeable apron and two or more layers of cotton fabrics) were applied to determine the most effective way to wear chef's uniforms. In addition, thermal and water vapour resistance were compared among different fabric systems in terms of thermal comfort. Based on the obtained data from bench scale tests, recommendations were made to improve the thermal protection and thermal comfort of fabrics used in chef's uniforms and the safety within commercial kitchens.

A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources
Ray Fischer (1); Kurt Yankaskas, BS (2); Chris Page (1). (1) Noise Control Engineering Inc., Billerica, MA, USA; (2) Warfighter Performance Department, Office of Naval Research, Arlington, VA, USA
Noise remains the most prevalent occupational hazard associated with defense systems and operations critical to their sustainment. Concurrently, acquisition programs have been inconsistent in application of control measures, and many new systems are noisier than their legacy predecessors. Common impediments to improved control include a relative lack of emphasis on risk management of noise, lack of widespread technical knowledge regarding the feasibility of noise control, and misunderstanding of potential return on investment from noise controls. The Defense Safety Oversight Council's Acquisition and Technology Task Force sponsored a project to identify common noise sources affecting multiple defense systems that were amenable to control measures that could be implemented using existing technologies at an affordable cost. A system engineering risk management process was applied to review key noise sources in DOD, identify nine of the more common sources amenable to control technologies, and describe common control measures for these processes. An affordable containment (acoustic enclosure) technology was also evaluated and described. Estimates were made of exposed populations, the range of their occupational exposures, and the potential risk and fiscal cost of hearing loss. Cost-benefit analyses were applied to evaluate the return on investment from available control measures.

System Safety Design for Safe Operation of Radars
Ronald J. Bartos, PE, CSP, Whole Life Engineering, Raytheon, Sudbury, MA, USA
Safe operation and maintenance of radars depends upon effective system safety and software safety analyses of radar designs. These analyses include identification of the hazards involved in operating and maintaining radars and the safety requirements that are necessary to mitigate these hazards. This paper familiarizes the reader with the system safety design requirements that are implemented in the controls of these systems in order to manage the potential safety risks inherent in radars. The safety features are contrasted among different types of radars. The differences in the types of safety features among these systems are highlighted, and factors for these differences are presented. The radar's mission, location, system architecture, conceptual design and requirements allocation between hardware and software need to be understood in order to implement an effective safety program.

Tuesday 08·13·13, PM, Berkeley: Software Engineering. Chair: Mikula

Dependability Techniques Applied to Space Software - A Research Project Report
Carlos Henrique Netto Lahoz, Dr. Eng., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos (SP), Brazil; Martha Adriana Dias Abdala, MS, Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos, Brazil
This work reports some results of a research project performed at the Institute of Aeronautics and Space (IAE), Brazil, using dependability techniques applied to a space computer system. Hazard analysis techniques such as Software FTA and Software FMECA were used in an integrated manner, and more recently the System-Theoretic Process Analysis (STPA) has been studied. This research is part of the Verification and Validation (V&V) efforts to increase software dependability capability in software projects at IAE.

The feasibility of such an approach was conducted on the system software specification and applied to a case study based on the Brazilian Launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to the inclusion of new functional and non-functional system software.

The techniques are adjusted and used in combination to identify common causes of software failures, their criticality, performance problems, temporal misleading and hazards arising mainly from dysfunctional interactions between components. The SFTA analysis produced 82 basic events and the SFMECA 34 analyses from the sequence of flight and control events. The STPA is being applied to one of the case study scenarios in order to evaluate possible additional information about how the behavioural safety constraints can be violated.

The Principles of Software Safety Assurance
Richard Hawkins, PhD; Ibrahim Habli, PhD; Tim Kelly, PhD, Department of Computer Science, University of York, York, United Kingdom
We present common principles of software safety assurance that can be observed from software safety standards and best practice. These principles are constant across domains and across projects and can be regarded as the immutable core of any software safety justification. The principles also help maintain understanding of the 'big picture' of software safety issues whilst examining and negotiating the detail of individual standards, and provide a reference model for cross-sector certification.


Formal Modelling in the Development of Dependable Systems
Elena Troubitsyna, PhD, IT, Åbo Akademi University, Turku, Finland
Nowadays we tend to place increasing reliance on computer-based systems and the software which they are running. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, the analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.

It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing of software to the required degree of dependability infeasible, and hence the emphasis should be put on the development process, which is aimed at producing fault-free software. Moreover, the system environment has a direct impact on its dependability, and hence a systems approach should be applied.

In the paper we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.

Tuesday 08·13·13, PM, Clarendon: Aerospace Safety. Chair: Kraemer

Systems-Based Approach to Flight Safety Management in Airlines
Hong Chi, PhD; Baoguang Xu, PhD; Mingliang Qi, PhD; Xueyan Shao, PhD, Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China
Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of SMS. From 2006 we have worked with one of China's 3 big airlines, taking part in its construction of SMS. We find that safety risks have their own features in different airline departments, and divide safety risks into two categories: one is caused by factors such as quality of pilots and reliability of airplanes, and the other is caused by misprocessing through operational processes; for example, a misprocessing in data entry during dispatching may lead to insufficient fuel and then serious outcomes. A reasonable risk assessment can be obtained only by systematic mechanism analysis, and other analytical approaches need to be studied besides the risk matrix. Based on this, effective risk mitigation can be implemented in airlines. We develop a closed loop to support airline flight safety management, named "Describing-Assessing-Diagnosing-Improving-Tracking". Specific details will be discussed in this paper.

Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch
Burak Durmaz, MSc Eng, Product Assurance Department, Space Systems Group, Turkish Aerospace Industries Inc (TAI), Ankara, Turkey

Even if new-generation aircraft have rugged designs that maximize reliability, exposure to failures during operation is still inevitable. With a pure safety approach one can arrive at the classical result "the safest aircraft is the one in the hangar". Conversely, allowing dispatch without ensuring a certain level of safety can lead to catastrophic results and is totally unacceptable. The MMEL has been answering this dilemma for many years. Each MMEL item is analyzed taking into account the effects of item inoperability on safe flight and landing, crew workload, functional capabilities of the systems, design margins, and the impacts of the next critical failure. The MMEL proposes dispatch criteria for any inoperative MMEL item by taking credit from a redundant unit capable of accomplishing the same function or from backup data provided by alternative sources or equipment, by dictating acceptable limitations, and/or by requiring operational or maintenance procedures.

This study aims to answer questions such as why the MMEL is required and how the MMEL is developed. Brief information about MMEL regulations, the importance of the MMEL in ensuring safe dispatch with inoperative item(s), and some simple examples of MMEL applications will also be provided.


Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics
Stuart Campbell Sr, MAS, CFII, ATP, Aeronautical Science, Embry-Riddle Aeronautical University, Daytona Beach, FL, USA

The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilots Association, 2010). The absence of a positive safety culture in general aviation, including training organizations, affects pilot judgment and decision making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture to the learning process and training, are of importance and are currently under study using the Frasca Mentor Advanced Aviation Training Device.

Tuesday 08/13/13 PM, Dartmouth: Software Safety. Chair: Schmedake

Safety and/vs Security: Towards a System Engineering Approach for Trust
Erwin Schoitsch, Dipl-Ing, Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria

Safety has a long tradition in many engineering disciplines, evolving long before computers arrived on the scene. Security in engineering disciplines has a shorter history, becoming increasingly important with the rising complexity of networked systems. In complex cyber-physical systems and systems-of-systems, both worlds, having ignored each other for a long time (independent communities, different targets, standards, techniques and measures), now have to share their concerns to achieve the real goal of users and stakeholders: trustworthy systems.

The paper will compare the different approaches of the major safety and security standards, particularly with respect to setting goals, considering techniques and measures, and qualification/certification. Holistic system aspects, as covered by the notions of Dependability and Resilience as umbrella terms, and system engineering aspects taking into account dichotomic properties of complex embedded systems (commonalities and trade-offs) are looked at in order to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from the concept phase and hazard and risk analysis to decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC FP7 Integrated Project OpenCOSS, IEC/ISO standardization groups, and other work.

Anatomy of a Safety Critical Software Function
Richard Church, Raytheon Company, Tewksbury, Massachusetts, USA

This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides a clear and concise determination of how a safety critical function may be defined at the system level to include hardware, software, human interactions, and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose an SLSCF into computing-level functions, details what constitutes a Safety Critical Computing Software Function (SCCSF), and shows how to identify those behavioral attributes that designate a function as safety critical. This paper provides a methodology to identify, decompose and categorize application and operating-environment SCCSFs. For the purpose of this paper, SCCSFs are categorized into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety critical software functions that control and monitor safety critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies, and fail-safe designs found in successful high-consequence safety critical systems.

Program ISSC 2013

Software Risk: The Third Rail of Safety Analysis
Holly S Hildreth, PhD, Consultant; Charles (Greg) Elcock, USN-R Aviator, Consultant; San Diego, CA, USA

"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Due to our inability to assess the probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called "throwing the baby out with the bath water". Meanwhile, the recent industry trend to assess software risk based solely on implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss shortcomings of this trend and describe alternative techniques that have not been openly documented but that have been used "under the radar" by software safety professionals for many years.

Wednesday 08/14/13 AM, Berkeley: Human Factors. Chair: Robins

ASL - Affective Safety Leadership
Ulrik Ramsing, Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark

Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how", demanding that the CoRep engage with all parties in a safe, professional and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged with CfL, Centre for Leadership, to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, the satisfactory completion of which is now a requirement for employment in DONG E&P Offshore Operation as Company Representative.

The CoRep Program satisfies its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors, and ILO-driven offshore coaching.

Exxon Valdez: Human Error, Plain and Simple
Arthur D Barondes, BS (Mil Engr), MS (Aero), MBA, PhD (ABD) (Business), Analytics International Corporation (AIC), Alexandria, VA, USA

Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989, and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors (there were no mechanical or electrical failures that fateful night), the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots, and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors, onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company, as solely responsible for the disaster.


Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A Vernacchia, MS, PE, Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A Green, PhD, Active Safety Systems, General Motors, Warren, MI, USA; Robert E Llaneras, PhD, Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA

Today's electric propulsion system designs (e.g. Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, some failure modes may result in the failure effect on output torque being realized significantly faster than in traditional ICE failure modes. These may present differences in how output torque responses impact potential "Driver Startle" events.

This paper compares electric propulsion systems' fault response characteristics, and subsequent detection and mitigation capabilities, to those of ICE systems. The effects of the electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle-level hazard metrics related to Driver Startle, are presented.

Wednesday 08/14/13 AM, Clarendon: Public Safety. Chair: Fletcher

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD; Yun Luo; Shuo Tian, MS; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

Taking scientific precautions and exercising effective control of accidents is important for national production in China. The famous Heinrich Rule reveals that the statistical law of the severity and frequency of accidents is essential to control accidents, but the accident source and causation, as well as the essence of systematic safety factors, haven't been stated deeply. With data analysis from various accident statistics over recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. A proportion rule of the accident pyramid is then further figured out, namely "Major Accident - Fatal Accidents - General Accidents - Hidden Dangers - Hazards" (1 : 52 : 240 : 4700 : ∞). The result accords with the traditional Heinrich Rule, which provides the theoretical basis for accident prevention and indicates the way and direction of realizing essential safety.

Technical and Economic Aspects of Industrial Safety at a Large Enterprise with Distributed Sites Located in a Megacity
Ilya M Zheleznov, PhD, VNIIA, Moscow, Russia

The paper presents a review and the results of an analysis of different technical and economic aspects of industrial safety at a large enterprise with distributed sites, combining R&D work with pilot and batch production of high-tech products, and located in a megacity, Moscow.

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to optimization are considered from both technical and economic points of view, taking into account minimization of the transport of dangerous substances; the location of treatment facilities (waste effluents, gas purification) and waste storehouses; the location of systems maintaining working conditions (heating, air-conditioning, air cleaning, water supply, etc.); possible harm to the population; and a number of other factors.

The features connected with siting the enterprise in a megacity are identified, including limited areas for treatment facilities, a high density of utility lines in the area, small distances to residential buildings and city infrastructure objects, transport problems, high air pollution, etc.



Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr Professor G A Smirnov, Dr D I Yurkov, D V Syagin, T V Kozhina; All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia

The paper reviews questions related to the vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including those of a terrorist orientation, as well as to emergency situations of natural and anthropogenic character.

The main provisions of the Russian Government-approved complex program for the safety of the population on transport are presented. Approaches to the organization of screening of physical persons (passengers), vehicles, cargoes, luggage and personal belongings at transport infrastructure objects of Russian underground railways are formulated. Some types of neutron and X-ray equipment for the detection of explosives, nuclear materials and drugs, designed and produced by VNIIA named after N L Dukhov, are presented.

Wednesday 08/14/13 AM, Dartmouth: Lifecycle Safety. Chair: Swallom

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore, Singapore

System Safety analyses assess a system's hazards throughout all phases of the system life cycle. Quite often, details of maintenance tasks on systems are not clearly thought out and assessed. Hence, while in the midst of carrying out system maintenance tasks, hazards could arise and pose safety implications to users. Improper maintenance could also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance, and sometimes total replacement of the components at regular intervals, are required. Therefore it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety critical or safety related parts is also crucial in ensuring that the systems remain safe for operation after conducting maintenance.

This paper attempts to classify the different types of maintenance and the focuses of their respective hazard analyses in order to better address their potential hazards. Generally there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance and Reliability-Centered Maintenance. The authors will discuss, with examples, the hazard analysis for each of these types of maintenance.

ALD Software
30 Years of System Safety Leadership
Safety Service for Mission & Product Assurance
Safety Software for Highly Integrated Systems
Safety Training for Professionals
Contact Us Today for Free Web DEMO or Evaluation. USA Office: 5721 W Slauson Ave, Suite 140, Culver City, CA 90230. Tel 1-310-338-0990, Fax 1-310-338-0999
AIRBUS | ALSTOM | BAE | CATERPILLAR | DEUTSCHE BAHN | EADS | FAA | FINMECCANICA | IAI | SELEX Galileo | LOCKHEED MARTIN | NASA | NORTHROP GRUMMAN | SCAC | SAAB | THALES ALENIA SPACE | VIBRO-METER | US NAVY
RAM Commander: Ultimate Tool for Safety Assessment
FavoWeb: World Standard in FRACAS
D-LCC: Dynamic Cost Control
www.aldservice.com

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram, David Hartfelder, Electronic Controls and Software, General Motors Company, Milford, MI, USA

System safety engineering is the application of special technical methods and managerial processes, in a systematic manner, to identify, evaluate and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned with eliminating or minimizing the impact of system hazard(s) to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementary critical safety analyses, tests and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase and continuing through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that they are able to influence the design of the system. This paper will define a system safety case and provide an overview of its development within the GM system safety engineering process as it applies to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA

Error Prevention Event Collection (EPEC) Documents have been beneficial to the ULA Organization in many ways, by providing multiple methods to augment current ULA Error Prevention Processes and to share Lessons Learned throughout the ULA Organization. EPEC Documents are stand-alone documents that provide ULA Personnel with categorized sets of Event information that can be used to augment Preventive Analysis, Reactive Analysis and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process, which means that they have completed the Causal Analysis, Corrective Action Board and Error Prevention Council processes. Upon Event closure, the "All Items" Database is populated with Event information and the applicable Event EPEC Categories. The "All Items" Database then automatically sorts Event entries into "Category" Databases, one for each EPEC Category. Each "Category" Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" Database, providing users with instructions for use, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications and benefits will continue to be explored as they relate to the EPEC Documents.

Wednesday 08/14/13 AM, Exeter: Human Factors II. Chair: Flint

Development of an Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy; Yanyan Wang, DE; Xin Liu; Wei Bai; Xinsheng Guo; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China

Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress has a disadvantageous effect on flight safety. Life events are a routine item of aircraft accident investigation in many countries, and a lot of pilots involved in accidents were suffering from life events. In order to achieve the ideal effect, flight safety education must be incorporated with psychology. An education program combining flight safety and psychological stress was developed by summarizing the psychological factors relevant to aviation risk perception. The program includes three sections: psychological measurement relating to safety, with feedback of results; education on representative risk scenes in aviation; and occupational stress management. The Aviation Safety Locus of Control scale and the Hazardous Aviation Attitude questionnaire were used to evaluate risk pattern, and the results were fed back to pilots to improve their self-knowledge. Representative risk scenes were based on the five hazardous attitudes theory; fifteen cases were developed and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach pilots stress management skills. The program can be applied to improve the flight safety and mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD; Xin Liu; Wei Bai; Xinsheng Guo; Qingfeng Liu, MPsy; Xiaochao Guo, DPsy; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China

The capabilities of crew resource management (CRM) directly relate to flight safety and run through the whole process of flight tasks, but there are currently still no indicators and methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and the pilot's behavior characteristics of dynamic CRM were developed based on AC-121-FS-2011-41 (crew resource management training) and by analyzing the influential factors; thus the dynamic assessment training indicators and methods of crew resource management were eventually formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis of assessment of CRM during flight training, which is helpful to improve the CRM capabilities of the double drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD; Erin Collins; Hughes Associates Inc, Baltimore, MD, USA

The fire protection response in selected facilities is characterized by "manual" activities. That is, facility personnel are trained to react immediately after fire detection, not only to announce the fire event throughout the facility using the communication systems but also to suppress the fire as quickly as possible. Contrary to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e. hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper involves an integration of event tree analysis and HRA, which includes treatment of the following detection and suppression activities: prompt detection and suppression, rapid detection and suppression, and fire brigade suppression.
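As an added illustration of how event tree analysis and HRA combine (written for this edit; not the paper's model, method or data), the following Python evaluates an event tree whose three branch points are the manual stages named in the abstract. Each stage is a human action credited with a human error probability (HEP); following the HRA feasibility idea, an action whose required time exceeds the time available is treated as infeasible (HEP = 1). All HEPs, time windows and the initiating frequency are constructed values, and the stage names and dictionary keys are this example's own.

```python
# Added example, not from the paper: evaluating a small fire-response event
# tree whose branch points are manual detection/suppression actions quantified
# by HRA. Stage names follow the abstract; every HEP and time value below is
# constructed for illustration, not taken from any HRA method or data set.


def human_error_probability(nominal_hep, time_available, time_required):
    """Feasibility screen used in HRA: an action whose required time exceeds
    the time available (e.g. before the fire grows beyond manual control) is
    infeasible and is credited with HEP = 1.0; otherwise the nominal HEP from
    the detailed HRA applies."""
    if time_required > time_available:
        return 1.0
    return nominal_hep


def evaluate_event_tree(stages, initiating_frequency=1.0):
    """Evaluate an event tree of ordered suppression stages.

    Each stage is questioned only if every earlier stage failed (the fire is
    still burning). Returns (sequences, unsuppressed) where sequences maps a
    path label such as 'prompt:F|rapid:S' to its frequency and unsuppressed
    is the frequency of the all-failures end state."""
    sequences = {}
    remaining = initiating_frequency
    path = []
    for stage in stages:
        hep = human_error_probability(stage["hep"], stage["t_avail"], stage["t_req"])
        sequences["|".join(path + [f"{stage['name']}:S"])] = remaining * (1.0 - hep)
        path.append(f"{stage['name']}:F")
        remaining *= hep
    sequences["|".join(path)] = remaining
    return sequences, remaining


def improvement_sensitivity(stages, initiating_frequency=1.0):
    """For each stage, the unsuppressed frequency if that stage's nominal HEP
    were halved (and an infeasible stage made feasible). Stages with the
    largest reduction are where added capability pays off most."""
    result = {}
    for i, stage in enumerate(stages):
        trial = [dict(s) for s in stages]
        trial[i]["hep"] = stage["hep"] / 2.0
        trial[i]["t_avail"] = max(stage["t_avail"], stage["t_req"])
        result[stage["name"]] = evaluate_event_tree(trial, initiating_frequency)[1]
    return result


# Constructed scenario: three stages, times in minutes, HEPs invented.
FIRE_STAGES = [
    {"name": "prompt", "hep": 0.3, "t_avail": 5.0, "t_req": 2.0},
    {"name": "rapid", "hep": 0.2, "t_avail": 15.0, "t_req": 10.0},
    {"name": "brigade", "hep": 0.05, "t_avail": 30.0, "t_req": 20.0},
]

if __name__ == "__main__":
    seqs, unsup = evaluate_event_tree(FIRE_STAGES, initiating_frequency=1e-2)
    for label, freq in seqs.items():
        print(f"{label:32s} {freq:.3e} /yr")
    print(f"unsuppressed: {unsup:.3e} /yr")
    print("sensitivity:", improvement_sensitivity(FIRE_STAGES, 1e-2))
```

The end-state frequencies sum to the initiating frequency, and the unsuppressed frequency is the product of the stage HEPs; setting a stage's required time above its available time drives that stage's HEP to 1 and shows immediately how much the overall result depends on the feasibility judgement.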

Wednesday 08/14/13 PM, Berkeley: Safety Topics. Chair: Gauthier

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou, BEng, MSc, PhD, CEng; Matthew Luckcuck; Tim Kelly, PhD; Richard W Jones, PhD; Department of Computer Science, University of York, York, United Kingdom

There has been an increasing use of IT in healthcare, aiming to improve the quality of healthcare as well as the safety delivered to patients. IT can contribute to improvement in meeting the performance targets of hospitals by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent in medical devices (e.g. pacemakers), for which there are organised efforts for international standards. Recently there have been attempts to systematise and standardise the safety analysis of health IT systems, with examples such as the UK National Health Service standards asking for a safety case that any IT systems are safe.

The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety and data-intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these tactics can be used to provide assurance to the final safety case of the system.

How Complex Systems Fail - I: Decomposition of the Failure Histogram
Richard R Zito, PhD, Richard R Zito Research LLC, Tucson, AZ, USA

Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that in general the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model, and the failure histograms (failure rate vs time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report will take the Peterson/Arellano analysis one step further. A unified theory of failure rates will be presented that removes the paradoxes of the simple Rayleigh model. It will be shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function law.
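To make the superposition argument concrete, here is an added example (written for this edit; not code from Zito's paper or from Peterson and Arellano): a system of three subsystems, each with its own Rayleigh defect-rate curve, is compared with the single Rayleigh curve that matches its total defect count and mean discovery time. The subsystem modes and defect counts are constructed values, and the moment-matched single-curve fit is this example's own choice, not the paper's fitting method. Only the Python standard library is used.

```python
import math

# Added example (not from the paper): superposing per-subsystem Rayleigh
# defect-rate curves and comparing the tail with a single Rayleigh fit.
# Subsystem modes and defect counts below are constructed, not measured data.


def rayleigh_rate(t, sigma, n_defects=1.0):
    """Rayleigh defect-discovery rate with mode (peak time) sigma, scaled so
    the curve integrates to n_defects: n * (t / sigma^2) * exp(-t^2 / (2 sigma^2))."""
    return n_defects * (t / sigma ** 2) * math.exp(-t ** 2 / (2.0 * sigma ** 2))


def mixture_rate(t, subsystems):
    """Total defect rate of a system whose subsystems each follow their own
    Rayleigh law. subsystems = [(sigma_i, n_i), ...]."""
    return sum(rayleigh_rate(t, sigma, n) for sigma, n in subsystems)


def single_rayleigh_fit(subsystems):
    """Moment-matched single-Rayleigh approximation (this example's choice):
    same total defect count and same mean time-to-discovery.
    Rayleigh mean = sigma * sqrt(pi / 2)."""
    total = sum(n for _, n in subsystems)
    mean_t = sum(n * sigma * math.sqrt(math.pi / 2) for sigma, n in subsystems) / total
    return mean_t / math.sqrt(math.pi / 2), total


def tail_ratio(subsystems, t):
    """Ratio of the true (superposed) rate to the single-Rayleigh rate at t.
    A value > 1 means the single model under-predicts the rate there."""
    sigma, total = single_rayleigh_fit(subsystems)
    return mixture_rate(t, subsystems) / rayleigh_rate(t, sigma, total)


def integrated_defects(subsystems, t_max, steps=4000):
    """Trapezoidal integral of the superposed rate over [0, t_max]; recovers
    the total defect count when t_max is well past the largest mode."""
    h = t_max / steps
    area = 0.0
    for i in range(steps + 1):
        w = 0.5 if i in (0, steps) else 1.0
        area += w * mixture_rate(i * h, subsystems)
    return area * h


def late_decay_rate(subsystems, t1, t2):
    """Empirical log-slope of the rate between t1 and t2. For a single
    Rayleigh the slope is 1/t - t/sigma^2, steepening without bound
    (faster-than-exponential decay); a spread of modes keeps it much
    flatter, closer to the exponential decay seen in field data."""
    r1, r2 = mixture_rate(t1, subsystems), mixture_rate(t2, subsystems)
    return (math.log(r2) - math.log(r1)) / (t2 - t1)


# Constructed example: three subsystems peaking at 5, 10 and 20 time units,
# 100 defects each.
SUBSYSTEMS = [(5.0, 100.0), (10.0, 100.0), (20.0, 100.0)]

if __name__ == "__main__":
    sigma, total = single_rayleigh_fit(SUBSYSTEMS)
    print(f"single-Rayleigh fit: mode={sigma:.2f}, total defects={total:.0f}")
    for t in (5, 10, 20, 40):
        print(f"t={t:3d}  superposed rate={mixture_rate(t, SUBSYSTEMS):8.3f}  "
              f"ratio to single fit={tail_ratio(SUBSYSTEMS, t):6.2f}")
    print(f"late log-slope, superposed: {late_decay_rate(SUBSYSTEMS, 30, 40):.3f}")
    print(f"late log-slope, single fit: {late_decay_rate([(sigma, total)], 30, 40):.3f}")
```

Near the bulk of the histogram the single curve over-predicts slightly, while well past the last mode the superposed rate exceeds the single-Rayleigh prediction by several times and decays with a much flatter log-slope, which is the qualitative behaviour the abstract attributes to real data.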

Wednesday 08/14/13 PM, Clarendon: Risk Assessment. Chair: Karedes

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt; Joan Pham, PhD; Sikorsky Aircraft Corporation, Stratford, Connecticut, USA

The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday 08/15/13 AM, Berkeley: Space Systems. Chair: Durmaz

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X Dang, BSCE (1); Myles P Moran, BSME (2); Tyrone Jackson, BSEE (1). (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA

A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. An example: one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 (AFSPC Sup 1), AFI 91-217 and AFI 63-101. AF program offices are required to comply with AFI policies; AFIs don't generally apply to the contractor except as implemented through the contract. Often, program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that by having two sets of requirements, AFIs for program offices and tailored MIL-STD-882 for contractors, full compliance with AF Orbital Safety policy should be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"



Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G McDougall, BS Physics, Naval Post-Graduate School (NPS) Master of System Engineering, System Safety Center, SMC/SE, El Segundo, CA, USA; Tyrone Jackson, BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA

Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommissioning and disposal of systems, subsystems, end items and services during the entire space system lifecycle, to support Operational Safety, Suitability and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements that are applicable to the acquisition of space systems or space systems of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems, and user equipment systems. The SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202 (AFSPC Sup I) and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process for evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing the tasks and activities required to execute a viable system safety program, which include risk acceptance package development, hazard tracking, mishap risk disposition, and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch, CO, USA

United Launch Alliance launches Atlas V and Delta IV from Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles, and large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle and prelaunch operations, until liftoff. Range Safety regulations provide safety requirements for hardware, software and operations to ensure safety throughout ground processing. This paper will examine each stage of the ground processing for space launch and the applicable safety requirements, and discuss how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after personnel are cleared, using safety critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday 08/15/13 AM, Clarendon: Weapons Safety (Chair: Southwick)

Security Critical Software — the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S. Alborzi, PhD, Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA

Today's political landscape, the arbitrary abandonment of non-proliferation of nuclear weapons by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense of system safety. This paper intends to explore this integration and unveil some of the security critical software that can serve as the first line of defense for preserving the safety critical features of our weapons systems.


Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams, BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello, BSChE, Navy NOSSA, Indian Head, MD, USA

The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance for implementing policy provided in the associated AOP-7 and AOP-39. Questions are often raised during program development and reviews as to the origin and applicability of the tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, will only address Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE; Gunendran Sivapragasam, MBA SE; Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA

A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among the characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down groundwork with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday 08/15/13 AM, Dartmouth: Hazard Identification (Chair: Oliver)

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore

We often ask ourselves why accidents or mishaps happened even when the system safety methodology and assessments were in place. Accidents happen due to many possible causes. There could be lapses in the safety integrity of the system, a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknown ways in which a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations that were faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practices in system safety. There are 4 areas of concern highlighted in the paper: Interfaces, Prototype Tests & Trials, Maintenance & Disposal, and Human Error. By identifying the gaps in these 4 areas, the author explores and proposes mitigation measures that could possibly close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr. Cand. scient., System Safety, SINTEF, Trondheim, Norway

Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body (for certification according to IEC 61508), a Notified Body (for certification according to the relevant EU directives) and a Manufacturer.

Experience has shown that, to deliver the product on time and to be cost-effective, it is very important that the Manufacturer and the Certification and Notified Bodies agree about basic principles concerning the plans, contents, traceability and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Body as evidence.

This paper presents the CoVeR method, which has been developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, that costs are minimized, that time to market is reduced, that the certification process is complete and well documented, and that updating the certificates requires less work. The certification experiences to date show that many of the problems seen with conventional methods are reduced.

Design with Safety Eye
Barış Berk Erdem, MS; Pinar Aydin, MS; Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey

Deriving safety requirements in the early stages of the design is one of the most important key factors in conducting a successful development process for any project. While well-defined, correct, consistent and complete safety requirements improve and guide the design to perfect levels with minimum effort, defective, inconsistent and incorrect safety requirements may lead to unsuccessful, overweight and over-cost designs. In this paper, ways of deriving qualified safety requirements in the early stages of the design, and the advantages of doing so, will be discussed via examples. Safety requirements are derived using the results of the safety assessments, based on the consequences of functional failures. But the quality of safety assessments depends on the maturity of the design, and as the design matures it becomes hard to implement changes; this causes a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated and familiar with similar projects provides great contributions. A safety perspective throughout the design team also makes it easy to derive valuable safety requirements and build them into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is cooperation of the whole design team with a safety perspective.

Thursday 08/15/13 PM, Berkley: Aerospace Software (Chair: Beecher)

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway, NASA Langley Research Center, Hampton, VA, USA

For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements". Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of research seeking to identify the specific arguments, contained in or implied by the DO-178C guidance, that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore, developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels and Baconian probability. We define use cases for confidence in safety cases, prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for reuse of safety elements.

Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System
Eric Yang, PhD; Richard Y. Xie, PhD; Arash Yousefi, PhD; Metron Aviation, Inc., Dulles, VA, USA

As demand for military, civilian and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper we adapt a previously developed safety modeling framework, Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS; incompatibility between the sense-and-avoid systems of UAS and the Tactical Collision Avoidance Systems (TCAS) of manned aircraft; loss-link procedures in the UAS; and UAS loss of communication with air traffic control. The findings of this study provide insight into potential risks of UAS integration and may support development of a concept of operations, establishing minimum performance standards, and developing required safety nets.

Thursday 08/15/13 PM, Clarendon: Public Safety II (Chair: Laabs)

Integrating System Safety and Emergency Management
Terry L. Hardy, Great Circle Analytics, LLC, Denver, CO, USA

System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS, HSE, Marine Well Containment Company, Houston, TX, USA

Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess and Statoil. In February 2011, MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS, and the Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach for working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.


A Taxonomic Analysis on Chinese Special Equipments "Yinhuan" in Supervision
Yunxiao Fan, Dr., Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety at the worksite. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices and automobiles. In recent years, the rapid increase in the numbers and types of special equipment has put BSES under increasing stress in regulating it. As a government supervision organization, BSES tries to make the inspection tasks at the different supervision levels explicit and efficient, and to improve safety management performance from the viewpoint of risk. This research is the first task in a project which aims to identify yinhuans in special equipment supervision through a taxonomy approach, for further ranking through risk assessment.

Based on nonconformity and the 4 elements in the accident causation model, this research defined yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. This research identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans across 8 types of special equipment.

Thursday 08/15/13 PM, Dartmouth: Hazard/Risk Management II (Chair: Kniess)

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1); Patrick J. Graydon, PhD (2); Rikard Land, PhD (1). (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework that includes analysers for safety cases defined in the Goal Structuring Notation (GSN) and for systems modelled in the Architecture Analysis and Design Language (AADL). In our approach, the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence; it can ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA

United Launch Alliance (ULA) believes error reporting is the cornerstone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012, ULA experienced an elevated number of transportation-related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if the associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates the processes were "in control" during the period of this study.


Even though statistical analysis tools demonstrated ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, PEng, MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece

Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how STAMP-Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents and incidents. The objective is to show the feasibility of establishing, in airports, system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems and airports to assess and predict changing levels of risk.


Special Functions

Saturday: SSS Executive Council Meeting, 12:00 - 5:00 pm, Tremont Room

Sunday: SSS Executive Council Meeting, 8:00 am - 5:00 pm, Tremont Room

Monday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room. Opening Ceremonies / General Session, 1:30 - 3:30 am, Salons A-E. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus. Keynote Speaker: James P. Keller Jr., MS, ECRI Institute.

Tuesday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room. Sponsor/Exhibitor Luncheon, 11:30 am - 1:20 pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology. Sponsor & Exhibitor Reception, 6:30 - 8:30 pm, Gloucester Room.

Wednesday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room. International Luncheon, 11:30 am - 1:20 pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK. Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00 pm. Be in the hotel lobby at 6:00 pm.

Thursday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room. Awards Luncheon, 11:30 - 1:20 pm, Salons A-E.

Friday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room. Best Papers Presentations, 8:00 - 11:20 am, Dartmouth Room.

32nd International System Safety Conference, 4-8 August 2014 · St. Louis, MO
St. Louis Union Station Marriott Hotel
"Gateway to Safety": 32nd International System Safety Conference, St. Louis, Missouri · August 4-8, 2014

Local attractions:
• Gateway Arch Riverfront
• Missouri History Museum
• Museum of Transportation
• St. Louis Cardinals
• St. Louis Symphony
• St. Louis Union Station
• St. Louis Science Center
• The Contemporary Art Museum St. Louis
• Bissell Mansion Restaurant and Dinner Theater
• Missouri Botanical Gardens
• Laumeier Sculpture Park
• Anheuser-Busch Brewery
• Kemp Auto Museum
• Schlafly Bottleworks
• Fox Theater
• Purina Farms
• Meramec Caverns
• Laclede's Landing
• City Museum
• Magic House
• Grant's Farm
• St. Louis Zoo
• Delmar Loop
• Forest Park
• Harrah's
• Six Flags


About the System Safety Society
The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program or activity at the planning phase and continues through the design, production, testing, use and disposal phases.

The Society's Objectives
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070, www.system-safety.org, email: systemsafety@system-safety.org

Points of Contact

Officers
Robert Schmedake, President: robertaschmedakeboeingcom
Dr. Rod Simmons, Executive Vice President: rodsimmonsmecom
Dr. Matt Johnson, Executive Secretary: mjohnsonstaudertechcom
Pam Kniess, Treasurer: pamkniessgmailcom
Gary Braman, Immediate Past President: gbramansikorskycom

Directors
Gerry Einarsson, Chapter Services: einargkrogerscom
Lynece Pfledderer, Conferences: Lynecepfleddererlmcocom
Dr. Chuck Muniak, Education & Professional Development: cmuniakstevensedu
Debbie Hale, Gov. & Intersociety: Hale0324hotmailcom
Robert Fletcher, International Development: rwfletchersympaticoca
Melissa Emery, Member Services: memeryapt-researchcom
Steve Mattern, Mentoring / R&D: smatternbastiontechnologiescom
Saralyn Dwyer, Publicity & Media: sdwyerapt-researchcom


chaPterSTennessee Valley Chapter AL Don Swallom swallomisss-tvcorg

Saguaro Chapter AZ Amanda Boysun 520-794-5487 AmandaBoysunraytheoncom

Bay Area Chapter CA Graham Murray 408-756-2674 grahamtmurraylmcocom

Central California Chapter CA Kathleen Brenna KathleenBrenna1usafmil

Sierra High Desert Chapter CA Jerry Banister 760-377-4690 safetycitadelearthlinknet

Southern California Chapter CA Francis McDougall 310-653-1309 francismcdougallusafmil

Colorado Chapter Terry Foppe 303-915-8353 terryfoppecomcastnet

Georgia Chapter Terry Gooch 770-494-3527 terryjgoochgmailcom

Winners Circle Chapter KYIN Marc Bever 812-854-1351 Marcbevernavymil

Twin Cities Chapter MN Bill Blake 763-744-5086 billblakeatkcom

New England Chapter Alan E Southwick 401-842-2067 Alan_E_Southwickraytheoncom

Northeast Chapter Scott Beecher scottbeecherPWutccom

New Mexico Chapter NM William (Bill) Harwood williamharwoodmdamil

Houston Chapter TX Derek Robins 281-335-2011 derekrobbinsmwcc-usacom

North Texas Chapter TX Frank Rinaldo 817-762-3075 frankrrinaldolmcocom

Washington DC Chapter Sean Peters seanpetersurscom

Virtual Chapter Doanna Weissgerber 408-289-4407 DoannaWeissgerberbaesystemscom

International Chapters
Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbechtrgbassurancecomau

Canada Chapter Maury Hill 613-220-0533 Mauryhillrogerscom

Israel Chapter Haim Kuper 972-4-8315044 haimkuperelbitsystemscom

Singapore Chapter Ten Lin Mei tlinmeidsoorgsg


31st ISSC Luncheon Menu

Tuesday, August 13
New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14
Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15
Caesar Salad
Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce
White Chocolate and Blood Orange Torte


Rooms: Exeter, Fairfield, Suffolk, Wellesley

8:00 - 8:50
• Human Factors II (Flint): Development of Education Program Integrating Flight Safety and Psychological Stress (Liu, Wang, Liu, Bai, Guo)
• Tutorial: Why You Should Care About the "-Ilities", Southwick (3 hrs)
• G-48 Meeting, West (6 hrs)
• Committee & Group Meetings

9:00 - 9:50
• Human Factors II: Research on Evaluation Index and Method of CRM Dynamic Training (Wang, Liu, Bai, Liu, Guo, Guo)

10:30 - 11:20
• Human Factors II: Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events (Garvey, Joglar, Collins)

1:30 - 2:20
• Tutorial: Where Hard Meets SOFT: Human Factors Role in System Safety Engineering, Brisbois (2 hrs)
• Workshop: Aircraft Fire & Explosion – How Safe are the Friendly Skies (Moussa)
• G-48 Meeting (continued)
• Tutorial: Using Risk Profiles for Safety Management of Large Scale Operations, Fitzgerald (3 hrs)

2:30 - 3:20 and 4:00 - 4:50: no separate entries (the multi-hour sessions above span these slots)

Schedule, Thursday 15 August
4th Floor, 8:00 - 5:00: Registration. Simmons Room, 6:30 - 8:00: Speakers' Breakfast. Regis Room, 8:00 - 5:00: Presenter Prep.

Rooms: Berkley, Clarendon, Dartmouth

8:00 - 8:50
• Berkley, Space Systems (Durmaz): Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy (Dang, Moran, Jackson)
• Clarendon, Weapons Safety (Southwick): Security Critical Software — the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age (Alborzi)
• Dartmouth, Hazard Identification (Oliver): Closing the Gaps in System Safety Coverage (Siow)

9:00 - 9:50
• Berkley: Tailoring of MIL-STD-882E for Space Systems Acquisitions (McDougall, Jackson)
• Clarendon: Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics (Adams, Tomasello)
• Dartmouth: Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods (Myklebust)

10:30 - 11:20
• Berkley: Cryogenic Safety for Space Launch Vehicles During Ground Operations (Iyengar)
• Clarendon: A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects (Pham, Sivapragasam)
• Dartmouth: Design With Safety Eye (Erdem, Aydin)

Awards Luncheon, Salons A-E. Menu: Caesar Salad; Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce; White Chocolate and Blood Orange Torte.

1:30 - 2:20
• Berkley, Aerospace Software (Beecher): Making the Implicit Explicit: Towards an Assurance Case for DO-178C (Holloway)
• Clarendon, Public Safety II (Laabs): Integrating System Safety and Emergency Management (Hardy)
• Dartmouth, Hazard/Risk Management II (Kniess): Towards Automatic Verification of Safety Properties in AADL System Models (Björnander, Graydon, Land)

2:30 - 3:20
• Berkley: Uncertainty and Confidence in Safety Logic (Graydon)
• Clarendon: Safety in Deepwater Well Containment Operations (Robins)
• Dartmouth: Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events (Allison, Jerdak)

4:00 - 4:50
• Berkley: Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System (Yang, Xie, Yousefi)
• Clarendon: A Taxonomic Analysis On Chinese Special Equipments "Yinhuan" in Supervision (Fan, Luo, Lu)
• Dartmouth: Leading Indicators in Aviation Operations (Fletcher, Dokas)

Rooms: Exeter, Fairfield, Suffolk, Wellesley

8:00 - 8:50
• Tutorial: Conceive of Modeling On Operation Mechanism of Public Safety Standardization, Luo, Huang (6 hrs)
• Panel: G-48 Pressing Issues Facing System Safety, West (3 hrs)
• Committee & Group Meetings

9:00 - 9:50 and 10:30 - 11:20: no separate entries (the multi-hour sessions above span these slots)

1:30 - 2:20
• Tutorial (continued)
• Committee & Group Meetings (continued)

2:30 - 3:20 and 4:00 - 4:50: no separate entries (the sessions above continue)

Friday 16 August
Simmons Room, 6:30 - 8:00: Speakers' Breakfast

Rooms: Clarendon, Dartmouth, Regis

8:00 - 8:50
• Workshop: Process Safety Culture Best Practices, Pearlman (2 hrs)
• Best Paper 1
• Lessons Learned & ISSC Staff Turn-over Meeting

8:50 - 9:30
• Best Paper 2

10:00 - 10:40 and 10:50 - 11:30: further slots (no entries listed)

20

3 2 1 SAFETYSystem safety is paramount It impacts our products employees technicians and

maintenance personnel And safety is no accident ndash it is designed into everything we do We are proud to sponsor this yearrsquos International System Safety Conference and

their mission to think outside the box when it comes to the best processes methods and techniques Wersquore committed to delivering innovative ideas and solutions that

help connect protect and explore our universe

wwwlockheedmartincomssc

copy 2

012

Lock

heed

Mar

tin C

orpo

ratio

n

307-64315_TurningVisions_ISSCindd 1 71612 501 PM


TUTORIALS

The conference organizers have an information-packed tutorial program planned in conjunction with the 31st ISSC. Attending tutorials, as well as other elements of the Technical Program at the 31st ISSC, meets the requirements for Continuance of Certification credit through the Board of Certified Safety Professionals (BCSP). The University of Cincinnati will issue Continuing Education Units (CEUs) for participation in the conference tutorials. CEUs are issued on the basis of 0.1 CEU per instructional contact hour. You must be present for at least 90% of the tutorial to receive CEUs and a tutorial completion certificate. Your attendance is verified via the process outlined below:

• At the start of the tutorial, you'll clearly print your name in the attendance form exactly as you want it to appear on the certificate.
• After returning from each break during the tutorial (morning, lunch and/or afternoon), you'll initial the attendance form.
• You must be present at the end of the tutorial to receive your certificate and the CEUs.

If there are misspellings on the CEU certificates, please mark the corrections and give them back to the instructor or leave them at the registration desk.

Monday 08·12·13, 8:00-11:30, Exeter, Tutorial, 0.3 CEU

Hands-On System Safety Basics Focused on FHA
Instructors: Werner Winkelbauer, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria

An overview of a generic safety process best suited for small to medium sized projects, in relation to the project lifecycle, is given. For each major project phase, the respective safety process phase, safety objectives and necessary inputs and outputs are detailed. Some state-of-the-art analysis techniques are explained. Special emphasis is placed on the Functional Hazard Assessment, where practical guidance for a Functional Failure Modes and Effects Analysis is presented.

The content of this tutorial is based on the experience of an internationally operating company.

Objective: Basic understanding of a safety process and the practical implementation of a Functional Failure Modes and Effects Analysis.

Monday 08·12·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Introduction to Fault Tree Analysis Using CAFTA Software
Instructor: Jean Francois Roy, Nuclear Division, Risk & Safety Management Group, Electric Power Research Institute, Palo Alto, CA, USA

This tutorial will introduce Fault Tree Analysis using CAFTA software. Attendees will first review fault tree methodology and terminology. Construction of a fault tree model in CAFTA will then follow a brief review of CAFTA's components and symbol types. In constructing the fault tree model, topics covered will include projects, navigation, editing shortcuts and how to add probabilities. An overview of basic event probability formulas, type codes and variables will be included, as well as printing and quantification processes.

Tuesday 08·13·13, 8:00-5:00, Arlington, Tutorial, 0.6 CEU

A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique
Instructors: Nancy G. Leveson, PhD, John Thomas, PhD, Aeronautics and Astronautics, MIT (Massachusetts Institute of Technology), Cambridge, MA, USA

STAMP is a new accident causality model that expands on the old models in order to handle the increased complexity, software and changing human roles in today's systems. Using STAMP as a foundation, new tools have been built for hazard analysis (STPA), accident analysis (CAST), organizational risk analysis and risk management, etc. This tutorial will concentrate on STPA. The tutorial will start with a brief introduction to STAMP and the systems approach to safety engineering. The rest of the time will be devoted to learning STPA and doing exercises. Students are encouraged to bring problems from their own research domains so that they can try this analysis method on something very relevant to their work.

STPA is being used successfully in almost every industry. Several groups have evaluated STPA empirically by comparing the results with standard hazard analysis techniques. In all cases STPA found all the hazard scenarios found by the other methods, but also found additional ones involving software, human errors and unsafe interactions among system components. In a couple of cases where STPA and the other methods were applied to a design in which an accident had occurred (without telling the analysts), STPA was the only method that found the real accident scenario.

By the end of the tutorial, attendees will be able to apply STPA to a system in their field of expertise.

Tuesday 08·13·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Assurance Cases as a Means of Evidence-Based Development of Critical Systems
Instructor: George Despotou, BEng, MSc, PhD, CEng, Department of Computer Science, University of York, York, United Kingdom

Often developers have the onus to defend a position (i.e. make a case) about the safety of their system. This usually involves an explanation of how the available information for a system supports the claim that risks in the system have been acceptably managed.

Safety cases have been used in the safety domain for a number of years, mostly in the defence, aerospace and energy domains. Their usefulness as a tool for improving safety has been appreciated by many practitioners, and development of a safety case is a requirement in many standards. This has resulted in the core concepts of safety cases being transferred to other domains (e.g. automotive) and being focused on other system attributes (e.g. security cases). Recently the term assurance case has been introduced, which encompasses not only safety but other relevant critical aspects of a system, such as security.

A case exists to communicate an argument. It is used to demonstrate how someone can reasonably conclude that a system is acceptably safe from the evidence available. A case is a device for communicating ideas and information, usually to a third party (e.g. a regulator). In order to do this convincingly it must be as clear as possible. Safety case definitions may differ between domains, but all definitions converge on a set of characteristics.

Development of a (safety) case is a requirement in many standards. However, the usefulness of the safety case has also been appreciated in industry, and it is used by many organisations as good practice. The reason for this is that explicitly capturing all reasoning and information (about the supported position), such as assumptions and evidence, facilitates assessing the fitness of the design to meet its (safety) objectives. A manufacturer will design a system aiming to achieve the required operational attributes. However, what is intended is often not what is achieved. Once the reasoning of the developers is explicitly documented as claim and argument supported by evidence, the gap between what was intended and what was achieved becomes more apparent.

Explicitly documenting a case will contribute towards a factual representation of the system, revealing which claims can be supported by evidence and which remain intention (for example because there is not sufficient evidence to support them). This does not necessarily imply that the latter claims have not been implemented, but that we are unaware of their achievement, as they are not sufficiently supported. There can be three reasons why a claim is not sufficiently supported: a) there is not sufficient evidence to warrant the claim; b) although there is evidence, there is inadequate explanation (a problematic argument structure) as to how the evidence supports the claim; and c) the claim was phrased in a way that is unsupportable.

The tutorial describes the basic concepts of assurance and safety cases (including recent OMG standards), will explain the main challenges in developing an assurance case and their relationship to safety standards (safety cases and standards serve different purposes and should be seen as complementary), and will present best practice (and misconceptions) regarding assurance cases.

Tuesday 08·13·13, 8:00-11:30, Suffolk, Tutorial, 0.3 CEU

Practical Generation of Safety Cases with the Help of GSN
Instructors: Andreas Gerstinger, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria

This tutorial will introduce you to the concept of safety cases. Safety cases are structured arguments that support the claim that a system is safe to be used for a given application in a given environment. Several standards require the production of such safety cases as a prerequisite for approval. The tutorial will highlight good and bad practices when developing safety cases and will introduce you to a notation specifically developed for the generation of safety cases: the Goal Structuring Notation (GSN). There will be practical examples which need to be solved by the attendees, so that hands-on practice and experience is gained.

Detailed outline of the tutorial:

Introduction (1h): The tutorial will start with a survey of current safety standards (IEC 61508, ISO 26262, EN 50128, DO-178C) and analyse their views and requirements regarding safety cases. We will then delve into the nature of safety cases, briefly touch on their historical origins and clearly consider what can and what can't be expected from a safety case. Based on our practical experience, we will also highlight some typical bad practices when constructing safety cases. This helps to read them correctly and critically, and is also a helpful guideline for reviewing other safety documentation. This part of the tutorial is largely a presentation.

Goal Structuring Notation (45 min): We will then introduce the main elements of the Goal Structuring Notation (GSN), which is a helpful tool to document safety cases. The presentation of the notation will be interleaved with brief examples, exercises and questions, so that attendees have the chance to fully understand the meaning and purpose of the various symbols. A structured method for how to proceed when drafting safety cases will also be presented. Hence this part of the tutorial is much more interactive, requiring active participation of attendees.

Case Study (45 min): A realistic case study will then be handed out. It is expected to be solved as group work (groups of 3-5 people are expected). The task of the groups will be to draft and present a sound safety argument for a given claim that the system in the case study is acceptably safe for a specific application in a given environment. GSN shall be used as the notation for this purpose. At the end, the groups present their solutions and the advantages/disadvantages of the presented solutions are discussed. This part of the tutorial is group work.

Concluding Remarks (30 min): Finally, we will offer some concluding remarks consisting of hints on how to avoid common errors and fallacies in safety cases, show some examples of real-world safety cases, and finish with a personal conclusion.

Tuesday 08·13·13, 1:30-5:00, Suffolk, Tutorial, 0.3 CEU

Improving Safety Management by Using a Risk Management Policy in Your Daily Operations
Instructor: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA

The focus of the tutorial is the use of risk assessment and risk management in the (non-technical) occupational safety and health profession. Domain of interest: Hazard/Risk Management or Workplace Safety.

First hour: Review the basics of the various components of risk and types of risk assessments. Stress that the safety and health professional needs to understand that risk is more than a simple subjective measure of severity and frequency.

Second hour: Demonstrate how to make risk assessment into a powerful management tool by customizing the assessment of risk for use in a company or industry. Also provide insights on how to "sell" a risk management policy/program within a company.

Third hour: A discussion of how to use risk management as a tool to aid you in your daily office or program management responsibilities: the planning, organizing, staffing, leading and controlling of a safety program. Embedded in the discussion is how risk can provide a measure of the success of an occupational safety and health program.

Wednesday 08·14·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Why You Should Care About the "-Ilities"
Instructor: Alan E. Southwick, BSEE, MME, MBA, CSP, CQE, CRE, Whole Life Engineering Directorate, Raytheon Company Integrated Defense Systems, Portsmouth, RI, USA

The topic addresses the interrelationships developed from Quality, Quality Control and Quality Engineering, pursuing Specialty Engineering roles and relationships, including Reliability, Maintainability, Supportability, Human Factors, Safety and Security (Information Assurance), from an overview perspective. The tutorial is designed to be somewhat interactive, presenting examples and questions to the audience related to the various topics discussed, thereby engaging participants and providing them with insights into the various disciplines and how they relate within "Specialty Engineering".

Wednesday 08·14·13, 1:30-3:30, Dartmouth, Tutorial, 0.2 CEU

Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System
Instructors: Tim R. Behnke, BSEE; John Damstra, BS Mathematical Sciences; and Eric D. Villhauer, BS Aerospace Eng, BA Economics; Specialty Engineering, General Atomics Aeronautical, Poway, CA, USA

The presenters share their implementation of a hazard analysis that integrates the civil aviation approach to safety analysis per SAE ARP 4761 and the defense approach to safety analysis per MIL-STD-882E, along with their implementation of the associated hazard tracking system in DOORS.

• Introductions - Behnke - 5 mins
• Need for System - Behnke - 5 mins
• Groundwork (historical) - Behnke - 10 mins
• Development - Damstra - 30 mins
  i. Modules; ii. Attributes; iii. DXLs; iv. Views; v. Exports
• Usage - Villhauer - 30 mins
• Questions - All - 10 mins


Wednesday 08·14·13, 1:30-3:30, Exeter, Tutorial, 0.2 CEU

Where Hard Meets SOFT: Human Factors' Role in System Safety Engineering
Instructor: Fred W. Brisbois, CHCM, Safety, Sikorsky Aircraft / International Helicopter Safety Team, Guilford, CT, USA

The gap that allows accidents to happen is sometimes where System Safety Engineering and Human Factors don't overlap. System Safety Engineering processes defined in MIL-STD-882 and ARP 4761 provide a structured approach to applying engineering practices to ensure safety is designed into products. These practices, coupled with robust product safety surveillance and management during the aircraft's service life, offer opportunities to continuously raise the standards for future designs. However, to maximize the benefits of safety engineering, it is important to master the 'art' of how and when to integrate human factors interventions into the system design. This session will cover a generic overview of system safety engineering, aircraft fleet safety management, and lessons learned from 'human' malfunctions that led to aircraft system design changes.

Wednesday 08·14·13, 1:30-5:00, Wellesley, Tutorial, 0.3 CEU

Using Risk Profiles for Safety Management of Large Scale Operations
Instructor: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA

This tutorial provides safety and health professionals who work with large scale or multiple operations with a methodology to evaluate and compare these operations. The tutorial begins with a review of four types of risk which need to be assessed (People, Product, Production and Planet). This is followed by a brief discussion of normalizing the risk components of severity and probability. The heart of the tutorial is the description of how to measure the total risk of various operations, processes and facilities and present the resulting risk profiles to management. The tutorial will conclude with a brief discussion on the validity of the methodology used. Note: this is not a discussion of how to determine true total risk, but a simplified method using a minimum of math. The tutorial is designed for safety and health professionals working within a company that has multiple processes or facilities that compete for funding to ameliorate hazards.

Thursday 08·15·13, 8:00-5:00, Exeter, Tutorial, 0.6 CEU

Conceive of Modeling On Operation Mechanism of Public Safety Standardization
Instructors: Yun Luo and Yuecheng Huang, ME, School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

On the basis of the theories and methods of system science and strategy systems, this work reveals the operating laws of work safety standardization and the relations between all its elements, combined with the background and current situation of public safety standardization in China. It also builds the framework of a macroscopic operating mechanism and the "456" model of the work safety standardization system operating mechanism, drawing on the implementation and achievements of work safety standardization in China. In addition, it designs six further mechanism models in order to carry out systematic analysis and present optimized countermeasures, such as comprehensive management by government, categorized supervision by department, implementation of responsibility by organization, technological service by agency, wide participation by society, and self-disciplined prodding by all personnel. The research provides theoretical directions as well as approaches for the construction of public safety standardization and the improvement of its operating quality.


PANEL DISCUSSIONS / FORUMS

Tuesday 08·13·13, 8:00-11:30, Dartmouth, Open Forum

Developing Global System Safety Perspectives
Moderator: Robert Ward Fletcher, PEng, MSc, PMP, PCIP, Consultant, President, Robert Fletcher System Safety Inc., Ottawa, Ontario, Canada

This will be a free form discussion moderated by Bob Fletcher, SSS Director of International Development. It is a continuation of the discussion started during the 30th ISSC.

Robert is a system safety engineer with many years of experience. He has performed system safety consultancy work for several clients around the world. He has performed system safety engineering and safety management systems training, auditing and analysis for air traffic control and flight service system applications. Robert received an MSc from the United States Naval Postgraduate School, a diploma from the Aerospace Systems School, Winnipeg, Manitoba, and a Bachelor of Science degree from the Royal Military College. He is a registered professional engineer and a member of the Project Management Institute and the Critical Infrastructure Institute.

Thursday 08·15·13, 8:00-11:30, Suffolk, Panel

G-48 Workshop - Pressing Issues Facing System Safety
Moderator: David B. West, CSP, PE, CHMM, Systems, Software and Solutions Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA

A panel of speakers (TBD) will give a series of presentations on the most pressing issues facing the System Safety community today.

WORKSHOPS

Tuesday 08·13·13, 8:00-11:30, Exeter, Workshop

ISO 26262-Style Risk Assessment
Presenter: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada

ISO 26262 is a functional safety standard for electronic control systems in road vehicles which includes a novel approach to risk assessment that overcomes the widely recognized difficulty of evaluating the likelihood of failure in the case of software-intensive systems. Although it was devised for use in the automotive domain, this approach to risk assessment has been used successfully in other technical domains that also rely on safety-critical software. Following a brief introduction to ISO 26262, participants will engage in a series of problem-solving small-group exercises based on examples taken from a variety of technical domains, including automotive, medical devices, energy and defense. The workshop will include opportunities for discussion and comparison of sample solutions. The workshop will also include a brief comparison of the ISO 26262 approach to risk assessment with the notion of software criticality in MIL-STD-882E. While this workshop will be of particular interest to system safety engineers in the automotive industry, it is intended to be relevant to system safety engineers across all technical domains with an interest in the assessment of safety risk associated with complex software-intensive systems.


Tuesday 08·13·13, 1:30-5:00, Exeter, Workshop

Application of System Safety Methods to Systems of Systems
Presenters: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada; Rami Debouk, Electrical and Controls Integration Lab, General Motors, Warren, MI, USA; Antonio Vergara, ITER Organization, St Paul-lez-Durance, France

This workshop will facilitate an exchange of knowledge among participants about the application of system safety methods to Systems of Systems (SoS), that is, systems whose components are themselves complex systems, such that the combined behavior of these components cannot be easily understood or explained in terms of the behaviors of the individual components. Examples of such systems are increasingly common across a variety of technological domains, including aerospace, defense, automotive and energy generation/distribution. Traditional methods of system safety, focused on component failure as a source of safety risk, have limited value in understanding and managing the safety risks associated with an SoS. For example, an unforeseen interaction between two "correct" behaviors implemented by different components of an SoS may result in unsafe behavior even in the absence of a component failure. The first part of the workshop will be a series of short presentations on SoS examples from a diverse variety of technical domains, namely advanced road vehicles, high energy physics and aerospace/defense. The second part of the workshop will be an opportunity for all participants to address specific questions about the application of system safety methods to SoS through dialogue and impromptu mini-presentations.

Tuesday 08·13·13, 1:30-5:00, Fairfield, Workshop

Advancing Safety By Reducing Errors: A Fresh Approach
Presenter: Tim Autrey, BSc, Error Reduction and Human Performance Enhancement, Practicing Perfection Institute, Inc., Swanzey, NH, USA

The potential hazards workers face while working in the refining and petrochemical industry can vary from minor leakage to major blasts: releases of chemical vapors, spills leading to exposure to harmful gaseous chemicals, fires and explosions, and smoke build-up causing shelter-in-place orders impacting the local community, personal injuries, fatalities, and plant damage resulting in shutdowns. Considering time pressures, the dangerous nature of the job, weather conditions, lack of communication, poor/inadequate documentation and remote working locations, planners, locators and refiners often face combined challenges that generate very error-likely conditions.

While unexpected releases of toxic substances do occur, the industry is subject to vulnerabilities caused by others (such as processes involving highly hazardous chemicals leading to the release of flammable liquids and gases, and worker stress and fatigue), and investigations reveal that many of the major accidents that do occur could have been prevented through greater diligence on the part of the personnel involved.

This workshop is designed to provide participants with the awareness that, as humans, we are fallible (even the best people make mistakes). However, this being said, as humans we also possess the incredible power of choice. What we must do is choose to learn from our mistakes and take actions to prevent their recurrence.

Bird and Germain (1996) rightly said: "What is the sense of measuring if the loss must occur before you can act? That is reaction, not control." What we need is a fresh approach to enhance safe work practices. This session will instill a strong understanding of "The Gap" in processing information and how to RESPOND rather than REACT when faced with a stressful or threatening situation. The participants will come to recognize the value inherent in worker contribution to solving problems and improving safety and efficiency.

The Practicing Perfection® approach has taken the best-of-the-best tactics and tools from the US commercial nuclear power and airline industries, simplified them, and combined them with the underlying triggers and influencers of behavioral psychology to transform worker behaviors pertaining to personal and process safety in different sectors.

Using this innovative Practicing Perfection® approach, safe work practices will be discussed in depth using the four human error barrier/defense categories and how these work together to prevent or allow an event to occur. The participants will be introduced to the Error Elimination Tools™ handbook, which offers simple tools for minimizing the potential for error at points of team interaction and individual execution.

Wednesday 08·14·13, 1:30-3:30, Arlington, Workshop

The Evolution of the UK Defence Safety Standards
John McDermid, Professor of Software Engineering at the University of York, UK

Issue 5 of DS 00-56 is being developed and is likely to be in force before the end of the year. The UK's primary defence safety standard, DS 00-56, has been in existence since mid-1990 and has undergone a number of changes, becoming more goal oriented at Issue 4 (the current standard). When Issue 4 was produced, DS 00-55, the MoD software safety standard, was discontinued. Since the publication of DS 00-56 Issue 4 in 2007 there has been feedback on some of the requirements, including the challenges of applying the ALARP principle; defence contracting has changed, with a move towards greater procurement of services and/or outsourcing of facilities management; and there is increasing use of Systems of Systems (SoS). Issue 5 of DS 00-56 is being developed to address these issues. At the same time there have been increasing concerns regarding software safety, and it has been decided to re-introduce DS 00-55 at the same time, albeit in a goal-based style consistent with DS 00-56 and also covering complex electronics. The session will present an explanation of the motivation for the changes to the standards, the significant conceptual changes, and an outline of the rest of the development process. Time will be allowed for discussion, e.g. of the relationship between DS 00-56 and other standards, both civil and military.

Wednesday 08·14·13, 1:30-3:30, Fairfield, Workshop

Aircraft Fire & Explosion: How Safe Are the Friendly Skies?
Albert Moussa, PhD, PE

While commercial air travel is an extremely safe mode of transportation, aircraft fires and explosions can occasionally occur with catastrophic consequences. Using examples of recent accidents and full-scale testing, Dr. Albert Moussa will provide an overview of the main types of fires, such as those involving aircraft engine, fuel tank, cabin and cargo areas. He will show how major accidents lead to safety recommendations by the NTSB, stricter requirements by the FAA and improved practices by the industry. This process takes many years, leading eventually to safer skies. Examples of safety improvements include the use of a fire blocking layer in seats, improved acoustic insulation, fire detection and suppression systems in cargo bays, and fuel tank inerting. The implications of replacing aluminum with composite materials will also be discussed. The talk is an overview of a unique professional course that he teaches annually on the design of aircraft systems for protection against fire and explosion. The talk is a multi-media presentation illustrated with colorful slides and short video clips of real accidents and computer model outputs.

Dr. Albert Moussa has spent over forty years developing a fundamental understanding of fire and explosion, particularly for the aerospace/defense industry. His work has led to the development of a number of practical solutions and quantitative models, and to the investigation of several major national and international aircraft fire accidents. His forewarning about the vulnerability of aircraft fuel systems before the occurrence of the TWA 800 and Concorde disasters has gained him prominence in the general media in both the US and Europe. He has consulted for the Air Force, Navy and major firms such as Boeing, GE, Northrop Grumman and Parker Hannifin, and has served on national advisory committees and on the Editorial Board of an ASME journal. He teaches a unique professional design course on how to protect aircraft systems against fire and explosion. He received his BS from Stanford University and his MS and ScD from MIT. He has published widely, including one book. He has received several honors, including the William Littlewood Memorial Lecture Award by SAE/AIAA, Engineer of the Year by the AIAA NE Section, best paper awards by SAE and ASEI, AIAA Distinguished Lecturer, and several ASME citations. He is the Founder and Technical Director of BlazeTech Corp., an engineering firm that specializes in technology and software development in the areas of energy, environment and safety.

Friday 08·16·13, 8:00-10:00, Clarendon, Workshop

Process Safety Culture Best Practices
Presenter: Laurence Pearlman, MA, Corven Inc. and University of Illinois at Urbana-Champaign, Naperville, IL, USA

The workshop explores how process safety is more than a technical solution and involves cultural change. To make a successful and sustainable culture change, multiple elements need to be combined that address people, rewards, learning and leadership. This workshop will explore best practices and give practical advice on how to build a process safety culture. The workshop is aimed at oil, chemical and other process-related work.

• Introduction
• Change as a Journey: Overview of Change Management
• Building a Business Case: Defining a Burning Platform
• Speaking of Process Safety: Creating a Common Language for Process Safety
• Leadership Matters: Defining the Role of Your Leadership Teams
• Effective Learning: Segmenting Your Audiences and Delivering Relevant Learning Activities
• Looking at Behaviors and Desired Outcomes: How To Define & Drive Behaviors
• The Employee Lens: Know My Barriers & Know My Role in Keeping Them Healthy
• Measurement of Culture: What Works and What Doesn't
• Wrapping it Up: Change as a System

You have a lot on the line. Our adaptive Safety Management and FAA Compliance solutions won't let you down.

Adaptive SMS: The comprehensive solution for the most efficient implementation
• Extends a culture of safety beyond safety teams
• Easily guides users to confidentially report useful safety events
• Responsiveness shows users they made a difference

Adaptive Systems Safety Analysis: Safety oriented system design analysis

Don't miss the Sikorsky Aircraft and AST Aerospace presentation "Linear Integrated Safety Analysis (LISA)"

AST Aerospace, a division of Atlantic Software Technologies
1-732-230-2590
sales@astaerospace.com
www.astaerospace.com


PAPER PRESENTATIONS

Monday 08·12·13, AM, Berkeley: Hazard Analysis (Chair: Barondes)

Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models
Lucas Wind, Dr. Gabriele Schedl, Juergen Floetzer, Safety Management Department, Frequentis AG, 1100 Vienna, Austria

Multiple failures of components due to shared causes, also known as Common Cause Failures (CCF), comprise an important class of failure types. These have to be taken into account in any serious assessment of safety critical systems deploying any redundancy concept. Whereas a qualitative assessment of CCF can be regarded as common practice, the exact numerical impact of CCF is usually less widely understood. Explicit representation of CCF is quite cumbersome and usually involves complex graphical representations within Fault Trees and RBDs. Focusing on a correct derivation of RAM data rather than on a comprehensive common cause analysis, an implicit representation of CCF is therefore often preferred, but it requires in-depth knowledge of the underlying mathematical models. This paper aims to enable safety experts to make a fast, simple but effective RAM analysis including CCF. Popular CCF models are reviewed together with their advantages and disadvantages, based on the long-term experience of a supplier in the context of a large European ATM project. The single-parameter beta-factor model is explained in detail and demonstrated to be most effective for typical ATM applications. Based on this model, results are given in terms of representative figures depicting the influence of CCF on various typical real world availability requirements.
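The beta-factor model the abstract refers to can be made concrete with a few lines of arithmetic. The following is an added worked example, not code from the paper or from Frequentis: it splits a channel failure rate λ into an independent part (1-β)λ and a common-cause part βλ, then evaluates a 1-out-of-2 redundant pair both as a non-repairable mission (unreliability over T hours) and as a repairable system (steady-state unavailability, rare-event approximation). The failure rate, mission time, repair time and β values are assumed for illustration only.

```python
"""Beta-factor common cause failure (CCF) model for a 1-out-of-2 redundant pair.

Added example; not from the paper above. All numeric inputs below are assumed
for illustration. It shows what the abstract only states: how much a single
beta parameter moves the failure probability of a redundant system.
"""
import math


def beta_factor_split(lam, beta):
    """Split a channel failure rate into independent and common-cause parts.

    Beta-factor model: a fraction beta of all failures of a channel is assumed
    to hit every redundant channel at the same time.
    Returns (lambda_independent, lambda_ccf).
    """
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must be in [0, 1]")
    return (1.0 - beta) * lam, beta * lam


def one_out_of_two_unreliability(lam, beta, mission_h):
    """Probability that a non-repairable 1oo2 pair has failed by mission_h hours.

    The pair fails if the common-cause event occurs OR both channels fail
    independently. Exponential failure times are assumed for both mechanisms,
    so the independent and common-cause events are statistically independent.
    """
    lam_ind, lam_ccf = beta_factor_split(lam, beta)
    q_ind = 1.0 - math.exp(-lam_ind * mission_h)   # one channel, independent causes
    p_no_ccf = math.exp(-lam_ccf * mission_h)      # no common-cause event in T
    return 1.0 - p_no_ccf * (1.0 - q_ind ** 2)


def one_out_of_two_unavailability(lam, beta, mttr_h):
    """Steady-state unavailability of a repairable 1oo2 pair.

    Rare-event approximation: a channel's unavailability is about lam * MTTR
    when lam * MTTR << 1, and the two mechanisms add without overlap terms.
    """
    lam_ind, lam_ccf = beta_factor_split(lam, beta)
    u_ind = lam_ind * mttr_h
    u_ccf = lam_ccf * mttr_h
    return u_ind ** 2 + u_ccf


def ccf_penalty(lam, beta, mission_h):
    """Ratio of 1oo2 unreliability with CCF to the naive independent-failure value."""
    with_ccf = one_out_of_two_unreliability(lam, beta, mission_h)
    without = one_out_of_two_unreliability(lam, 0.0, mission_h)
    return with_ccf / without


if __name__ == "__main__":
    LAM = 1e-4    # failures per hour per channel (assumed)
    T = 1000.0    # mission time in hours (assumed)
    MTTR = 8.0    # mean time to repair in hours (assumed)
    for beta in (0.0, 0.01, 0.05, 0.1, 0.2):
        print(f"beta={beta:4.2f}  "
              f"Q_1oo2(T)={one_out_of_two_unreliability(LAM, beta, T):.3e}  "
              f"U_1oo2={one_out_of_two_unavailability(LAM, beta, MTTR):.3e}  "
              f"penalty={ccf_penalty(LAM, beta, T):.2f}")
```

Running it with the assumed values shows the point the abstract makes about "the exact numerical impact of CCF": at β = 0.1 the pair's mission unreliability is roughly 1.9 times the naive independent-failure figure, and in the repairable case the βλ·MTTR term exceeds the squared independent term by more than two orders of magnitude, so the redundancy buys far less than an independence assumption suggests.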

Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees
Wes Rainey, MSEE; Life Cycle Engineering, General Dynamics Electric Boat, Groton, CT, USA

Fault Trees prove to be an effective tool for identifying safety-critical system hardware and software requirements during the Safety Requirements Hazard Analysis (SRHA) process. This safety analysis methodology offers significant benefits when performing the SRHA. Fault Trees effectively communicate the safety assessment of a safety hazard to other safety engineers, systems engineers, the customer and other impacted engineering disciplines in a manner that each discipline can readily understand and evaluate for completeness and correctness. Fault Trees also enhance the safety engineer's ability to assess the implications of safety mishaps and events on safety hazards, improving visibility into the relationship between related mishaps and events and allowing common events to be identified and shared between hazards. Fault Trees can then be structured to correspond to the system hardware and software requirements analysis, thus providing the ability to identify hazard-mitigating safety-critical requirements, design features and procedures early in the development process for continued tracking and management. This paper describes significant benefits of Fault Tree analysis when applied to an SRHA, with an example based upon a hazard caused by significant equipment damage to a pump.

Program ISSC 2013

The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment
Omar T. Jaradat, PhD Student (1); Patrick J. Graydon, Postdoctoral Research Fellow (1); Iain Bate (2). (1) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden; (2) Department of Computer Science, University of York, York, United Kingdom

Typical safety standards require software engineers to show that a plan of safety activities, chosen from recommended options or alternatives, meets a set of objectives. For example, the automotive safety standard ISO 26262 recommends formally verifying software architectures to show that they comply with safety requirements. In this paper we show how an existing approach to architectural model checking could be used to conform to ISO 26262.

The Architecture-Based Verification Technique for AADL Specifications verifies some completeness and consistency properties of Architectural Analysis and Design Language (AADL) models. An engineer transforms the AADL architecture into an UPPAAL model, generates a set of UPPAAL queries and uses UPPAAL to check the queries. Using the resulting evidence, we have created a partial ISO 26262 safety case for an existing system that warns drivers of heavy vehicles before low fuel causes loss of power and vehicle control.

In this paper we demonstrate how this model-checking evidence contributes to an ISO 26262 safety case. We then critically analyze the resulting argument, recommend means of achieving complete coverage of ISO 26262 objectives, and discuss the costs and benefits of architectural model checking in comparison to those of the other techniques recommended by ISO 26262.

Monday 08·12·13 AM, Clarendon: Ground Transportation (Chair: Millin)

Achieving Confidence of a Safety Critical System Product and Its Applications
Fenggang Shi, PhD; RAMS Department, Thales Canada Transportation Solutions, Toronto, ON, Canada

A safety-critical system product can be developed for multiple project applications, such as a Communication Based Train Control (CBTC) product for modern railway signaling systems. It is natural that different safety-critical systems in the same domain can have different characteristics due to variances of devices and operation environment. Such a product must be developed based on the generic attributes of systems in the domain, and can be parameterized and tailored to a specific system with the characteristics expected by the customer. The key issues in development of such a product are defining common functions in the application domain, categorizing and generalizing devices, and designing a configurable system architecture, so that devices and functions can be parameterized and tailored for a specific system of a project. Safety engineering for such a safety-critical system product and its applications faces complexity in safety case development for demonstrating systematic hazard analyses and management. This paper discusses Thales' experience and practice of resolving the key issues in designs and managing the complexity of safety engineering on its CBTC product and applications. Safety confidence of CBTC systems is achieved through four layers of safety engineering: vital computer, controller platform, generic application and specific application.

Failure Logic Automata for Future Oriented Safety Assessment of Train Control System
Guo Zhou, PhD Student; Huibing Zhao, Professor; School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China

In the development of a train control system, safety analysis possibly deviates from system design. System engineers and safety engineers always carry out their ideas in entirely different ways, so that when system engineers assert their designs are complete and feasible, the safety engineers may disappointedly declare that the safety requirements are not met. On the contrary, when safety engineers expose their manual analysis reports (FTA, FMECA, etc.), system engineers may pop up and point out the inconsistency. Intuitively, there seems to be a "gap" between system engineering and safety engineering. In this paper, some comparisons amongst classic safety assessment methods are performed first. Then a future-oriented safety assessment method is introduced to safety engineering to automatically realize safety requirements verification with the soaring complexity of system design. The hierarchical and modularized methodology of failure logic modeling is illustrated for minimal cut set synthesis and dangerous failure rate calculation, which can be referred to in order to promote safety. A mathematical model is constructed to manifest the correctness of the method. An instance analysis of an on-board train protection system is also performed.

Are We Ready for Driverless Cars?
David B. West, CSP, PE, CHMM; AMCOM/AMRDEC Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA

For decades, technological advancements have continually improved the automobile, making it easier to drive. As we integrate features like adaptive cruise control, GPS navigation, lane keeping and so on, and make them interoperable, we move ever closer to having cars that will drive themselves to the destinations we enter into their programs. Some experts have even predicted that in less than a generation it will be illegal to steer our cars ourselves. Though it may seem that serious safety challenges constrain our movement down this path, it may actually be the safety benefits offered by driverless cars that propel us in this direction. Several high-profile competitions have fostered the development of driverless car technology. Some jurisdictions are already passing legislation to pave the way for driverless cars on public roads. With driverless cars will come major changes in legal processes involving accidents. In many ways, the development of driverless cars that will operate on public roadways parallels the development of unpiloted aircraft that will fly in the national airspace. Design standards for hardware and software in civil aircraft (e.g., RTCA DO-254/DO-178) may serve as models for similar qualification of driverless car hardware and software.

Tuesday 08·13·13 AM, Berkeley: Hazard/Risk Management (Chair: Parizo)

Safety is not an Option
Clifford A. Parizo, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Stratford, CT, USA; R. Brandon Daugherty, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Huntsville, AL, USA

This paper presents a method for evaluating and classifying rotorcraft safety-enhancing equipment in terms of impact on safety and various equipment implementation factors. Guidance from certifying agency policy and system safety standard practice was considered, resulting in a classification tool that can be used to determine whether equipment should be marketed and sold as either mandatory or optional. The methodology developed may have applications for other products and industries.

National Aerospace Standard 411 Update
Timothy Sheehan, CIH, CSP, PE; Raytheon Global Substances Program, Raytheon, Portsmouth, RI, USA

This paper describes the effort to review and update National Aerospace Standard 411 ("NAS 411"), commonly used within defense as a framework to conduct Hazardous Material Management Programs (HMMP) intended to reduce hazardous material risks in the government procurement of military systems. The scope of the effort includes both a review of the standard and the introduction of several key changes, including the expansion of the scope to non-military procurements and service contracts. Included in the effort is the task of developing a standardized military Hazardous Materials Target List (HMTL) that can be used as a starting point for military HMMP hazardous material (HAZMAT) target lists. The development of the common HMTL addresses the need to increase standardization of HMMP lists across defense programs that use NAS 411 and/or MIL-STD-882E Task 108 to conduct their HMMPs. There is currently no standard approach for developing these lists; as a result, there are numerous different materials identified for restrictions and reporting requirements. The current situation often does not support (or reflect) the hazmat risk management goals of the DoD, the military services or the contractors.

Linear Integrated Safety Analyses (LISA)
Michael T. Grant, Aviation & Product Safety, Sikorsky Aircraft Corp., Stratford, CT, USA; Samad Muhammad, Atlantic Software Technologies Inc., New York, NY, USA

This paper describes the Linear Integrated Safety Analyses (LISA) process developed by the Sikorsky Aircraft Corporation (Sikorsky). The LISA architecture is designed to encompass all aspects of safety risk management for aircraft development programs. It is linear in that each assessment is repeated at the aircraft, system and subsystem levels in sequence, and it is integrated such that all analyses are connected and fully traceable to requirements. Sikorsky has partnered with Atlantic Software Technologies (AST) to develop a web-based LISA application. The end product will be a fully integrated system safety process that is comprehensive, repeatable and traceable.

Tuesday 08·13·13 AM, Clarendon: Workspace Safety (Chair: Kondreck)

Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen
Han Zhang, MSc Candidate; Rachel McQueen, MS, PhD; Jane Batcheller, PhD; Human Ecology, University of Alberta, Edmonton, Alberta, Canada

Burn injuries in kitchens are prevalent; as well, chefs are exposed to high heat and humidity. Limited research has been performed on safety issues related to chef's uniforms regarding thermal protective performance against common kitchen thermal hazards (i.e., flames, hot liquids, steam and hot surfaces) and thermal comfort within commercial kitchens. The purpose of this research was to characterize the thermal protective performance properties of textiles used in chef's uniforms in order to understand how protective they are against all these thermal hazards in such an environment. Selected thermal performance tests (i.e., flammability and ease of ignition, hot water and oil splash, steam testing under low pressure, and hot surface contact tests) were applied to predict the time to second-degree burn. Different fabric layer combinations (e.g., impermeable/semipermeable apron and two or more layers of cotton fabrics) were applied to determine the most effective way to wear chef's uniforms. In addition, thermal and water vapour resistance were compared among different fabric systems in terms of thermal comfort. Based on the data obtained from bench-scale tests, recommendations were made to improve the thermal protection and thermal comfort of fabrics used in chef's uniforms and the safety within commercial kitchens.

A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources
Ray Fischer (1); Kurt Yankaskas, BS (2); Chris Page (1). (1) Noise Control Engineering Inc., Billerica, MA, USA; (2) Warfighter Performance Department, Office of Naval Research, Arlington, VA, USA

Noise remains the most prevalent occupational hazard associated with defense systems and operations critical to their sustainment. Concurrently, acquisition programs have been inconsistent in the application of control measures, and many new systems are noisier than their legacy predecessors. Common impediments to improved control include a relative lack of emphasis on risk management of noise, lack of widespread technical knowledge regarding the feasibility of noise control, and misunderstanding of the potential return on investment from noise controls. The Defense Safety Oversight Council's Acquisition and Technology Task Force sponsored a project to identify common noise sources affecting multiple defense systems that were amenable to control measures that could be implemented using existing technologies at an affordable cost. A system engineering risk management process was applied to review key noise sources in DOD, identify nine of the more common sources amenable to control technologies, and describe common control measures for these processes. An affordable containment (acoustic enclosure) technology was also evaluated and described. Estimates were made of exposed populations, the range of their occupational exposures, and the potential risk and fiscal cost of hearing loss. Cost-benefit analyses were applied to evaluate the return on investment from available control measures.

System Safety Design for Safe Operation of Radars
Ronald J. Bartos, PE, CSP; Whole Life Engineering, Raytheon, Sudbury, MA, USA

Safe operation and maintenance of radars depends upon effective system safety and software safety analyses of radar designs. These analyses include identification of the hazards involved in operating and maintaining radars and the safety requirements that are necessary to mitigate these hazards. This paper familiarizes the reader with the system safety design requirements that are implemented in the controls of these systems in order to manage the potential safety risks inherent in radars. The safety features are contrasted among different types of radars. The differences in the types of safety features among these systems are highlighted, and factors for these differences are presented. The radar's mission, location, system architecture, conceptual design and requirements allocation between hardware and software need to be understood in order to implement an effective safety program.

Tuesday 08·13·13 PM, Berkeley: Software Engineering (Chair: Mikula)

Dependability Techniques Applied to Space Software: A Research Project Report
Carlos Henrique Netto Lahoz, Dr. Eng., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos (SP), Brazil; Martha Adriana Dias Abdala, MS, Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos, Brazil

This work reports some results of a research project performed at the Institute of Aeronautics and Space (IAE), Brazil, using dependability techniques applied to a space computer system. Hazard analysis techniques such as Software FTA and Software FMECA were used in an integrated manner, and more recently the System-Theoretic Process Analysis (STPA) has been studied. This research is part of the Verification and Validation (V&V) efforts to increase software dependability capability in software projects at IAE.

The feasibility of such an approach was assessed on a system software specification and applied to a case study based on the Brazilian Launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to the inclusion of new functional and non-functional system software.

The techniques are adjusted and used in combination to identify common causes of software failures, their criticality, performance problems, temporal issues and hazards arising mainly from dysfunctional interactions between components. The SFTA analysis produced 82 basic events and the SFMECA 34 analyses from the sequence of flight and control events. The STPA is being applied to one of the case study scenarios in order to evaluate possible additional information about how the behavioural safety constraints can be violated.

The Principles of Software Safety Assurance
Richard Hawkins, PhD; Ibrahim Habli, PhD; Tim Kelly, PhD; Department of Computer Science, University of York, York, United Kingdom

We present common principles of software safety assurance that can be observed from software safety standards and best practice. These principles are constant across domains and across projects, and can be regarded as the immutable core of any software safety justification. The principles also help maintain understanding of the 'big picture' of software safety issues whilst examining and negotiating the detail of individual standards, and provide a reference model for cross-sector certification.


Formal Modelling in the Development of Dependable Systems
Elena Troubitsyna, PhD; IT, Åbo Akademi University, Turku, Finland

Nowadays we tend to place increasing reliance on computer-based systems and the software they run. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, the analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.

It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing of software to the required degree of dependability infeasible, and hence the emphasis should be put on a development process aimed at producing fault-free software. Moreover, the system environment has a direct impact on its dependability, and hence a systems approach should be applied.

In the paper we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.

Tuesday 08·13·13 PM, Clarendon: Aerospace Safety (Chair: Kraemer)

Systems-Based Approach to Flight Safety Management in Airlines
Hong Chi, PhD; Baoguang Xu, PhD; Mingliang Qi, PhD; Xueyan Shao, PhD; Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China

Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of SMS. Since 2006 we have worked with one of China's three big airlines, taking part in its construction of SMS. We find that safety risks have their own features in different airline departments, and divide safety risks into two categories: one is caused by factors such as quality of pilots and reliability of airplanes, and the other is caused by mis-processing in operational processes; for example, a mis-processing in data entry during dispatching may lead to insufficient fuel and then serious outcomes. A reasonable risk assessment can be obtained only by systematic mechanism analysis, and other analytical approaches need to be studied besides the risk matrix. Based on this, effective risk mitigation can be implemented in airlines. We develop a closed loop to support airline flight safety management, named "Describing-Assessing-Diagnosing-Improving-Tracking". Specific details will be discussed in this paper.

Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch
Burak Durmaz, MSc Eng; Product Assurance Department, Space Systems Group, Turkish Aerospace Industries Inc. (TAI), Ankara, Turkey

Even if new-generation aircraft have rugged designs that maximize reliability, exposure to failures during operation is still unavoidable. With a pure safety approach one can arrive at the classical result, "the safest aircraft is the one in the hangar". Vice versa, allowing dispatch without ensuring a certain level of safety can lead to catastrophic results and is totally unacceptable. MMEL has been answering this dilemma for many years. Each MMEL item is analyzed taking into account the effects of item inoperability on safe flight and landing, crew workload, functional capabilities of the systems, design margins and the impacts due to the next critical failure. MMEL proposes dispatch criteria for any inoperative MMEL item by taking credit from a redundant unit capable of accomplishing the same function or from backup data provided by alternative sources or equipment, by dictating acceptable limitations, and/or by requiring operational or maintenance procedures.

This study aims to answer questions such as why MMEL is required and how an MMEL is developed. Brief information about the MMEL regulations, the importance of MMEL to ensure safe dispatch with inoperative item(s), and some simple examples regarding MMEL applications are also provided.


Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics
Stuart Campbell Sr., MAS, CFII, ATP; Aeronautical Science, Embry-Riddle Aeronautical University, Daytona Beach, FL, USA

The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilots Association, 2010). The absence of a positive safety culture in general aviation, including training organizations, affects pilot judgment and decision-making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture during the learning process and training, are of importance and currently under study using the Frasca Mentor Advanced Aviation Training Device.

Tuesday 08·13·13 PM, Dartmouth: Software Safety (Chair: Schmedake)

Safety and/vs Security: Towards a System Engineering Approach for Trust
Erwin Schoitsch, Dipl.-Ing.; Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria

Safety has a long tradition in many engineering disciplines, evolving long before computers arrived on the scene. Security in engineering disciplines has a shorter history, becoming increasingly important with the rising complexity of networked systems. In complex cyber-physical systems and systems-of-systems, both worlds, having ignored each other for a long time (independent communities, different targets, standards, techniques and measures), now have to share their concerns to achieve the real goal of users and stakeholders: trustworthy systems.

The paper will compare the different approaches of the major safety and security standards, particularly with respect to setting goals, considering techniques and measures, and qualification/certification. Holistic system aspects as covered by the notions of Dependability and Resilience as umbrella terms, and system engineering aspects taking into account dichotomic properties of complex embedded systems (commonalities and trade-offs), are examined in order to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from the concept phase and hazard and risk analysis to decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC-FP7 Integrated Project OpenCoss, in IEC/ISO standardization groups and other work.

Anatomy of a Safety Critical Software Function
Richard Church; Raytheon Company, Tewksbury, Massachusetts, USA

This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides a clear and concise determination of how a safety critical function may be defined at the system level to include hardware, software, human interactions and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose SLSCF computing-level functions and details what constitutes a Safety Critical Computing Software Function (SCCSF) and how to identify those behavioral attributes that designate that function as safety critical. This paper provides a methodology to identify, decompose and categorize application and operating environment SCCSFs. For the purpose of this paper, SCCSFs are categorized into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety critical software functions that control and monitor safety critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies and fail-safe designs found in successful high-consequence safety critical systems.

Software Risk: The Third Rail of Safety Analysis
Holly S. Hildreth, PhD, Consultant; Charles Greg Elcock, USN-R Aviator, Consultant; San Diego, CA, USA

"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Due to our inability to assess the probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called "throwing the baby out with the bath water". Meanwhile, the recent industry trend to assess software risk based solely on implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss shortcomings of this trend and describe alternative techniques that have not been openly documented but that have been used "under the radar" by software safety professionals for many years.

Wednesday 08·14·13 AM, Berkeley: Human Factors (Chair: Robins)

ASL: Affective Safety Leadership
Ulrik Ramsing, Strategic Initiatives; CfL - Danish Centre for Leadership, Aarhus, Denmark

Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how", demanding that the CoRep engage with all parties in a safe, professional and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged with CfL Centre for Leadership to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, satisfactory completion of which is now a requirement for employment in DONG E&P Offshore Operation as Company Representative.

The CoRep Program satisfies its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors and ILO-driven offshore coaching.

Exxon Valdez: Human Error, Plain and Simple
Arthur D. Barondes, BS (Mil Engr), MS (Aero), MBA, PhD (ABD) (Business); Analytics International Corporation (AIC), Alexandria, VA, USA

Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989, and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors (there were no mechanical or electrical failures that fateful night), the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors, onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company, as solely responsible for the disaster.


Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A. Vernacchia, MS, PE, Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A. Green, PhD, Active Safety Systems, General Motors, Warren, MI, USA; Robert E. Llaneras, PhD, Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA

Today's electric propulsion system designs (e.g., Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, some failure modes may result in the failure effect on output torque being realized significantly faster than traditional ICE failure modes. These may present differences in how output torque responses impact potential "Driver Startle" events.

This paper compares electric propulsion systems' fault response characteristics and subsequent detection and mitigation capabilities to those of ICE systems. The effects of the electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle-level hazard metrics related to Driver Startle, are presented.

Wednesday 08·14·13 AM, Clarendon: Public Safety (Chair: Fletcher)

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD; Yun Luo; Shuo Tian, MS; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

Scientific precaution and effective control of accidents are important for the national production of China. The famous Heinrich Rule reveals that the statistical law of the severity and frequency of accidents is essential to control accidents, but the accident source and causation, as well as the essence of systematic safety factors, haven't been stated deeply. With data analysis from various accident statistics over recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. A proportion rule of the accident pyramid is then further figured out, namely "Major Accidents - Fatal Accidents - General Accidents - Hidden Dangers - Hazards" (1 - 52 - 240 - 4700 - ∞). The result accords with the traditional Heinrich Rule, which provides the theoretical basis for accident prevention and indicates the way and direction of realizing essential safety.

Technical and Economic Aspects of Industrial Safety at a Large Enterprise with Distributed Sites Located in a Megacity
Ilya M. Zheleznov, PhD, VNIIA, Moscow, Russia

The paper presents a review and the results of analysis of different technical and economic aspects of industrial safety at a large enterprise with distributed sites, combining R&D work with pilot and batch production of high-tech products, located in a megacity (Moscow).

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to optimization are considered, taking into account minimization of the transport of dangerous substances, the siting of treatment facilities (waste effluents, gas purification) and waste storehouses, the siting of systems that maintain working conditions (heating, air-conditioning, air cleaning, water supply, etc.), possible harm to the population, and a number of other factors, from both technical and economic points of view.

The features connected with the location of the enterprise in a megacity are identified, including the limited area available for treatment facilities, the high density of utility lines in the area, short distances to residential buildings and city infrastructure, transport problems, high pollution of the air environment, etc.

ProgramISSC2013


Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr. Professor G.A. Smirnov, Dr. D.I. Yurkov, D.V. Syagin, T.V. Kozhina, All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia

The paper reviews questions related to the vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including those of a terrorist nature, as well as to emergency situations of natural and anthropogenic character.

The main provisions of the complex program for safety of the population on transport, approved by the Russian Government, are presented. Approaches to organizing the screening of physical persons (passengers), vehicles, cargoes, luggage and personal belongings at transport infrastructure objects of the undergrounds (metro systems) of Russia are formulated. Some types of neutron and X-ray equipment for the detection of explosives, nuclear materials and drugs, designed and produced by VNIIA named after N.L. Duhov, are presented.

Wednesday 08/14/13 AM | Dartmouth | Lifecycle Safety | Chair: Swallom

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore, Singapore

System safety analyses assess a system's hazards throughout all phases of the system life cycle. Quite often, details of maintenance tasks on systems are not clearly thought out and assessed. Hence, while system maintenance tasks are being carried out, hazards can arise and pose safety implications for users. Improper maintenance can also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance, and sometimes total replacement of components at regular intervals, is required. Therefore it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety-critical or safety-related parts is also crucial in ensuring that systems remain safe for operation after maintenance has been conducted.

This paper attempts to classify the different types of maintenance and focuses on their respective hazard analyses in order to better address their potential hazards. Generally there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance and Reliability-Centered Maintenance. The authors discuss, with examples, the hazard analysis for each of these types of maintenance.

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram, David Hartfelder, Electronic Controls and Software, General Motors Company, Milford, MI, USA

System safety engineering is the application of special technical methods and managerial processes in a systematic manner to identify, evaluate and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned with eliminating or minimizing the impact of system hazard(s) to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementary critical safety analyses, tests and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase and continuing through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that they are able to influence the design of the system. This paper defines a system safety case and provides an overview of its development within the GM system safety engineering process as it applies to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA

Error Prevention Event Collection (EPEC) Documents have been beneficial to the ULA Organization in many ways, by providing multiple methods to augment current ULA Error Prevention Processes and to share Lessons Learned throughout the ULA Organization. EPEC Documents are stand-alone documents that provide ULA Personnel with categorized sets of Event information that can be used to augment the Preventive Analysis, Reactive Analysis and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process; this means that they have completed the Causal Analysis, Corrective Action Board and Error Prevention Council processes. Upon Event closure, the "All Items" Database is populated with the Event information and the applicable Event EPEC Categories. The "All Items" Database then automatically sorts Event entries into "Category" Databases, one for each EPEC Category. Each "Category" Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" Database that provides users with instructions for use, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications and benefits related to the EPEC Documents will continue to be explored.

Wednesday 08/14/13 AM | Exeter | Human Factors II | Chair: Flint

Development of an Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy; Yanyan Wang, DE; Xin Liu; Wei Bai; Xinsheng Guo; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China

Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress has a detrimental effect on flight safety. Life events are a routine item of aircraft accident investigation in many countries, and many pilots involved in accidents were suffering from life events. In order to achieve the desired effect, flight safety education must incorporate psychology. An education program combining flight safety and psychological stress was developed by summarizing the psychological factors relevant to aviation risk perception. The program includes three sections: psychological measurement relevant to safety with feedback of results, education on representative risk scenes in aviation, and occupational stress management. The Aviation Safety Locus of Control scale and the Hazardous Aviation Attitude questionnaire were used to evaluate risk pattern, and the results were fed back to pilots to improve their self-knowledge. The representative risk scenes were based on the five hazardous attitudes theory; fifteen cases were developed and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach pilots stress management skills. The program can be applied to improve the flight safety and mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD; Xin Liu; Wei Bai; Xinsheng Guo; Qingfeng Liu, MPsy; Xiaochao Guo, DPsy; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China

Crew resource management (CRM) capabilities relate directly to flight safety and run through the whole process of flight tasks, but there are currently no indicators or methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and the behavioral characteristics of pilots in dynamic CRM were developed based on AC-121-FS-2011-41 (crew resource management training) and by analyzing the influential factors; from these, the dynamic assessment and training indicators and methods for crew resource management were formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis for assessing CRM during flight training, which is helpful in improving the CRM capabilities of two-pilot crews.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD; Erin Collins; Hughes Associates, Inc., Baltimore, MD, USA

The fire protection response in selected facilities is characterized by "manual" activities. That is, facility personnel are trained to react immediately after fire detection, not only to announce the fire event throughout the facility using the communication systems but also to suppress the fire as quickly as possible. Contrary to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e., hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper involves an integration of event tree analysis and HRA, which includes treatment of the following detection and suppression activities: prompt detection and suppression, rapid detection and suppression, and fire brigade suppression.
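As an added illustration (not code or data from the Joglar/Collins paper), the following Python event tree walks the three manual stages the abstract names, prompt detection and suppression, rapid detection and suppression, and fire brigade suppression, each entered only if the previous one failed, and applies the THERP dependence adjustment to the conditional human error probabilities (HEPs). The HEPs, the dependence levels and the scenario itself are constructed assumptions for illustration, not values from the paper.

```python
from dataclasses import dataclass

# THERP conditional-HEP equations for dependence between successive human
# actions (Swain & Guttmann, NUREG/CR-1278): given that the preceding action
# failed, the nominal HEP p is raised according to the assessed dependence level.
DEPENDENCE = {
    "ZD": lambda p: p,                         # zero dependence
    "LD": lambda p: (1.0 + 19.0 * p) / 20.0,   # low dependence
    "MD": lambda p: (1.0 + 6.0 * p) / 7.0,     # moderate dependence
    "HD": lambda p: (1.0 + p) / 2.0,           # high dependence
    "CD": lambda p: 1.0,                       # complete dependence
}


@dataclass(frozen=True)
class Stage:
    name: str
    p_fail: float            # nominal HEP for a manual action, or hardware unavailability
    dependence: str = "ZD"   # dependence of this action on failure of the previous stage
    manual: bool = True      # hardware stages get no THERP adjustment


def conditional_fail(stage: Stage, first: bool) -> float:
    """Failure probability of a stage given that every earlier stage has failed."""
    if first or not stage.manual:
        return stage.p_fail
    return DEPENDENCE[stage.dependence](stage.p_fail)


def event_tree(stages):
    """Enumerate the end states of a sequential event tree.

    Each stage is entered only if all preceding stages failed; success at a
    stage ends the sequence with the fire suppressed.  Returns a mapping of
    end state -> probability; the values sum to 1.
    """
    end_states = {}
    p_path = 1.0                       # probability of reaching the current branch
    for i, stage in enumerate(stages):
        pf = conditional_fail(stage, first=(i == 0))
        end_states["suppressed by " + stage.name] = p_path * (1.0 - pf)
        p_path *= pf
    end_states["unsuppressed fire"] = p_path
    return end_states


def without_dependence(stages):
    """Same scenario with every dependence level reset to ZD (for comparison)."""
    return [Stage(s.name, s.p_fail, "ZD", s.manual) for s in stages]


# Constructed scenario (assumed HEPs, not values from the paper).  The rapid
# response is performed by the same crew that missed the prompt response, so
# low dependence is assessed; the fire brigade is a separate team (ZD).
FIRE_SCENARIO = [
    Stage("prompt detection and suppression", 0.10),
    Stage("rapid detection and suppression", 0.05, "LD"),
    Stage("fire brigade suppression", 0.02, "ZD"),
]


def unsuppressed_probability(stages=FIRE_SCENARIO) -> float:
    """Probability that no stage suppresses the fire."""
    return event_tree(stages)["unsuppressed fire"]


if __name__ == "__main__":
    for state, p in event_tree(FIRE_SCENARIO).items():
        print(f"{state:45s} {p:.3e}")
    print("ignoring dependence:",
          f"{unsuppressed_probability(without_dependence(FIRE_SCENARIO)):.3e}")
```

With these assumed numbers the unsuppressed-fire probability is 1.95e-4 with the dependence adjustment and 1.0e-4 without it, so treating the second crew action as independent of the first understates the end-state frequency by about a factor of two. In a real PRA each HEP comes from an HRA method that accounts for the available time and performance shaping factors of the specific scenario; the constants here stand in for that analysis.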

Wednesday 08/14/13 PM | Berkeley | Safety Topics | Chair: Gauthier

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou, BEng, MSc, PhD, CEng; Matthew Luckcuck; Tim Kelly, PhD; Richard W. Jones, PhD; Department of Computer Science, University of York, York, United Kingdom

There has been increasing use of IT in healthcare, aiming to improve the quality of healthcare as well as the safety delivered to patients. IT can contribute to meeting the performance targets of hospitals by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent in medical devices (e.g., pacemakers), for which there are organised efforts toward international standards. Recently there have been attempts to systematise and standardise the safety analysis of health IT systems, for example the UK National Health Service standards that ask for a safety case showing that IT systems are safe.


The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety and data-intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these tactics can be used to provide assurance in the final safety case of the system.

How Complex Systems Fail - I: Decomposition of the Failure Histogram
Richard R. Zito, PhD, Richard R. Zito Research LLC, Tucson, AZ, USA

Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that in general the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model, and the failure histograms (failure rate vs. time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report takes the Peterson/Arellano analysis one step further. A unified theory of failure rates is presented that removes the paradoxes of the simple Rayleigh model. It is shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function.
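To make the superposition argument concrete, here is an added Python sketch (mine, not the paper's analysis or data) of a failure histogram built from several subsystem Rayleigh laws whose modes differ. The subsystem modes and weights are constructed assumptions. It shows the two effects the abstract describes: the summed histogram carries more mass in the tail than the single Rayleigh with the same average mode, and at late times the observed curve is governed by the slowest subsystem.

```python
import math


def rayleigh_pdf(t, sigma):
    """Rayleigh defect-rate law; the histogram peaks (mode) at t = sigma."""
    return (t / sigma ** 2) * math.exp(-t * t / (2.0 * sigma ** 2))


def rayleigh_sf(t, sigma):
    """Fraction of a subsystem's defects not yet surfaced by time t."""
    return math.exp(-t * t / (2.0 * sigma ** 2))


def mixture_pdf(t, modes, weights):
    """Superposition of one Rayleigh law per subsystem (weights sum to 1)."""
    return sum(w * rayleigh_pdf(t, m) for m, w in zip(modes, weights))


def mixture_sf(t, modes, weights):
    """Survival function of the superposition."""
    return sum(w * rayleigh_sf(t, m) for m, w in zip(modes, weights))


def mean_mode(modes, weights):
    """Weighted mean of the subsystem modes (the single-Rayleigh analyst's estimate)."""
    return sum(w * m for m, w in zip(modes, weights))


def tail_excess(t, modes, weights):
    """Tail mass of the superposition divided by that of the single Rayleigh
    whose mode equals the weighted mean of the subsystem modes."""
    return mixture_sf(t, modes, weights) / rayleigh_sf(t, mean_mode(modes, weights))


def effective_mode(t, modes, weights):
    """Mode of the single Rayleigh that would reproduce the superposition's
    survival at time t; it drifts toward the largest subsystem mode as t grows."""
    return math.sqrt(-t * t / (2.0 * math.log(mixture_sf(t, modes, weights))))


def failure_histogram(n_defects, modes, weights, bin_width, n_bins):
    """Expected defect counts per time bin, i.e. what the project would observe."""
    return [
        n_defects * (mixture_sf(i * bin_width, modes, weights)
                     - mixture_sf((i + 1) * bin_width, modes, weights))
        for i in range(n_bins)
    ]


# Constructed decomposition: three subsystems with modes 2, 4 and 8 time units
# contributing 50 %, 30 % and 20 % of the defects (assumed values).
MODES = [2.0, 4.0, 8.0]
WEIGHTS = [0.5, 0.3, 0.2]


if __name__ == "__main__":
    counts = failure_histogram(1000, MODES, WEIGHTS, 1.0, 30)
    for i, c in enumerate(counts):
        print(f"t={i:2d}..{i + 1:2d}  {'#' * int(round(c / 5))}")
    print("tail excess at t=20:", round(tail_excess(20.0, MODES, WEIGHTS)))
    print("effective mode at t=20, 40:",
          round(effective_mode(20.0, MODES, WEIGHTS), 2),
          round(effective_mode(40.0, MODES, WEIGHTS), 2))
```

At t = 20 the superposition retains several thousand times more defects than a single Rayleigh fitted to the mean mode (3.8), which is the "fat tail" that the simple model under-predicts, and the effective mode climbs from about 6.5 at t = 20 toward the slowest subsystem's mode of 8 at t = 40. Drawing the modes from a continuous density instead of three discrete values is the same computation with the sum replaced by an integral.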

Wednesday 08/14/13 PM | Clarendon | Risk Assessment | Chair: Karedes

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt; Joan Pham, PhD; Sikorsky Aircraft Corporation, Stratford, Connecticut, USA

The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.
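The core steps of a QRA on life data, as an added Python example that is not the paper's case study or code: fit a two-parameter Weibull to a set of failure times by rank regression with Bernard's median ranks, then turn the fitted distribution into the forward-looking quantity a risk assessment needs, the expected number of fleet failures over the next interval given each unit's current age. The sample failure times and fleet ages are constructed (the sample is generated from a known Weibull so the fit can be checked), and the example assumes complete data, i.e. no suspended or censored units, which a real QRA would have to handle.

```python
import math


def bernard_median_ranks(n):
    """Bernard's approximation to the median rank of the i-th of n ordered failures."""
    return [(i - 0.3) / (n + 0.4) for i in range(1, n + 1)]


def fit_weibull_rank_regression(failure_times):
    """Two-parameter Weibull fit by rank regression on Y.

    With F the median rank of each ordered failure time t,
        ln(-ln(1 - F)) = beta * ln(t) - beta * ln(eta),
    so a least-squares line through (ln t, ln(-ln(1 - F))) has slope beta and
    intercept -beta * ln(eta).  Assumes complete data (no suspensions).
    """
    t = sorted(failure_times)
    n = len(t)
    if n < 2:
        raise ValueError("need at least two failures")
    xs = [math.log(v) for v in t]
    ys = [math.log(-math.log(1.0 - f)) for f in bernard_median_ranks(n)]
    x_bar = sum(xs) / n
    y_bar = sum(ys) / n
    sxx = sum((x - x_bar) ** 2 for x in xs)
    sxy = sum((x - x_bar) * (y - y_bar) for x, y in zip(xs, ys))
    beta = sxy / sxx
    intercept = y_bar - beta * x_bar
    eta = math.exp(-intercept / beta)
    return beta, eta


def weibull_sf(t, beta, eta):
    """Probability a unit survives to age t."""
    return math.exp(-((t / eta) ** beta))


def weibull_cdf(t, beta, eta):
    return 1.0 - weibull_sf(t, beta, eta)


def conditional_failure_prob(age, horizon, beta, eta):
    """P(fail in (age, age + horizon] | survived to age).

    For beta > 1 (wear-out) this rises with age, which is why a fleet's
    age distribution, not just the fitted curve, drives the risk figure.
    """
    return 1.0 - weibull_sf(age + horizon, beta, eta) / weibull_sf(age, beta, eta)


def fleet_expected_failures(unit_ages, horizon, beta, eta):
    """Expected number of failures across the fleet over the next `horizon` hours."""
    return sum(conditional_failure_prob(a, horizon, beta, eta) for a in unit_ages)


def synthetic_failure_times(beta, eta, n):
    """Constructed sample: quantiles of a known Weibull at the median ranks,
    so the fit can be checked against the generating parameters."""
    return [eta * (-math.log(1.0 - f)) ** (1.0 / beta) for f in bernard_median_ranks(n)]


# Constructed inputs (assumed, not from the paper): eight failures drawn from a
# Weibull with beta = 2.5, eta = 1000 h, and a five-unit fleet at various ages.
SAMPLE_HOURS = synthetic_failure_times(2.5, 1000.0, 8)
FLEET_AGES = [150.0, 400.0, 650.0, 900.0, 1200.0]


if __name__ == "__main__":
    beta, eta = fit_weibull_rank_regression(SAMPLE_HOURS)
    print(f"beta = {beta:.3f}, eta = {eta:.1f} h")
    for age in FLEET_AGES:
        print(f"age {age:6.0f} h: P(fail in next 100 h) = "
              f"{conditional_failure_prob(age, 100.0, beta, eta):.4f}")
    print("expected fleet failures in next 100 h:",
          round(fleet_expected_failures(FLEET_AGES, 100.0, beta, eta), 3))
```

The expected-failure count is the number that gets compared against a risk guideline or used to size a fleet action (inspection interval, retirement age); the reference tutorials the abstract mentions cover how suspensions, confidence bounds on beta and eta, and the risk criteria of FAA Order 8110.107 enter that comparison.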

Thursday 08/15/13 AM | Berkeley | Space Systems | Chair: Durmaz

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X. Dang, BSCE (1); Myles P. Moran, BSME (2); Tyrone Jackson, BSEE (1); (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA

A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. For example, one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 AFSPC SUP 1, AFI 91-217 and AFI 63-101. AF program offices are required to comply with AFI policies; AFIs don't generally apply to the contractor except as implemented through the contract. Often, program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that by having two sets of requirements, AFIs for program offices and tailored MIL-STD-882 for contractors, full compliance with AF Orbital Safety policy should be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"


Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G. McDougall, BS Physics, Naval Post-Graduate School (NPS) Master of Systems Engineering, System Safety Center, SMC/SE, El Segundo, CA, USA; Tyrone Jackson, BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA

The Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommissioning and disposal of systems, subsystems, end items and services during the entire space system life cycle, to support Operational Safety, Suitability and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) for new acquisitions to specify the system safety requirements applicable to the acquisition of space systems or space systems of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems and user equipment systems. The SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP_I and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process for evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing the tasks and activities required to execute a viable system safety program, including risk acceptance package development, hazard tracking, mishap risk disposition and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch, CO, USA

United Launch Alliance launches Atlas V and Delta IV from Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles, and large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle and prelaunch operations, until liftoff. Range Safety regulations provide safety requirements for hardware, software and operations to ensure safety throughout ground processing. This paper examines each stage of ground processing for a space launch and the applicable safety requirements, and discusses how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after personnel are cleared, using safety-critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday 08/15/13 AM | Clarendon | Weapons Safety | Chair: Southwick

Security Critical Software: the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S. Alborzi, PhD, Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA

Today's political landscape, the arbitrary abandonment of nuclear non-proliferation by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense of system safety. This paper explores this integration and unveils some of the security critical software that can serve as the first line of defense for preserving the safety critical features of our weapons systems.


Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams, BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello, BSChE, Navy NOSSA, Indian Head, MD, USA

The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance for implementing policy provided in the associated AOP-7 and AOP-39. Questions are often raised during program development and reviews as to the origin and applicability of the tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of the test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, addresses only Qualification requirements for pyrotechnics; it explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE; Gunendran Sivapragasam, MBA SE; Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA

A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among the characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down groundwork with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday 08/15/13 AM | Dartmouth | Hazard Identification | Chair: Oliver

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore

We often ask ourselves why accidents or mishaps happened even when the system safety methodology and assessments were in place. Accidents happen due to many possible causes. There could be lapses in the safety integrity of the system, or a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns, in that a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations that were faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practice of system safety. There are four areas of concern highlighted in the paper: Interfaces, Prototype Tests & Trials, Maintenance & Disposal, and Human Error. By identifying the gaps in these four areas, the author explores and proposes mitigation measures that could close the gaps and improve overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr. Cand. scient., System Safety, SINTEF, Trondheim, Norway

Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body (for certification according to IEC 61508), a Notified Body (for certification according to the relevant EU directives) and a Manufacturer.

Experience has shown that, to deliver the product in time and to be cost-effective, it is very important that the Manufacturer and the Certification and Notified Bodies agree on basic principles concerning the plans, contents, traceability and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Bodies as evidence.

This paper presents the CoVeR method developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, that costs are minimized and time to market is reduced, that the certification process is complete and well documented, and that updating the certificates requires less work. The certification experience to date shows that many of the problems with conventional methods are alleviated.

Design with Safety Eye
Barış Berk Erdem, MS; Pinar Aydin, MS; Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey

Deriving safety requirements in the early stages of design is one of the most important key factors for a successful development process in any project. Just as well-defined, correct, consistent and complete safety requirements improve and guide the design to perfect levels with minimum effort, defective, inconsistent and incorrect safety requirements may lead to unsuccessful, overweight and over-cost designs. In this paper, ways of deriving qualified safety requirements in the early stages of design, and the advantages of doing so, are discussed via examples. Safety requirements are derived from the results of safety assessments based on the consequences of functional failures. But the quality of safety assessments depends on the maturity of the design, and as the design matures it becomes hard to implement changes, which causes a dilemma. In the early stages of design, working with safety specialists who are more experienced, better educated and familiar with similar projects provides great contributions. A safety perspective throughout the design team also makes it easier to derive valuable safety requirements and bring them into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is cooperation of the whole design team with a safety perspective.

Thursday 08/15/13 PM | Berkeley | Aerospace Software | Chair: Beecher

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway, NASA Langley Research Center, Hampton, VA, USA

For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements". Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments contained in or implied by the DO-178C guidance that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results and claims to have met timing-related software safety requirements. In this paper we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels and Baconian probability. We define use cases for confidence in safety cases: prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for reuse of safety elements.

Initial Safety Analysis for Integration of Unmanned Aerial Systems into the National Airspace System
Eric Yang, PhD; Richard Y. Xie, PhD; Arash Yousefi, PhD; Metron Aviation, Inc., Dulles, VA, USA

As demand for military, civilian and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper we adapt a previously developed safety modeling framework, the Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and to evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS, incompatibility between the sense-and-avoid systems of UAS and the Tactical Collision Avoidance Systems (TCAS) of manned aircraft, loss-link procedures in the UAS, and UAS loss of communication with air traffic control. The findings of this study provide insight into the potential risks of UAS integration and may support development of a concept of operations, establishing minimum performance standards, and developing required safety nets.

Thursday 08·15·13 PM, Clarendon: Public Safety II (Chair: Laabs)

Integrating System Safety and Emergency Management
Terry L. Hardy, Great Circle Analytics LLC, Denver, CO, USA

System safety is an engineering and management discipline used to analyze hazards, evaluate risk and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to and recover from an incident that threatens life, property, operations or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Program ISSC 2013

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS, HSE, Marine Well Containment Company, Houston, TX, USA

Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess and Statoil. In February 2011, MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS and Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach for working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.


A Taxonomic Analysis on Chinese Special Equipments "Yinhuan" in Supervision
Yunxiao Fan, Dr., Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety on worksites. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices and automobiles. In recent years, the rapid increase in the number and types of special equipment has put BSES under increasing stress in regulating it. As a government supervision organization, BSES is trying to make the inspection tasks at each supervision level explicit and efficient and to improve safety management performance from a risk perspective. This research is the first task in a project which aims to identify yinhuans in special equipment supervision through a taxonomic approach, so that they can later be ranked through risk assessment.

Based on nonconformity and the four elements of the accident causation model, this research defined yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. Nonconformities were identified from related regulations, standards, procedures, etc., and 830 yinhuans were identified across 8 types of special equipment.

Thursday 08·15·13 PM, Dartmouth: Hazard/Risk Management II (Chair: Kniess)

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1); Patrick J. Graydon, PhD (2); Rikard Land, PhD (1). (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework including analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach, the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence; it can ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA

United Launch Alliance (ULA) believes error reporting is the cornerstone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012, ULA experienced an elevated number of transportation-related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates processes were "in control" during the period of this study.


Even though statistical analysis tools demonstrated ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, PEng, MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece

Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how STAMP-Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents and incidents. The objective is to show the feasibility of establishing, in airports, system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems and airports to assess and predict changing levels of risk.


Special Functions

Saturday
• SSS Executive Council Meeting, 12:00 - 5:00pm, Tremont Room

Sunday
• SSS Executive Council Meeting, 8:00am - 5:00pm, Tremont Room

Monday
• Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
• Opening Ceremonies / General Session, 1:30 - 3:30am, Salons A-E. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow Member Emeritus. Keynote Speaker: James P. Keller Jr., MS, ECRI Institute

Tuesday
• Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
• Sponsor/Exhibitor Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology
• Sponsor & Exhibitor Reception, 6:30 - 8:30pm, Gloucester Room

Wednesday
• Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
• International Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK
• Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00pm. Be in the hotel lobby at 6:00pm.

Thursday
• Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
• Awards Luncheon, 11:30 - 1:20pm, Salons A-E

Friday
• Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
• Best Papers Presentations, 8:00 - 11:20am, Dartmouth Room

32nd International System Safety Conference, 4-8 August 2014, St. Louis, MO
St. Louis Union Station Marriott Hotel
"Gateway to Safety": 32nd International System Safety Conference, St. Louis, Missouri, August 4-8, 2014

Local attractions: Gateway Arch Riverfront, Missouri History Museum, Museum of Transportation, St. Louis Cardinals, St. Louis Symphony, St. Louis Union Station, St. Louis Science Center, The Contemporary Art Museum St. Louis, Bissell Mansion Restaurant and Dinner Theater, Missouri Botanical Gardens, Laumeier Sculpture Park, Anheuser-Busch Brewery, Kemp Auto Museum, Schlafly Bottleworks, Fox Theater, Purina Farms, Meramec Caverns, Laclede's Landing, City Museum, Magic House, Grant's Farm, St. Louis Zoo, Delmar Loop, Forest Park, Harrah's, Six Flags

About the System Safety Society

The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program or activity at the planning phase and continues through the design, production, testing, use and disposal phases.

The Society's Objectives
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070; www.system-safety.org; email: systemsafety@system-safety.org

Points of Contact

Officers
• Robert Schmedake, President: robertaschmedake@boeing.com
• Dr. Rod Simmons, Executive Vice President: rodsimmons@me.com
• Dr. Matt Johnson, Executive Secretary: mjohnson@staudertech.com
• Pam Kniess, Treasurer: pamkniess@gmail.com
• Gary Braman, Immediate Past President: gbraman@sikorsky.com

Directors
• Gerry Einarsson, Chapter Services: einargk@rogers.com
• Lynece Pfledderer, Conferences: Lynecepfledderer@lmco.com
• Dr. Chuck Muniak, Education & Professional Development: cmuniak@stevens.edu
• Debbie Hale, Gov. & Intersociety: Hale0324@hotmail.com
• Robert Fletcher, International Development: rwfletcher@sympatico.ca
• Melissa Emery, Member Services: memery@apt-research.com
• Steve Mattern, Mentoring R&D: smattern@bastiontechnologies.com
• Saralyn Dwyer, Publicity & Media: sdwyer@apt-research.com


Chapters
• Tennessee Valley Chapter (AL): Don Swallom, swallom@isss-tvc.org
• Saguaro Chapter (AZ): Amanda Boysun, 520-794-5487, AmandaBoysun@raytheon.com
• Bay Area Chapter (CA): Graham Murray, 408-756-2674, grahamtmurray@lmco.com
• Central California Chapter (CA): Kathleen Brenna, KathleenBrenna1@us.af.mil
• Sierra High Desert Chapter (CA): Jerry Banister, 760-377-4690, safetycitadel@earthlink.net
• Southern California Chapter (CA): Francis McDougall, 310-653-1309, francismcdougall@us.af.mil
• Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppe@comcast.net
• Georgia Chapter: Terry Gooch, 770-494-3527, terryjgooch@gmail.com
• Winners Circle Chapter (KY/IN): Marc Bever, 812-854-1351, Marcbever@navy.mil
• Twin Cities Chapter (MN): Bill Blake, 763-744-5086, billblake@atk.com
• New England Chapter: Alan E. Southwick, 401-842-2067, Alan_E_Southwick@raytheon.com
• Northeast Chapter: Scott Beecher, scottbeecher@pw.utc.com
• New Mexico Chapter (NM): William (Bill) Harwood, williamharwood@mda.mil
• Houston Chapter (TX): Derek Robins, 281-335-2011, derekrobbins@mwcc-usa.com
• North Texas Chapter (TX): Frank Rinaldo, 817-762-3075, frankrrinaldo@lmco.com
• Washington DC Chapter: Sean Peters, seanpeters@urs.com
• Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerber@baesystems.com

International Chapters
• Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbecht@rgbassurance.com.au
• Canada Chapter: Maury Hill, 613-220-0533, Mauryhill@rogers.com
• Israel Chapter: Haim Kuper, 972-4-8315044, haimkuper@elbitsystems.com
• Singapore Chapter: Ten Lin Mei, tlinmei@dso.org.sg


31st ISSC Luncheon Menu

Tuesday, August 13
• New England Clam Chowder
• Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
• Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14
• Asian Inspired Salad
• Teriyaki Chicken, Coconut Rice, Seared Bok Choy
• Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15
• Caesar Salad
• Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato Pesto Butter Sauce
• White Chocolate and Blood Orange Torte


Schedule: Thursday 15 August

4th Floor, 8:00 - 5:00: Registration
Simmons Room, 6:30 - 8:00: Speakers' Breakfast
Regis Room, 8:00 - 5:00: Presenter Prep

Paper sessions (Berkley / Clarendon / Dartmouth)

8:00 - 8:50
• Berkley, Space Systems (Durmaz): Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy (Dang, Moran, Jackson)
• Clarendon, Weapons Safety (Southwick): Security Critical Software — the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age (Alborzi)
• Dartmouth, Hazard Identification (Oliver): Closing the Gaps in System Safety Coverage (Siow)

9:00 - 9:50
• Berkley: Tailoring of MIL-STD-882E for Space Systems Acquisitions (McDougall, Jackson)
• Clarendon: Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics (Adams, Tomasello)
• Dartmouth: Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods (Myklebust)

10:30 - 11:20
• Berkley: Cryogenic Safety for Space Launch Vehicles During Ground Operations (Iyengar)
• Clarendon: A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects (Pham, Sivapragasam)
• Dartmouth: Design With Safety Eye (Erdem, Aydin)

Awards Luncheon, Salons A-E. Menu: Caesar Salad; Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato Pesto Butter Sauce; White Chocolate and Blood Orange Torte

1:30 - 2:20
• Berkley, Aerospace Software (Beecher): Making the Implicit Explicit: Towards an Assurance Case for DO-178C (Holloway)
• Clarendon, Public Safety II (Laabs): Integrating System Safety and Emergency Management (Hardy)
• Dartmouth, Hazard/Risk Management II (Kniess): Towards Automatic Verification of Safety Properties in AADL System Models (Björnander, Graydon, Land)

2:30 - 3:20
• Berkley: Uncertainty and Confidence in Safety Logic (Graydon)
• Clarendon: Safety in Deepwater Well Containment Operations (Robins)
• Dartmouth: Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events (Allison, Jerdak)

4:00 - 4:50
• Berkley: Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System (Yang, Xie, Yousefi)
• Clarendon: A Taxonomic Analysis On Chinese Special Equipments "Yinhuan" in Supervision (Fan, Luo, Lu)
• Dartmouth: Leading Indicators in Aviation Operations (Fletcher, Dokas)

Tutorials, panels and meetings (Exeter / Fairfield / Suffolk / Wellesley)

8:00 - 8:50, 9:00 - 9:50, 10:30 - 11:20
• Tutorial: Conceive of Modeling On Operation Mechanism of Public Safety Standardization (Luo, Huang; 6 hrs)
• Panel: G-48 Pressing Issues Facing System Safety (West; 3 hrs)
• Committee & Group Meetings

1:30 - 2:20, 2:30 - 3:20, 4:00 - 4:50
• Tutorial (continued)
• Committee & Group Meetings (continued)

Friday 16 August

Simmons Room, 6:30 - 8:00: Speakers' Breakfast

Clarendon / Dartmouth / Regis

8:00 - 8:50
• Clarendon: Workshop: Process Safety Culture Best Practices (Pearlman; 2 hrs)
• Dartmouth: Best Paper 1
• Regis: Lessons Learned & ISSC Staff Turn-over Meeting

8:50 - 9:30
• Dartmouth: Best Paper 2

10:00 - 10:40

10:50 - 11:30


Tutorials

The conference organizers have an information-packed tutorial program planned in conjunction with the 31st ISSC. Attending tutorials, as well as other elements of the Technical Program at the 31st ISSC, meets the requirements for Continuance of Certification credit through the Board of Certified Safety Professionals (BCSP). The University of Cincinnati will issue Continuing Education Units (CEUs) for participation in the conference tutorials. CEUs are issued on the basis of 0.1 CEU per instructional contact hour. You must be present for at least 90% of the tutorial to receive CEUs and a tutorial completion certificate. Your attendance is verified via the process outlined below.

• At the start of the tutorial, you'll clearly print your name in the attendance form exactly as you want it to appear on the certificate.
• After returning from each break during the tutorial (morning, lunch and/or afternoon), you'll initial the attendance form.
• You must be present at the end of the tutorial to receive your certificate and the CEUs.

If there are misspellings on the CEU certificates, please mark the corrections and give them back to the instructor or leave them at the registration desk.

Monday 08·12·13, 8:00-11:30, Exeter, Tutorial, 0.3 CEU

Hands-On System Safety Basics Focused on FHA
Instructors: Werner Winkelbauer, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria

An overview of a generic safety process best suited for small to medium sized projects, in relation to the project lifecycle, is given. For each major project phase, the respective safety process phase, safety objectives, and necessary inputs and outputs are detailed. Some state-of-the-art analysis techniques are explained. Special emphasis is placed on the Functional Hazard Assessment, where practical guidance for a Functional Failure Modes and Effects Analysis is presented.

The content of this tutorial is based on experience from an internationally working company.

Objective: Basic understanding of a safety process and the practical implementation of a Functional Failure Modes and Effects Analysis.

Monday 08·12·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Introduction to Fault Tree Analysis Using CAFTA Software
Instructor: Jean Francois Roy, Nuclear Division / Risk & Safety Management Group, Electric Power Research Institute, Palo Alto, CA, USA

This tutorial will introduce Fault Tree Analysis using CAFTA software. Attendees will first review fault tree methodology and terminology. Construction of a fault tree model in CAFTA will then follow a brief review of CAFTA's components and symbol types. In constructing the fault tree model, topics covered will include projects, navigation, editing shortcuts and how to add probabilities. An overview of basic event probability formulas, type codes and variables will be included, as well as printing and quantification processes.

Tuesday 08·13·13, 8:00-5:00, Arlington, Tutorial, 0.6 CEU

A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique
Instructors: Nancy G. Leveson, PhD, John Thomas, PhD, Aeronautics and Astronautics, MIT (Massachusetts Institute of Technology), Cambridge, MA, USA

STAMP is a new accident causality model that expands on the old models in order to handle the increased complexity, software and changing human roles in today's systems. Using STAMP as a foundation, new tools have been built for hazard analysis (STPA), accident analysis (CAST), organizational risk analysis and risk management, etc. This tutorial will concentrate on STPA. The tutorial will start with a brief introduction to STAMP and the systems approach to safety engineering. The rest of the time will be devoted to learning STPA and doing exercises. Students are encouraged to bring problems from their own research domains so that they can try this analysis method on something very relevant to their work.

STPA is being used successfully in most every industry. Several groups have evaluated STPA empirically by comparing the results with standard hazard analysis techniques. In all cases, STPA found all the hazard scenarios found by the other methods but also found additional ones involving software, human errors and unsafe interactions among system components. In a couple of cases where STPA and the other methods were applied to a design in which an accident had occurred (without telling the analysts), STPA was the only method that found the real accident scenario.

By the end of the tutorial, attendees will be able to apply STPA to a system in their field of expertise.

Tuesday 08·13·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Assurance Cases as Means of Evidence Based Development of Critical Systems
Instructor: George Despotou, BEng, MSc, PhD, CEng, Department of Computer Science, University of York, York, United Kingdom

Often developers have the onus to defend a position (i.e., make a case) about the safety of their system. This usually involves an explanation of how the available information for a system supports the claim that risks in a system have been acceptably managed.

Safety cases have been used in the safety domain for a number of years, mostly in the defence, aerospace and energy domains. Their usefulness as a tool for improving safety has been appreciated by many practitioners, and development of a safety case is a requirement in many standards. This has resulted in the core concepts of safety cases being transferred to other domains (e.g., automotive) and being focused on other system attributes (e.g., security cases). Recently the term assurance case has been introduced, which encompasses not only safety but other relevant critical aspects of a system such as security.

A case exists to communicate an argument. It is used to demonstrate how someone can reasonably conclude that a system is acceptably safe from the evidence available. A case is a device for communicating ideas and information, usually to a third party (e.g., a regulator). In order to do this convincingly, it must be as clear as possible. Safety case definitions may differ between domains, but all definitions converge on a set of characteristics.

Development of a (safety) case is a requirement in many standards. However, the usefulness of the safety case has been appreciated in industry, and it is used by many organisations as good practice. The reason for this is that explicitly capturing all reasoning and information (about the supported position), such as assumptions and evidence, facilitates assessing the fitness of the design to meet its (safety) objectives. A manufacturer will design a system aiming to achieve the required operational attributes. However, what is intended is often not what is achieved. Once the reasoning of the developers is explicitly documented as claims and argument supported by evidence, the gap between what was intended and what was achieved becomes more apparent.

Explicitly documenting a case will contribute towards a factual representation of the system, revealing which claims can be supported by evidence and which remain intentions (for example, because there is not sufficient evidence to support them). This does not necessarily imply that the latter claims have not been implemented, but that we are unaware of their achievement because they are not sufficiently supported. There can be three reasons why a claim is not sufficiently supported: a) there is not sufficient evidence to warrant the claim; b) although there is evidence, there is inadequate explanation (a problematic argument structure) of how the evidence supports the claim; and c) the claim was phrased in a way that is unsupportable.

The tutorial describes the basic concepts of assurance and safety cases (including recent OMG standards), explains the main challenges in developing an assurance case and their relationship to safety standards (safety cases and standards serve different purposes and should be seen as complementary), and presents best practice (and misconceptions) regarding assurance cases.

Tuesday 08·13·13, 8:00-11:30, Suffolk, Tutorial, 0.3 CEU

Practical Generation of Safety Cases with the Help of GSN
Instructors: Andreas Gerstinger, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria

This tutorial will introduce you to the concept of safety cases. Safety cases are structured arguments that support the claim that a system is safe to be used for a given application in a given environment. Several standards require the production of such safety cases as a prerequisite for approval. The tutorial will highlight good and bad practices when developing safety cases and will introduce you to a notation specifically developed for the generation of safety cases: the Goal Structuring Notation (GSN). There will be practical examples which need to be solved by the attendees so that hands-on practice and experience is gained.

Detailed outline of the tutorial:

Introduction (1h): The tutorial will start with a survey of current safety standards (IEC 61508, ISO 26262, EN 50128, DO-178C) and analyse their views and requirements regarding safety cases. We will then delve into the nature of safety cases, briefly touch on their historical origins, and clearly consider what can and what can't be expected from a safety case. Based on our practical experience, we will also highlight some typical bad practices when constructing safety cases. This helps to correctly and critically read them and is also a helpful guideline for reviewing other safety documentation. This part of the tutorial is largely a presentation.

Goal Structuring Notation (45 min): We will now introduce the main elements of the Goal Structuring Notation (GSN), which is a helpful tool to document safety cases. The presentation of the notation will be interleaved with brief examples, exercises and questions so that attendees have the chance to fully understand the meaning and purpose of the various symbols. A structured method for how to proceed when drafting safety cases will also be presented. Hence this part of the tutorial is much more interactive, requiring active participation of attendees.

Case Study (45 min): A realistic case study will then be handed out. It is expected to be solved as group work (groups of 3-5 people are expected). The task of the groups will be to draft and present a sound safety argument for a given claim that the system in the case study is acceptably safe for a specific application in a given environment. GSN shall be used as the notation for this purpose. At the end, the groups present their solutions and the advantages/disadvantages of the presented solutions are discussed. This part of the tutorial is group work.

Concluding Remarks (30 min): Finally, we will offer some concluding remarks consisting of hints on how to avoid common errors and fallacies in safety cases, show some examples of real-world safety cases, and finish with a personal conclusion.

Tuesday 08·13·13, 1:30-5:00, Suffolk, Tutorial, 0.3 CEU

Improving Safety Management by Using a Risk Management Policy in Your Daily Operations
Instructor: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA

The focus of the tutorial is the use of risk assessment and risk management in the (non-technical) occupational safety and health profession. Domain of Interest: Hazard/Risk Management or Workplace Safety.

First hour: Review the basics of the various components of risk and types of risk assessments. Stress that the safety and health professional needs to understand that risk is more than a simple subjective measure of severity and frequency.

Second hour: Demonstrate how to make risk assessment into a powerful management tool by customizing the assessment of risk for use in a company or industry. Also provide insights on how to "sell" a risk management policy/program within a company.

Third hour: A discussion of how to use risk management as a tool to aid you in your daily office or program management responsibilities: the planning, organizing, staffing, leading and controlling of a safety program. Embedded in the discussion is how risk can provide a measure of the success of an occupational safety and health program.

Wednesday 08·14·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Why You Should Care About the "-Ilities"
Instructor: Alan E. Southwick, BSEE, MME, MBA, CSP, CQE, CRE, Whole Life Engineering Directorate, Raytheon Company Integrated Defense Systems, Portsmouth, RI, USA

The topic addresses the interrelationships developed from Quality, Quality Control and Quality Engineering, pursuing Specialty Engineering roles and relationships, including Reliability, Maintainability, Supportability, Human Factors, Safety and Security (Information Assurance), from an overview perspective. The tutorial is designed to be somewhat interactive, presenting examples and questions to the audience related to the various topics discussed, thereby engaging participants and providing them with insights into the various disciplines and how they relate within "Specialty Engineering".

Wednesday 08·14·13, 1:30–3:30, Dartmouth: Tutorial, 0.2 CEU

Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System
Instructors: Tim R. Behnke, BSEE; John Damstra, BS Mathematical Sciences; and Eric D. Villhauer, BS Aerospace Eng., BA Economics; Specialty Engineering, General Atomics Aeronautical, Poway, CA, USA
The presenters share their implementation of a hazard analysis that integrates the civil aviation approach to safety analysis per SAE ARP 4761 and the defense approach to safety analysis per MIL-STD-882E, along with their implementation of the associated hazard tracking system in DOORS.

• Introductions - Behnke - 5 mins
• Need for System - Behnke - 5 mins
• Groundwork (historical) - Behnke - 10 mins
• Development - Damstra - 30 mins
  i. Modules
  ii. Attributes
  iii. DXLs
  iv. Views
  v. Exports
• Usage - Villhauer - 30 mins
• Questions - All - 10 mins

ProgramISSC2013


Wednesday 08·14·13, 1:30–3:30, Exeter: Tutorial, 0.2 CEU

Where Hard Meets SOFT: Human Factors Role in System Safety Engineering
Instructors: Fred W. Brisbois, CHCM, Safety, Sikorsky Aircraft, International Helicopter Safety Team, Guilford, CT, USA
The gap that allows accidents to happen is sometimes where System Safety Engineering and Human Factors don't overlap. System Safety Engineering processes defined in MIL-STD-882 and ARP 4761 provide a structured approach of applying engineering practices to ensure safety is designed into products. These practices, coupled with robust product safety surveillance and management during the aircraft's service life, offer opportunities to continuously raise the standards for future designs. However, to maximize the benefits of safety engineering it is important to master the 'art' of how and when to integrate human factor interventions into the system design. This session will cover a generic overview of system safety engineering, aircraft fleet safety management, and lessons learned from 'human' malfunctions that led to aircraft system design changes.

Wednesday 08·14·13, 1:30–5:00, Wellesley: Tutorial, 0.3 CEU

Using Risk Profiles for Safety Management of Large Scale Operations
Instructors: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS – Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA
This tutorial provides safety and health professionals who work with large scale or multiple operations with a methodology to evaluate and compare these operations. The tutorial begins with a review of four types of risk which need to be assessed (People, Product, Production and Planet). This is followed by a brief discussion of normalizing the risk components of severity and probability. The heart of the tutorial is the description of how to measure the total risk of various operations, processes and facilities and present the resulting risk profiles to management. The tutorial will conclude with a brief discussion on the validity of the methodology used. Note: This is not a discussion on how to determine true total risk, but a simplified method using a minimum of math. The tutorial is designed for safety and health professionals working within a company that has multiple processes or facilities that compete for funding to ameliorate hazards.

Thursday 08·15·13, 8:00–5:00, Exeter: Tutorial, 0.6 CEU

Conceive of Modeling on Operation Mechanism of Public Safety Standardization
Instructors: Yun Luo and Yuecheng Huang, ME, School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
On the basis of the theories and methods of system science and strategy-system, this paper revealed the operation law of standardization of safety production and the relations between all the elements, combined with the background and current situation of public safety standardization in China. It also built the frame of a macroscopic operating mechanism and the "456" model of the work safety standardization system operation mechanism, which borrowed the idea from the execution and achievement of work safety standardization in our country. Besides, it also designed six other mechanism models in order to do systematic analysis and present optimized countermeasures, such as comprehensive management by government, categorized supervision by department, implementing responsibility by organization, technological service by agency, wide participation by society, self-disciplined prodding by entire personnel, and so on. The research provided some theoretical directions as well as approaches for the construction and improvement of the operation quality of public safety standardization.


Panel Discussions / Forums

Tuesday 08·13·13, 8:00–11:30, Dartmouth: Open Forum

Developing Global System Safety Perspectives
Moderator: Robert Ward Fletcher, PEng, MSc, PMP, PCIP, Consultant, President, Robert Fletcher System Safety Inc., Ottawa, Ontario, Canada
This will be a free form discussion moderated by Bob Fletcher, SSS Director of International Development. It is a continuation of the discussion started during the 30th ISSC.

Robert is a system safety engineer with many years of experience. He has performed system safety consultancy services work for several clients around the world. He performed system safety engineering and safety management systems training, auditing and analysis for air traffic control and flight service system applications. Robert has received an MSc from the United States Navy Post Graduate School, a diploma from the Aerospace Systems School, Winnipeg, Manitoba, and a Bachelor of Science degree from the Royal Military College. He is a registered professional engineer, a member of the Project Management Institute and the Critical Infrastructure Institute.

Thursday 08·15·13, 8:00–11:30, Suffolk: Panel

G-48 Workshop – Pressing Issues Facing System Safety
Moderator: David B. West, CSP, PE, CHMM, Systems, Software and Solutions Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
A panel of speakers (TBD) will give a series of presentations on the most pressing issues facing the System Safety community today.

Workshops

Tuesday 08·13·13, 8:00–11:30, Exeter: Workshop

ISO 26262-Style Risk Assessment
Presenter: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada
ISO 26262 is a functional safety standard for electronic control systems in road vehicles which includes a novel approach to risk assessment that overcomes the widely recognized difficulty of evaluating the likelihood of failure in the case of software-intensive systems. Although it was devised for use in the automotive domain, this approach to risk assessment has been used successfully in other technical domains that also rely on safety-critical software. Following a brief introduction to ISO 26262, participants will engage in a series of problem-solving small-group exercises based on examples taken from a variety of technical domains, including automotive, medical devices, energy and defense. The workshop will include opportunities for discussion and comparison of sample solutions. The workshop will also include a brief comparison of the ISO 26262 approach to risk assessment with the notion of software criticality in MIL-STD-882E. While this workshop will be of particular interest to system safety engineers in the automotive industry, it is intended to be relevant to system safety engineers across all technical domains with an interest in the assessment of safety risk associated with complex software-intensive systems.


Tuesday 08·13·13, 1:30–5:00, Exeter: Workshop

Application of System Safety Methods to Systems of Systems
Presenters: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada; Rami Debouk, Electrical and Controls Integration Lab, General Motors, Warren, MI, USA; Antonio Vergara, ITER Organization, St Paul-lez-Durance, France
This workshop will facilitate an exchange of knowledge among participants about the application of system safety methods to Systems of Systems (SoS), that is, systems whose components are themselves complex systems, such that the combined behavior of these components cannot be easily understood or explained in terms of the behaviors of the individual components. Examples of such systems are increasingly common across a variety of technological domains, including aerospace, defense, automotive and energy generation/distribution. Traditional methods of system safety, focused on component failure as a source of safety risk, have limited value in understanding and managing the safety risks associated with a SoS. For example, an unforeseen interaction between two "correct" behaviors implemented by different components of a SoS may result in an unsafe behavior even in the absence of a component failure. The first part of the workshop will be a series of short presentations on SoS examples from a diverse variety of technical domains, namely advanced road vehicles, high energy physics and aerospace/defense. The second part of the workshop will be an opportunity for all participants to address specific questions about the application of system safety methods to SoS through dialogue and impromptu mini-presentations.

Tuesday 08·13·13, 1:30–5:00, Fairfield: Workshop

Advancing Safety By Reducing Errors: A Fresh Approach
Presenter: Tim Autrey, BSc, Error Reduction and Human Performance Enhancement, Practicing Perfection Institute Inc., Swanzey, NH, USA
Potential hazards workers face while working in the refining and petrochemical industry can vary from minor leakage to major blasts: release of chemical vapors, spills leading to exposure to harmful gaseous chemicals, fires and explosions, and smoke build-up causing shelter-in-place impacting the local community, personal injuries, fatalities and plant damage resulting in shut downs. Considering time pressures, the dangerous nature of the job, weather conditions, lack of communication, poor/inadequate documentation and remote working locations, planners, locators and refiners often face combined challenges that generate very error-likely conditions.

While unexpected releases of toxic substances do occur, the industry is subject to vulnerabilities caused by others (such as processes involving highly hazardous chemicals leading to the release of flammable liquids and gases, and worker stress and fatigue), and investigations reveal that many of the major accidents that do occur could have been prevented through greater diligence on behalf of the respective personnel involved.

This workshop is designed to provide the participants the awareness that, as humans, we are fallible (even the best people make mistakes). However, this being said, as humans we also possess the incredible power of choice. What we must do is choose to learn from our mistakes and take actions to prevent their recurrence.

Bird and Germain (1996) rightly said, "What is the sense of measuring if the loss must occur before you can act? That is reaction, not control." What we need is a fresh approach to enhance safe work practices. This session will instill a strong understanding of "The Gap" in processing information and how to RESPOND rather than REACT when posed with a stressful or threatening situation. The participants will come to recognize the value inherent in worker contribution to solving problems and improving safety and efficiency.

The Practicing Perfection® approach has taken the best-of-the-best tactics and tools from the US commercial nuclear power and airline industries, simplified them, and combined them with underlying triggers and influencers of behavioral psychology to transform worker behaviors pertaining to personal and process safety in different sectors.


Using this innovative approach of Practicing Perfection®, safe work practices will be discussed in depth using the four human error barrier/defense categories and how these work together to prevent/allow an event to occur. The participants will be introduced to the Error Elimination Tools™ handbook, which offers simple tools for minimizing the potential for error at points of team interaction and individual execution.

Wednesday 08·14·13, 1:30–3:30, Arlington: Workshop

The Evolution of the UK Defence Safety Standards
John McDermid, Professor of Software Engineering at the University of York, UK
Issue 5 of DS 00-56 is being developed and is likely to be in force before the end of the year. The UK's primary defence safety standard, DS 00-56, has been in existence since mid-1990 and has undergone a number of changes, becoming more goal oriented at Issue 4 (the current standard). When Issue 4 was produced, DS 00-55, the MoD software safety standard, was discontinued. Since the publication of DS 00-56 Issue 4 in 2007 there has been feedback on some of the requirements, including the challenges of applying the ALARP principle; defence contracting has changed, with a move towards the greater procurement of services and/or outsourcing management of facilities; and there is increasing use of Systems of Systems (SoS). Issue 5 of DS 00-56 is being developed to address these issues. At the same time there have been increasing concerns regarding software safety, and it has been decided to re-introduce DS 00-55 at the same time, albeit in a goal-based style consistent with DS 00-56 and also covering complex electronics. The tutorial will present an explanation of the motivation for the changes to the standards and the significant conceptual changes, and outline the rest of the development process. Time will be allowed for discussion, e.g. the relationship between DS 00-56 and other standards, both civil and military.

Wednesday 08·14·13, 1:30–3:30, Fairfield: Workshop

Aircraft Fire & Explosion – How Safe Are the Friendly Skies?
Albert Moussa, PhD, PE
While commercial air travel is an extremely safe mode of transportation, aircraft fires and explosions can occasionally occur with catastrophic consequences. Using examples of recent accidents and full-scale testing, Dr. Albert Moussa will provide an overview of the main types of fires, such as those involving aircraft engine, fuel tank, cabin and cargo areas. He will show how major accidents lead to safety recommendations by the NTSB, stricter requirements by the FAA, and improved practices by the industry. This process takes many years, leading eventually to safer skies. Examples of safety improvements include the use of a fire blocking layer in seats, improved acoustic insulation, fire detection and suppression systems in cargo bays, and fuel tank inerting. The implications of replacing aluminum with composite materials will also be discussed. The talk is an overview of a unique professional course that he teaches annually on the design of aircraft systems for protection against fire and explosion. The talk is a multi-media presentation illustrated with colorful slides and short video clips of real accidents and computer model outputs.

Dr. Albert Moussa has spent over forty years developing a fundamental understanding of fire and explosion, particularly for the aerospace/defense industry. His work has led to the development of a number of practical solutions and quantitative models and to the investigation of several major national and international aircraft fire accidents. His forewarning about the vulnerability of aircraft fuel systems before the occurrence of the TWA800 and Concorde disasters has gained him prominence in the general media in both the US and Europe. He has consulted for the Air Force, Navy and major firms such as Boeing, GE, Northrop Grumman and Parker Hannifin, and has served on national advisory committees and on the Editorial Board of an ASME Journal. He teaches a unique professional design course on how to protect aircraft systems against fire and explosion. He received his BS from Stanford University and his MS and ScD from MIT. He has published widely, including one book. He has received several honors, including the William Littlewood Memorial Lecture Award by SAE/AIAA, Engineer of the Year by AIAA NE Section, best papers by SAE and ASEI, AIAA Distinguished Lecturer, and several ASME citations. He is the Founder and Technical Director of BlazeTech Corp., an engineering firm that specializes in technology and software development in the area of energy, environment and safety.

Friday 08·16·13, 8:00–10:00, Clarendon: Workshop

Process Safety Culture Best Practices
Presenter: Laurence Pearlman, MA, Corven Inc. and University of Illinois at Urbana-Champaign, Naperville, IL, USA
The workshop explores how process safety is more than a technical solution and involves cultural change. To make a successful and sustainable culture change, multiple elements need to be combined that address people, rewards, learning and leadership. This workshop will explore best practices and give practical advice on how to build a process safety culture. The workshop is aimed at oil, chemical and other process-related work.

• Introduction
• Change as a Journey: Overview of Change Management
• Building a Business Case: Defining a Burning Platform
• Speaking of Process Safety: Creating a Common Language for Process Safety
• Leadership Matters: Defining the Role of Your Leadership Teams
• Effective Learning: Segmenting Your Audiences and Delivering Relevant Learning Activities
• Looking at Behaviors and Desired Outcomes: How To Define & Drive Behaviors
• The Employee Lens: Know My Barriers & Know My Role in Keeping Them Healthy
• Measurement of Culture: What Works and What Doesn't
• Wrapping it Up: Change as a System

You have a lot on the line. Our adaptive Safety Management and FAA Compliance solutions won't let you down.

Adaptive SMS: The comprehensive solution for the most efficient implementation
• Extends a culture of safety beyond safety teams
• Easily guides users to confidentially report useful safety events
• Responsiveness shows users they made a difference

Adaptive Systems Safety Analysis: Safety oriented system design analysis

Don't miss the Sikorsky Aircraft and AST Aerospace presentation "Linear Integrated Safety Analysis (LISA)"

A DIVISION OF ATLANTIC SOFTWARE TECHNOLOGIES
1-732-230-2590
sales@astaerospace.com
www.astaerospace.com


Paper Presentations

Monday 08·12·13 AM, Berkeley: Hazard Analysis (Chair: Barondes)

Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models
Lucas Wind, Dr. Gabriele Schedl, Juergen Floetzer, Safety Management Department, Frequentis AG, 1100 Vienna, Austria
Multiple failures of components due to shared causes, also known as Common Cause Failures (CCF), comprise an important class of failure types. These have to be taken into account in any serious assessment of safety critical systems deploying any redundancy concept. Whereas a qualitative assessment of CCF can be regarded as common practice, the exact numerical impact of CCF is usually less widely understood. Explicit representation of CCF is quite cumbersome and usually involves complex graphical representations within Fault Trees and RBDs. Focusing on a correct derivation of RAM data rather than on a comprehensive common cause analysis, an implicit representation of CCF is therefore often preferred, but involves in-depth knowledge of the underlying mathematical models. This paper aims to enable safety experts to make a fast, simple but effective RAM analysis including CCF. Popular CCF models are reviewed together with their advantages and disadvantages, based on the long-term experience of a supplier in the context of a large European ATM project. The single-parameter beta-factor model is explained in detail and demonstrated to be most effective for typical ATM applications. Based on this model, results are given in terms of representative figures depicting the influence of CCF on various typical real world availability requirements.

Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees
Wes Rainey, MSEE, Life Cycle Engineering, General Dynamics Electric Boat, Groton, CT, USA
Fault Trees prove to be an effective tool for identifying safety critical system hardware and software requirements during the Safety Requirements Hazard Analysis (SRHA) process. This safety analysis methodology offers significant benefits when performing the SRHA. Fault Trees effectively communicate the safety assessment of a safety hazard to other safety engineers, systems engineers, the customer and other impacted engineering disciplines in a manner that each discipline can readily understand and evaluate for completeness and correctness. Fault Trees also enhance the safety engineer's ability to assess the implications of safety mishaps and events on safety hazards, improving visibility into the relationship between related mishaps and events and allowing for common events to be identified and shared between hazards. Fault Trees can then be structured to correspond to the system hardware and software requirements analysis, thus providing the ability to identify hazard-mitigating safety critical requirements, design features and procedures early in the development process for continued tracking and management. This paper describes significant benefits of Fault Tree analysis when applied to an SRHA, with an example based upon a hazard caused by significant equipment damage to a pump.

The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment
Omar T. Jaradat, PhD Student (1); Patrick J. Graydon, Postdoctoral Research Fellow (1); Iain Bate (2). (1) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden; (2) Department of Computer Science, University of York, York, United Kingdom
Typical safety standards require software engineers to show that a plan of safety activities (chosen from recommended options or alternatives) meets a set of objectives. For example, the automotive safety standard ISO 26262 recommends formally verifying software architectures to show that they comply with safety requirements. In this paper we show how an existing approach to architectural model checking could be used to conform to ISO 26262.

The Architecture-Based Verification Technique for AADL Specifications verifies some completeness and consistency properties of Architectural Analysis and Design Language (AADL) models. An engineer transforms the AADL architecture into an UPPAAL model, generates a set of UPPAAL queries, and uses UPPAAL to check the queries. Using the resulting evidence, we have created a partial ISO 26262 safety case for an existing system that warns drivers of heavy vehicles before low fuel causes loss of power and vehicle control.

In this paper we demonstrate how this model-checking evidence contributes to an ISO 26262 safety case. We then critically analyze the resulting argument, recommend means of achieving complete coverage of ISO 26262 objectives, and discuss the costs and benefits of architectural model checking in comparison to those of the other techniques recommended by ISO 26262.

Monday 08·12·13 AM, Clarendon: Ground Transportation (Chair: Millin)

Achieving Confidence of a Safety Critical System Product and Its Applications
Fenggang Shi, PhD, RAMS Department, Thales Canada Transportation Solutions, Toronto, ON, Canada
A safety critical system product can be developed for multiple project applications, such as a Communication Based Train Control (CBTC) product for modern railway signaling systems. It is natural that different safety critical systems in the same domain can have different characteristics due to variances of devices and operation environment. Such a product must be developed based on the generic attributes of systems in the domain and can be parameterized and tailored to a specific system with the characteristics expected by the customer. The key issues in development of such a product are defining common functions in the application domain, categorizing and generalizing devices, and designing a configurable system architecture. Thus devices and functions can be parameterized and tailored for a specific system of a project. Safety engineering for such a safety critical system product and its applications faces complexity in safety case development for demonstrating systematic hazard analyses and management. This paper discusses Thales' experience and practice of resolving the key issues in designs and managing the complexity of safety engineering on its CBTC product and applications. Safety confidence of CBTC systems is achieved through four layers of safety engineering: vital computer controller, platform, generic application and specific application.

Failure Logic Automata for Future Oriented Safety Assessment of Train Control System
Guo Zhou, PhD Student; Huibing Zhao, Professor; School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China
In the development process of a train control system, safety analysis possibly deviates from system design. System engineers and safety engineers always carry out their ideas in entirely different ways, so that when system engineers assert their designs are completed and feasible, the safety engineers may disappointedly declare that the safety requirements are not met. On the contrary, when safety engineers expose their manual analysis reports (FTA, FMECA, etc.), system engineers may pop up and point out the inconsistency. Intuitively, there seems to be a "gap" between system engineering and safety engineering. In this paper some comparisons amongst classic safety assessment methods are performed first. Then a future oriented safety assessment method is introduced to safety engineering to automatically realize safety requirements verification with the soaring complexity of system design. The hierarchical and modularized methodology of failure logic modeling is illustrated for minimal cut set synthesis and dangerous failure rate calculation, which can be referred to in order to improve safety. A mathematical model is constructed to demonstrate the correctness of the method. An instance analysis of an on-board train protection system is also performed.

Are We Ready for Driverless Cars?
David B. West, CSP, PE, CHMM, AMCOM/AMRDEC Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
For decades, technological advancements have continually improved the automobile, making it easier to drive. As we integrate features like adaptive cruise control, GPS navigation, lane keeping and so on, and make them interoperable, we move ever closer to having cars that will drive themselves to the destinations we enter into their programs. Some experts have even predicted that in less than a generation it will be illegal to steer our cars ourselves. Though it may seem that serious safety challenges constrain our movement down this path, it may actually be the safety benefits offered by driverless cars that propel us in this direction. Several high-profile competitions have fostered the development of driverless car technology. Some jurisdictions are already passing legislation to pave the way for driverless cars on public roads. With driverless cars will come major changes in legal processes involving accidents. In many ways the development of driverless cars that will operate on public roadways parallels the development of unpiloted aircraft that will fly in the national airspace. Design standards for hardware and software in civil aircraft (e.g. RTCA DO-254/DO-178) may serve as models for similar qualification of driverless car hardware and software.

Tuesday 08·13·13 AM, Berkeley: Hazard/Risk Management (Chair: Parizo)

Safety is not an Option
Clifford A. Parizo, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Stratford, CT, USA; R. Brandon Daugherty, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Huntsville, AL, USA
This paper presents a method for evaluating and classifying rotorcraft safety enhancing equipment in terms of impact on safety and various equipment implementation factors. Guidance from certifying agency policy and system safety standard practice were considered, resulting in a classification tool that can be used to determine if equipment should be marketed and sold as either mandatory or optional. The methodology developed may have applications for other products and industries.

National Aerospace Standard 411 Update
Timothy Sheehan, CIH, CSP, PE, Raytheon Global Substances Program, Raytheon, Portsmouth, RI, USA
This paper describes the effort to review and update National Aerospace Standard 411 ("NAS 411"), commonly used within defense as a framework to conduct Hazardous Material Management Programs (HMMP) intended to reduce hazardous material risks in the government procurement of military systems. The scope of the effort includes both a review of the standard and the introduction of several key changes, including the expansion of the scope to non-military procurements and service contracts. Included in the effort is the task of developing a standardized military Hazardous Materials Target List (HMTL) that can be used as a starting point for military HMMP hazardous material (HAZMAT) target lists. The development of the common HMTL addresses the need to increase standardization of HMMP lists across defense programs that use NAS 411 and/or MIL-STD-882E Task 108 to conduct their HMMPs. There is currently no standard approach for developing these lists; as a result, there are numerous different materials identified for restrictions and reporting requirements. The current situation often does not support (or reflect) the hazmat risk management goals of the DoD, the military services or the contractors.

Linear Integrated Safety Analyses (LISA)
Michael T. Grant, Aviation & Product Safety, Sikorsky Aircraft Corp., Stratford, CT, USA; Samad Muhammad, Atlantic Software Technologies Inc., New York, NY, USA
This paper describes the Linear Integrated Safety Analyses (LISA) process developed by the Sikorsky Aircraft Corporation (Sikorsky). The LISA architecture is designed to encompass all aspects of safety risk management for aircraft development programs. It is linear in that each assessment is repeated at the aircraft, system and subsystem levels in sequence, and it is integrated such that all analyses are connected and fully traceable to requirements. Sikorsky has partnered with Atlantic Software Technologies (AST) to develop a web-based LISA application. The end product will be a fully integrated system safety process that is comprehensive, repeatable and traceable.

Tuesday 08·13·13 AM, Clarendon: Workspace Safety (Chair: Kondreck)

Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen
Han Zhang, MSc Candidate; Rachel McQueen, MS, PhD; Jane Batcheller, PhD; Human Ecology, University of Alberta, Edmonton, Alberta, Canada
Burn injuries in kitchens are prevalent; as well, chefs are exposed to high heat and humidity. Limited research has been performed on safety issues related to chef's uniforms regarding thermal protective performance towards common kitchen thermal hazards (i.e. flames, hot liquids, steam and hot surfaces) and thermal comfort within commercial kitchens. The purpose of this research was to characterize the thermal protective performance properties of textiles used in chef's uniforms in order to understand how protective they are against all these thermal hazards in such an environment. Selected thermal performance tests (i.e. flammability and ease of ignition, hot water and oil splash, steam testing under low pressure, and hot surface contact tests) were applied to predict the time to second-degree burn. Different fabric layer combinations (e.g. impermeable/semipermeable apron and two or more layers of cotton fabrics) were applied to determine the most effective way to wear chef's uniforms. In addition, thermal and water vapour resistance were compared among different fabric systems in terms of thermal comfort. Based on the data obtained from bench scale tests, recommendations were made to improve the thermal protection and thermal comfort of fabrics used in chef's uniforms and the safety within commercial kitchens.

A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources
Ray Fischer (1), Kurt Yankaskas, BS (2), Chris Page (1); (1) Noise Control Engineering Inc., Billerica, MA, USA; (2) Warfighter Performance Department, Office of Naval Research, Arlington, VA, USA
Noise remains the most prevalent occupational hazard associated with defense systems and operations critical to their sustainment. Concurrently, acquisition programs have been inconsistent in the application of control measures, and many new systems are noisier than their legacy predecessors. Common impediments to improved control include a relative lack of emphasis on risk management of noise, lack of widespread technical knowledge regarding the feasibility of noise control, and misunderstanding of the potential return on investment from noise controls. The Defense Safety Oversight Council's Acquisition and Technology Task Force sponsored a project to identify common noise sources affecting multiple defense systems that were amenable to control measures that could be implemented using existing technologies at an affordable cost. A system engineering risk management process was applied to review key noise sources in DOD, identify nine of the more common sources amenable to control technologies, and describe common control measures for these processes. An affordable containment (acoustic enclosure) technology was also evaluated and described. Estimates were made of exposed populations, the range of their occupational exposures, and the potential risk and fiscal cost of hearing loss. Cost-benefit analyses were applied to evaluate the return on investment from available control measures.

System Safety Design for Safe Operation of Radars
Ronald J. Bartos, PE, CSP, Whole Life Engineering, Raytheon, Sudbury, MA, USA
Safe operation and maintenance of radars depends upon effective system safety and software safety analyses of radar designs. These analyses include identification of the hazards involved in operating and maintaining radars and of the safety requirements that are necessary to mitigate these hazards. This paper familiarizes the reader with the system safety design requirements that are implemented in the controls of these systems in order to manage the potential safety risks inherent in radars. The safety features are contrasted among different types of radars. The differences in the types of safety features among these systems are highlighted, and the factors behind these differences are presented. The radar's mission, location, system architecture, conceptual design, and requirements allocation between hardware and software need to be understood in order to implement an effective safety program.

Tuesday 08/13/13 PM, Berkeley, Software Engineering, Chair: Mikula

Dependability Techniques Applied to Space Software: A Research Project Report
Carlos Henrique Netto Lahoz, Dr. Eng., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos (SP), Brazil; Martha Adriana Dias Abdala, MS, Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos, Brazil
This work reports some results of a research project performed at the Institute of Aeronautics and Space (IAE), Brazil, using dependability techniques applied to a space computer system. Hazard analysis techniques such as Software FTA and Software FMECA were used in an integrated manner, and more recently the System-Theoretic Process Analysis (STPA) has been studied. This research is part of the Verification and Validation (V&V) efforts to increase software dependability capability in software projects at IAE.

The feasibility of such an approach was assessed on a system software specification and applied to a case study based on the Brazilian Launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to the inclusion of new functional and non-functional system software.

The techniques are adjusted and used in combination to identify common causes of software failures, their criticality, performance problems, misleading temporal behaviour, and hazards arising mainly from dysfunctional interactions between components. The SFTA analysis produced 82 basic events and the SFMECA 34 analyses from the sequence of flight and control events. The STPA is being applied to one of the case study scenarios in order to evaluate possible additional information about how the behavioural safety constraints can be violated.

The Principles of Software Safety Assurance
Richard Hawkins, PhD, Ibrahim Habli, PhD, Tim Kelly, PhD, Department of Computer Science, University of York, York, United Kingdom
We present common principles of software safety assurance that can be observed from software safety standards and best practice. These principles are constant across domains and across projects and can be regarded as the immutable core of any software safety justification. The principles also help maintain understanding of the 'big picture' of software safety issues whilst examining and negotiating the detail of individual standards, and provide a reference model for cross-sector certification.

ProgramISSC2013


Formal Modelling in the Development of Dependable Systems
Elena Troubitsyna, PhD, IT, Abo Akademi University, Turku, Finland
Nowadays we tend to place increasing reliance on computer-based systems and on the software they run. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, the analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.

It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing software to the required degree of dependability infeasible, and hence the emphasis should be put on a development process aimed at producing fault-free software. Moreover, the system environment has a direct impact on its dependability, and hence a systems approach should be applied.

In the paper we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.

Tuesday 08/13/13 PM, Clarendon, Aerospace Safety, Chair: Kraemer

Systems-Based Approach to Flight Safety Management in Airlines
Hong Chi, PhD, Baoguang Xu, PhD, Mingliang Qi, PhD, Xueyan Shao, PhD, Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China
Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of SMS. Since 2006 we have worked with one of China's 3 big airlines, taking part in its construction of SMS. We find that safety risks have their own features in different airline departments, and we divide safety risks into two categories: one is caused by factors such as the quality of pilots and the reliability of airplanes, and the other is caused by misprocessing within operational processes; for example, a misprocessing in data entry during dispatching may lead to insufficient fuel and then serious outcomes. A reasonable risk assessment can be obtained only by systematic mechanism analysis, and other analytical approaches besides the risk matrix need to be studied. Based on this, effective risk mitigation can be implemented in airlines. We develop a closed loop to support an airline's flight safety management, named "Describing-Assessing-Diagnosing-Improving-Tracking". Specific details will be discussed in this paper.

Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch
Burak Durmaz, MSc Eng, Product Assurance Department, Space Systems Group, Turkish Aerospace Industries Inc (TAI), Ankara, Turkey
Even if new generation aircraft have rugged designs that maximize reliability, exposure to failures during operation is still unavoidable. A pure safety approach can lead to the classical result "the safest aircraft is the one in the hangar". Conversely, allowing dispatch without ensuring a certain level of safety can lead to catastrophic results and is totally unacceptable. The MMEL has been answering this dilemma for many years. Each MMEL item is analyzed taking into account the effects of item inoperability on safe flight and landing, crew workload, functional capabilities of the systems, design margins, and the impacts due to the next critical failure. The MMEL proposes dispatch criteria for any inoperative MMEL item by taking credit from a redundant unit capable of accomplishing the same function or from backup data provided by alternative sources or equipment, dictating acceptable limitations and/or requiring operational or maintenance procedures.

This study aims to answer questions such as why an MMEL is required and how an MMEL is developed. Brief information about the MMEL regulations, the importance of the MMEL in ensuring safe dispatch with inoperative item(s), and some simple examples regarding MMEL applications will also be provided.


Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics
Stuart Campbell Sr., MAS, CFII, ATP, Aeronautical Science, Embry Riddle Aeronautical University, Daytona Beach, FL, USA
The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilot Association, 2010). The absence of a positive safety culture in general aviation, including training organizations, affects pilot judgment and decision making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture to the learning process and training, is of importance and currently under study using the Frasca Mentor Advance Aviation Training Device.

Tuesday 08/13/13 PM, Dartmouth, Software Safety, Chair: Schmedake

Safety and/vs Security: Towards a System Engineering Approach for Trust
Erwin Schoitsch, Dipl-Ing, Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria
Safety has a long tradition in many engineering disciplines, evolving long before computers arrived on the scene. Security in engineering disciplines has a shorter history, becoming increasingly important with the rising complexity of networked systems. In complex cyber-physical systems and systems-of-systems, both worlds, having ignored each other for a long time (independent communities, different targets, standards, techniques and measures), now have to share their concerns to achieve the real goal of users and stakeholders: trustworthy systems.

The paper will compare the different approaches of the major safety and security standards, particularly with respect to setting goals, considering techniques and measures, and qualification/certification. Holistic system aspects, as covered by the notions of Dependability and Resilience as umbrella terms, and system engineering aspects taking into account the dichotomic properties of complex embedded systems (commonalities and trade-offs) are examined in order to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from the concept phase and hazard and risk analysis to decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC-FP7 Integrated Project OpenCoss, IEC/ISO standardization groups, and other work.

Anatomy of a Safety Critical Software Function
Richard Church, Raytheon Company, Tewksbury, Massachusetts, USA
This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides a clear and concise determination of how a safety critical function may be defined at the system level to include hardware, software, human interactions and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose SLSCF computing level functions, details what constitutes a Safety Critical Computing Software Function (SCCSF), and shows how to identify those behavioral attributes that designate a function as safety critical. This paper provides a methodology to identify, decompose and categorize application and operating environment SCCSFs. For the purpose of this paper, SCCSFs are categorized into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety critical software functions that control and monitor safety critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies, and fail-safe designs found in successful high consequence safety critical systems.

Software Risk: The Third Rail of Safety Analysis
Holly S. Hildreth, PhD, Consultant; Charles Greg Elcock, USN-R Aviator, Consultant, San Diego, CA, USA
"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Due to our inability to assess the probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called "throwing the baby out with the bath water". Meanwhile, the recent industry trend to assess software risk based solely on implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss shortcomings of this trend and describe alternative techniques that have not been openly documented but that have been used "under the radar" by software safety professionals for many years.

Wednesday 08/14/13 AM, Berkeley, Human Factors, Chair: Robins

ASL: Affective Safety Leadership
Ulrik Ramsing, Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark
Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how", demanding that the CoRep engage with all parties in a safe, professional and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged with CfL Centre for Leadership to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, satisfactory completion of which is now a requirement for employment in DONG E&P Offshore Operation as Company Representative.

The CoRep Program satisfies its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors, and ILO-driven offshore coaching.

Exxon Valdez: Human Error, Plain and Simple
Arthur D. Barondes, BS (Mil Engr), MS (Aero), MBA, PhD (ABD) (Business), Analytics International Corporation (AIC), Alexandria, VA, USA
Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989, and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors (there were no mechanical or electrical failures that fateful night), the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots, and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors, onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company, as solely responsible for the disaster.


Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A. Vernacchia, MS, PE, Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A. Green, PhD, Active Safety Systems, General Motors, Warren, MI, USA; Robert E. Llaneras, PhD, Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA
Today's electric propulsion system designs (e.g. Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, for some failure modes the failure effect on output torque may be realized significantly faster than for traditional ICE failure modes. These may present differences in how output torque responses impact potential "Driver Startle" events.

This paper compares electric propulsion systems' fault response characteristics, and their subsequent detection and mitigation capabilities, to those of ICE systems. The effects of the electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle-level hazard metrics related to Driver Startle, are presented.

Wednesday 08/14/13 AM, Clarendon, Public Safety, Chair: Fletcher

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD, Yun Luo, Shuo Tian, MS, School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
Scientific precaution and effective control of accidents are important for the national production of China. The famous Heinrich Rule reveals that the statistical law of the severity and frequency of accidents is essential to control accidents, but the accident source and causation, as well as the essence of systematic safety factors, haven't been stated deeply. Using data analysis from various accident statistics over recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. A proportion rule of the accident pyramid is then further figured out, namely "Major Accident - Fatal Accidents - General Accidents - Hidden Dangers - Hazards" (1-52-240-4700-∞). The result accords with the traditional Heinrich Rule, provides the theoretical basis for accident prevention, and indicates the way and direction of realizing essential safety.

Technical and Economic Aspects of Industrial Safety at a Large Enterprise with Distributed Sites Located in a Megacity
Ilya M. Zheleznov, PhD, VNIIA, Moscow, Russia
The paper presents a review and the results of analysis of different technical and economic aspects of industrial safety at a large enterprise with distributed sites, combining R&D work with pilot and batch production of high-tech products, located in a megacity (Moscow).

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to optimization are considered, from both technical and economic points of view, taking into account minimization of the transportation of dangerous substances, localization of treatment facilities (waste effluents, gas purification) and waste storehouses, localization of working-conditions maintenance systems (heating, air-conditioning, air clearing, water supply, etc.), possible harm to the population, and a number of other factors.

The features connected with locating the enterprise in a megacity are identified, including the limited areas available for treatment facilities, a high density of various utilities in the area, small distances to residential buildings and city infrastructure objects, transport problems, high pollution of the air environment, etc.


Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr. Professor G.A. Smirnov, Dr. D.I. Yurkov, D.V. Syagin, T.V. Kozhina, All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia
The paper reviews questions related to the vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including those of a terrorist orientation, as well as to emergency situations of natural and anthropogenic character.

The main provisions of the complex program of safety of the population on transport approved by the Russian Government are presented. Approaches to organizing the screening of physical persons, passengers, vehicles, cargoes, luggage and personal belongings at transport infrastructure objects of the undergrounds of Russia are formulated. Some types of neutron and x-ray equipment designed and produced by VNIIA (named after N.L. Duhov) for the detection of explosives, nuclear materials and drugs are presented.

Wednesday 08/14/13 AM, Dartmouth, Lifecycle Safety, Chair: Swallom

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore, Singapore
System Safety analyses assess the systems' hazards throughout all phases of the system life cycle. Quite often, the details of maintenance tasks on systems are not clearly thought out and assessed. Hence, while system maintenance tasks are being carried out, hazards could arise and pose safety implications to users. Improper maintenance could also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance, and sometimes total replacement of the components at regular intervals, is required. Therefore it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety critical or safety related parts is also crucial in ensuring that the systems remain safe for operation after maintenance has been conducted.

This paper attempts to classify the different types of maintenance and focuses on their respective hazard analyses in order to better address their potential hazards. Generally there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance and Reliability-Centered Maintenance. The authors will discuss, with examples, the hazard analysis for each of these types of maintenance.

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram, David Hartfelder, Electronic Controls and Software, General Motors Company, Milford, MI, USA
System safety engineering is the application of special technical methods and managerial processes in a systematic manner to identify, evaluate and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned with eliminating or minimizing the impact of system hazard(s) to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementary critical safety analyses, tests and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase and continuing through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that they are able to influence the design of the system. This paper will define a system safety case and provide an overview of its development within the GM system safety engineering process as applied to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA
Error Prevention Event Collection (EPEC) Documents have been beneficial to the ULA Organization in many ways, by providing multiple methods to augment current ULA Error Prevention Processes and by sharing Lessons Learned throughout the ULA Organization. EPEC Documents are stand-alone documents that provide ULA Personnel with categorized sets of Event information that can be used to augment Preventive Analysis, Reactive Analysis and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process, meaning that they have completed the Causal Analysis, Corrective Action Board and Error Prevention Council processes. Upon Event closure, the "All Items" Database is populated with the Event information and the applicable Event EPEC Categories. The "All Items" Database then automatically sorts Event entries into "Category" Databases; there is one "Category" Database for each EPEC Category. Each "Category" Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" Database that provides users with instructions for use, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications and benefits of the EPEC Documents will continue to be explored.

Wednesday 08/14/13 AM, Exeter, Human Factors II, Chair: Flint

Development of an Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy, Yanyan Wang, DE, Xin Liu, Wei Bai, Xinsheng Guo, Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress has a disadvantageous effect on flight safety. Life events are a routine item of aircraft accident investigation in many countries, and many pilots involved in accidents were suffering from life events. In order to achieve the ideal effect, flight safety education must be integrated with psychology. An education program combining flight safety and psychological stress was developed by summarizing the psychological factors relevant to aviation risk perception. The program includes three sections: psychological measurement relevant to safety and feedback of results; education on representative risk scenes in aviation; and occupational stress management. The Aviation Safety Locus of Control scale and the Hazardous Aviation Attitude questionnaire were used to evaluate risk patterns, and the results were fed back to pilots to improve their self-knowledge. The representative risk scenes were based on the five hazardous attitudes theory; fifteen cases were developed and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach the pilots stress management skills. The program can be applied to improve the flight safety and mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD, Xin Liu, Wei Bai, Xinsheng Guo, Qingfeng Liu, MPsy, Xiaochao Guo, DPsy, Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
The capabilities of crew resource management (CRM) directly relate to flight safety and run through the whole process of flight tasks, but there are currently still no indicators and methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and the pilot's behavior characteristics of dynamic CRM were developed based on AC-121-FS-2011-41 crew resource management training and by analyzing the influential factors; from these, the dynamic assessment training indicators and methods of crew resource management were eventually formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis of CRM assessment during flight training, which is helpful to improve the CRM capabilities of the double drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD, Erin Collins, Hughes Associates Inc, Baltimore, MD, USA
The fire protection response in selected facilities is characterized by "manual" activities. That is, facility personnel are trained to react immediately after fire detection, not only to announce the fire event throughout the facility using the communication systems but also to suppress the fire as quickly as possible. Contrary to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e. hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper involves an integration of event tree analysis and HRA, which includes treatment of the following detection and suppression activities: prompt detection and suppression, rapid detection and suppression, and fire brigade suppression.

Wednesday 08/14/13 PM, Berkeley, Safety Topics, Chair: Gauthier

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou, BEng, MSc, PhD, CEng, Matthew Luckcuck, Tim Kelly, PhD, Richard W. Jones, PhD, Department of Computer Science, University of York, York, United Kingdom
There has been increasing use of IT in healthcare, aiming to improve the quality of healthcare as well as the safety delivered to patients. IT can contribute to meeting the performance targets of hospitals by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent in medical devices (e.g. pacemakers), for which there are organised efforts for international standards. Recently there have been attempts to systematise and standardise the safety analysis of health IT systems, with examples such as the UK National Health Service standards requiring a safety case showing that any IT system is safe.

The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety and data-intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these tactics can be used to provide assurance to the final safety case of the system.

How Complex Systems Fail - I: Decomposition of the Failure Histogram
Richard R. Zito, PhD, Richard R. Zito Research LLC, Tucson, AZ, USA
Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that in general the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model, and the failure histograms (failure rate vs. time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report takes the Peterson/Arellano analysis one step further. A unified theory of failure rates will be presented that removes the paradoxes of the simple Rayleigh model. It will be shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function law.

Wednesday 08/14/13 PM, Clarendon: Risk Assessment, Chair: Karedes

Quantitative Risk Assessment in Aviation Safety Risk Management

John Hewitt, Joan Pham, PhD, Sikorsky Aircraft Corporation, Stratford, Connecticut, USA

The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday 08/15/13 AM, Berkeley: Space Systems, Chair: Durmaz

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy

Lan X. Dang, BSCE (1), Myles P. Moran, BSME (2), Tyrone Jackson, BSEE (1); (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA

A common issue among several AF satellite acquisition program offices is insufficiency of their Orbital Safety efforts. An example: one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 AFSPCSUP1, 91-217, and 63-101. AF program offices are required to comply with AFI policies; AFIs don't generally apply to the contractor except as implemented through the contract. Often program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that by having two sets of requirements, AFIs for program offices and MIL-STD-882-Tailored for contractors, full compliance with AF Orbital Safety policy should be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"

ProgramISSC2013


Tailoring of MIL-STD-882E for Space Systems Acquisitions

Francis G. McDougall, BS Physics, Naval Post-Graduate School (NPS) Master System Engineering, System Safety Center, SMC/SE, El Segundo, CA, USA; Tyrone Jackson, BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA

Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommission and disposal of systems, subsystems, end items and services during the entire space system lifecycle to support Operational Safety, Suitability and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements that are applicable to the acquisition of space systems or space system of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems and user equipment systems. SMC-tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP_I and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process of evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing tasks and activities required to execute a viable system safety program that include risk acceptance package development, hazard tracking, mishap risk disposition and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations

Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch, CO, USA

United Launch Alliance launches Atlas V and Delta IV from Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles. Large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to launch vehicle and prelaunch operations, till liftoff. Range Safety regulations provide safety requirements for hardware, software and operations to ensure safety throughout the ground processing. This paper will examine each stage of the ground processing for space launch and the applicable safety requirements, and discuss how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to launch vehicle is performed remotely, after the personnel are cleared, using safety critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday 08/15/13 AM, Clarendon: Weapons Safety, Chair: Southwick

Security Critical Software, the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age

Showkat S. Alborzi, PhD, Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA

Today's political landscape, the arbitrary abandonment of non-proliferation of nuclear weapons by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with the system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense to system safety. This paper intends to explore this integration and unveil some of the security critical software that can serve as the first line of defense for preserving the safety critical features of our weapons systems.


Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics

John C. Adams, BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello, BSChE, Navy NOSSA, Indian Head, MD, USA

The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance provided in the associated AOP-7 and AOP-39 for implementing policy. Questions are often raised during program development and reviews as to the origin and applicability of tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, will only address Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects

Nga Pham, MS SE, Gunendran Sivapragasam, MBA SE, Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA

A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among those characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday 08/15/13 AM, Dartmouth: Hazard Identification, Chair: Oliver

Closing the Gaps in System Safety Coverage

Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore

We often asked ourselves why accidents or mishaps happened even when the system safety methodology and assessments were in place. Accidents happened due to many possible causes. There could be lapses in the safety integrity of the system, or a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns: that a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations that were faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practices in system safety. There are 4 areas of concern highlighted in the paper:


Interfaces, Prototype Tests & Trials, Maintenance & Disposal, and Human Error. By identifying the gaps in these 4 areas, the author explores and proposes mitigation measures that could possibly close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods

Thor Myklebust, Sr. Cand. scient., System Safety, SINTEF, Trondheim, Norway

Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body for certification according to IEC 61508, a Notified Body for certification according to relevant EU directives, and a Manufacturer.

Experience has shown that, to deliver the product in time and to be cost-effective, it is very important that the Manufacturer and the Certification and Notified Body agree about basic principles concerning the plans, contents, traceability and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Body as evidence.

This paper presents the CoVeR method that has been developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, that costs are minimized, time to market is reduced, that the certification process is complete and well documented, and that update of the certificates requires less work. The certification experiences to date show that many of the problems with conventional methods are improved.

Design with Safety Eye

Barış Berk Erdem, MS, Pinar Aydin, MS, Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey

Deriving safety requirements in the early stages of the design is one of the most important key factors to conduct a successful development process for any project. As well-defined, correct, consistent and complete safety requirements improve and guide the design to perfect levels with minimum effort, defective, inconsistent and incorrect safety requirements may lead to unsuccessful, overweighted and overcost designs. In this paper, ways and advantages of deriving qualified safety requirements in early stages of the design will be discussed via examples. Safety requirements are derived using the results of the safety assessments based on the consequences of functional failures. But the quality of safety assessments is based on the maturity of the design, and also, as the design matures, it is hard to change and implement the changes, which causes a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated and familiar with similar projects provides great contributions. Also, a safety perspective throughout the design team makes it easy to derive valuable safety requirements and bring these requirements to the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is cooperation of the whole design team with a safety perspective.

Thursday 08/15/13 PM, Berkeley: Aerospace Software, Chair: Beecher

Making the Implicit Explicit: Towards an Assurance Case for DO-178C

C. Michael Holloway, NASA Langley Research Center, Hampton, VA, USA

For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements". Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments contained in, or implied by, the DO-178C guidance that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic

Patrick J. Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore, developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper, we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels, and Baconian probability. We define use cases for confidence in safety cases, prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for reuse of safety elements.

Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System

Eric Yang, PhD, Richard Y. Xie, PhD, Arash Yousefi, PhD, Metron Aviation Inc., Dulles, VA, USA

As demand for military, civilian and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate the UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety that is set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper we adapt a previously developed safety modeling framework, Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS, incompatibility of sense-and-avoid systems of UAS and Tactical Collision Avoidance Systems (TCAS) of manned aircraft, loss-link procedures in the UAS, and the UAS loss of communication with air traffic control. The findings of this study provide insight into potential risks of UAS integration and may support development of a concept of operation, establishing minimum performance standards, and developing required safety nets.

Thursday 08/15/13 PM, Clarendon: Public Safety II, Chair: Laabs

Integrating System Safety and Emergency Management

Terry L. Hardy, Great Circle Analytics LLC, Denver, CO, USA

System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations, or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience, and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations

Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS, HSE, Marine Well Containment Company, Houston, TX, USA

Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess and Statoil. In February 2011, MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS and Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach for working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.

[Advertisement]

WHAT ARE YOUR STRENGTHS AS AN ENGINEER?

"thinking system-wide" / "providing in-depth analysis of the latest technologies" / "solving real-life problems"

ONLINE MASTER'S DEGREES

- RELIABILITY ENGINEERING
- PROJECT MANAGEMENT
- NUCLEAR ENGINEERING
- SUSTAINABLE ENERGY
- ENERGETIC CONCEPTS
- FIRE PROTECTION ENGINEERING

LEARN MORE: wwwadvancedengineeringeduissc


A Taxonomic Analysis on Chinese Special Equipments "Yinhuan" in Supervision

Yunxiao Fan, Dr., Associate Professor, Yun Luo, Professor, Ming Lu, Master, School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipments to ensure their safety in the worksite. Special equipments in China include boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices and automobiles. In recent years, the rapid increase in numbers and types of special equipments has brought BSES increasing stress on special equipments regulation. As a government supervision organization, BSES tries to make explicit the inspection tasks of different supervision levels efficiently and improve safety management performance from the viewpoint of risk. This research is the first task in the project, which aims to identify yinhuans in special equipment supervision by a taxonomy approach, for further ranking them through risk assessment. Based on nonconformity and 4 elements in the accident causation model, this research defined yinhuans of special equipments in China and built a yinhuan taxonomic analysis structure. This research identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans of 8 types of special equipments.

Thursday 08/15/13 PM, Dartmouth: Hazard/Risk Management II, Chair: Kniess

Towards Automatic Verification of Safety Properties in AADL System Models

Stefan Björnander, MSc (1), Patrick J. Graydon, PhD (2), Rikard Land, PhD (1); (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework including analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach, the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence; it can ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events

James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA

United Launch Alliance (ULA) believes error reporting is the corner-stone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as Events) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012, ULA experienced an elevated number of transportation related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if associated processes were in statistical control with respect to errors.

This paper concludes:

- The Statistical Quality Control P-Charting technique can be applied to Event data.
- Statistical Quality Control P-Charting analysis indicates processes were "in control" during the period of this study.


[Advertisement]

Isograph Software: World Leading Reliability, Availability and Maintenance Software

Reliability Workbench: Reliability Allocation, Prediction, FMECA, Fault Tree Analysis, Event Tree Analysis, Markov

Availability Workbench: Reduce Labor & Spares Costs, Increase uptime and output, Seamless integration with SAP and Maximo

www.isograph-software.com

Even though statistical analysis tools demonstrated ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.

Leading Indicators in Aviation Operations

Robert W. Fletcher, PMP, P.Eng., MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece

Since September 11, 2001, system safety and security has been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators based on the timely capture of significant sets of data can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analyses methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how the STAMP Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents and incidents. The objective is to show the feasibility of establishing in airports system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems and airports to assess and predict changing levels of risk.


Special Functions

Saturday: SSS Executive Council Meeting, 12:00 - 5:00pm, Tremont Room

Sunday: SSS Executive Council Meeting, 8:00am - 5:00pm, Tremont Room

Monday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Opening Ceremonies / General Session, 1:30 - 3:30am, Salons A-E. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus

Keynote Speaker: James P. Keller Jr., MS, ECRI Institute

Tuesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Sponsor/Exhibitor Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology

Sponsor & Exhibitor Reception, 6:30 - 8:30pm, Gloucester Room

Wednesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

International Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK

Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00pm. Be in the hotel lobby at 6:00pm.

Thursday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Awards Luncheon, 11:30 - 1:20pm, Salons A-E

Friday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Best Papers Presentations, 8:00 - 11:20am, Dartmouth Room


32nd International System Safety Conference, 4-8 August 2014 · St. Louis, MO

St. Louis Union Station Marriott Hotel

Gateway to Safety

Local attractions:

- Gateway Arch Riverfront
- Missouri History Museum
- Museum of Transportation
- St. Louis Cardinals
- St. Louis Symphony
- St. Louis Union Station
- St. Louis Science Center
- The Contemporary Art Museum St. Louis
- Bissell Mansion Restaurant and Dinner Theater
- Missouri Botanical Gardens
- Laumeier Sculpture Park
- Anheuser-Busch Brewery
- Kemp Auto Museum
- Schlafly Bottleworks
- Fox Theater
- Purina Farms
- Meramec Caverns
- Laclede's Landing
- City Museum
- Magic House
- Grant's Farm
- St. Louis Zoo
- Delmar Loop
- Forrest Park
- Harrah's
- Six Flags


About the System Safety Society

The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program or activity at the planning phase and continues through the design, production, testing, use and disposal phases.

The Society's Objectives:

- To advance the art and science of system safety
- To promote a meaningful management and technological understanding of system safety
- To disseminate advances in knowledge to all interested groups and individuals
- To further the development of the professionals engaged in system safety
- To improve public understanding of the system safety discipline
- To improve the communication of system safety principles to all levels of management, engineering and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070. www.system-safety.org, email: systemsafety@system-safety.org

Points of Contact

Officers

Robert Schmedake, President, robertaschmedakeboeingcom

Dr. Rod Simmons, Executive Vice President, rodsimmonsmecom

Dr. Matt Johnson, Executive Secretary, mjohnsonstaudertechcom

Pam Kniess, Treasurer, pamkniessgmailcom

Gary Braman, Immediate Past President, gbramansikorskycom

Directors

Gerry Einarsson, Chapter Services, einargkrogerscom

Lynece Pfledderer, Conferences, Lynecepfleddererlmcocom

Dr. Chuck Muniak, Education & Professional Development, cmuniakstevensedu

Debbie Hale, Gov. & Intersociety, Hale0324hotmailcom

Robert Fletcher, International Development, rwfletchersympaticoca

Melissa Emery, Member Services, memeryapt-researchcom

Steve Mattern, Mentoring R&D, smatternbastiontechnologiescom

Saralyn Dwyer, Publicity & Media, sdwyerapt-researchcom


Chapters

Tennessee Valley Chapter AL Don Swallom swallomisss-tvcorg

Saguaro Chapter AZ Amanda Boysun 520-794-5487 AmandaBoysunraytheoncom

Bay Area Chapter CA Graham Murray 408-756-2674 grahamtmurraylmcocom

Central California Chapter CA Kathleen Brenna KathleenBrenna1usafmil

Sierra High Desert Chapter CA Jerry Banister 760-377-4690 safetycitadelearthlinknet

Southern California Chapter CA Francis McDougall 310-653-1309 francismcdougallusafmil

Colorado Chapter Terry Foppe 303-915-8353 terryfoppecomcastnet

Georgia Chapter Terry Gooch 770-494-3527 terryjgoochgmailcom

Winners Circle Chapter KYIN Marc Bever 812-854-1351 Marcbevernavymil

Twin Cities Chapter MN Bill Blake 763-744-5086 billblakeatkcom

New England Chapter Alan E Southwick 401-842-2067 Alan_E_Southwickraytheoncom

Northeast Chapter Scott Beecher scottbeecherPWutccom

New Mexico Chapter NM William (Bill) Harwood williamharwoodmdamil

Houston Chapter TX Derek Robins 281-335-2011 derekrobbinsmwcc-usacom

North Texas Chapter TX Frank Rinaldo 817-762-3075 frankrrinaldolmcocom

Washington DC Chapter Sean Peters seanpetersurscom

Virtual Chapter Doanna Weissgerber 408-289-4407 DoannaWeissgerberbaesystemscom

International ChaptersAustralia Chapter Dr Holger Becht +61 (0)7 3868 9243 holgerbechtrgbassurancecomau

Canada Chapter Maury Hill 613-220-0533 Mauryhillrogerscom

Israel Chapter Haim Kuper 972-4-8315044 haimkuperelbitsystemscom

Singapore Chapter Ten Lin Mei tlinmeidsoorgsg


31st ISSC Luncheon Menu

Tuesday, August 13
New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14
Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15
Caesar Salad
Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce
White Chocolate and Blood Orange Torte


Rooms: Exeter / Fairfield / Suffolk / Wellesley

8:00 - 8:50
Tutorial: Conceive of Modeling On Operation Mechanism of Public Safety Standardization, Luo, Huang (6 hrs)
Panel: G-48 Pressing Issues Facing System Safety, West (3 hrs)
Committee & Group Meetings

9:00 - 9:50
10:30 - 11:20
1:30 - 2:20
Tutorial (continued); Committee & Group Meetings (continued)
2:30 - 3:20
4:00 - 4:50

Friday 16 August
Simmons Room, 6:30 - 8:00: Speakers' Breakfast

Rooms: Clarendon / Dartmouth / Regis
8:00 - 8:50: Workshop: Process Safety Culture Best Practices, Pearlman (2 hrs); Best Paper 1; Lessons Learned & ISSC Staff Turn-over Meeting
8:50 - 9:30: Best Paper 2
10:00 - 10:40
10:50 - 11:30


3 2 1 SAFETY

System safety is paramount. It impacts our products, employees, technicians and maintenance personnel. And safety is no accident: it is designed into everything we do. We are proud to sponsor this year's International System Safety Conference and their mission to think outside the box when it comes to the best processes, methods and techniques. We're committed to delivering innovative ideas and solutions that help connect, protect and explore our universe.

www.lockheedmartin.com/ssc

© 2012 Lockheed Martin Corporation


Tutorials

The conference organizers have an information-packed tutorial program planned in conjunction with the 31st ISSC. Attending tutorials, as well as other elements of the Technical Program at the 31st ISSC, meets the requirements for Continuance of Certification credit through the Board of Certified Safety Professionals (BCSP). The University of Cincinnati will issue Continuing Education Units (CEUs) for participation in the conference tutorials. CEUs are issued on the basis of 0.1 CEU per instructional contact hour. You must be present for at least 90% of the tutorial to receive CEUs and a tutorial completion certificate. Your attendance is verified via the process outlined below.

• At the start of the tutorial, you'll clearly print your name in the attendance form exactly as you want it to appear on the certificate.
• After returning from each break during the tutorial (morning, lunch and/or afternoon), you'll initial the attendance form.
• You must be present at the end of the tutorial to receive your certificate and the CEUs.

If there are misspellings on the CEU certificates, please mark the corrections and give them back to the instructor or leave them at the registration desk.

Monday 08·12·13, 8:00-11:30, Exeter, Tutorial, 0.3 CEU

Hands-On System Safety Basics Focused on FHA
Instructors: Werner Winkelbauer, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria
An overview of a generic safety process best suited for small to medium sized projects in relation to the project lifecycle is given. For each major project phase, the respective safety process phase, safety objectives and necessary inputs and outputs are detailed. Some state-of-the-art analysis techniques are explained. Special emphasis is placed on the Functional Hazard Assessment, where practical guidance for a Functional Failure Modes and Effects Analysis is presented.

The content of this tutorial is based on experience from an internationally working company.

Objective: Basic understanding of a safety process and the practical implementation of a Functional Failure Modes and Effects Analysis.

Monday 08·12·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Introduction to Fault Tree Analysis Using CAFTA Software
Instructor: Jean Francois Roy, Nuclear Division/Risk & Safety Management Group, Electric Power Research Institute, Palo Alto, CA, USA
This tutorial will introduce Fault Tree Analysis using CAFTA software. Attendees will first review fault tree methodology and terminology. Construction of a fault tree model in CAFTA will then follow a brief review of CAFTA's components and symbol types. In constructing the fault tree model, topics covered will include projects, navigation, editing, shortcuts and how to add probabilities. An overview of basic event probability formulas, type codes and variables will be included, as well as printing and quantification processes.

Tuesday 08·13·13, 8:00-5:00, Arlington, Tutorial, 0.6 CEU

A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique
Instructors: Nancy G. Leveson, PhD, John Thomas, PhD, Aeronautics and Astronautics, MIT (Massachusetts Institute of Technology), Cambridge, MA, USA
STAMP is a new accident causality model that expands on the old models in order to handle the increased complexity, software and changing human roles in today's systems. Using STAMP as a foundation, new tools have been built for hazard analysis (STPA), accident analysis (CAST), organizational risk analysis and risk management, etc. This tutorial will concentrate on STPA. The tutorial will start with a brief introduction to STAMP and the systems approach to safety engineering. The rest of the time will be devoted to learning STPA and doing exercises. Students are encouraged to bring problems from their own research domains so that they can try this analysis method on something very relevant to their work.

STPA is being used successfully in almost every industry. Several groups have evaluated STPA empirically by comparing the results with standard hazard analysis techniques. In all cases STPA found all the hazard scenarios found by the other methods, but also found additional ones involving software, human errors and unsafe interactions among system components. In a couple of cases where STPA and the other methods were applied to a design in which an accident had occurred (without telling the analysts), STPA was the only method that found the real accident scenario.

By the end of the tutorial, attendees will be able to apply STPA to a system in their field of expertise.

Tuesday 08·13·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Assurance Cases as a Means of Evidence-Based Development of Critical Systems
Instructor: George Despotou, BEng, MSc, PhD, CEng, Department of Computer Science, University of York, York, United Kingdom
Often developers have the onus to defend a position (i.e. make a case) about the safety of their system. This usually involves an explanation of how the available information for a system supports the claim that risks in a system have been acceptably managed.

Safety cases have been used in the safety domain for a number of years, mostly in the defence, aerospace and energy domains. Their usefulness as a tool for improving safety has been appreciated by many practitioners, and development of a safety case is a requirement in many standards. This has resulted in the core concepts of safety cases being transferred to other domains (e.g. automotive) and being focused on other system attributes (e.g. security cases). Recently the term assurance case has been introduced, which encompasses not only safety but other relevant critical aspects of a system, such as security.

A case exists to communicate an argument. It is used to demonstrate how someone can reasonably conclude that a system is acceptably safe from the evidence available. A case is a device for communicating ideas and information, usually to a third party (e.g. a regulator). In order to do this convincingly it must be as clear as possible. Safety case definitions may differ between domains, but all definitions converge on a set of characteristics.

Development of a (safety) case is a requirement in many standards. Beyond that, the usefulness of the safety case has been appreciated in industry, and it is used by many organisations as good practice. The reason for this is that explicitly capturing all reasoning and information (about the supported position), such as assumptions and evidence, facilitates assessing the fitness of the design to meet its (safety) objectives. A manufacturer will design a system aiming to achieve the required operational attributes. However, what is intended is often not what is achieved. Once the reasoning of the developers is explicitly documented as claims and arguments supported by evidence, the gap between what was intended and what was achieved becomes more apparent.

Explicitly documenting a case will contribute towards a factual representation of the system, revealing which claims can be supported by evidence and which remain intentions (for example because there is not sufficient evidence to support them). This does not necessarily imply that the latter claims have not been implemented, but that we are unaware of their achievement as they are not sufficiently supported. There can be three reasons why a claim is not sufficiently supported: a) there is not sufficient evidence to warrant the claim; b) although there is evidence, there is inadequate explanation (a problematic argument structure) of how the evidence supports the claim; and c) the claim was phrased in a way that is unsupportable.

The tutorial describes the basic concepts of assurance and safety cases (including recent OMG standards), will explain the main challenges in developing an assurance case and their relationship to safety standards (safety cases and standards serve different purposes and should be seen as complementary), and present best practice (and misconceptions) regarding assurance cases.

Tuesday 08·13·13, 8:00-11:30, Suffolk, Tutorial, 0.3 CEU

Practical Generation of Safety Cases with the Help of GSN
Instructors: Andreas Gerstinger, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria
This tutorial will introduce you to the concept of safety cases. Safety cases are structured arguments that support the claim that a system is safe to be used for a given application in a given environment. Several standards require the production of such safety cases as a prerequisite for approval. The tutorial will highlight good and bad practices when developing safety cases and will introduce you to a notation specifically developed for the generation of safety cases, the Goal Structuring Notation (GSN). There will be practical examples which need to be solved by the attendees so that hands-on practice and experience is gained.

Detailed outline of the tutorial:

Introduction (1h): The tutorial will start with a survey of current safety standards (IEC 61508, ISO 26262, EN 50128, DO-178C) and analyse their views and requirements regarding safety cases. We will then delve into the nature of safety cases, briefly touch on their historical origins and clearly consider what can and what can't be expected from a safety case. Based on our practical experience we will also highlight some typical bad practices when constructing safety cases. This helps to read them correctly and critically, and is also a helpful guideline for reviewing other safety documentation. This part of the tutorial is largely a presentation.

Goal Structuring Notation (45 min): We will then introduce the main elements of the Goal Structuring Notation (GSN), which is a helpful tool to document safety cases. The presentation of the notation will be interleaved with brief examples, exercises and questions so that attendees have the chance to fully understand the meaning and purpose of the various symbols. A structured method for how to proceed when drafting safety cases will also be presented. Hence this part of the tutorial is much more interactive, requiring active participation of attendees.

Case Study (45 min): A realistic case study will then be handed out. It is expected to be solved as group work (groups of 3-5 people are expected). The task of the groups will be to draft and present a sound safety argument for a given claim that the system in the case study is acceptably safe for a specific application in a given environment. GSN shall be used as the notation for this purpose. At the end the groups present their solutions, and the advantages and disadvantages of the presented solutions are discussed. This part of the tutorial is group work.

Concluding Remarks (30 min): Finally we will offer some concluding remarks consisting of hints on how to avoid common errors and fallacies in safety cases, show some examples of real-world safety cases, and finish with a personal conclusion.

Tuesday 08·13·13, 1:30-5:00, Suffolk, Tutorial, 0.3 CEU

Improving Safety Management by Using a Risk Management Policy in Your Daily Operations
Instructor: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA
The focus of the tutorial is the use of risk assessment and risk management in the (non-technical) occupational safety and health profession. Domain of Interest: Hazard/Risk Management or Workplace Safety.

First hour: Review the basics of the various components of risk and types of risk assessments. Stress that the safety and health professional needs to understand that risk is more than a simple subjective measure of severity and frequency.

Second hour: Demonstrate how to make risk assessment into a powerful management tool by customizing the assessment of risk for use in a company or industry. Also provide insights on how to "sell" a risk management policy/program within a company.

Third hour: A discussion of how to use risk management as a tool to aid you in your daily office or program management responsibilities: the planning, organizing, staffing, leading and controlling of a safety program. Embedded in the discussion is how risk can provide a measure of the success of an occupational safety and health program.

Wednesday 08·14·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Why You Should Care About the "-Ilities"
Instructor: Alan E. Southwick, BSEE, MME, MBA, CSP, CQE, CRE, Whole Life Engineering Directorate, Raytheon Company Integrated Defense Systems, Portsmouth, RI, USA
The topic addresses the interrelationships developed from Quality, Quality Control and Quality Engineering, pursuing Specialty Engineering roles and relationships including Reliability, Maintainability, Supportability, Human Factors, Safety and Security (Information Assurance) from an overview perspective. The tutorial is designed to be somewhat interactive, presenting examples and questions to the audience related to the various topics discussed, thereby engaging participants and providing them with insights into the various disciplines and how they relate within "Specialty Engineering".

Wednesday 08·14·13, 1:30-3:30, Dartmouth, Tutorial, 0.2 CEU

Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System
Instructors: Tim R. Behnke, BSEE; John Damstra, BS Mathematical Sciences; and Eric D. Villhauer, BS Aerospace Eng., BA Economics; Specialty Engineering, General Atomics Aeronautical, Poway, CA, USA
The presenters share their implementation of a hazard analysis that integrates the civil aviation approach to safety analysis per SAE ARP 4761 and the defense approach to safety analysis per MIL-STD-882E, along with their implementation of the associated hazard tracking system in DOORS.

• Introductions - Behnke - 5 mins
• Need for System - Behnke - 5 mins
• Groundwork (historical) - Behnke - 10 mins
• Development - Damstra - 30 mins
  i. Modules
  ii. Attributes
  iii. DXLs
  iv. Views
  v. Exports
• Usage - Villhauer - 30 mins
• Questions - All - 10 mins


Wednesday 08·14·13, 1:30-3:30, Exeter, Tutorial, 0.2 CEU

Where Hard Meets SOFT: Human Factors' Role in System Safety Engineering
Instructor: Fred W. Brisbois, CHCM, Safety, Sikorsky Aircraft, International Helicopter Safety Team, Guilford, CT, USA
The gap that allows accidents to happen is sometimes where System Safety Engineering and Human Factors don't overlap. System Safety Engineering processes defined in MIL-STD-882 and ARP 4761 provide a structured approach to applying engineering practices to ensure safety is designed into products. These practices, coupled with robust product safety surveillance and management during the aircraft's service life, offer opportunities to continuously raise the standards for future designs. However, to maximize the benefits of safety engineering it is important to master the 'art' of how and when to integrate human factor interventions into the system design. This session will cover a generic overview of system safety engineering, aircraft fleet safety management and lessons learned from 'human' malfunctions that led to aircraft system design changes.

Wednesday 08·14·13, 1:30-5:00, Wellesley, Tutorial, 0.3 CEU

Using Risk Profiles for Safety Management of Large Scale Operations
Instructor: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA
This tutorial provides safety and health professionals who work with large scale or multiple operations with a methodology to evaluate and compare these operations. The tutorial begins with a review of four types of risk which need to be assessed (People, Product, Production and Planet). This is followed by a brief discussion of normalizing the risk components of severity and probability. The heart of the tutorial is the description of how to measure the total risk of various operations, processes and facilities and present the resulting risk profiles to management. The tutorial will conclude with a brief discussion on the validity of the methodology used. Note: This is not a discussion on how to determine true total risk, but a simplified method using a minimum of math. The tutorial is designed for safety and health professionals working within a company that has multiple processes or facilities that compete for funding to ameliorate hazards.

Thursday 08·15·13, 8:00-5:00, Exeter, Tutorial, 0.6 CEU

Conceive of Modeling On Operation Mechanism of Public Safety Standardization
Instructors: Yun Luo and Yuecheng Huang, ME, School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
On the basis of the theories and methods of system science and strategy-system, this paper reveals the operating law of the standardization of safety production and the relations between all its elements, combined with the background and current situation of public safety standardization in China. It also builds the frame of a macroscopic operating mechanism and the "456" model of the work safety standardization system operation mechanism, which borrows its idea from the execution and achievements of work safety standardization in our country. Besides, it also designs six other mechanism models in order to perform systematic analysis and present optimized countermeasures, such as comprehensive management by government, categorized supervision by department, implementing responsibility by organization, technological service by agency, wide participation by society, self-disciplined prodding by all personnel, and so on. The research provides some theoretical directions as well as approaches for the construction of public safety standardization and the improvement of its operating quality.


Panel Discussions / Forums

Tuesday 08·13·13, 8:00-11:30, Dartmouth, Open Forum

Developing Global System Safety Perspectives
Moderator: Robert Ward Fletcher, PEng, MSc, PMP, PCIP, Consultant, President, Robert Fletcher System Safety Inc., Ottawa, Ontario, Canada
This will be a free-form discussion moderated by Bob Fletcher, SSS Director of International Development. It is a continuation of the discussion started during the 30th ISSC.

Robert is a system safety engineer with many years of experience. He has performed system safety consultancy services work for several clients around the world. He has performed system safety engineering and safety management systems training, auditing and analysis for air traffic control and flight service system applications. Robert has received an MSc from the United States Navy Post Graduate School, a diploma from the Aerospace Systems School, Winnipeg, Manitoba, and a Bachelor of Science degree from the Royal Military College. He is a registered professional engineer, a member of the Project Management Institute and the Critical Infrastructure Institute.

Thursday 08·15·13, 8:00-11:30, Suffolk, Panel

G-48 Workshop - Pressing Issues Facing System Safety
Moderator: David B. West, CSP, PE, CHMM, Systems Software and Solutions Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
A panel of speakers (TBD) will give a series of presentations on the most pressing issues facing the System Safety community today.

Workshops

Tuesday 08·13·13, 8:00-11:30, Exeter, Workshop

ISO 26262-Style Risk Assessment
Presenter: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada
ISO 26262 is a functional safety standard for electronic control systems in road vehicles which includes a novel approach to risk assessment that overcomes the widely recognized difficulty of evaluating the likelihood of failure in the case of software-intensive systems. Although it was devised for use in the automotive domain, this approach to risk assessment has been used successfully in other technical domains that also rely on safety-critical software. Following a brief introduction to ISO 26262, participants will engage in a series of problem-solving small-group exercises based on examples taken from a variety of technical domains, including automotive, medical devices, energy and defense. The workshop will include opportunities for discussion and comparison of sample solutions. The workshop will also include a brief comparison of the ISO 26262 approach to risk assessment with the notion of software criticality in MIL-STD-882E. While this workshop will be of particular interest to system safety engineers in the automotive industry, it is intended to be relevant to system safety engineers across all technical domains with an interest in the assessment of safety risk associated with complex software-intensive systems.


Tuesday 08·13·13, 1:30-5:00, Exeter, Workshop

Application of System Safety Methods to Systems of Systems
Presenters: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada; Rami Debouk, Electrical and Controls Integration Lab, General Motors, Warren, MI, USA; Antonio Vergara, ITER Organization, St. Paul-lez-Durance, France
This workshop will facilitate an exchange of knowledge among participants about the application of system safety methods to Systems of Systems (SoS), that is, systems whose components are themselves complex systems, such that the combined behavior of these components cannot be easily understood or explained in terms of the behaviors of the individual components. Examples of such systems are increasingly common across a variety of technological domains, including aerospace, defense, automotive and energy generation/distribution. Traditional methods of system safety, focused on component failure as a source of safety risk, have limited value in understanding and managing the safety risks associated with a SoS. For example, an unforeseen interaction between two "correct" behaviors implemented by different components of a SoS may result in an unsafe behavior even in the absence of a component failure. The first part of the workshop will be a series of short presentations on SoS examples from a diverse variety of technical domains, namely advanced road vehicles, high energy physics and aerospace/defense. The second part of the workshop will be an opportunity for all participants to address specific questions about the application of system safety methods to SoS through dialogue and impromptu mini-presentations.

Tuesday 08·13·13, 1:30-5:00, Fairfield, Workshop

Advancing Safety By Reducing Errors: A Fresh Approach
Presenter: Tim Autrey, BSc, Error Reduction and Human Performance Enhancement, Practicing Perfection Institute Inc., Swanzey, NH, USA
Potential hazards workers face while working in the refining and petrochemical industry can vary from minor leakage to major blasts: release of chemical vapors; spills leading to exposure to harmful gaseous chemicals; fires and explosions; and smoke build-up causing shelter-in-place, impacting the local community, with personal injuries, fatalities and plant damage resulting in shutdowns. Considering time pressures, the dangerous nature of the job, weather conditions, lack of communication, poor/inadequate documentation and remote working locations, planners, locators and refiners often face combined challenges that generate very error-likely conditions.

While unexpected releases of toxic substances do occur, the industry is also subject to vulnerabilities caused by other factors (such as processes involving highly hazardous chemicals leading to the release of flammable liquids and gases, and worker stress and fatigue), and investigations reveal that many of the major accidents that do occur could have been prevented through greater diligence on behalf of the respective personnel involved.

This workshop is designed to provide the participants with the awareness that as humans we are fallible (even the best people make mistakes). However, this being said, as humans we also possess the incredible power of choice. What we must do is choose to learn from our mistakes and take actions to prevent their recurrence.

Bird and Germain (1996) rightly said: "What is the sense of measuring if the loss must occur before you can act? That is reaction, not control." What we need is a fresh approach to enhance safe work practices. This session will instill a strong understanding of "The Gap" in processing information and how to RESPOND rather than REACT when posed with a stressful or threatening situation. The participants will come to recognize the value inherent in worker contribution to solving problems and improving safety and efficiency.

The Practicing Perfection® approach has taken the best-of-the-best tactics and tools from the US commercial nuclear power and airline industries, simplified them, and combined them with underlying triggers and influencers of behavioral psychology to transform worker behaviors pertaining to personal and process safety in different sectors.


Using this innovative approach of Practicing Perfection®, safe work practices will be discussed in depth using the four human error barrier/defense categories and how these work together to prevent/allow an event to occur. The participants will be introduced to the Error Elimination Tools™ handbook, which offers simple tools for minimizing the potential for error at points of team interaction and individual execution.

Wednesday 08·14·13, 1:30-3:30, Arlington, Workshop

The Evolution of the UK Defence Safety Standards
John McDermid, Professor of Software Engineering at the University of York, UK
Issue 5 of DS 00-56 is being developed and is likely to be in force before the end of the year. The UK's primary defence safety standard, DS 00-56, has been in existence since mid-1990 and has undergone a number of changes, becoming more goal oriented at Issue 4 (the current standard). When Issue 4 was produced, DS 00-55, the MoD software safety standard, was discontinued. Since the publication of DS 00-56 Issue 4 in 2007 there has been feedback on some of the requirements, including the challenges of applying the ALARP principle; defence contracting has changed, with a move towards the greater procurement of services and/or outsourcing management of facilities; and there is increasing use of Systems of Systems (SoS). Issue 5 of DS 00-56 is being developed to address these issues. At the same time there have been increasing concerns regarding software safety, and it has been decided to re-introduce DS 00-55 at the same time, albeit in a goal-based style consistent with DS 00-56 and also covering complex electronics. The tutorial will present an explanation of the motivation for the changes to the standards and the significant conceptual changes, and outline the rest of the development process. Time will be allowed for discussion, e.g. the relationship between DS 00-56 and other standards, both civil and military.

Wednesday 08·14·13, 1:30-3:30, Fairfield, Workshop

Aircraft Fire & Explosion: How Safe Are the Friendly Skies?
Albert Moussa, PhD, PE
While commercial air travel is an extremely safe mode of transportation, aircraft fires and explosions can occasionally occur with catastrophic consequences. Using examples of recent accidents and full-scale testing, Dr. Albert Moussa will provide an overview of the main types of fires, such as those involving aircraft engine, fuel tank, cabin and cargo areas. He will show how major accidents lead to safety recommendations by the NTSB, stricter requirements by the FAA and improved practices by the industry. This process takes many years, leading eventually to safer skies. Examples of safety improvements include the use of a fire blocking layer in seats, improved acoustic insulation, fire detection and suppression systems in cargo bays, and fuel tank inerting. The implications of replacing aluminum with composite materials will also be discussed. The talk is an overview of a unique professional course that he teaches annually on the design of aircraft systems for protection against fire and explosion. The talk is a multi-media presentation illustrated with colorful slides and short video clips of real accidents and computer model outputs.

Dr. Albert Moussa has spent over forty years developing a fundamental understanding of fire and explosion, particularly for the aerospace/defense industry. His work has led to the development of a number of practical solutions and quantitative models, and to the investigation of several major national and international aircraft fire accidents. His forewarning about the vulnerability of aircraft fuel systems before the occurrence of the TWA800 and Concorde disasters has gained him prominence in the general media in both the US and Europe. He has consulted for the Air Force, Navy and major firms such as Boeing, GE, Northrop Grumman and Parker Hannifin, and has served on national advisory committees and on the Editorial Board of an ASME Journal. He teaches a unique professional design course on how to protect aircraft systems against fire and explosion. He received his BS from Stanford University and his MS and ScD from MIT. He has published widely, including one book. He has received several honors, including the William Littlewood Memorial Lecture Award by SAE/AIAA, Engineer of the Year by AIAA NE Section, best papers by SAE and ASEI, AIAA Distinguished Lecturer and several ASME citations. He is the Founder and Technical Director of BlazeTech Corp., an engineering firm that specializes in technology and software development in the area of energy, environment and safety.

Friday 08·16·13, 8:00-10:00, Clarendon, Workshop

Process Safety Culture Best PracticesPresenter Laurence Pearlman MA Corven Inc and University of Illinois at Urbana Champaign Naperville IL USAThe workshop explores how process safety is more than a technical solution and involves cultural change To make a successful and sustainable culture change multiple elements need to be combined that address people rewards learning and leadership This workshop will explore best practices and give practical advice on how to build a process safety culture The workshop is aimed at Oil Chemical and other process related work

• Introduction
• Change as a Journey: Overview of Change Management
• Building a Business Case: Defining a Burning Platform
• Speaking of Process Safety: Creating a Common Language for Process Safety
• Leadership Matters: Defining the Role of Your Leadership Teams
• Effective Learning: Segmenting Your Audiences and Delivering Relevant Learning Activities
• Looking at Behaviors and Desired Outcomes: How To Define & Drive Behaviors
• The Employee Lens: Know My Barriers & Know My Role in Keeping Them Healthy
• Measurement of Culture: What Works and What Doesn't
• Wrapping it Up: Change as a System

You have a lot on the line. Our adaptive Safety Management and FAA Compliance solutions won't let you down.

Adaptive SMS — The comprehensive solution for the most efficient implementation
• Extends a culture of safety beyond safety teams
• Easily guides users to confidentially report useful safety events
• Responsiveness shows users they made a difference

Adaptive Systems Safety Analysis — Safety-oriented system design analysis

Don't miss the Sikorsky Aircraft and AST Aerospace presentation "Linear Integrated Safety Analysis (LISA)"

AST Aerospace, a division of Atlantic Software Technologies
1-732-230-2590
sales@astaerospace.com
www.astaerospace.com


Paper Presentations

Monday 08·12·13 AM, Berkeley: Hazard Analysis. Chair: Barondes

Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models
Lucas Wind; Dr. Gabriele Schedl; Juergen Floetzer; Safety Management Department, Frequentis AG, 1100 Vienna, Austria
Multiple failures of components due to shared causes, also known as Common Cause Failures (CCF), comprise an important class of failure types. These have to be taken into account in any serious assessment of safety-critical systems deploying any redundancy concept. Whereas a qualitative assessment of CCF can be regarded as common practice, the exact numerical impact of CCF is usually less widely understood. Explicit representation of CCF is quite cumbersome and usually involves complex graphical representations within Fault Trees and RBDs. Focusing on a correct derivation of RAM data rather than on a comprehensive common cause analysis, an implicit representation of CCF is therefore often preferred, but it requires in-depth knowledge of the underlying mathematical models. This paper aims to enable safety experts to make a fast, simple, but effective RAM analysis including CCF. Popular CCF models are reviewed together with their advantages and disadvantages, based on the long-term experience of a supplier in the context of a large European ATM project. The single-parameter beta-factor model is explained in detail and demonstrated to be most effective for typical ATM applications. Based on this model, results are given in terms of representative figures depicting the influence of CCF on various typical real-world availability requirements.

Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees
Wes Rainey, MSEE, Life Cycle Engineering, General Dynamics Electric Boat, Groton, CT, USA
Fault Trees prove to be an effective tool for identifying safety-critical system hardware and software requirements during the Safety Requirements Hazard Analysis (SRHA) process. This safety analysis methodology offers significant benefits when performing the SRHA. Fault Trees effectively communicate the safety assessment of a safety hazard to other safety engineers, systems engineers, the customer, and other impacted engineering disciplines in a manner that each discipline can readily understand and evaluate for completeness and correctness. Fault Trees also enhance the safety engineer's ability to assess the implications of safety mishaps and events on safety hazards, improving visibility into the relationship between related mishaps and events and allowing common events to be identified and shared between hazards. Fault Trees can then be structured to correspond to the system hardware and software requirements analysis, thus providing the ability to identify hazard-mitigating safety-critical requirements, design features, and procedures early in the development process for continued tracking and management. This paper describes significant benefits of Fault Tree analysis when applied to an SRHA, with an example based upon a hazard caused by significant equipment damage to a pump.

The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment
Omar T. Jaradat, PhD Student (1); Patrick J. Graydon, Postdoctoral Research Fellow (1); Iain Bate (2). (1) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden; (2) Department of Computer Science, University of York, York, United Kingdom
Typical safety standards require software engineers to show that a plan of safety activities—chosen from recommended options or alternatives—meets a set of objectives. For example, the automotive safety standard ISO 26262 recommends formally verifying software architectures to show that they comply with safety requirements. In this paper, we show how an existing approach to architectural model checking could be used to conform to ISO 26262.

The Architecture-Based Verification Technique for AADL Specifications verifies some completeness and consistency properties of Architectural Analysis and Design Language (AADL) models. An engineer transforms the AADL architecture into a UPPAAL model, generates a set of UPPAAL queries, and uses UPPAAL to check the queries. Using the resulting evidence, we have created a partial ISO 26262 safety case for an existing system that warns drivers of heavy vehicles before low fuel causes loss of power and vehicle control.

In this paper, we demonstrate how this model-checking evidence contributes to an ISO 26262 safety case. We then critically analyze the resulting argument, recommend means of achieving complete coverage of ISO 26262 objectives, and discuss the costs and benefits of architectural model checking in comparison to those of the other techniques recommended by ISO 26262.

Monday 08·12·13 AM, Clarendon: Ground Transportation. Chair: Millin

Achieving Confidence of a Safety Critical System Product and Its Applications
Fenggang Shi, PhD, RAMS Department, Thales Canada Transportation Solutions, Toronto, ON, Canada
A safety-critical system product can be developed for multiple project applications, such as a Communication Based Train Control (CBTC) product for modern railway signaling systems. It is natural that different safety-critical systems in the same domain can have different characteristics due to variances of devices and operation environment. Such a product must be developed based on the generic attributes of systems in the domain, and can be parameterized and tailored to a specific system with the characteristics expected by the customer. The key issues in development of such a product are defining common functions in the application domain, categorizing and generalizing devices, and designing a configurable system architecture. Thus devices and functions can be parameterized and tailored for a specific system of a project. Safety engineering for such a safety-critical system product and its applications faces complexity in safety case development for demonstrating systematic hazard analyses and management. This paper discusses Thales' experience and practice of resolving the key issues in designs and managing the complexity of safety engineering on its CBTC product and applications. Safety confidence of CBTC systems is achieved through four layers of safety engineering: vital computer controller platform, generic application, and specific application.

Failure Logic Automata for Future Oriented Safety Assessment of Train Control System
Guo Zhou, PhD Student; Huibing Zhao, Professor; School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China
In the development process of a train control system, safety analysis possibly deviates from system design. System engineers and safety engineers always carry out their ideas in entirely different ways, so that when system engineers assert their designs are completed and feasible, the safety engineers may disappointedly declare that the safety requirements are not met. On the contrary, when safety engineers expose their manual analysis reports (FTA, FMECA, etc.), system engineers may pop up and point out the inconsistency. Intuitively, there seems to be a "gap" between system engineering and safety engineering. In this paper, some comparisons amongst classic safety assessment methods are performed first. Then a future-oriented safety assessment method is introduced to safety engineering to automatically realize safety requirements verification with the soaring complexity of system design. The hierarchical and modularized methodology of failure logic modeling is illustrated for minimal cut sets synthesis and dangerous failure rate calculation, which can be referred to prompt the safety. The mathematical model is constructed to manifest the correctness of the method. An instance analysis of an on-board train protection system is also performed.

Are We Ready for Driverless Cars?
David B. West, CSP, PE, CHMM, AMCOM/AMRDEC Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
For decades, technological advancements have continually improved the automobile, making it easier to drive. As we integrate features like adaptive cruise control, GPS navigation, lane keeping, and so on, and make them interoperable, we move ever closer to having cars that will drive themselves to the destinations we enter into their programs. Some experts have even predicted that in less than a generation it will be illegal to steer our cars ourselves. Though it may seem that serious safety challenges constrain our movement down this path, it may actually be the safety benefits offered by driverless cars that propel us in this direction. Several high-profile competitions have fostered the development of driverless car technology. Some jurisdictions are already passing legislation to pave the way for driverless cars on public roads. With driverless cars will come major changes in legal processes involving accidents. In many ways, the development of driverless cars that will operate on public roadways parallels the development of unpiloted aircraft that will fly in the national airspace. Design standards for hardware and software in civil aircraft (e.g., RTCA DO-254/DO-178) may serve as models for similar qualification of driverless car hardware and software.

Tuesday 08·13·13 AM, Berkeley: Hazard/Risk Management. Chair: Parizo

Safety is not an Option
Clifford A. Parizo, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Stratford, CT, USA; R. Brandon Daugherty, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Huntsville, AL, USA
This paper presents a method for evaluating and classifying rotorcraft safety-enhancing equipment in terms of impact on safety and various equipment implementation factors. Guidance from certifying agency policy and system safety standard practice was considered, resulting in a classification tool that can be used to determine if equipment should be marketed and sold as either mandatory or optional. The methodology developed may have applications for other products and industries.

National Aerospace Standard 411 Update
Timothy Sheehan, CIH, CSP, PE, Raytheon Global Substances Program, Raytheon, Portsmouth, RI, USA
This paper describes the effort to review and update National Aerospace Standard 411 ("NAS 411"), commonly used within defense as a framework to conduct Hazardous Material Management Programs (HMMP) intended to reduce hazardous material risks in the government procurement of military systems. The scope of the effort includes both a review of the standard and the introduction of several key changes, including the expansion of the scope to non-military procurements and service contracts. Included in the effort is the task of developing a standardized military Hazardous Materials Target List (HMTL) that can be used as a starting point for military HMMP hazardous material (HAZMAT) target lists. The development of the common HMTL addresses the need to increase standardization of HMMP lists across defense programs that use NAS 411 and/or MIL-STD-882E Task 108 to conduct their HMMPs. There is currently no standard approach for developing these lists; as a result, there are numerous different materials identified for restrictions and reporting requirements. The current situation often does not support (or reflect) the hazmat risk management goals of the DoD, the military services, or the contractors.

Linear Integrated Safety Analyses (LISA)
Michael T. Grant, Aviation & Product Safety, Sikorsky Aircraft Corp., Stratford, CT, USA; Samad Muhammad, Atlantic Software Technologies, Inc., New York, NY, USA
This paper describes the Linear Integrated Safety Analyses (LISA) process developed by the Sikorsky Aircraft Corporation (Sikorsky). The LISA architecture is designed to encompass all aspects of safety risk management for aircraft development programs. It is linear in that each assessment is repeated at the aircraft, system, and subsystem levels in sequence, and it is integrated such that all analyses are connected and fully traceable to requirements. Sikorsky has partnered with Atlantic Software Technologies (AST) to develop a web-based LISA application. The end product will be a fully integrated system safety process that is comprehensive, repeatable, and traceable.

Tuesday 08·13·13 AM, Clarendon: Workspace Safety. Chair: Kondreck

Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chefs' Uniforms Against Thermal Hazards in the Kitchen
Han Zhang, MSc Candidate; Rachel McQueen, MS, PhD; Jane Batcheller, PhD; Human Ecology, University of Alberta, Edmonton, Alberta, Canada
Burn injuries in kitchens are prevalent; as well, chefs are exposed to high heat and humidity. Limited research has been performed on safety issues related to chefs' uniforms regarding thermal protective performance towards common kitchen thermal hazards (i.e., flames, hot liquids, steam, and hot surfaces) and the thermal comfort within commercial kitchens. The purpose of this research was to characterize the thermal protective performance properties of textiles used in chefs' uniforms in order to understand how protective they are against all these thermal hazards in such an environment. Selected thermal performance tests (i.e., flammability and ease of ignition, hot water and oil splash, steam testing under low pressure, and hot surface contact tests) were applied to predict the time to second-degree burn. Different fabric layer combinations (e.g., impermeable/semipermeable apron and two or more layers of cotton fabrics) were applied to determine the most effective way to wear chefs' uniforms. In addition, thermal and water vapour resistance were compared among different fabric systems in terms of thermal comfort. Based on the data obtained from bench-scale tests, recommendations were made to improve the thermal protection and thermal comfort of fabrics used in chefs' uniforms and the safety within commercial kitchens.

A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources
Ray Fischer (1); Kurt Yankaskas, BS (2); Chris Page (1). (1) Noise Control Engineering, Inc., Billerica, MA, USA; (2) Warfighter Performance Department, Office of Naval Research, Arlington, VA, USA
Noise remains the most prevalent occupational hazard associated with defense systems and operations critical to their sustainment. Concurrently, acquisition programs have been inconsistent in application of control measures, and many new systems are noisier than their legacy predecessors. Common impediments to improved control include a relative lack of emphasis on risk management of noise, lack of widespread technical knowledge regarding the feasibility of noise control, and misunderstanding of potential return on investment from noise controls. The Defense Safety Oversight Council's Acquisition and Technology Task Force sponsored a project to identify common noise sources affecting multiple defense systems that were amenable to control measures that could be implemented using existing technologies at an affordable cost. A system engineering risk management process was applied to review key noise sources in DOD, identify nine of the more common sources amenable to control technologies, and describe common control measures for these processes. An affordable containment (acoustic enclosure) technology was also evaluated and described. Estimates were made of exposed populations, the range of their occupational exposures, and the potential risk and fiscal cost of hearing loss. Cost-benefit analyses were applied to evaluate the return on investment from available control measures.

System Safety Design for Safe Operation of Radars
Ronald J. Bartos, PE, CSP, Whole Life Engineering, Raytheon, Sudbury, MA, USA
Safe operation and maintenance of radars depends upon effective system safety and software safety analyses of radar designs. These analyses include identification of the hazards involved in operating and maintaining radars and the safety requirements that are necessary to mitigate these hazards. This paper familiarizes the reader with the system safety design requirements that are implemented in the controls of these systems in order to manage the potential safety risks inherent in radars. The safety features are contrasted among different types of radars. The differences in the types of safety features among these systems are highlighted, and factors for these differences are presented. The radar's mission, location, system architecture, conceptual design, and requirements allocation between hardware and software need to be understood in order to implement an effective safety program.

Tuesday 08·13·13 PM, Berkeley: Software Engineering. Chair: Mikula

Dependability Techniques Applied to Space Software - A Research Project Report
Carlos Henrique Netto Lahoz, Dr. Eng., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos (SP), Brazil; Martha Adriana Dias Abdala, MS, Electronic Division, Institute of Aeronautics and Space (IAE), Sao Jose Campos, Brazil
This work reports some results of a research project performed at the Institute of Aeronautics and Space (IAE), Brazil, using dependability techniques applied to a space computer system. Hazard analysis techniques such as Software FTA and Software FMECA were used in an integrated manner, and more recently the System-Theoretic Process Analysis (STPA) has been studied. This research is part of the Verification and Validation (V&V) efforts to increase software dependability capability in software projects at IAE.

The feasibility of such an approach was conducted on system software specification and applied to a case study based on the Brazilian Launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to inclusion of new functional and non-functional system software.

The techniques are adjusted and used in combination to identify common causes of software failures, their criticality, performance problems, temporal misleading, and hazards arising mainly from dysfunctional interactions between components. The SFTA analysis produced 82 basic events and the SFMECA 34 analyses from the sequence of flight and control events. The STPA is being applied to one of the case study scenarios in order to evaluate possible additional information about how the behavioural safety constraints can be violated.

The Principles of Software Safety Assurance
Richard Hawkins, PhD; Ibrahim Habli, PhD; Tim Kelly, PhD; Department of Computer Science, University of York, York, United Kingdom
We present common principles of software safety assurance that can be observed from software safety standards and best practice. These principles are constant across domains and across projects, and can be regarded as the immutable core of any software safety justification. The principles also help maintain understanding of the 'big picture' of software safety issues whilst examining and negotiating the detail of individual standards, and provide a reference model for cross-sector certification.


Formal Modelling in the Development of Dependable Systems
Elena Troubitsyna, PhD, IT, Abo Akademi University, Turku, Finland
Nowadays we tend to place increasing reliance on computer-based systems and the software they are running. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, the analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.

It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing of software to the required degree of dependability infeasible, and hence the emphasis should be put on the development process, which is aimed at producing fault-free software. Moreover, the system environment has a direct impact on its dependability, and hence a systems approach should be applied.

In the paper we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.

Tuesday 08·13·13 PM, Clarendon: Aerospace Safety. Chair: Kraemer

Systems-Based Approach to Flight Safety Management in Airlines
Hong Chi, PhD; Baoguang Xu, PhD; Mingliang Qi, PhD; Xueyan Shao, PhD; Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China
Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of SMS. Since 2006 we have worked with one of China's 3 big airlines, taking part in its construction of SMS. We find that safety risks have their own features in different airline departments, and divide safety risks into two categories: one is caused by factors such as quality of pilots and reliability of airplanes, and the other is caused by misprocessing through operational processes; for example, a misprocessing in data entry during dispatching may lead to insufficient fuel and then serious outcomes. A reasonable risk assessment can be obtained only by systematic mechanism analysis, and other analytical approaches need to be studied besides the risk matrix. Based on this, effective risk mitigation can be implemented in airlines. We develop a closed loop to support airlines' flight safety management named "Describing-Assessing-Diagnosing-Improving-Tracking". Specific details will be discussed in this paper.

Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch
Burak Durmaz, MSc Eng., Product Assurance Department, Space Systems Group, Turkish Aerospace Industries Inc. (TAI), Ankara, Turkey
Even if the new generation aircraft have rugged designs that maximize reliability, exposure to failures during operation is still indispensable. With a pure safety approach, one can arrive at the classical result "the safest aircraft is the one in the hangar". Vice versa, allowing dispatch without ensuring a certain level of safety can lead to catastrophic results and is totally not acceptable. MMEL has been answering this dilemma for many years. Each MMEL item is analyzed taking into account the effects of item inoperability on safe flight and landing, crew workload, functional capabilities of the systems, design margins, and the impacts due to the next critical failure. MMEL proposes dispatch criteria for any inoperative MMEL item by taking credit from a redundant unit which is capable of accomplishing the same function, the backup data provided by alternative sources or equipment, dictating acceptable limitations, and/or requiring operational or maintenance procedures.

This study aims to answer questions such as why MMEL is required and how an MMEL is developed. Also, brief information about the MMEL regulations, the importance of MMEL to ensure safe dispatch with inoperative item(s), and some simple examples regarding MMEL applications are going to be provided.


Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics
Stuart Campbell Sr., MAS, CFII, ATP, Aeronautical Science, Embry Riddle Aeronautical University, Daytona Beach, FL, USA
The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilot Association, 2010). The absence of a positive safety culture in general aviation, to include training organizations, affects pilot judgment and decision making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture during the learning process and training, is of importance and currently under study using the Frasca Mentor Advance Aviation Training Device.

Tuesday 08·13·13 PM, Dartmouth: Software Safety. Chair: Schmedake

Safety and/vs. Security: Towards a System Engineering Approach for Trust
Erwin Schoitsch, Dipl.-Ing., Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria
Safety has a long tradition in many engineering disciplines, evolving long before computers arrived on the scene. Security in engineering disciplines has a shorter history, becoming increasingly important with the rising complexity of networked systems. In complex cyber-physical systems and systems-of-systems, both worlds, having ignored each other for a long time (independent communities, different targets, standards, techniques and measures), now have to share their concerns to achieve the real goal of users and stakeholders: trustworthy systems.

The paper will compare the different approaches of the major safety and security standards, particularly with respect to setting goals, considering techniques and measures, and qualification/certification. Holistic system aspects as covered by the notion of Dependability and Resilience as umbrella terms, and system engineering aspects taking into account dichotomic properties of complex embedded systems (commonalities and trade-offs), are looked at to try to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from concept phase, hazard and risk analysis, to decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC-FP7 Integrated Project OpenCoss, in IEC/ISO standardization groups, and other work.

Anatomy of a Safety Critical Software Function
Richard Church, Raytheon Company, Tewksbury, Massachusetts, USA
This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides a clear and concise determination of how a safety critical function may be defined at the system level, to include hardware, software, human interactions, and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose SLSCF computing level functions, details what constitutes a Safety Critical Computing Software Function (SCCSF), and how to identify those behavioral attributes that designate that function as safety critical. This paper provides a methodology to identify, decompose, and categorize application and operating environment SCCSFs. For the purpose of this paper, SCCSFs are categorized into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety critical software functions that control and monitor safety critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies, and fail-safe designs found in successful high-consequence safety critical systems.

Software Risk: The Third Rail of Safety Analysis
Holly S. Hildreth, PhD, Consultant; Charles Greg Elcock, USN-R Aviator, Consultant, San Diego, CA, USA
"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Due to our inability to assess probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called "throwing the baby out with the bath water". Meanwhile, the recent industry trend to assess software risk based solely on implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss shortcomings of this trend and describe alternative techniques that have not been openly documented but that have been used "under the radar" by software safety professionals for many years.

Wednesday 08·14·13 AM, Berkeley: Human Factors. Chair: Robins

ASL – Affective Safety Leadership
Ulrik Ramsing, Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark
Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how", demanding the CoRep to engage with all parties in a safe, professional, and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged with CfL Centre for Leadership to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, of which the satisfactory completion is now a requirement for employment in DONG E&P Offshore Operation as Company Representative.

The CoRep Program satisfies its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors, and ILO-driven offshore coaching.

Exxon Valdez: Human Error Plain and Simple
Arthur D. Barondes, BS (Mil Engr), MS (Aero), MBA, PhD (ABD) (Business), Analytics International Corporation (AIC), Alexandria, VA, USA
Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989—and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors—there were no mechanical or electrical failures that fateful night—the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots, and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors—onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company—as solely responsible for the disaster.


Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A. Vernacchia, MS, PE, Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A. Green, PhD, Active Safety Systems, General Motors, Warren, MI, USA; Robert E. Llaneras, PhD, Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA

Today's electric propulsion system designs (e.g., Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, some failure modes may result in the failure effect on output torque being realized significantly faster than traditional ICE failure modes. These may present differences in how output torque responses impact potential “Driver Startle” events.

This paper compares electric propulsion systems' fault response characteristics and subsequent detection and mitigation capabilities to those of ICE systems. The effects of the electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle-level hazard metrics related to Driver Startle, are presented.

Wednesday 08/14/13 AM, Clarendon: Public Safety (Chair: Fletcher)

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD; Yun Luo; Shuo Tian, MS; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

To make scientific precaution and effective control of accidents is important for the national production of China. The famous Heinrich Rule reveals that the statistical law of the severity and frequency of accidents is essential to control accidents, but the accidental source and causation, as well as the essence of systematic safety factors, haven't been stated deeply. With the data analysis from various accident statistics over recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. And then a proportion rule of the accident pyramid is further figured out, namely “Major Accident - Fatal Accidents - General Accidents - Hidden Dangers - Hazards” (1-52-240-4700-∞). The result accords with the traditional Heinrich Rule, which provides the theoretical basis for accident prevention and indicates the way and direction of realizing essential safety.

Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity
Ilya M. Zheleznov, PhD, VNIIA, Moscow, Russia

The paper presents a review and results of analysis of different technical and economic aspects of industrial safety at a large enterprise with distributed sites, combining R&D works with pilot and batch production of high-tech products, and located in a megacity (Moscow).

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to the optimization are considered, from both technical and economic points of view, taking into account minimization of transportation of dangerous substances, localization of treatment facilities (waste effluents, gas purification) and waste storehouses, localization of systems for working conditions maintenance (heating, air-conditioning, air clearing, water supply, etc.), possible harm to the population, and a number of other factors.

The features connected with the location of the enterprise in a megacity are identified, including limitation of the areas for treatment facilities, a high saturation of the area by various communications, small distances to residential buildings and city infrastructure objects, transport problems, high impurity of the air environment, etc.


Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr. Professor G.A. Smirnov, Dr. D.I. Yurkov, D.V. Syagin, T.V. Kozhina, All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia

The paper reviews the questions related to vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including those of a terrorist orientation, as well as to emergency situations of natural and anthropogenic character.

Main provisions of the Russian Government-approved complex program of safety of the population on transport are presented. Approaches to the organization of examination of physical persons, passengers, vehicles, cargoes, luggage, and personal things at objects of the transport infrastructure of the undergrounds of Russia are formulated. Some types of neutron and x-ray equipment for detection of explosives, nuclear materials, and drugs, designed and produced by VNIIA named after N.L. Duhov, are presented.

Wednesday 08/14/13 AM, Dartmouth: Lifecycle Safety (Chair: Swallom)

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore, Singapore

System Safety analyses assess the systems' hazards throughout all phases of the system life cycle. Quite often, details of maintenance tasks on systems were not clearly thought out and assessed. Hence, while in the midst of carrying out system maintenance tasks, hazards could arise and pose safety implications to users. Improper maintenance could also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance and sometimes total replacement of the components at regular intervals are required. Therefore, it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety critical or safety related parts is also crucial in ensuring that the systems remain safe for operation after conducting maintenance.

This paper attempts to classify the different types of maintenance and the focus of their respective hazard analyses in order to better address their potential hazards. Generally, there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance, and Reliability-Centered Maintenance. The authors will discuss, with examples, the hazard analysis for each of these types of maintenance.

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram, David Hartfelder, Electronic Controls and Software, General Motors Company, Milford, MI, USA

System safety engineering is the application of special technical methods and managerial processes in a systematic manner to identify, evaluate, and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned with eliminating or minimizing the impact of system hazard(s) to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementary critical safety analyses, tests, and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that they are able to influence the design of the system. This paper will define a system safety case and provide an overview of its development within the GM system safety engineering process as it applies to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA

Error Prevention Event Collection (EPEC) Documents have been beneficial to the ULA Organization in many ways by providing multiple methods to augment current ULA Error Prevention Processes and share Lessons Learned throughout the ULA Organization. EPEC Documents are stand-alone documents that provide ULA Personnel with categorized sets of Event information that can be used to augment Preventive Analysis, Reactive Analysis, and Collective Analysis processes. Events included in the EPEC Documents have been “closed” through the ULA Error Prevention Process. This means that they have completed the Causal Analysis, Corrective Action Board, and Error Prevention Council processes. Upon Event closure, the “All Items” Database is populated with Event information and the applicable Event EPEC Categories. Then the “All Items” Database automatically sorts Event entries into “Category” Databases. There is one “Category” Database for each EPEC Category. Each “Category” Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each “Category” Database that provides users with instructions for use, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications, and benefits will continue to be explored as they relate to the EPEC Documents.

Wednesday 08/14/13 AM, Exeter: Human Factors II (Chair: Flint)

Development of Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy; Yanyan Wang, DE; Xin Liu; Wei Bai; Xinsheng Guo; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China

Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress has a disadvantage on flight safety. Life events are a routine item of aircraft accident investigation in many countries. A lot of pilots involved in accidents were suffering from life events. In order to acquire the ideal effect, flight safety education must be incorporated with psychology. An education program combining flight safety and psychological stress was developed by summarizing relative psychological factors of aviation risk perception. The program includes three sections, which are psychological measurement relative to safety and results feedback, education on representative risk scenes in aviation, and occupational stress management. The Aviation Safety Locus of Control scale and the Hazardous Aviation Attitude questionnaire were used to evaluate risk pattern. The results were fed back to pilots to improve their self-knowledge. Representative risk scenes were based on the five hazardous attitudes theory. Fifteen cases were developed and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach the pilots stress management skills. The program can be applied to improve flight safety and mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD; Xin Liu; Wei Bai; Xinsheng Guo; Qingfeng Liu, MPsy; Xiaochao Guo, DPsy; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China

The capabilities of crew resource management (CRM) directly relate to flight safety and run through the whole process of flight tasks, but there are currently still no indicators and methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and the pilot's behavior characteristics of dynamic CRM were developed based on AC-121-FS-2011-41 crew resource management training and by analyzing the influential factors; thus, eventually, the dynamic assessment training indicators and methods of crew resource management were formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis of assessment of CRM during flight training, which is helpful to improve the CRM capabilities of the double drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD; Erin Collins; Hughes Associates, Inc., Baltimore, MD, USA

The fire protection response in selected facilities is characterized by “manual” activities. That is, facility personnel are trained to immediately react after fire detection, not only to announce the fire event throughout the facility using the communication systems but to also suppress the fire as quickly as possible. Contrary to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e., hardware) reliability and availability techniques, “manual” detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper involves an integration of an event tree analysis and HRA, which includes treatment of the following detection and suppression activities: Prompt detection and suppression, Rapid detection and suppression, and Fire brigade suppression.

Wednesday 08/14/13 PM, Berkeley: Safety Topics (Chair: Gauthier)

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou, BEng, MSc, PhD, CEng; Matthew Luckcuck; Tim Kelly, PhD; Richard W. Jones, PhD; Department of Computer Science, University of York, York, United Kingdom

There has been an increasing use of IT in healthcare, aiming to improve the healthcare quality as well as the safety delivered to patients. IT can contribute to improvement in meeting the performance targets of hospitals by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent in medical devices (e.g., pacemakers), for which there are organised efforts for international standards. Recently there have been attempts to systematise and standardise the safety analysis of health IT systems, with examples such as the UK National Health Service standards asking for a safety case that any IT systems are safe.


The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety and data-intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these (tactics) can be used to provide assurance to the final safety case of the system.

How Complex Systems Fail, I: Decomposition of the Failure Histogram
Richard R. Zito, PhD, Richard R. Zito Research LLC, Tucson, AZ, USA

Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that in general the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the “tails” (large values of time) are higher than those predicted by the Rayleigh model. And the failure histograms (failure rate vs. time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report will take the Peterson/Arellano analysis one step further. A unified theory of failure rates will be presented that removes the paradoxes of the simple Rayleigh model. It will be shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function law.

Wednesday 08/14/13 PM, Clarendon: Risk Assessment (Chair: Karedes)

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt; Joan Pham, PhD; Sikorsky Aircraft Corporation, Stratford, Connecticut, USA

The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday 08/15/13 AM, Berkeley: Space Systems (Chair: Durmaz)

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X. Dang, BSCE (1); Myles P. Moran, BSME (2); Tyrone Jackson, BSEE (1); (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA

A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. An example: one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 AFSPCSUP1, 91-217, and 63-101. AF program offices are required to comply with AFI policies. AFIs don't generally apply to the contractor except as implemented through the contract. Often, program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that by having two sets of requirements, AFIs for program offices and MIL-STD-882-Tailored for contractors, full compliance with AF Orbital Safety policy should be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question “How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?”


Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G. McDougall, BS Physics, Naval Post-Graduate School (NPS) Master System Engineering, System Safety Center SMC/SE, El Segundo, CA, USA; Tyrone Jackson, BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA

Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommission, and disposal of systems, subsystems, end items, and services during the entire space system lifecycle to support Operational Safety, Suitability and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements that are applicable to the acquisition of space systems or space systems of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems, and user equipment systems. SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP_I, and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process of evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing tasks and activities required to execute a viable system safety program that include risk acceptance package development, hazard tracking, mishap risk disposition, and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch, CO, USA

United Launch Alliance launches Atlas V and Delta IV from Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles. Large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire, and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle, and prelaunch operations, until liftoff. Range Safety regulations provide safety requirements for hardware, software, and operations to ensure safety throughout the ground processing. This paper will examine each stage of the ground processing for space launch and the applicable safety requirements, and discuss how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after the personnel are cleared, using safety critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday 08/15/13 AM, Clarendon: Weapons Safety (Chair: Southwick)

Security Critical Software: the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S. Alborzi, PhD, Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA

Today's political landscape, the arbitrary abandonment of non-proliferation of nuclear weapons by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense of system safety. This paper intends to explore this integration and unveil some of the security critical software that can serve as the first line of defense for preserving the safety critical features of our weapons systems.


Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams, BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello, BSChE, Navy NOSSA, Indian Head, MD, USA

The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance provided in the associated AOP-7 and AOP-39 for implementing policy. Questions are often raised during program development and reviews as to the origin and applicability of tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, will only address Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE; Gunendran Sivapragasam, MBA SE; Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA

A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among those characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday 08/15/13 AM, Dartmouth: Hazard Identification (Chair: Oliver)

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore

We often asked ourselves why accidents or mishaps happened even when the system safety methodology and assessments were in place. Accidents happened due to many possible causes. There could be lapses in the safety integrity of the system, or a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns that a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations that were faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practices in system safety. There are four areas of concern highlighted in the paper: Interfaces, Prototype Tests & Trials, Maintenance & Disposal, and Human Error. By identifying the gaps in these four areas, the author explores and proposes mitigation measures that could possibly close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust Sr., Cand. scient., System Safety, SINTEF, Trondheim, Norway

Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body for certification according to IEC 61508, a Notified Body for certification according to relevant EU directives, and a Manufacturer.

Experience has shown that, to deliver the product in time and to be cost-effective, it is very important that the Manufacturer and the Certification and Notified Body agree about basic principles concerning the plans, contents, traceability, and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Body as evidence.

This paper presents the CoVeR method that has been developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, that costs are minimized, that time to market is reduced, that the certification process is complete and well documented, and that updates of the certificates require less work. The certification experiences to date show that many of the problems with conventional methods are improved.

Design with Safety Eye
Barış Berk Erdem, MS; Pinar Aydin, MS; Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey

Deriving safety requirements in the early stages of the design is one of the most important key factors to conduct a successful development process for any project. While well-defined, correct, consistent, and complete safety requirements improve and guide the design to perfect levels with minimum effort, defective, inconsistent, and incorrect safety requirements may lead to unsuccessful, overweighted, and overcost designs. In this paper, ways and advantages of deriving qualified safety requirements in early stages of the design will be discussed via examples. Safety requirements are derived using the results of the safety assessments based on the consequences of functional failures. But the quality of safety assessments is based on the maturity of the design, and as the design matures it is hard to change and implement the changes, which causes a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated, and familiar with similar projects provides great contributions. Also, a safety perspective throughout the design team makes it easy to derive valuable safety requirements and bring these requirements into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is cooperation of the whole design team with a safety perspective.

Thursday 08/15/13 PM, Berkeley: Aerospace Software (Chair: Beecher)

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway, NASA Langley Research Center, Hampton, VA, USA

For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance “for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements.” Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus, the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments contained in or implied by the DO-178C guidance that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore, developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper, we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels, and Baconian probability. We define use cases for confidence in safety cases: prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases, we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for reuse of safety elements.

Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System
Eric Yang, PhD; Richard Y. Xie, PhD; Arash Yousefi, PhD; Metron Aviation, Inc., Dulles, VA, USA

As demand for military, civilian, and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety that is set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper we adapt a previously developed safety modeling framework, Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS, incompatibility of sense-and-avoid systems of UAS and Tactical Collision Avoidance Systems (TCAS) of manned aircraft, loss-link procedures in the UAS, and the UAS loss of communication with air traffic control. The findings of this study provide insight into potential risks of UAS integration and may support development of a concept of operations, establishing minimum performance standards, and developing required safety nets.

Thursday 08·15·13, PM, Clarendon: Public Safety II (Chair: Laabs)

Program ISSC 2013

Integrating System Safety and Emergency Management
Terry L. Hardy, Great Circle Analytics, LLC, Denver, CO, USA

System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations, or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience, and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS, HSE, Marine Well Containment Company, Houston, TX, USA

Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips, and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain, and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess, and Statoil. In February 2011, MWCC’s interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS, and the Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach for working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.

WHAT ARE YOUR STRENGTHS AS AN ENGINEER?

“thinking system-wide” “providing in-depth analysis of the latest technologies” “solving real-life problems”

ONLINE MASTER’S DEGREES

- Reliability Engineering
- Project Management
- Nuclear Engineering
- Sustainable Energy
- Energetic Concepts
- Fire Protection Engineering

LEARN MORE: www.advancedengineering.edu/issc

A Taxonomic Analysis on Chinese Special Equipments “Yinhuan” in Supervision
Yunxiao Fan, Dr., Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People’s Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipments to ensure their safety in the worksite. Special equipments in China include boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices, and automobiles. In recent years, the rapid increase in numbers and types of special equipments has brought BSES increasing stress on special equipment regulation. As a government supervision organization, BSES tries to make the inspection tasks of the different supervision levels explicit and efficient, and to improve safety management performance from the viewpoint of risk. This research is the first task in a project which aims to identify yinhuans in special equipment supervision using a taxonomy approach, for further ranking them through risk assessment. Based on nonconformity and the 4 elements in the accident causation model, this research defined yinhuans of special equipments in China and built a yinhuan taxonomic analysis structure. This research identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans of 8 types of special equipments.

Thursday 08·15·13, PM, Dartmouth: Hazard/Risk Management II (Chair: Kniess)

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1); Patrick J. Graydon, PhD (2); Rikard Land, PhD (1). (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

In some domains, standards such as ISO 26262 or the UK Ministry of Defence’s Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework including analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach, the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence; it can also ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA

United Launch Alliance (ULA) believes error reporting is the corner-stone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as Events) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented, and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012, ULA experienced an elevated number of transportation-related Events in a relatively short time period. Logically, the question “are these processes out of control?” was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if associated processes were in statistical control with respect to errors.

This paper concludes:

- The Statistical Quality Control P-Charting technique can be applied to Event data.
- Statistical Quality Control P-Charting analysis indicates processes were “in control” during the period of this study.

Even though statistical analysis tools demonstrated ULA’s processes were “in control”, ULA continues to pursue a “Zero Defects” objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.

Isograph Software: World Leading Reliability, Availability and Maintenance Software

Reliability Workbench: Reliability Allocation, Prediction, FMECA, Fault Tree Analysis, Event Tree Analysis, Markov

Availability Workbench: Reduce Labor & Spares Costs, Increase uptime and output, Seamless integration with SAP and Maximo

www.isograph-software.com

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, PEng, MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece

Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how the STAMP Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents, and incidents. The objective is to show the feasibility of establishing in airports system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems, and airports to assess and predict changing levels of risk.

Special Functions

Saturday: SSS Executive Council Meeting, 12:00 - 5:00pm, Tremont Room

Sunday: SSS Executive Council Meeting, 8:00am - 5:00pm, Tremont Room

Monday: Speakers’ Breakfast, 6:30 - 8:00am, Simmons Room

Opening Ceremonies / General Session, 1:30 - 3:30am, Salons A-E. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus. Keynote Speaker: James P. Keller, Jr., MS, ECRI Institute

Tuesday: Speakers’ Breakfast, 6:30 - 8:00am, Simmons Room

Sponsor/Exhibitor Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology

Sponsor & Exhibitor Reception, 6:30 - 8:30pm, Gloucester Room

Wednesday: Speakers’ Breakfast, 6:30 - 8:00am, Simmons Room

International Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK

Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00pm. Be in the hotel lobby at 6:00pm.

Thursday: Speakers’ Breakfast, 6:30 - 8:00am, Simmons Room

Awards Luncheon, 11:30 - 1:20pm, Salons A-E

Friday: Speakers’ Breakfast, 6:30 - 8:00am, Simmons Room

Best Papers Presentations, 8:00 - 11:20am, Dartmouth Room

32nd International System Safety Conference, 4-8 August 2014 · St. Louis, MO

St. Louis Union Station Marriott Hotel

32nd International System Safety Conference, St. Louis, Missouri · August 4-8, 2014: Gateway to Safety

Local attractions:

- Gateway Arch Riverfront
- Missouri History Museum
- Museum of Transportation
- St. Louis Cardinals
- St. Louis Symphony
- St. Louis Union Station
- St. Louis Science Center
- The Contemporary Art Museum St. Louis
- Bissell Mansion Restaurant and Dinner Theater
- Missouri Botanical Gardens
- Laumeier Sculpture Park
- Anheuser-Busch Brewery
- Kemp Auto Museum
- Schlafly Bottleworks
- Fox Theater
- Purina Farms
- Meramec Caverns
- Laclede’s Landing
- City Museum
- Magic House
- Grant’s Farm
- St. Louis Zoo
- Delmar Loop
- Forest Park
- Harrah’s
- Six Flags

About the System Safety Society

The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products, and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program, or activity at the planning phase and continues through the design, production, testing, use, and disposal phases.

The Society’s Objectives:

- To advance the art and science of system safety
- To promote a meaningful management and technological understanding of system safety
- To disseminate advances in knowledge to all interested groups and individuals
- To further the development of the professionals engaged in system safety
- To improve public understanding of the system safety discipline
- To improve the communication of system safety principles to all levels of management, engineering, and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070. www.system-safety.org, email: systemsafety@system-safety.org

Points of Contact

Officers:

- Robert Schmedake, President (email: robertaschmedakeboeingcom)
- Dr. Rod Simmons, Executive Vice President (email: rodsimmonsmecom)
- Dr. Matt Johnson, Executive Secretary (email: mjohnsonstaudertechcom)
- Pam Kniess, Treasurer (email: pamkniessgmailcom)
- Gary Braman, Immediate Past President (email: gbramansikorskycom)

Directors:

- Gerry Einarsson, Chapter Services (email: einargkrogerscom)
- Lynece Pfledderer, Conferences (email: Lynecepfleddererlmcocom)
- Dr. Chuck Muniak, Education & Professional Development (email: cmuniakstevensedu)
- Debbie Hale, Gov & Intersociety (email: Hale0324hotmailcom)
- Robert Fletcher, International Development (email: rwfletchersympaticoca)
- Melissa Emery, Member Services (email: memeryapt-researchcom)
- Steve Mattern, Mentoring R&D (email: smatternbastiontechnologiescom)
- Saralyn Dwyer, Publicity & Media (email: sdwyerapt-researchcom)

Chapters

- Tennessee Valley Chapter (AL): Don Swallom, swallomisss-tvcorg
- Saguaro Chapter (AZ): Amanda Boysun, 520-794-5487, AmandaBoysunraytheoncom
- Bay Area Chapter (CA): Graham Murray, 408-756-2674, grahamtmurraylmcocom
- Central California Chapter (CA): Kathleen Brenna, KathleenBrenna1usafmil
- Sierra High Desert Chapter (CA): Jerry Banister, 760-377-4690, safetycitadelearthlinknet
- Southern California Chapter (CA): Francis McDougall, 310-653-1309, francismcdougallusafmil
- Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppecomcastnet
- Georgia Chapter: Terry Gooch, 770-494-3527, terryjgoochgmailcom
- Winners Circle Chapter (KY/IN): Marc Bever, 812-854-1351, Marcbevernavymil
- Twin Cities Chapter (MN): Bill Blake, 763-744-5086, billblakeatkcom
- New England Chapter: Alan E. Southwick, 401-842-2067, Alan_E_Southwickraytheoncom
- Northeast Chapter: Scott Beecher, scottbeecherPWutccom
- New Mexico Chapter (NM): William (Bill) Harwood, williamharwoodmdamil
- Houston Chapter (TX): Derek Robins, 281-335-2011, derekrobbinsmwcc-usacom
- North Texas Chapter (TX): Frank Rinaldo, 817-762-3075, frankrrinaldolmcocom
- Washington DC Chapter: Sean Peters, seanpetersurscom
- Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerberbaesystemscom

International Chapters

- Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbechtrgbassurancecomau
- Canada Chapter: Maury Hill, 613-220-0533, Mauryhillrogerscom
- Israel Chapter: Haim Kuper, 972-4-8315044, haimkuperelbitsystemscom
- Singapore Chapter: Ten Lin Mei, tlinmeidsoorgsg


31st ISSC Luncheon Menu

Tuesday, August 13

New England Clam Chowder

Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction

Key Lime Tart in a Hazelnut Crust, Blackberry Pate de Fruit

Wednesday, August 14

Asian Inspired Salad

Teriyaki Chicken, Coconut Rice, Seared Bok Choy

Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil’s Food Cake, Ganache and Berry Sauce

Thursday, August 15

Caesar Salad

Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato Pesto Butter Sauce

White Chocolate and Blood Orange Torte

3 2 1 SAFETY

System safety is paramount. It impacts our products, employees, technicians and maintenance personnel. And safety is no accident – it is designed into everything we do. We are proud to sponsor this year’s International System Safety Conference and their mission to think outside the box when it comes to the best processes, methods and techniques. We’re committed to delivering innovative ideas and solutions that help connect, protect and explore our universe.

www.lockheedmartin.com/ssc

© 2012 Lockheed Martin Corporation

Tutorials

The conference organizers have an information-packed tutorial program planned in conjunction with the 31st ISSC. Attending tutorials, as well as other elements of the Technical Program at the 31st ISSC, meets the requirements for Continuance of Certification credit through the Board of Certified Safety Professionals (BCSP). The University of Cincinnati will issue Continuing Education Units (CEUs) for participation in the conference tutorials. CEUs are issued on the basis of 0.1 CEU per instructional contact hour. You must be present for at least 90% of the tutorial to receive CEUs and a tutorial completion certificate. Your attendance is verified via the process outlined below.

- At the start of the tutorial, you’ll clearly print your name in the attendance form exactly as you want it to appear on the certificate.
- After returning from each break during the tutorial (morning, lunch and/or afternoon), you’ll initial the attendance form.
- You must be present at the end of the tutorial to receive your certificate and the CEUs.

If there are misspellings on the CEU certificates, please mark the corrections and give them back to the instructor or leave them at the registration desk.

Monday 08·12·13, 8:00-11:30, Exeter, Tutorial, 0.3 CEU

Hands-On System Safety Basics Focused on FHA
Instructors: Werner Winkelbauer, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria

An overview of a generic safety process best suited for small to medium sized projects is given in relation to the project lifecycle. For each major project phase, the respective safety process phase, its safety objectives, and the necessary inputs and outputs are detailed. Some state-of-the-art analysis techniques are explained. Special emphasis is placed on the Functional Hazard Assessment, where practical guidance for a Functional Failure Modes and Effects Analysis is presented.

The content of this tutorial is based on experience from an internationally operating company.

Objective: Basic understanding of a safety process and the practical implementation of a Functional Failure Modes and Effects Analysis.

Monday 08·12·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Introduction to Fault Tree Analysis Using CAFTA Software
Instructor: Jean Francois Roy, Nuclear Division / Risk & Safety Management Group, Electric Power Research Institute, Palo Alto, CA, USA

This tutorial will introduce Fault Tree Analysis using CAFTA Software. Attendees will first review fault tree methodology and terminology. Construction of a fault tree model in CAFTA will then follow a brief review of CAFTA’s components and symbol types. In constructing the Fault Tree model, topics covered will include projects, navigation, editing shortcuts, and how to add probabilities. An overview of basic event probability formulas, type codes, and variables will be included, as well as printing and quantification processes.

Tuesday 08·13·13, 8:00-5:00, Arlington, Tutorial, 0.6 CEU

A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique
Instructors: Nancy G. Leveson, PhD, John Thomas, PhD, Aeronautics and Astronautics, MIT (Massachusetts Institute of Technology), Cambridge, MA, USA

STAMP is a new accident causality model that expands on the old models in order to handle the increased complexity, software, and changing human roles in today’s systems. Using STAMP as a foundation, new tools have been built for hazard analysis (STPA), accident analysis (CAST), organizational risk analysis, risk management, etc. This tutorial will concentrate on STPA. The tutorial will start with a brief introduction to STAMP and the systems approach to safety engineering. The rest of the time will be devoted to learning STPA and doing exercises. Students are encouraged to bring problems from their own research domains so that they can try this analysis method on something very relevant to their work.

STPA is being used successfully in almost every industry. Several groups have evaluated STPA empirically by comparing the results with standard hazard analysis techniques. In all cases STPA found all the hazard scenarios found by the other methods, but also found additional ones involving software, human errors, and unsafe interactions among system components. In a couple of cases where STPA and the other methods were applied to a design in which an accident had occurred (without telling the analysts), STPA was the only method that found the real accident scenario.

By the end of the tutorial, attendees will be able to apply STPA to a system in their field of expertise.

Tuesday 08·13·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Assurance Cases as Means of Evidence Based Development of Critical Systems
Instructor: George Despotou, BEng, MSc, PhD, CEng, Department of Computer Science, University of York, York, United Kingdom

Often developers have the onus to defend a position (i.e. make a case) about the safety of their system. This usually involves an explanation of how the available information for a system supports the claim that risks in the system have been acceptably managed.

Safety cases have been used in the safety domain for a number of years, mostly in the defence, aerospace, and energy domains. Their usefulness as a tool for improving safety has been appreciated by many practitioners, and development of a safety case is a requirement in many standards. This has resulted in the core concepts of safety cases being transferred to other domains (e.g. automotive) and focused on other system attributes (e.g. security cases). Recently the term assurance case has been introduced, which encompasses not only safety but other relevant critical aspects of a system, such as security.

A case exists to communicate an argument. It is used to demonstrate how someone can reasonably conclude that a system is acceptably safe from the evidence available. A case is a device for communicating ideas and information, usually to a third party (e.g. a regulator). In order to do this convincingly, it must be as clear as possible. Safety case definitions may differ between domains, but all definitions converge on a set of characteristics.

Development of a (safety) case is a requirement in many standards. However, the usefulness of the safety case has been appreciated in industry, and it is used by many organisations as good practice. The reason for this is that explicitly capturing all reasoning and information (about the supported position), such as assumptions and evidence, facilitates assessing the fitness of the design to meet its (safety) objectives. A manufacturer will design a system aiming to achieve the required operational attributes. However, what is intended is often not what is achieved. Once the reasoning of the developers is explicitly documented as claims and argument supported by evidence, the gap between what was intended and what was achieved becomes more apparent.

Explicitly documenting a case will contribute towards a factual representation of the system, revealing which claims can be supported by evidence and which remain intentions (for example, because there is insufficient evidence to support them). This does not necessarily imply that the latter claims have not been implemented, but that we are unaware of their achievement because they are not sufficiently supported. There can be three reasons why a claim is not sufficiently supported: a) there is not sufficient evidence to warrant the claim; b) although there is evidence, there is inadequate explanation (a problematic argument structure) of how the evidence supports the claim; and c) the claim was phrased in a way that is unsupportable.

The tutorial describes the basic concepts of assurance and safety cases (including recent OMG standards), explains the main challenges in developing an assurance case and their relationship to safety standards (safety cases and standards serve different purposes and should be seen as complementary), and presents best practice (and misconceptions) regarding assurance cases.

Tuesday 08·13·13, 8:00-11:30, Suffolk, Tutorial, 0.3 CEU

Practical Generation of Safety Cases with the Help of GSN
Instructors: Andreas Gerstinger, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria

This tutorial will introduce you to the concept of safety cases. Safety cases are structured arguments that support the claim that a system is safe to be used for a given application in a given environment. Several standards require the production of such safety cases as a prerequisite for approval. The tutorial will highlight good and bad practices when developing safety cases and will introduce you to a notation specifically developed for the generation of safety cases: the Goal Structuring Notation (GSN). There will be practical examples which need to be solved by the attendees so that hands-on practice and experience is gained.

Detailed outline of the tutorial:

Introduction (1h): The tutorial will start with a survey of current safety standards (IEC 61508, ISO 26262, EN 50128, DO-178C) and analyse their views and requirements regarding safety cases. We will then delve into the nature of safety cases, briefly touch on their historical origins, and clearly consider what can and what can’t be expected from a safety case. Based on our practical experience, we will also highlight some typical bad practices when constructing safety cases. This helps to correctly and critically read them and is also a helpful guideline for reviewing other safety documentation. This part of the tutorial is largely a presentation.

Goal Structuring Notation (45min): We will now introduce the main elements of the Goal Structuring Notation (GSN), which is a helpful tool to document safety cases. The presentation of the notation will be interleaved with brief examples, exercises, and questions so that attendees have the chance to fully understand the meaning and purpose of the various symbols. A structured method for how to proceed when drafting safety cases will also be presented. Hence this part of the tutorial is much more interactive, requiring active participation of attendees.

Case Study (45min): A realistic case study will then be handed out. It is expected to be solved as group work (groups of 3-5 people are expected). The task of the groups will be to draft and present a sound safety argument for a given claim that the system in the case study is acceptably safe for a specific application in a given environment. GSN shall be used as the notation for this purpose. At the end, the groups present their solutions, and the advantages/disadvantages of the presented solutions are discussed. This part of the tutorial is group work.

Concluding Remarks (30min): Finally, we will offer some concluding remarks consisting of hints on how to avoid common errors and fallacies in safety cases, show some examples of real-world safety cases, and finish with a personal conclusion.

Tuesday 08·13·13, 1:30-5:00, Suffolk, Tutorial, 0.3 CEU

Improving Safety Management by Using a Risk Management Policy in Your Daily Operations
Instructor: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA

The focus of the tutorial is the use of risk assessment and risk management in the (non-technical) occupational safety and health profession. Domain of Interest: Hazard/Risk Management or Workplace Safety.

First hour: Review the basics of the various components of risk and types of risk assessments. Stress that the safety and health professional needs to understand that risk is more than a simple subjective measure of severity and frequency.

Second hour: Demonstrate how to make risk assessment into a powerful management tool by customizing the assessment of risk for use in a company/industry. Also provide insights on how to “sell” a risk management policy/program within a company.

Third hour: A discussion of how to use risk management as a tool to aid you in your daily office or program management responsibilities: the planning, organizing, staffing, leading, and controlling of a safety program. Embedded in the discussion is how risk can provide a measure of the success of an occupational safety and health program.

Wednesday 08·14·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Why You Should Care About the “-Ilities”
Instructor: Alan E. Southwick, BSEE, MME, MBA, CSP, CQE, CRE, Whole Life Engineering Directorate, Raytheon Company Integrated Defense Systems, Portsmouth, RI, USA

The topic addresses the interrelationships developed from Quality, Quality Control, and Quality Engineering, pursuing Specialty Engineering roles and relationships including Reliability, Maintainability, Supportability, Human Factors, Safety, and Security (Information Assurance) from an overview perspective. The tutorial is designed to be somewhat interactive, presenting examples and questions to the audience related to the various topics discussed, thereby engaging participants and providing them with insights into the various disciplines and how they relate within “Specialty Engineering”.

Wednesday 08·14·13, 1:30-3:30, Dartmouth, Tutorial, 0.2 CEU

Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System
Instructors: Tim R. Behnke, BSEE; John Damstra, BS Mathematical Sciences; and Eric D. Villhauer, BS Aerospace Eng., BA Economics; Specialty Engineering, General Atomics Aeronautical, Poway, CA, USA

The presenters share their implementation of a hazard analysis that integrates the civil aviation approach to safety analysis per SAE ARP 4761 and the defense approach to safety analysis per MIL-STD-882E, along with their implementation of the associated hazard tracking system in DOORS.

- Introductions - Behnke - 5 mins
- Need for System - Behnke - 5 mins
- Groundwork (historical) - Behnke - 10 mins
- Development - Damstra - 30 mins
  i. Modules; ii. Attributes; iii. DXLs; iv. Views; v. Exports
- Usage - Villhauer - 30 mins
- Questions - All - 10 mins

Wednesday 08·14·13, 1:30-3:30, Exeter, Tutorial, 0.2 CEU

Where Hard Meets SOFT: Human Factors Role in System Safety Engineering
Instructor: Fred W. Brisbois, CHCM, Safety, Sikorsky Aircraft / International Helicopter Safety Team, Guilford, CT, USA

The gap that allows accidents to happen is sometimes where System Safety Engineering and Human Factors don’t overlap. System Safety Engineering processes defined in MIL-STD-882 and ARP 4761 provide a structured approach of applying engineering practices to ensure safety is designed into products. These practices, coupled with robust product safety surveillance and management during the aircraft’s service life, offer opportunities to continuously raise the standards for future designs. However, to maximize the benefits of safety engineering, it is important to master the ‘art’ of how and when to integrate human factor interventions into the system design. This session will cover a generic overview of system safety engineering, aircraft fleet safety management, and lessons learned from ‘human’ malfunctions that led to aircraft system design changes.

Wednesday 08·14·13, 1:30–5:00, Wellesley: Tutorial (0.3 CEU)

Using Risk Profiles for Safety Management of Large Scale Operations
Instructor: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS – Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA
This tutorial provides safety and health professionals who work with large scale or multiple operations with a methodology to evaluate and compare these operations. The tutorial begins with a review of four types of risk which need to be assessed (People, Product, Production and Planet). This is followed by a brief discussion of normalizing the risk components of severity and probability. The heart of the tutorial is the description of how to measure the total risk of various operations, processes and facilities and present the resulting risk profiles to management. The tutorial will conclude with a brief discussion on the validity of the methodology used. Note: This is not a discussion on how to determine true total risk, but a simplified method using a minimum of math. The tutorial is designed for safety and health professionals working within a company that has multiple processes or facilities that compete for funding to ameliorate hazards.

Thursday 08·15·13, 8:00–5:00, Exeter: Tutorial (0.6 CEU)

Conceive of Modeling On Operation Mechanism of Public Safety Standardization
Instructors: Yun Luo and Yuecheng Huang, ME, School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
On the basis of the theories and methods of system science and strategy-system, this paper reveals the operating law of safety production standardization and the relations among all its elements, combined with the background and current situation of public safety standardization in China. It also builds the frame of a macroscopic operating mechanism and the "456" model of the work safety standardization system operation mechanism, which borrows from the execution and achievements of work safety standardization in our country. Besides, it designs six other mechanism models in order to perform systematic analysis and present optimized countermeasures, such as comprehensive management by government, categorized supervision by department, implementation of responsibility by organization, technological service by agency, wide participation by society, self-disciplined prodding by entire personnel, and so on. The research provides some theoretical directions as well as approaches for the construction and improvement of the operation quality of public safety standardization.


PANEL DISCUSSIONS / FORUMS

Tuesday 08·13·13, 8:00–11:30, Dartmouth: Open Forum

Developing Global System Safety Perspectives
Moderator: Robert Ward Fletcher, PEng, MSc, PMP, PCIP, Consultant, President, Robert Fletcher System Safety Inc., Ottawa, Ontario, Canada
This will be a free-form discussion moderated by Bob Fletcher, SSS Director of International Development. It is a continuation of the discussion started during the 30th ISSC.

Robert is a system safety engineer with many years of experience. He has performed system safety consultancy services work for several clients around the world. He performed system safety engineering and safety management systems training, auditing and analysis for air traffic control and flight service system applications. Robert has received an MSc from the United States Navy Post Graduate School, a diploma from the Aerospace Systems School, Winnipeg, Manitoba, and a Bachelor of Science degree from the Royal Military College. He is a registered professional engineer, a member of the Project Management Institute and the Critical Infrastructure Institute.

Thursday 08·15·13, 8:00–11:30, Suffolk: Panel

G-48 Workshop – Pressing Issues Facing System Safety
Moderator: David B. West, CSP, PE, CHMM, Systems, Software and Solutions Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
A panel of speakers (TBD) will give a series of presentations on the most pressing issues facing the System Safety community today.

WORKSHOPS

Tuesday 08·13·13, 8:00–11:30, Exeter: Workshop

ISO 26262-Style Risk Assessment
Presenter: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada
ISO 26262 is a functional safety standard for electronic control systems in road vehicles which includes a novel approach to risk assessment that overcomes the widely recognized difficulty of evaluating the likelihood of failure in the case of software-intensive systems. Although it was devised for use in the automotive domain, this approach to risk assessment has been used successfully in other technical domains that also rely on safety-critical software. Following a brief introduction to ISO 26262, participants will engage in a series of problem-solving small-group exercises based on examples taken from a variety of technical domains, including automotive, medical devices, energy and defense. The workshop will include opportunities for discussion and comparison of sample solutions. The workshop will also include a brief comparison of the ISO 26262 approach to risk assessment with the notion of software criticality in MIL-STD-882E. While this workshop will be of particular interest to system safety engineers in the automotive industry, it is intended to be relevant to system safety engineers across all technical domains with an interest in the assessment of safety risk associated with complex software-intensive systems.


Tuesday 08·13·13, 1:30–5:00, Exeter: Workshop

Application of System Safety Methods to Systems of Systems
Presenters: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada; Rami Debouk, Electrical and Controls Integration Lab, General Motors, Warren, MI, USA; Antonio Vergara, ITER Organization, St. Paul-lez-Durance, France
This workshop will facilitate an exchange of knowledge among participants about the application of system safety methods to Systems of Systems (SoS), that is, systems whose components are themselves complex systems, such that the combined behavior of these components cannot be easily understood or explained in terms of the behaviors of the individual components. Examples of such systems are increasingly common across a variety of technological domains, including aerospace, defense, automotive and energy generation/distribution. Traditional methods of system safety, focused on component failure as a source of safety risk, have limited value in understanding and managing the safety risks associated with a SoS. For example, an unforeseen interaction between two "correct" behaviors implemented by different components of a SoS may result in an unsafe behavior even in the absence of a component failure. The first part of the workshop will be a series of short presentations on SoS examples from a diverse variety of technical domains, namely advanced road vehicles, high energy physics and aerospace/defense. The second part of the workshop will be an opportunity for all participants to address specific questions about the application of system safety methods to SoS through dialogue and impromptu mini-presentations.

Tuesday 08·13·13, 1:30–5:00, Fairfield: Workshop

Advancing Safety By Reducing Errors: A Fresh Approach
Presenter: Tim Autrey, BSc, Error Reduction and Human Performance Enhancement, Practicing Perfection Institute Inc., Swanzey, NH, USA
Potential hazards workers face while working in the refining and petrochemical industry can vary from minor leakage to major blasts: release of chemical vapors, spills leading to exposure to harmful gaseous chemicals, fires and explosions, and smoke build-up causing shelter-in-place impacting the local community, personal injuries, fatalities, and plant damage resulting in shutdowns. Considering time pressures, the dangerous nature of the job, weather conditions, lack of communication, poor/inadequate documentation and remote working locations, planners, locators and refiners often face combined challenges that generate very error-likely conditions.

While unexpected releases of toxic substances do occur, the industry is subject to vulnerabilities caused by others (such as processes involving highly hazardous chemicals leading to the release of flammable liquids and gases, and worker stress and fatigue), and investigations reveal that many of the major accidents that do occur could have been prevented through greater diligence on behalf of the respective personnel involved.

This workshop is designed to provide the participants the awareness that, as humans, we are fallible (even the best people make mistakes). However, this being said, as humans we also possess the incredible power of choice. What we must do is choose to learn from our mistakes and take actions to prevent their recurrence.

Bird and Germain (1996) rightly said: "What is the sense of measuring if the loss must occur before you can act? That is reaction, not control." What we need is a fresh approach to enhance safe work practices. This session will instill a strong understanding of "The Gap" in processing information and how to RESPOND rather than REACT when posed with a stressful or threatening situation. The participants will come to recognize the value inherent in worker contribution to solving problems and improving safety and efficiency.

The Practicing Perfection® approach has taken the best-of-the-best tactics and tools from the US commercial nuclear power and airline industries, simplified them, and combined them with underlying triggers and influencers of behavioral psychology to transform worker behaviors pertaining to personal and process safety in different sectors.


Using this innovative approach of Practicing Perfection®, safe work practices will be discussed in depth using the four human error barrier/defense categories and how these work together to prevent/allow an event to occur. The participants will be introduced to the Error Elimination Tools™ handbook, which offers simple tools for minimizing the potential for error at points of team interaction and individual execution.

Wednesday 08·14·13, 1:30–3:30, Arlington: Workshop

The Evolution of the UK Defence Safety Standards
John McDermid, Professor of Software Engineering at the University of York, UK
Issue 5 of DS 00-56 is being developed and is likely to be in force before the end of the year. The UK's primary defence safety standard, DS 00-56, has been in existence since mid-1990 and has undergone a number of changes, becoming more goal oriented at Issue 4 (the current standard). When Issue 4 was produced, DS 00-55, the MoD software safety standard, was discontinued. Since the publication of DS 00-56 Issue 4 in 2007 there has been feedback on some of the requirements, including the challenges of applying the ALARP principle; defence contracting has changed, with a move towards the greater procurement of services and/or outsourcing management of facilities, and increasing use of Systems of Systems (SoS). Issue 5 of DS 00-56 is being developed to address these issues. At the same time there have been increasing concerns regarding software safety, and it has been decided to re-introduce DS 00-55 at the same time, albeit in a goal-based style consistent with DS 00-56 and also covering complex electronics. The tutorial will present an explanation of the motivation for the changes to the standards and the significant conceptual changes, and outline the rest of the development process. Time will be allowed for discussion, e.g. the relationship between DS 00-56 and other standards, both civil and military.

Wednesday 08·14·13, 1:30–3:30, Fairfield: Workshop

Aircraft Fire & Explosion – How Safe Are the Friendly Skies?
Albert Moussa, PhD, PE
While commercial air travel is an extremely safe mode of transportation, aircraft fires and explosions can occasionally occur with catastrophic consequences. Using examples of recent accidents and full-scale testing, Dr. Albert Moussa will provide an overview of the main types of fires, such as those involving aircraft engine, fuel tank, cabin and cargo areas. He will show how major accidents lead to safety recommendations by the NTSB, stricter requirements by the FAA, and improved practices by the industry. This process takes many years, leading eventually to safer skies. Examples of safety improvements include the use of a fire blocking layer in seats, improved acoustic insulation, fire detection and suppression systems in cargo bays, and fuel tank inerting. The implications of replacing aluminum with composite materials will also be discussed. The talk is an overview of a unique professional course that he teaches annually on the design of aircraft systems for protection against fire and explosion. The talk is a multi-media presentation illustrated with colorful slides and short video clips of real accidents and computer model outputs.

Dr. Albert Moussa has spent over forty years developing a fundamental understanding of fire and explosion, particularly for the aerospace/defense industry. His work has led to the development of a number of practical solutions and quantitative models and to the investigation of several major national and international aircraft fire accidents. His forewarning about the vulnerability of aircraft fuel systems before the occurrence of the TWA800 and Concorde disasters has gained him prominence in the general media in both the US and Europe. He has consulted for the Air Force, Navy and major firms such as Boeing, GE, Northrop Grumman and Parker Hannifin, and has served on national advisory committees and on the Editorial Board of an ASME Journal. He teaches a unique professional design course on how to protect aircraft systems against fire and explosion. He received his BS from Stanford University and his MS and ScD from MIT. He has published widely, including one book. He has received several honors, including the William Littlewood Memorial Lecture Award by SAE/AIAA, Engineer of the Year by AIAA NE Section, best papers by SAE and ASEI, AIAA Distinguished Lecturer, and several ASME citations. He is the Founder and Technical Director of BlazeTech Corp., an engineering firm that specializes in technology and software development in the area of energy, environment and safety.

Friday 08·16·13, 8:00–10:00, Clarendon: Workshop

Process Safety Culture Best Practices
Presenter: Laurence Pearlman, MA, Corven Inc. and University of Illinois at Urbana-Champaign, Naperville, IL, USA
The workshop explores how process safety is more than a technical solution and involves cultural change. To make a successful and sustainable culture change, multiple elements need to be combined that address people, rewards, learning and leadership. This workshop will explore best practices and give practical advice on how to build a process safety culture. The workshop is aimed at Oil, Chemical and other process-related work.

• Introduction
• Change as a Journey: Overview of Change Management
• Building a Business Case: Defining a Burning Platform
• Speaking of Process Safety: Creating a Common Language for Process Safety
• Leadership Matters: Defining the Role of Your Leadership Teams
• Effective Learning: Segmenting Your Audiences and Delivering Relevant Learning Activities
• Looking at Behaviors and Desired Outcomes: How To Define & Drive Behaviors
• The Employee Lens: Know My Barriers & Know My Role in Keeping Them Healthy
• Measurement of Culture: What Works and What Doesn't
• Wrapping it Up: Change as a System


PAPER PRESENTATIONS

Monday 08·12·13, AM, Berkeley: Hazard Analysis. Chair: Barondes

Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models
Lucas Wind, Dr. Gabriele Schedl, Juergen Floetzer, Safety Management Department, Frequentis AG, 1100 Vienna, Austria
Multiple failures of components due to shared causes, also known as Common Cause Failures (CCF), comprise an important class of failure types. These have to be taken into account in any serious assessment of safety critical systems deploying any redundancy concept. Whereas a qualitative assessment of CCF can be regarded as common practice, the exact numerical impact of CCF is usually less widely understood. Explicit representation of CCF is quite cumbersome and usually involves complex graphical representations within Fault Trees and RBDs. Focusing on a correct derivation of RAM data rather than on a comprehensive common cause analysis, an implicit representation of CCF is therefore often preferred, but it requires in-depth knowledge of the underlying mathematical models. This paper aims to enable safety experts to make a fast, simple but effective RAM analysis including CCF. Popular CCF models are reviewed together with their advantages and disadvantages, based on the long-term experience of a supplier in the context of a large European ATM project. The single-parameter beta-factor model is explained in detail and demonstrated to be most effective for typical ATM applications. Based on this model, results are given in terms of representative figures depicting the influence of CCF on various typical real-world availability requirements.

Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees
Wes Rainey, MSEE, Life Cycle Engineering, General Dynamics Electric Boat, Groton, CT, USA
Fault Trees prove to be an effective tool for identifying safety critical system hardware and software requirements during the Safety Requirements Hazard Analysis (SRHA) process. This safety analysis methodology offers significant benefits when performing the SRHA. Fault Trees effectively communicate the safety assessment of a safety hazard to other safety engineers, systems engineers, the customer and other impacted engineering disciplines in a manner that each discipline can readily understand and evaluate for completeness and correctness. Fault Trees also enhance the safety engineer's ability to assess the implications of safety mishaps and events on safety hazards, improving visibility into the relationship between related mishaps and events and allowing for common events to be identified and shared between hazards. Fault Trees can then be structured to correspond to the system hardware and software requirements analysis, thus providing the ability to identify hazard-mitigating safety critical requirements, design features and procedures early in the development process for continued tracking and management. This paper describes significant benefits of Fault Tree analysis when applied to an SRHA, with an example based upon a hazard caused by significant equipment damage to a pump.

The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment
Omar T. Jaradat, PhD Student (1); Patrick J. Graydon, Postdoctoral Research Fellow (1); Iain Bate (2). (1) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden; (2) Department of Computer Science, University of York, York, United Kingdom
Typical safety standards require software engineers to show that a plan of safety activities, chosen from recommended options or alternatives, meets a set of objectives. For example, the automotive safety standard ISO 26262 recommends formally verifying software architectures to show that they comply with safety requirements. In this paper, we show how an existing approach to architectural model checking could be used to conform to ISO 26262.

The Architecture-Based Verification Technique for AADL Specifications verifies some completeness and consistency properties of Architectural Analysis and Design Language (AADL) models. An engineer transforms the AADL architecture into an UPPAAL model, generates a set of UPPAAL queries, and uses UPPAAL to check the queries. Using the resulting evidence, we have created a partial ISO 26262 safety case for an existing system that warns drivers of heavy vehicles before low fuel causes loss of power and vehicle control.

In this paper, we demonstrate how this model-checking evidence contributes to an ISO 26262 safety case. We then critically analyze the resulting argument, recommend means of achieving complete coverage of ISO 26262 objectives, and discuss the costs and benefits of architectural model checking in comparison to those of the other techniques recommended by ISO 26262.

Monday 08·12·13, AM, Clarendon: Ground Transportation. Chair: Millin

Achieving Confidence of a Safety Critical System Product and Its Applications
Fenggang Shi, PhD, RAMS Department, Thales Canada Transportation Solutions, Toronto, ON, Canada
A safety critical system product can be developed for multiple project applications, such as a Communication Based Train Control (CBTC) product for modern railway signaling systems. It is natural that different safety critical systems in the same domain can have different characteristics due to variances of devices and operation environment. Such a product must be developed based on the generic attributes of systems in the domain and can be parameterized and tailored to a specific system with the characteristics expected by the customer. The key issues in development of such a product are defining common functions in the application domain, categorizing and generalizing devices, and designing a configurable system architecture. Thus devices and functions can be parameterized and tailored for a specific system of a project. Safety engineering for such a safety critical system product and its applications faces complexity in safety case development for demonstrating systematic hazard analyses and management. This paper discusses Thales' experience and practice of resolving the key issues in designs and managing the complexity of safety engineering on its CBTC product and applications. Safety confidence of CBTC systems is achieved through four layers of safety engineering: vital computer controller, platform, generic application and specific application.

Failure Logic Automata for Future Oriented Safety Assessment of Train Control System
Guo Zhou, PhD Student; Huibing Zhao, Professor; School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China
In the development process of a train control system, safety analysis possibly deviates from system design. System engineers and safety engineers always carry out their ideas in entirely different ways, so that when system engineers assert their designs are complete and feasible, the safety engineers may disappointedly declare that the safety requirements are not met. On the contrary, when safety engineers expose their manual analysis reports (FTA, FMECA, etc.), system engineers may pop up and point out the inconsistency. Intuitively, there seems to be a "gap" between system engineering and safety engineering. In this paper, some comparisons amongst classic safety assessment methods are performed first. Then a future oriented safety assessment method is introduced to safety engineering to automatically realize safety requirements verification with the soaring complexity of system design. The hierarchical and modularized methodology of failure logic modeling is illustrated for minimal cut set synthesis and dangerous failure rate calculation, which can be referred to in order to promote safety. The mathematical model is constructed to demonstrate the correctness of the method. An instance analysis of an on-board train protection system is also performed.

Are We Ready for Driverless Cars?
David B. West, CSP, PE, CHMM, AMCOM/AMRDEC Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
For decades, technological advancements have continually improved the automobile, making it easier to drive. As we integrate features like adaptive cruise control, GPS navigation, lane keeping and so on, and make them interoperable, we move ever closer to having cars that will drive themselves to the destinations we enter into their programs. Some experts have even predicted that in less than a generation it will be illegal to steer our cars ourselves. Though it may seem that serious safety challenges constrain our movement down this path, it may actually be the safety benefits offered by driverless cars that propel us in this direction. Several high-profile competitions have fostered the development of driverless car technology. Some jurisdictions are already passing legislation to pave the way for driverless cars on public roads. With driverless cars will come major changes in legal processes involving accidents. In many ways, the development of driverless cars that will operate on public roadways parallels the development of unpiloted aircraft that will fly in the national airspace. Design standards for hardware and software in civil aircraft (e.g., RTCA DO-254/DO-178) may serve as models for similar qualification of driverless car hardware and software.

Tuesday 08·13·13, AM, Berkeley: Hazard/Risk Management. Chair: Parizo

Safety is not an Option
Clifford A. Parizo, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Stratford, CT, USA; R. Brandon Daugherty, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Huntsville, AL, USA
This paper presents a method for evaluating and classifying rotorcraft safety enhancing equipment in terms of impact on safety and various equipment implementation factors. Guidance from certifying agency policy and system safety standard practice were considered, resulting in a classification tool that can be used to determine if equipment should be marketed and sold as either mandatory or optional. The methodology developed may have applications for other products and industries.

National Aerospace Standard 411 Update
Timothy Sheehan, CIH, CSP, PE, Raytheon Global Substances Program, Raytheon, Portsmouth, RI, USA
This paper describes the effort to review and update National Aerospace Standard 411 ("NAS 411"), commonly used within defense as a framework to conduct Hazardous Material Management Programs (HMMP) intended to reduce hazardous material risks in the government procurement of military systems. The scope of the effort includes both a review of the standard and the introduction of several key changes, including the expansion of the scope to non-military procurements and service contracts. Included in the effort is the task of developing a standardized military Hazardous Materials Target List (HMTL) that can be used as a starting point for military HMMP hazardous material (HAZMAT) target lists. The development of the common HMTL addresses the need to increase standardization of HMMP lists across defense programs that use NAS 411 and/or MIL-STD-882E Task 108 to conduct their HMMPs. There is no current standard approach for developing these lists; as a result, there are numerous different materials identified for restrictions and reporting requirements. The current situation often does not support (or reflect) the hazmat risk management goals of the DoD, the military services or the contractors.

Linear Integrated Safety Analyses (LISA)
Michael T. Grant, Aviation & Product Safety, Sikorsky Aircraft Corp., Stratford, CT, USA; Samad Muhammad, Atlantic Software Technologies Inc., New York, NY, USA
This paper describes the Linear Integrated Safety Analyses (LISA) process developed by the Sikorsky Aircraft Corporation (Sikorsky). The LISA architecture is designed to encompass all aspects of safety risk management for aircraft development programs. It is linear in that each assessment is repeated at the aircraft, system and subsystem levels in sequence, and it is integrated such that all analyses are connected and fully traceable to requirements. Sikorsky has partnered with Atlantic Software Technologies (AST) to develop a web-based LISA application. The end product will be a fully integrated system safety process that is comprehensive, repeatable and traceable.

Tuesday 08·13·13, AM, Clarendon: Workspace Safety. Chair: Kondreck

Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen
Han Zhang, MSc Candidate; Rachel McQueen, MS, PhD; Jane Batcheller, PhD; Human Ecology, University of Alberta, Edmonton, Alberta, Canada
Burn injuries in kitchens are prevalent; as well, chefs are exposed to high heat and humidity. Limited research has been performed on safety issues related to chef's uniforms regarding thermal protective performance towards common kitchen thermal hazards (i.e. flames, hot liquids, steam and hot surfaces) and the thermal comfort within commercial kitchens. The purpose of this research was to characterize the thermal protective performance properties of textiles used in chef's uniforms in order to understand how protective they are against all these thermal hazards in such an environment. Selected thermal performance tests (i.e. flammability and ease of ignition, hot water and oil splash, steam testing under low pressure, and hot surface contact tests) were applied to predict the time to second-degree burn. Different fabric layer combinations (e.g. impermeable/semipermeable apron and two or more layers of cotton fabrics) were applied to determine the most effective way to wear chef's uniforms. In addition, thermal and water vapour resistance were compared among different fabric systems in terms of thermal comfort. Based on the data obtained from bench scale tests, recommendations were made to improve the thermal protection and thermal comfort of fabrics used in chef's uniforms and the safety within commercial kitchens.

A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources
Ray Fischer (1); Kurt Yankaskas, BS (2); Chris Page (1). (1) Noise Control Engineering Inc., Billerica, MA, USA; (2) Warfighter Performance Department, Office of Naval Research, Arlington, VA, USA
Noise remains the most prevalent occupational hazard associated with defense systems and operations critical to their sustainment. Concurrently, acquisition programs have been inconsistent in application of control measures, and many new systems are noisier than their legacy predecessors. Common impediments to improved control include a relative lack of emphasis on risk management of noise, lack of widespread technical knowledge regarding the feasibility of noise control, and misunderstanding of the potential return on investment from noise controls. The Defense Safety Oversight Council's Acquisition and Technology Task Force sponsored a project to identify common noise sources affecting multiple defense systems that were amenable to control measures that could be implemented using existing technologies at an affordable cost. A system engineering risk management process was applied to review key noise sources in DOD, identify nine of the more common sources amenable to control technologies, and describe common control measures for these processes. An affordable containment (acoustic enclosure) technology was also evaluated and described. Estimates were made of exposed populations, the range of their occupational exposures, and the potential risk and fiscal cost of hearing loss. Cost-benefit analyses were applied to evaluate the return on investment from available control measures.

System Safety Design for Safe Operation of Radars
Ronald J. Bartos, PE, CSP, Whole Life Engineering, Raytheon, Sudbury, MA, USA
Safe operation and maintenance of radars depends upon effective system safety and software safety analyses of radar designs. These analyses include identification of the hazards involved in operating and maintaining radars and the safety requirements that are necessary to mitigate these hazards. This paper familiarizes the reader with the system safety design requirements that are implemented in the controls of these systems in order to manage the potential safety risks inherent in radars. The safety features are contrasted among different types of radars. The differences in the types of safety features among these systems are highlighted, and factors for these differences are presented. The radar's mission, location, system architecture, conceptual design, and requirements allocation between hardware and software need to be understood in order to implement an effective safety program.

Tuesday, 08/13/13 PM, Berkeley: Software Engineering. Chair: Mikula

Dependability Techniques Applied to Space Software - A Research Project Report
Carlos Henrique Netto Lahoz, Dr. Eng., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos (SP), Brazil; Martha Adriana Dias Abdala, M.S., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos, Brazil

This work reports some results of a research project performed at the Institute of Aeronautics and Space (IAE), Brazil, using dependability techniques applied to a space computer system. Hazard analysis techniques such as Software FTA and Software FMECA were used in an integrated manner, and more recently the System-Theoretic Process Analysis (STPA) has been studied. This research is part of the Verification and Validation (V&V) efforts to increase software dependability capability in software projects at IAE.

The feasibility of such an approach was assessed on a system software specification and applied to a case study based on the Brazilian Launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to the inclusion of new functional and non-functional system software.

The techniques are adjusted and used in combination to identify common causes of software failures, their criticality, performance problems, timing anomalies, and hazards arising mainly from dysfunctional interactions between components. The SFTA analysis produced 82 basic events, and the SFMECA produced 34 analyses from the sequence of flight and control events. The STPA is being applied to one of the case study scenarios in order to evaluate what additional information it yields about how the behavioural safety constraints can be violated.

The Principles of Software Safety Assurance
Richard Hawkins, PhD; Ibrahim Habli, PhD; Tim Kelly, PhD; Department of Computer Science, University of York, York, United Kingdom

We present common principles of software safety assurance that can be observed from software safety standards and best practice. These principles are constant across domains and across projects and can be regarded as the immutable core of any software safety justification. The principles also help maintain understanding of the 'big picture' of software safety issues whilst examining and negotiating the detail of individual standards, and provide a reference model for cross-sector certification.

Program ISSC 2013

Formal Modelling in the Development of Dependable Systems
Elena Troubitsyna, PhD, IT, Åbo Akademi University, Turku, Finland

Nowadays we tend to place increasing reliance on computer-based systems and the software they run. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, the analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.

It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing of software to the required degree of dependability infeasible, and hence the emphasis should be put on a development process aimed at producing fault-free software. Moreover, the system environment has a direct impact on its dependability, and hence a systems approach should be applied.

In the paper we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.

Tuesday, 08/13/13 PM, Clarendon: Aerospace Safety. Chair: Kraemer

Systems-Based Approach to Flight Safety Management in Airlines
Hong Chi, PhD; Baoguang Xu, PhD; Mingliang Qi, PhD; Xueyan Shao, PhD; Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China

Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of an SMS. Since 2006 we have worked with one of China's 3 big airlines, taking part in its construction of an SMS. We find that safety risks have their own features in different airline departments, and we divide safety risks into two categories: one is caused by factors such as the quality of pilots and the reliability of airplanes, and the other is caused by misprocessing within operational processes; for example, a misprocessing in data entry during dispatching may lead to insufficient fuel and then to serious outcomes. A reasonable risk assessment can be obtained only by systematic mechanism analysis, and other analytical approaches need to be studied besides the risk matrix. Based on this, effective risk mitigation can be implemented in airlines. We develop a closed loop to support an airline's flight safety management, named "Describing-Assessing-Diagnosing-Improving-Tracking". Specific details will be discussed in this paper.

Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch
Burak Durmaz, MSc Eng, Product Assurance Department, Space Systems Group, Turkish Aerospace Industries Inc (TAI), Ankara, Turkey

Even though new-generation aircraft have rugged designs that maximize reliability, exposure to failures during operation is still unavoidable. With a pure safety approach one arrives at the classical result "the safest aircraft is the one in the hangar". Conversely, allowing dispatch without ensuring a certain level of safety can lead to catastrophic results and is totally unacceptable. The MMEL has been answering this dilemma for many years. Each MMEL item is analyzed taking into account the effects of item inoperability on safe flight and landing, crew workload, the functional capabilities of the systems, design margins, and the impacts of the next critical failure. The MMEL proposes dispatch criteria for any inoperative MMEL item by taking credit from a redundant unit capable of accomplishing the same function or from backup data provided by alternative sources or equipment, by dictating acceptable limitations, and/or by requiring operational or maintenance procedures.

This study aims to answer questions such as why an MMEL is required and how an MMEL is developed. Brief information about the MMEL regulations, the importance of the MMEL in ensuring safe dispatch with inoperative item(s), and some simple examples of MMEL applications will also be provided.

Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics
Stuart Campbell Sr., MAS, CFII, ATP, Aeronautical Science, Embry-Riddle Aeronautical University, Daytona Beach, FL, USA

The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilots Association, 2010). The absence of a positive safety culture in general aviation, including training organizations, affects pilot judgment and decision making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture to the learning process and training, are of importance and are currently under study using the Frasca Mentor Advanced Aviation Training Device.

Tuesday, 08/13/13 PM, Dartmouth: Software Safety. Chair: Schmedake

Safety and/vs. Security: Towards a System Engineering Approach for Trust
Erwin Schoitsch, Dipl.-Ing., Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria

Safety has a long tradition in many engineering disciplines, evolving long before computers arrived on the scene. Security in engineering disciplines has a shorter history, becoming increasingly important with the rising complexity of networked systems. In complex cyber-physical systems and systems-of-systems, both worlds, having ignored each other for a long time (independent communities, different targets, standards, techniques and measures), now have to share their concerns to achieve the real goal of users and stakeholders: trustworthy systems.

The paper will compare the different approaches of the major safety and security standards, particularly with respect to setting goals, considering techniques and measures, and qualification/certification. Holistic system aspects, as covered by the notions of Dependability and Resilience as umbrella terms, and system engineering aspects that take into account the dichotomic properties of complex embedded systems (commonalities and trade-offs) are examined in order to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from the concept phase and hazard and risk analysis to decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC-FP7 Integrated Project OpenCoss, IEC/ISO standardization groups, and other work.

Anatomy of a Safety Critical Software Function
Richard Church, Raytheon Company, Tewksbury, Massachusetts, USA

This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides a clear and concise determination of how a safety critical function may be defined at the system level, to include hardware, software, human interactions, and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose an SLSCF into computing-level functions, details what constitutes a Safety Critical Computing Software Function (SCCSF), and shows how to identify those behavioral attributes that designate a function as safety critical. This paper provides a methodology to identify, decompose, and categorize application and operating environment SCCSFs. For the purpose of this paper, SCCSFs are divided into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety critical software functions that control and monitor safety critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies, and fail-safe designs found in successful high-consequence safety critical systems.

Software Risk: The Third Rail of Safety Analysis
Holly S. Hildreth, PhD, Consultant; Charles "Greg" Elcock, USN-R Aviator, Consultant; San Diego, CA, USA

"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Due to our inability to assess the probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called "throwing the baby out with the bath water". Meanwhile, the recent industry trend to assess software risk based solely on implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss the shortcomings of this trend and describe alternative techniques that have not been openly documented but that have been used "under the radar" by software safety professionals for many years.

Wednesday, 08/14/13 AM, Berkeley: Human Factors. Chair: Robins

ASL – Affective Safety Leadership
Ulrik Ramsing, Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark

Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how", requiring the CoRep to engage with all parties in a safe, professional and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged with CfL Centre for Leadership to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, satisfactory completion of which is now a requirement for employment in DONG E&P Offshore Operation as Company Representative.

The CoRep Program satisfies its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors, and ILO-driven offshore coaching.

Exxon Valdez: Human Error, Plain and Simple
Arthur D. Barondes, BS (Mil Engr), MS (Aero), MBA, PhD (ABD) (Business), Analytics International Corporation (AIC), Alexandria, VA, USA

Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989—and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors—there were no mechanical or electrical failures that fateful night—the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots, and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors—onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company—as solely responsible for the disaster.

Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A. Vernacchia, MS, PE, Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A. Green, PhD, Active Safety Systems, General Motors, Warren, MI, USA; Robert E. Llaneras, PhD, Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA

Today's electric propulsion system designs (e.g., Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, for some failure modes the failure effect on output torque may be realized significantly faster than for traditional ICE failure modes. These may present differences in how output torque responses affect potential "Driver Startle" events.

This paper compares electric propulsion systems' fault response characteristics, and the subsequent detection and mitigation capabilities, to those of ICE systems. The effects of the electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle-level hazard metrics related to Driver Startle, are presented.

Wednesday, 08/14/13 AM, Clarendon: Public Safety. Chair: Fletcher

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD; Yun Luo; Shuo Tian, MS; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

Scientific precaution against and effective control of accidents is important for national production in China. The famous Heinrich Rule reveals that the statistical law of the severity and frequency of accidents is essential to controlling accidents, but the accident source and causation, as well as the essence of systematic safety factors, haven't been stated deeply. Through data analysis of various accident statistics over recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. A proportion rule of the accident pyramid is then further worked out, namely "Major Accidents - Fatal Accidents - General Accidents - Hidden Dangers - Hazards" (1-52-240-4700-∞). The result accords with the traditional Heinrich Rule, provides a theoretical basis for accident prevention, and indicates the way and direction toward realizing essential safety.

Technical and Economic Aspects of Industrial Safety at a Large Enterprise with Distributed Sites Located in a Megacity
Ilya M. Zheleznov, PhD, VNIIA, Moscow, Russia

The paper presents a review and the results of an analysis of different technical and economic aspects of industrial safety at a large enterprise with distributed sites, combining R&D work with pilot and batch production of high-tech products, and located in a megacity – Moscow.

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to optimization are considered from both technical and economic points of view, taking into account minimization of transportation of dangerous substances; localization of treatment facilities (waste effluents, gas purification) and waste storehouses; localization of working-condition maintenance systems (heating, air-conditioning, air cleaning, water supply, etc.); possible harm to the population; and a number of other factors.

The features connected with the location of the enterprise in a megacity are identified, including limited areas for treatment facilities, a high density of various utility lines in the area, small distances to residential buildings and city infrastructure objects, transport problems, high pollution of the air environment, etc.

Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr., Professor G.A. Smirnov; Dr. D.I. Yurkov; D.V. Syagin; T.V. Kozhina; All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia

The paper reviews questions related to the vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including those of a terrorist orientation, as well as to emergency situations of natural and anthropogenic character.

The main provisions of the complex program of population safety on transport approved by the Russian Government are presented. Approaches to the organization of screening of physical persons (passengers), vehicles, cargoes, luggage and personal belongings at transport infrastructure objects of Russian undergrounds are formulated. Some types of neutron and X-ray equipment for the detection of explosives, nuclear materials and drugs, designed and produced by VNIIA named after N.L. Dukhov, are presented.

Wednesday, 08/14/13 AM, Dartmouth: Lifecycle Safety. Chair: Swallom

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore, Singapore

System safety analyses assess the systems' hazards throughout all phases of the system life cycle. Quite often, details of maintenance tasks on systems are not clearly thought out and assessed. Hence, while in the midst of carrying out system maintenance tasks, hazards could arise and pose safety implications to users. Improper maintenance could also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance and sometimes total replacement of the components at regular intervals are required. Therefore it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety critical or safety related parts is also crucial in ensuring that the systems remain safe for operation after maintenance has been conducted.

This paper attempts to classify the different types of maintenance and the focus of their respective hazard analyses in order to better address their potential hazards. Generally there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance and Reliability-Centered Maintenance. The authors will discuss, with examples, the hazard analysis for each of these types of maintenance.

[Advertisement] ALD Software: 30 Years of System Safety Leadership
Safety Service for Mission & Product Assurance. Safety Software for Highly Integrated Systems. Safety Training for Professionals.
Contact Us Today for a Free Web DEMO or Evaluation. USA Office: 5721 W Slauson Ave, Suite 140, Culver City, CA 90230. Tel 1-310-338-0990, Fax 1-310-338-0999.
AIRBUS | ALSTOM | BAE | CATERPILLAR | DEUTSCHE BAHN | EADS | FAA | FINMECCANICA | IAI | SELEX Galileo | LOCKHEED MARTIN | NASA | NORTHROP GRUMMAN | SCAC | SAAB | THALES ALENIA SPACE | VIBRO-METER | US NAVY (list cut off in the original)
RAM Commander: Ultimate Tool for Safety Assessment. FavoWeb: World Standard in FRACAS. D-LCC: Dynamic Cost Control.
www.aldservice.com

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram, David Hartfelder, Electronic Controls and Software, General Motors Company, Milford, MI, USA

System safety engineering is the application of special technical methods and managerial processes in a systematic manner to identify, evaluate and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned with eliminating or minimizing the impact of system hazard(s) to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementary critical safety analyses, tests and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase and continuing through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that they are able to influence the design of the system. This paper will define a system safety case and provide an overview of its development within the GM system safety engineering process as applied to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA

Error Prevention Event Collection (EPEC) Documents have been beneficial to the ULA Organization in many ways, by providing multiple methods to augment current ULA Error Prevention Processes and by sharing Lessons Learned throughout the ULA Organization. EPEC Documents are stand-alone documents that provide ULA Personnel with categorized sets of Event information that can be used to augment the Preventive Analysis, Reactive Analysis and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process, meaning that they have completed the Causal Analysis, Corrective Action Board and Error Prevention Council processes. Upon Event closure, the "All Items" Database is populated with the Event information and the applicable Event EPEC Categories. The "All Items" Database then automatically sorts Event entries into "Category" Databases; there is one "Category" Database for each EPEC Category. Each "Category" Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" Database that provides users with instructions for use, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications and benefits relating to the EPEC Documents will continue to be explored.

Wednesday, 08/14/13 AM, Exeter: Human Factors II. Chair: Flint

Development of an Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy; Yanyan Wang, DE; Xin Liu; Wei Bai; Xinsheng Guo; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China

Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress is detrimental to flight safety. Life events are a routine item of aircraft accident investigation in many countries, and many pilots involved in accidents were suffering from life events. In order to achieve the desired effect, flight safety education must be integrated with psychology. An education program combining flight safety and psychological stress was developed by summarizing the psychological factors relevant to aviation risk perception. The program includes three sections: psychological measurement relative to safety with feedback of results; education on representative risk scenes in aviation; and occupational stress management. The Aviation Safety Locus of Control scale and the Hazardous Aviation Attitude questionnaire were used to evaluate risk patterns, and the results were fed back to pilots to improve their self-knowledge. The representative risk scenes were based on the five hazardous attitudes theory; fifteen cases were developed and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach pilots stress management skills. The program can be applied to improve flight safety and the mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD; Xin Liu; Wei Bai; Xinsheng Guo; Qingfeng Liu, MPsy; Xiaochao Guo, DPsy; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China

The capabilities of crew resource management (CRM) relate directly to flight safety and run through the whole process of flight tasks, but there are currently no indicators and methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and the pilot's behavior characteristics in dynamic CRM were developed based on AC-121-FS-2011-41 (crew resource management training) and on analysis of the influential factors; from these, the dynamic assessment and training indicators and methods of crew resource management were formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis of CRM assessment during flight training, which is helpful in improving the CRM capabilities of the double drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD; Erin Collins; Hughes Associates Inc, Baltimore, MD, USA

The fire protection response in selected facilities is characterized by "manual" activities. That is, facility personnel are trained to react immediately after fire detection, not only to announce the fire event throughout the facility using the communication systems but also to suppress the fire as quickly as possible. In contrast to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e., hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper integrates an event tree analysis with HRA, and includes treatment of the following detection and suppression activities: Prompt detection and suppression, Rapid detection and suppression, and Fire brigade suppression.

Wednesday, 08/14/13 PM, Berkeley: Safety Topics. Chair: Gauthier

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou, BEng, MSc, PhD, CEng; Matthew Luckcuck; Tim Kelly, PhD; Richard W. Jones, PhD; Department of Computer Science, University of York, York, United Kingdom

There has been increasing use of IT in healthcare, aiming to improve the quality of healthcare as well as the safety delivered to patients. IT can contribute to improvement in meeting the performance targets of hospitals by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent in medical devices (e.g., pacemakers), for which there are organised efforts for international standards. Recently there have been attempts to systematise and standardise the safety analysis of health IT systems, with examples such as the UK National Health Service standards asking for a safety case showing that any IT system is safe.

The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety and data-intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these tactics can be used to provide assurance to the final safety case of the system.

How Complex Systems Fail - I: Decomposition of the Failure Histogram
Richard R. Zito, PhD, Richard R. Zito Research LLC, Tucson, AZ, USA

Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that in general the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model, and the failure histograms (failure rate vs. time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report takes the Peterson/Arellano analysis one step further. A unified theory of failure rates will be presented that removes the paradoxes of the simple Rayleigh model. It will be shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function law.
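To make the tail argument concrete, the following is an added Python illustration (not code from the paper) contrasting a single Rayleigh defect-rate curve with the "one Rayleigh per subsystem" mixture the abstract describes; the four subsystem modes, their weights and the histogram bin width are constructed values, and a discrete set of weighted modes stands in for the paper's continuous distribution of modes.

```python
import math

# Constructed illustrative inputs: four subsystems whose Rayleigh modes (time of peak
# defect discovery, e.g. in weeks) are 2, 4, 8 and 16, each holding a quarter of the
# defects. A weighted set of discrete modes is a quadrature of the "pdf of modes" the
# abstract refers to; a finer grid of modes approximates any continuous mode law.
MODES = [2.0, 4.0, 8.0, 16.0]
WEIGHTS = [0.25, 0.25, 0.25, 0.25]


def rayleigh_pdf(t, sigma):
    """Rayleigh density f(t) = (t/sigma^2) exp(-t^2 / (2 sigma^2)); its mode is at t = sigma."""
    if t <= 0.0:
        return 0.0
    return (t / sigma ** 2) * math.exp(-t * t / (2.0 * sigma ** 2))


def rayleigh_sf(t, sigma):
    """Survival function S(t) = P(T > t): the fraction of defects not yet found at time t."""
    if t <= 0.0:
        return 1.0
    return math.exp(-t * t / (2.0 * sigma ** 2))


def mixture_pdf(t, modes=MODES, weights=WEIGHTS):
    """Density of the per-subsystem model: a weighted sum of Rayleigh densities."""
    return sum(w * rayleigh_pdf(t, m) for m, w in zip(modes, weights))


def mixture_sf(t, modes=MODES, weights=WEIGHTS):
    """Survival function of the mixture (weighted sum of the component survival functions)."""
    return sum(w * rayleigh_sf(t, m) for m, w in zip(modes, weights))


def mean_matched_sigma(modes=MODES, weights=WEIGHTS):
    """Sigma of the single Rayleigh that has the same mean as the mixture.

    A Rayleigh mean is sigma*sqrt(pi/2), so matching means is matching the weighted
    mean mode. This is roughly what a naive one-curve fit to the histogram lands on.
    """
    return sum(w * m for m, w in zip(modes, weights))


def tail_ratio(t, modes=MODES, weights=WEIGHTS):
    """Mixture tail mass beyond t divided by the single-Rayleigh tail mass beyond t."""
    return mixture_sf(t, modes, weights) / rayleigh_sf(t, mean_matched_sigma(modes, weights))


def expected_counts(total_defects, sf, bin_width, n_bins):
    """Failure histogram: expected defects found in each interval [k*w, (k+1)*w)."""
    return [
        total_defects * (sf(k * bin_width) - sf((k + 1) * bin_width))
        for k in range(n_bins)
    ]


def tail_excess_bins(total_defects=1000, bin_width=2.0, n_bins=20,
                     modes=MODES, weights=WEIGHTS):
    """Histogram bins in which the mixture predicts more defects than the single fit.

    The early bins (fast subsystems) and, above all, the late bins land here: the
    single Rayleigh under-predicts the tail, which is the mismatch the abstract describes.
    """
    sigma = mean_matched_sigma(modes, weights)
    mix = expected_counts(total_defects, lambda t: mixture_sf(t, modes, weights),
                          bin_width, n_bins)
    single = expected_counts(total_defects, lambda t: rayleigh_sf(t, sigma),
                             bin_width, n_bins)
    return [k for k in range(n_bins) if mix[k] > single[k]]


if __name__ == "__main__":
    print("mean-matched single sigma:", mean_matched_sigma())
    print("tail ratio at t=30:", round(tail_ratio(30.0), 1))
    print("bins where the mixture exceeds the single fit:", tail_excess_bins())
```

With these constructed modes the mixture leaves roughly 130 times more mass beyond t=30 than the mean-matched single Rayleigh, which is the kind of excess tail a one-curve fit cannot reproduce.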

Wednesday, 08/14/13 PM, Clarendon: Risk Assessment. Chair: Karedes

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt; Joan Pham, PhD; Sikorsky Aircraft Corporation, Stratford, Connecticut, USA

The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and their interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday 08·15·13 AM, Berkeley: Space Systems (Chair: Durmaz)

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X. Dang, BSCE (1); Myles P. Moran, BSME (2); Tyrone Jackson, BSEE (1). (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA
A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. An example: one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 AFSPCSUP1, 91-217, and 63-101. AF program offices are required to comply with AFI policies. AFIs don't generally apply to the contractor except as implemented through the contract. Often, program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that by having two sets of requirements, AFIs for program offices and MIL-STD-882-Tailored for contractors, full compliance with AF Orbital Safety policy should be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"

ProgramISSC2013

43

Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G. McDougall, BS Physics, Naval Post-Graduate School (NPS) Master System Engineering, System Safety Center SMC/SE, El Segundo, CA, USA; Tyrone Jackson, BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA
Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommission and disposal of systems, subsystems, end items and services during the entire space system lifecycle to support Operational Safety, Suitability and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements that are applicable to the acquisition of space systems or space system of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems and user equipment systems. SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP_I and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process of evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing tasks and activities required to execute a viable system safety program, which include risk acceptance package development, hazard tracking, mishap risk disposition and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch, CO, USA
United Launch Alliance launches Atlas V and Delta IV from Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles. Large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle and prelaunch operations, until liftoff. Range Safety regulations provide safety requirements for hardware, software and operations to ensure safety throughout the ground processing. This paper will examine each stage of the ground processing for space launch and the applicable safety requirements, and discuss how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely after the personnel are cleared, using safety-critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday 08·15·13 AM, Clarendon: Weapons Safety (Chair: Southwick)

Security Critical Software — the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S. Alborzi, PhD, Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA
Today's political landscape, the arbitrary abandonment of non-proliferation of nuclear weapons by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense of system safety. This paper intends to explore this integration and unveil some of the security critical software that can serve as the first line of defense for preserving the safety critical features of our weapons systems.


Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams, BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello, BSChE, Navy NOSSA, Indian Head, MD, USA
The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance provided in the associated AOP-7 and AOP-39 for implementing policy. Questions are often raised during program development and reviews as to the origin and applicability of tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, will only address Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE; Gunendran Sivapragasam, MBA SE; Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA
A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among those characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday 08·15·13 AM, Dartmouth: Hazard Identification (Chair: Oliver)

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore
We have often asked ourselves why accidents or mishaps happen even when the system safety methodology and assessments are in place. Accidents happen due to many possible causes. There could be lapses in the safety integrity of the system, or a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns such that a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations that were faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist, and explores ways to minimize these gaps, thus improving the practices in system safety. There are 4 areas of concern highlighted in the paper: Interfaces, Prototype Tests & Trials, Maintenance & Disposal, and Human Error. By identifying the gaps in these 4 areas, the author explores and proposes mitigation measures that could possibly close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr. Cand. scient., System Safety, SINTEF, Trondheim, Norway
Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body for certification according to IEC 61508, a Notified Body for certification according to relevant EU directives, and a Manufacturer.

Experience has shown that, to deliver the product in time and to be cost-effective, it is very important that the Manufacturer and the Certification and Notified Body agree about basic principles concerning the plans, contents, traceability and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Body as evidence.

This paper presents the CoVeR method that has been developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, that costs are minimized, that time to market is reduced, that the certification process is complete and well documented, and that updates of the certificates require less work. The certification experiences to date show that many of the problems with conventional methods are improved upon.

Design with Safety Eye
Barış Berk Erdem, MS; Pinar Aydin, MS; Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey
Deriving safety requirements in the early stages of the design is one of the most important factors in conducting a successful development process for any project. Just as well-defined, correct, consistent and complete safety requirements improve and guide the design to perfect levels with minimum effort, defective, inconsistent and incorrect safety requirements may lead to unsuccessful, overweight and over-cost designs. In this paper, ways and advantages of deriving qualified safety requirements in the early stages of the design will be discussed via examples. Safety requirements are derived using the results of the safety assessments, based on the consequences of functional failures. But the quality of safety assessments depends on the maturity of the design, and as the design matures it is hard to change and implement the changes, which causes a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated and familiar with similar projects provides great contributions. Also, a safety perspective throughout the design team makes it easy to derive valuable safety requirements and build these requirements into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is the cooperation of the whole design team with a safety perspective.

Thursday 08·15·13 PM, Berkeley: Aerospace Software (Chair: Beecher)

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway, NASA Langley Research Center, Hampton, VA, USA
For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements". Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments contained in or implied by the DO-178C guidance that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore, developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels, and Baconian probability. We define use cases for confidence in safety cases, prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for reuse of safety elements.

Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System
Eric Yang, PhD; Richard Y. Xie, PhD; Arash Yousefi, PhD; Metron Aviation, Inc., Dulles, VA, USA
As demand for military, civilian and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety that is set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper we adapt a previously developed safety modeling framework, Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS, incompatibility of sense-and-avoid systems of UAS and Tactical Collision Avoidance Systems (TCAS) of manned aircraft, loss-link procedures in the UAS, and the UAS loss of communication with air traffic control. The findings of this study provide insight into potential risks of UAS integration and may support development of a concept of operation, establishing minimum performance standards, and developing required safety nets.

Thursday 08·15·13 PM, Clarendon: Public Safety II (Chair: Laabs)

Integrating System Safety and Emergency Management
Terry L. Hardy, Great Circle Analytics LLC, Denver, CO, USA
System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations, or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS, HSE, Marine Well Containment Company, Houston, TX, USA
Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess and Statoil. In February 2011, MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS and Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach for working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.

WHAT ARE YOUR STRENGTHS AS AN ENGINEER?

"thinking system-wide" · "providing in-depth analysis of the latest technologies" · "solving real-life problems"

ONLINE MASTER'S DEGREES
• Reliability Engineering
• Project Management
• Nuclear Engineering
• Sustainable Energy
• Energetic Concepts
• Fire Protection Engineering

LEARN MORE: wwwadvancedengineeringeduissc


A Taxonomic Analysis on Chinese Special Equipments "Yinhuan" in Supervision
Yunxiao Fan, Dr., Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipments to ensure their safety on the worksite. Special equipments in China include boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices and automobiles. In recent years, the rapid increase in the number and types of special equipments has put BSES under increasing stress in regulating special equipments. As a government supervision organization, BSES tries to make the inspection tasks of the different supervision levels explicit and efficient, and to improve safety management performance from the viewpoint of risk. This research is the first task in a project which aims to identify yinhuans in special equipment supervision through a taxonomy approach, for further ranking of them through risk assessment. Based on nonconformity and the 4 elements in the accident causation model, this research defined yinhuans of special equipments in China and built a yinhuan taxonomic analysis structure. This research identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans across 8 types of special equipments.

Thursday 08·15·13 PM, Dartmouth: Hazard/Risk Management II (Chair: Kniess)

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1); Patrick J. Graydon, PhD (2); Rikard Land, PhD (1). (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework including analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach, the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence; it can ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA
United Launch Alliance (ULA) believes error reporting is the cornerstone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012, ULA experienced an elevated number of transportation-related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if the associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates processes were "in control" during the period of this study.

Even though statistical analysis tools demonstrated ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.

Isograph Software: World Leading Reliability, Availability and Maintenance Software
Reliability Workbench: Reliability Allocation, Prediction, FMECA, Fault Tree Analysis, Event Tree Analysis, Markov
Availability Workbench: Reduce Labor & Spares Costs, Increase uptime and output, Seamless integration with SAP and Maximo
www.isograph-software.com

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, PEng, MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece
Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how the STAMP Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents and incidents. The objective is to show the feasibility of establishing in airports system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems and airports to assess and predict changing levels of risk.


Special Functions

Saturday: SSS Executive Council Meeting, 12:00 - 5:00 pm, Tremont Room

Sunday: SSS Executive Council Meeting, 8:00 am - 5:00 pm, Tremont Room

Monday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
Opening Ceremonies / General Session, 1:30 - 3:30 am, Salons A-E. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus. Keynote Speaker: James P. Keller, Jr., MS, ECRI Institute

Tuesday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
Sponsor/Exhibitor Luncheon, 11:30 am - 1:20 pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology
Sponsor & Exhibitor Reception, 6:30 - 8:30 pm, Gloucester Room

Wednesday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
International Luncheon, 11:30 am - 1:20 pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK
Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00 pm. Be in the hotel lobby at 6:00 pm

Thursday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
Awards Luncheon, 11:30 - 1:20 pm, Salons A-E

Friday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
Best Papers Presentations, 8:00 - 11:20 am, Dartmouth Room


32nd International System Safety Conference, 4-8 August 2014 · St. Louis, MO
St. Louis Union Station Marriott Hotel
32nd International System Safety Conference · St. Louis, Missouri · August 4-8, 2014 · Gateway to Safety

Local attractions:
• Gateway Arch Riverfront
• Missouri History Museum
• Museum of Transportation
• St. Louis Cardinals
• St. Louis Symphony
• St. Louis Union Station
• St. Louis Science Center
• The Contemporary Art Museum St. Louis
• Bissell Mansion Restaurant and Dinner Theater
• Missouri Botanical Gardens
• Laumeier Sculpture Park
• Anheuser-Busch Brewery
• Kemp Auto Museum
• Schlafly Bottleworks
• Fox Theater
• Purina Farms
• Meramec Caverns
• Laclede's Landing
• City Museum
• Magic House
• Grant's Farm
• St. Louis Zoo
• Delmar Loop
• Forest Park
• Harrah's
• Six Flags


About the System Safety Society
The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program or activity at the planning phase and continues through the design, production, testing, use and disposal phases.

The Society's Objectives
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070, www.system-safety.org, email: systemsafety@system-safety.org

Points of Contact
Officers
Robert Schmedake, President, robertaschmedakeboeingcom

Dr. Rod Simmons, Executive Vice President, rodsimmonsmecom

Dr. Matt Johnson, Executive Secretary, mjohnsonstaudertechcom

Pam Kniess, Treasurer, pamkniessgmailcom

Gary Braman, Immediate Past President, gbramansikorskycom

Directors
Gerry Einarsson, Chapter Services, einargkrogerscom
Lynece Pfledderer, Conferences, Lynecepfleddererlmcocom
Dr. Chuck Muniak, Education & Professional Development, cmuniakstevensedu
Debbie Hale, Gov & Intersociety, Hale0324hotmailcom
Robert Fletcher, International Development, rwfletchersympaticoca
Melissa Emery, Member Services, memeryapt-researchcom
Steve Mattern, Mentoring R&D, smatternbastiontechnologiescom
Saralyn Dwyer, Publicity & Media, sdwyerapt-researchcom


Chapters
Tennessee Valley Chapter (AL): Don Swallom, swallomisss-tvcorg

Saguaro Chapter AZ Amanda Boysun 520-794-5487 AmandaBoysunraytheoncom

Bay Area Chapter CA Graham Murray 408-756-2674 grahamtmurraylmcocom

Central California Chapter CA Kathleen Brenna KathleenBrenna1usafmil

Sierra High Desert Chapter CA Jerry Banister 760-377-4690 safetycitadelearthlinknet

Southern California Chapter CA Francis McDougall 310-653-1309 francismcdougallusafmil

Colorado Chapter Terry Foppe 303-915-8353 terryfoppecomcastnet

Georgia Chapter Terry Gooch 770-494-3527 terryjgoochgmailcom

Winners Circle Chapter (KY/IN): Marc Bever, 812-854-1351, Marcbevernavymil

Twin Cities Chapter MN Bill Blake 763-744-5086 billblakeatkcom

New England Chapter Alan E Southwick 401-842-2067 Alan_E_Southwickraytheoncom

Northeast Chapter Scott Beecher scottbeecherPWutccom

New Mexico Chapter NM William (Bill) Harwood williamharwoodmdamil

Houston Chapter TX Derek Robins 281-335-2011 derekrobbinsmwcc-usacom

North Texas Chapter TX Frank Rinaldo 817-762-3075 frankrrinaldolmcocom

Washington DC Chapter Sean Peters seanpetersurscom

Virtual Chapter Doanna Weissgerber 408-289-4407 DoannaWeissgerberbaesystemscom

International Chapters
Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbechtrgbassurancecomau

Canada Chapter Maury Hill 613-220-0533 Mauryhillrogerscom

Israel Chapter Haim Kuper 972-4-8315044 haimkuperelbitsystemscom

Singapore Chapter Ten Lin Mei tlinmeidsoorgsg


31st issC lunCheon Menu

tuesday august 13

New England Clam Chowder

Grilled Sirloin Shiitake Mushroom Risotto Seasonal Vegetables Port Wine Reduction

Key Lime Tart in a Hazelnut Crust Blackberry Pate de Fruit

Wednesday august 14

Asian Inspired Salad

Teriyaki Chicken, Coconut Rice, Seared Bok Choy

Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15

Caesar Salad

Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce

White Chocolate and Blood Orange Torte


Tutorials

The conference organizers have an information-packed tutorial program planned in conjunction with the 31st ISSC. Attending tutorials, as well as other elements of the Technical Program at the 31st ISSC, meets the requirements for Continuance of Certification credit through the Board of Certified Safety Professionals (BCSP). The University of Cincinnati will issue Continuing Education Units (CEUs) for participation in the conference tutorials. CEUs are issued on the basis of 0.1 CEU per instructional contact hour. You must be present for at least 90% of the tutorial to receive CEUs and a tutorial completion certificate. Your attendance is verified via the process outlined below.

• At the start of the tutorial, you'll clearly print your name in the attendance form exactly as you want it to appear on the certificate.
• After returning from each break during the tutorial (morning, lunch and/or afternoon), you'll initial the attendance form.
• You must be present at the end of the tutorial to receive your certificate and the CEUs.

If there are misspellings on the CEU certificates, please mark the corrections and give them back to the instructor or leave them at the registration desk.

Monday 08·12·13, 8:00-11:30, Exeter, Tutorial, 0.3 CEU

Hands-On System Safety Basics Focused on FHA
Instructors: Werner Winkelbauer, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria

An overview of a generic safety process best suited for small to medium sized projects, in relation to the project lifecycle, is given. For each major project phase, the respective safety process phase, safety objectives and necessary inputs and outputs are detailed. Some state-of-the-art analysis techniques are explained. Special emphasis is placed on the Functional Hazard Assessment, where practical guidance for a Functional Failure Modes and Effects Analysis is presented.

The content of this tutorial is based on experience from an internationally operating company.

Objective: Basic understanding of a safety process and the practical implementation of a Functional Failure Modes and Effects Analysis.

Monday 08·12·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Introduction to Fault Tree Analysis Using CAFTA Software
Instructor: Jean Francois Roy, Nuclear Division, Risk & Safety Management Group, Electric Power Research Institute, Palo Alto, CA, USA

This tutorial will introduce Fault Tree Analysis using CAFTA software. Attendees will first review fault tree methodology and terminology. Construction of a fault tree model in CAFTA will then follow a brief review of CAFTA's components and symbol types. In constructing the fault tree model, topics covered will include projects, navigation, editing shortcuts and how to add probabilities. An overview of basic event probability formulas, type codes and variables will be included, as well as printing and quantification processes.

Tuesday 08·13·13, 8:00-5:00, Arlington, Tutorial, 0.6 CEU

A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique
Instructors: Nancy G Leveson PhD, John Thomas PhD, Aeronautics and Astronautics, MIT (Massachusetts Institute of Technology), Cambridge, MA, USA

STAMP is a new accident causality model that expands on the old models in order to handle the increased complexity, software and changing human roles in today's systems. Using STAMP as a foundation, new tools have been built for hazard analysis (STPA), accident analysis (CAST), organizational risk analysis, risk management, etc. This tutorial will concentrate on STPA. The tutorial will start with a brief introduction to STAMP and the systems approach to safety engineering. The rest of the time will be devoted to learning STPA and doing exercises. Students are encouraged to bring problems from their own research domains so that they can try this analysis method on something very relevant to their work.

STPA is being used successfully in almost every industry. Several groups have evaluated STPA empirically by comparing the results with standard hazard analysis techniques. In all cases, STPA found all the hazard scenarios found by the other methods, but also found additional ones involving software, human errors and unsafe interactions among system components. In a couple of cases where STPA and the other methods were applied to a design in which an accident had occurred (without telling the analysts), STPA was the only method that found the real accident scenario.

By the end of the tutorial, attendees will be able to apply STPA to a system in their field of expertise.

Tuesday 08·13·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Assurance Cases as a Means of Evidence-Based Development of Critical Systems
Instructor: George Despotou BEng MSc PhD CEng, Department of Computer Science, University of York, York, United Kingdom

Often developers have the onus to defend a position (i.e. make a case) about the safety of their system. This usually involves an explanation of how the available information for a system supports the claim that risks in the system have been acceptably managed.

Safety cases have been used in the safety domain for a number of years, mostly in the defence, aerospace and energy domains. Their usefulness as a tool for improving safety has been appreciated by many practitioners, and development of a safety case is a requirement in many standards. This has resulted in the core concepts of safety cases being transferred to other domains (e.g. automotive) and being focused on other system attributes (e.g. security cases). Recently the term assurance case has been introduced, which encompasses not only safety but other relevant critical aspects of a system, such as security.

A case exists to communicate an argument. It is used to demonstrate how someone can reasonably conclude that a system is acceptably safe from the evidence available. A case is a device for communicating ideas and information, usually to a third party (e.g. a regulator). In order to do this convincingly, it must be as clear as possible. Safety case definitions may differ between domains, but all definitions converge on a set of characteristics.

Development of a (safety) case is a requirement in many standards. However, the usefulness of the safety case has also been appreciated in industry, and it is used by many organisations as good practice. The reason for this is that explicitly capturing all reasoning and information about the supported position, such as assumptions and evidence, facilitates assessing the fitness of the design to meet its (safety) objectives. A manufacturer will design a system aiming to achieve the required operational attributes. However, what is intended is often not what is achieved. Once the reasoning of the developers is explicitly documented as claims and arguments supported by evidence, the gap between what was intended and what was achieved becomes more apparent.

Explicitly documenting a case will contribute towards a factual representation of the system, revealing which claims can be supported by evidence and which remain intentions (for example because there is insufficient evidence to support them). This does not necessarily imply that the latter claims have not been implemented, but that we are unaware of whether they have been achieved, as they are not sufficiently supported. There can be three reasons why a claim is not sufficiently supported: a) there is not sufficient evidence to warrant the claim; b) although there is evidence, there is inadequate explanation (a problematic argument structure) of how the evidence supports the claim; and c) the claim was phrased in a way that is unsupportable.

The tutorial describes the basic concepts of assurance and safety cases (including recent OMG standards), explains the main challenges in developing an assurance case and their relationship to safety standards (safety cases and standards serve different purposes and should be seen as complementary), and presents best practice (and misconceptions) regarding assurance cases.

Tuesday 08·13·13, 8:00-11:30, Suffolk, Tutorial, 0.3 CEU

Practical Generation of Safety Cases with the Help of GSN
Instructors: Andreas Gerstinger, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria

This tutorial will introduce you to the concept of safety cases. Safety cases are structured arguments that support the claim that a system is safe to be used for a given application in a given environment. Several standards require the production of such safety cases as a prerequisite for approval. The tutorial will highlight good and bad practices when developing safety cases and will introduce you to a notation specifically developed for the generation of safety cases: the Goal Structuring Notation (GSN). There will be practical examples which need to be solved by the attendees, so that hands-on practice and experience is gained.

Detailed outline of the tutorial:

Introduction (1h): The tutorial will start with a survey of current safety standards (IEC 61508, ISO 26262, EN 50128, DO-178C) and analyse their views and requirements regarding safety cases. We will then delve into the nature of safety cases, briefly touch on their historical origins and clearly consider what can and what can't be expected from a safety case. Based on our practical experience, we will also highlight some typical bad practices when constructing safety cases. This helps to read them correctly and critically, and is also a helpful guideline for reviewing other safety documentation. This part of the tutorial is largely a presentation.

Goal Structuring Notation (45 min): We will now introduce the main elements of the Goal Structuring Notation (GSN), which is a helpful tool to document safety cases. The presentation of the notation will be interleaved with brief examples, exercises and questions, so that attendees have the chance to fully understand the meaning and purpose of the various symbols. A structured method for how to proceed when drafting safety cases will also be presented. Hence this part of the tutorial is much more interactive, requiring active participation of attendees.

Case Study (45 min): A realistic case study will then be handed out. It is expected to be solved as group work (groups of 3-5 people are expected). The task of the groups will be to draft and present a sound safety argument for a given claim that the system in the case study is acceptably safe for a specific application in a given environment. GSN shall be used as the notation for this purpose. At the end, the groups present their solutions and the advantages/disadvantages of the presented solutions are discussed. This part of the tutorial is group work.

Concluding Remarks (30 min): Finally, we will offer some concluding remarks consisting of hints on how to avoid common errors and fallacies in safety cases, show some examples of real-world safety cases, and finish with a personal conclusion.

Tuesday 08·13·13, 1:30-5:00, Suffolk, Tutorial, 0.3 CEU

Improving Safety Management by Using a Risk Management Policy in Your Daily Operations
Instructor: Ronald E Fitzgerald DPA PE CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA

The focus of the tutorial is the use of risk assessment and risk management in the (non-technical) occupational safety and health profession. Domain of Interest: Hazard/Risk Management or Workplace Safety.

First hour: Review the basics of the various components of risk and types of risk assessments. Stress that the safety and health professional needs to understand that risk is more than a simple subjective measure of severity and frequency.


Second hour: Demonstrate how to make risk assessment into a powerful management tool by customizing the assessment of risk for use in a company/industry. Also provide insights on how to "sell" a risk management policy/program within a company.

Third hour: A discussion of how to use risk management as a tool to aid you in your daily office or program management responsibilities: the planning, organizing, staffing, leading and controlling of a safety program. Embedded in the discussion is how risk can provide a measure of the success of an occupational safety and health program.

Wednesday 08·14·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Why You Should Care About the "-Ilities"
Instructor: Alan E Southwick BSEE MME MBA CSP CQE CRE, Whole Life Engineering Directorate, Raytheon Company Integrated Defense Systems, Portsmouth, RI, USA

The topic addresses the interrelationships developed from Quality, Quality Control and Quality Engineering pursuing Specialty Engineering roles and relationships, including Reliability, Maintainability, Supportability, Human Factors, Safety and Security (Information Assurance), from an overview perspective. The tutorial is designed to be somewhat interactive, presenting examples and questions to the audience related to the various topics discussed, thereby engaging participants and providing them with insights into the various disciplines and how they relate within "Specialty Engineering".

Wednesday 08·14·13, 1:30-3:30, Dartmouth, Tutorial, 0.2 CEU

Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System
Instructors: Tim R Behnke BSEE, John Damstra BS Mathematical Sciences, and Eric D Villhauer BS Aerospace Eng, BA Economics, Specialty Engineering, General Atomics Aeronautical, Poway, CA, USA

The presenters share their implementation of a hazard analysis that integrates the civil aviation approach to safety analysis per SAE ARP 4761 and the defense approach to safety analysis per MIL-STD-882E, along with their implementation of the associated hazard tracking system in DOORS.

• Introductions - Behnke - 5 mins
• Need for System - Behnke - 5 mins
• Groundwork (historical) - Behnke - 10 mins
• Development - Damstra - 30 mins
  i. Modules
  ii. Attributes
  iii. DXLs
  iv. Views
  v. Exports
• Usage - Villhauer - 30 mins
• Questions - All - 10 mins


Wednesday 08·14·13, 1:30-3:30, Exeter, Tutorial, 0.2 CEU

Where Hard Meets SOFT: Human Factors' Role in System Safety Engineering
Instructor: Fred W Brisbois CHCM, Safety, Sikorsky Aircraft / International Helicopter Safety Team, Guilford, CT, USA

The gap that allows accidents to happen is sometimes where System Safety Engineering and Human Factors don't overlap. System Safety Engineering processes defined in MIL-STD-882 and ARP 4761 provide a structured approach to applying engineering practices to ensure safety is designed into products. These practices, coupled with robust product safety surveillance and management during the aircraft's service life, offer opportunities to continuously raise the standards for future designs. However, to maximize the benefits of safety engineering, it is important to master the 'art' of how and when to integrate human factor interventions into the system design. This session will cover a generic overview of system safety engineering, aircraft fleet safety management, and lessons learned from 'human' malfunctions that led to aircraft system design changes.

Wednesday 08·14·13, 1:30-5:00, Wellesley, Tutorial, 0.3 CEU

Using Risk Profiles for Safety Management of Large Scale Operations
Instructor: Ronald E Fitzgerald DPA PE CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA

This tutorial provides safety and health professionals who work with large scale or multiple operations with a methodology to evaluate and compare these operations. The tutorial begins with a review of four types of risk which need to be assessed (People, Product, Production and Planet). This is followed by a brief discussion of normalizing the risk components of severity and probability. The heart of the tutorial is the description of how to measure the total risk of various operations, processes and facilities and present the resulting risk profiles to management. The tutorial will conclude with a brief discussion on the validity of the methodology used. Note: This is not a discussion on how to determine true total risk, but a simplified method using a minimum of math. The tutorial is designed for safety and health professionals working within a company that has multiple processes or facilities that compete for funding to ameliorate hazards.

Thursday 08·15·13, 8:00-5:00, Exeter, Tutorial, 0.6 CEU

Conceive of Modeling On Operation Mechanism of Public Safety Standardization
Instructors: Yun Luo and Yuecheng Huang ME, School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

On the basis of theories and methods of system science and strategy-system, this paper reveals the operation law of standardization of safety production and the relations between all its elements, combined with the background and current situation of public safety standardization in China. It also builds the frame of a macroscopic operating mechanism and the "456" model of the work safety standardization system operation mechanism, which borrows from the execution and achievements of work safety standardization in China. Besides this, it also designs six other mechanism models in order to perform systematic analysis and present optimized countermeasures, such as comprehensive management by government, categorized supervision by department, implementation of responsibility by organization, technological service by agency, wide participation by society, self-disciplined prodding by entire personnel, and so on. The research provides some theoretical directions as well as approaches for the construction and improvement of the operation quality of public safety standardization.


Panel Discussions / Forums

Tuesday 08·13·13, 8:00-11:30, Dartmouth, Open Forum

Developing Global System Safety Perspectives
Moderator: Robert Ward Fletcher PEng MSc PMP PCIP, Consultant/President, Robert Fletcher System Safety Inc, Ottawa, Ontario, Canada

This will be a free-form discussion moderated by Bob Fletcher, SSS Director of International Development. It is a continuation of the discussion started during the 30th ISSC.

Robert is a system safety engineer with many years of experience. He has performed system safety consultancy services work for several clients around the world. He has performed system safety engineering and safety management systems training, auditing and analysis for air traffic control and flight service system applications. Robert has received an MSc from the United States Navy Post Graduate School, a diploma from the Aerospace Systems School, Winnipeg, Manitoba, and a Bachelor of Science degree from the Royal Military College. He is a registered professional engineer, a member of the Project Management Institute and the Critical Infrastructure Institute.

Thursday 08·15·13, 8:00-11:30, Suffolk, Panel

G-48 Workshop - Pressing Issues Facing System Safety
Moderator: David B West CSP PE CHMM, Systems Software and Solutions Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA

A panel of speakers (TBD) will give a series of presentations on the most pressing issues facing the System Safety community today.

Workshops

Tuesday 08·13·13, 8:00-11:30, Exeter, Workshop

ISO 26262-Style Risk Assessment
Presenter: Jeff J Joyce PhD, Critical Systems Labs Inc, Vancouver, BC, Canada

ISO 26262 is a functional safety standard for electronic control systems in road vehicles which includes a novel approach to risk assessment that overcomes the widely recognized difficulty of evaluating the likelihood of failure in the case of software-intensive systems. Although it was devised for use in the automotive domain, this approach to risk assessment has been used successfully in other technical domains that also rely on safety-critical software. Following a brief introduction to ISO 26262, participants will engage in a series of problem-solving small-group exercises based on examples taken from a variety of technical domains, including automotive, medical devices, energy and defense. The workshop will include opportunities for discussion and comparison of sample solutions. The workshop will also include a brief comparison of the ISO 26262 approach to risk assessment with the notion of software criticality in MIL-STD-882E. While this workshop will be of particular interest to system safety engineers in the automotive industry, it is intended to be relevant to system safety engineers across all technical domains with an interest in the assessment of safety risk associated with complex software-intensive systems.


Tuesday 08·13·13, 1:30-5:00, Exeter, Workshop

Application of System Safety Methods to Systems of Systems
Presenters: Jeff J Joyce PhD, Critical Systems Labs Inc, Vancouver, BC, Canada; Rami Debouk, Electrical and Controls Integration Lab, General Motors, Warren, MI, USA; Antonio Vergara, ITER Organization, St Paul-lez-Durance, France

This workshop will facilitate an exchange of knowledge among participants about the application of system safety methods to Systems of Systems (SoS), that is, systems whose components are themselves complex systems, such that the combined behavior of these components cannot be easily understood or explained in terms of the behaviors of the individual components. Examples of such systems are increasingly common across a variety of technological domains, including aerospace, defense, automotive and energy generation/distribution. Traditional methods of system safety, focused on component failure as a source of safety risk, have limited value in understanding and managing the safety risks associated with a SoS. For example, an unforeseen interaction between two "correct" behaviors implemented by different components of a SoS may result in an unsafe behavior even in the absence of a component failure. The first part of the workshop will be a series of short presentations on SoS examples from a diverse variety of technical domains, namely advanced road vehicles, high energy physics and aerospace/defense. The second part of the workshop will be an opportunity for all participants to address specific questions about the application of system safety methods to SoS through dialogue and impromptu mini-presentations.

Tuesday 08·13·13, 1:30-5:00, Fairfield, Workshop

Advancing Safety By Reducing Errors: A Fresh Approach
Presenter: Tim Autrey BSc, Error Reduction and Human Performance Enhancement, Practicing Perfection Institute Inc, Swanzey, NH, USA

Potential hazards workers face while working in the refining and petrochemical industry can vary from minor leakage to major blasts: release of chemical vapors, spills leading to exposure to harmful gaseous chemicals, fires and explosions, and smoke build-up causing shelter-in-place impacting the local community, personal injuries, fatalities and plant damage resulting in shutdowns. Considering time pressures, the dangerous nature of the job, weather conditions, lack of communication, poor/inadequate documentation and remote working locations, planners, locators and refiners often face combined challenges that generate very error-likely conditions.

While unexpected releases of toxic substances do occur, the industry is subject to vulnerabilities caused by others (such as processes involving highly hazardous chemicals leading to the release of flammable liquids and gases, and worker stress and fatigue), and investigations reveal that many of the major accidents that do occur could have been prevented through greater diligence on behalf of the respective personnel involved.

This workshop is designed to provide the participants with the awareness that, as humans, we are fallible (even the best people make mistakes). However, this being said, as humans we also possess the incredible power of choice. What we must do is choose to learn from our mistakes and take actions to prevent their recurrence.

Bird and Germain (1996) rightly said, "What is the sense of measuring if the loss must occur before you can act? That is reaction, not control." What we need is a fresh approach to enhance safe work practices. This session will instill a strong understanding of "The Gap" in processing information and how to RESPOND rather than REACT when posed with a stressful or threatening situation. The participants will come to recognize the value inherent in worker contribution to solving problems and improving safety and efficiency.

The Practicing Perfection® approach has taken the best-of-the-best tactics and tools from the US commercial nuclear power and airline industries, simplified them, and combined them with underlying triggers and influencers of behavioral psychology to transform worker behaviors pertaining to personal and process safety in different sectors.


Using this innovative Practicing Perfection® approach, safe work practices will be discussed in depth using the four human error barrier/defense categories and how these work together to prevent/allow an event to occur. The participants will be introduced to the Error Elimination Tools™ handbook, which offers simple tools for minimizing the potential for error at points of team interaction and individual execution.

Wednesday 08·14·13, 1:30-3:30, Arlington, Workshop

The Evolution of the UK Defence Safety Standards
Presenter: John McDermid, Professor of Software Engineering at the University of York, UK

Issue 5 of DS 00-56 is being developed and is likely to be in force before the end of the year. The UK's primary defence safety standard, DS 00-56, has been in existence since mid-1990 and has undergone a number of changes, becoming more goal oriented at Issue 4 (the current standard). When Issue 4 was produced, DS 00-55, the MoD software safety standard, was discontinued. Since the publication of DS 00-56 Issue 4 in 2007 there has been feedback on some of the requirements, including the challenges of applying the ALARP principle; defence contracting has changed, with a move towards the greater procurement of services and/or outsourcing the management of facilities; and there is increasing use of Systems of Systems (SoS). Issue 5 of DS 00-56 is being developed to address these issues. At the same time, there have been increasing concerns regarding software safety, and it has been decided to re-introduce DS 00-55 at the same time, albeit in a goal-based style consistent with DS 00-56 and also covering complex electronics. The tutorial will present an explanation of the motivation for the changes to the standards and the significant conceptual changes, and outline the rest of the development process. Time will be allowed for discussion, e.g. of the relationship between DS 00-56 and other standards, both civil and military.

Wednesday 08·14·13, 1:30-3:30, Fairfield, Workshop

Aircraft Fire & Explosion: How Safe Are the Friendly Skies?
Presenter: Albert Moussa PhD PE

While commercial air travel is an extremely safe mode of transportation, aircraft fires and explosions can occasionally occur with catastrophic consequences. Using examples of recent accidents and full-scale testing, Dr Albert Moussa will provide an overview of the main types of fires, such as those involving aircraft engine, fuel tank, cabin and cargo areas. He will show how major accidents lead to safety recommendations by the NTSB, stricter requirements by the FAA and improved practices by the industry. This process takes many years, leading eventually to safer skies. Examples of safety improvements include the use of a fire blocking layer in seats, improved acoustic insulation, fire detection and suppression systems in cargo bays, and fuel tank inerting. The implications of replacing aluminum with composite materials will also be discussed. The talk is an overview of a unique professional course that he teaches annually on the design of aircraft systems for protection against fire and explosion. The talk is a multi-media presentation illustrated with colorful slides and short video clips of real accidents and computer model outputs.

Dr Albert Moussa has spent over forty years developing a fundamental understanding of fire and explosion, particularly for the aerospace/defense industry. His work has led to the development of a number of practical solutions and quantitative models, and to the investigation of several major national and international aircraft fire accidents. His forewarning about the vulnerability of aircraft fuel systems before the occurrence of the TWA800 and Concorde disasters has gained him prominence in the general media in both the US and Europe. He has consulted for the Air Force, Navy and major firms such as Boeing, GE, Northrop Grumman and Parker Hannifin, and has served on national advisory committees and on the Editorial Board of an ASME Journal. He teaches a unique professional design course on how to protect aircraft systems against fire and explosion. He received his BS from Stanford University and his MS and ScD from MIT. He has published widely, including one book. He has received several honors, including the William Littlewood Memorial Lecture Award by SAE/AIAA, Engineer of the Year by AIAA NE Section, best papers by SAE and ASEI, AIAA Distinguished Lecturer, and several ASME citations. He is the Founder and Technical Director of BlazeTech Corp, an engineering firm that specializes in technology and software development in the areas of energy, environment and safety.

Friday 08·16·13, 8:00-10:00, Clarendon, Workshop

Process Safety Culture Best Practices
Presenter: Laurence Pearlman MA, Corven Inc and University of Illinois at Urbana-Champaign, Naperville, IL, USA

The workshop explores how process safety is more than a technical solution and involves cultural change. To make a successful and sustainable culture change, multiple elements need to be combined that address people, rewards, learning and leadership. This workshop will explore best practices and give practical advice on how to build a process safety culture. The workshop is aimed at Oil, Chemical and other process-related work.

• Introduction
• Change as a Journey: Overview of Change Management
• Building a Business Case: Defining a Burning Platform
• Speaking of Process Safety: Creating a Common Language for Process Safety
• Leadership Matters: Defining the Role of Your Leadership Teams
• Effective Learning: Segmenting Your Audiences and Delivering Relevant Learning Activities
• Looking at Behaviors and Desired Outcomes: How To Define & Drive Behaviors
• The Employee Lens: Know My Barriers & Know My Role in Keeping Them Healthy
• Measurement of Culture: What Works and What Doesn't
• Wrapping it Up: Change as a System

You have a lot on the line. Our adaptive Safety Management and FAA Compliance solutions won't let you down.

Adaptive SMS: The comprehensive solution for the most efficient implementation
• Extends a culture of safety beyond safety teams
• Easily guides users to confidentially report useful safety events
• Responsiveness shows users they made a difference

Adaptive Systems Safety Analysis: Safety oriented system design analysis

Don't miss the Sikorsky Aircraft and AST Aerospace presentation "Linear Integrated Safety Analysis (LISA)"

A Division of Atlantic Software Technologies
1-732-230-2590
sales@astaerospace.com
www.astaerospace.com


PaPer PresentatiOnsMonday 08middot12middot13 aM BErklEy hazard analysis Chair BarondEs

Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models Lucas Wind Dr Gabriele Schedl Juergen Floetzer Safety Management Department Frequentis AG 1100 Vienna AustriaMultiple failures of components due to shared causes also known as Common Cause Failures (CCF) comprise an important class of failure types These have to be taken into account in any serious assessment of safety critical systems deploying any redundancy concept Whereas a qualitative assessment of CCF can be regarded as common practice the exact numerical impact of CCF is usually less widely understood Explicit representation of CCF is quite cumbersome and usually involves complex graphical representations within Fault Trees and RBDs Focusing on a correct derivation of RAM-data rather than on a comprehensive common cause analysis an implicit representation of CCF therefore is often preferred but involves in-deep knowledge of underlying mathematical models This paper aims to enable safety experts to make a fast simple but effective RAM-analysis including CCF Popular CCF-models are reviewed together with their advantages and disadvantages based on the long-term experience of a supplier in the context of a large European ATM-project The single parameter beta-factor model is explained in detail and demonstrated to be most effective for typical ATM-applications Based on this model results are given in terms of representative figures depicting the influence of CCF on various typical real world availability requirements

Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees
Wes Rainey, MSEE; Life Cycle Engineering, General Dynamics Electric Boat, Groton, CT, USA
Fault Trees prove to be an effective tool for identifying safety critical system hardware and software requirements during the Safety Requirements Hazard Analysis (SRHA) process. This safety analysis methodology offers significant benefits when performing the SRHA. Fault Trees effectively communicate the safety assessment of a safety hazard to other safety engineers, systems engineers, the customer and other impacted engineering disciplines in a manner that each discipline can readily understand and evaluate for completeness and correctness. Fault Trees also enhance the safety engineer's ability to assess the implications of safety mishaps and events on safety hazards, improving visibility into the relationship between related mishaps and events and allowing common events to be identified and shared between hazards. Fault Trees can then be structured to correspond to the system hardware and software requirements analysis, thus providing the ability to identify hazard-mitigating safety critical requirements, design features and procedures early in the development process for continued tracking and management. This paper describes significant benefits of Fault Tree analysis when applied to an SRHA, with an example based upon a hazard caused by significant equipment damage to a pump.

The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment
Omar T. Jaradat, PhD Student (1); Patrick J. Graydon, Postdoctoral Research Fellow (1); Iain Bate (2). (1) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden; (2) Department of Computer Science, University of York, York, United Kingdom
Typical safety standards require software engineers to show that a plan of safety activities, chosen from recommended options or alternatives, meets a set of objectives. For example, the automotive safety standard ISO 26262 recommends formally verifying software architectures to show that they comply with safety requirements. In this paper we show how an existing approach to architectural model checking could be used to conform to ISO 26262.

The Architecture-Based Verification Technique for AADL Specifications verifies some completeness and consistency properties of Architectural Analysis and Design Language (AADL) models. An engineer transforms the AADL architecture into an UPPAAL model, generates a set of UPPAAL queries and uses UPPAAL to check the queries. Using the resulting evidence, we have created a partial ISO 26262 safety case for an existing system that warns drivers of heavy vehicles before low fuel causes loss of power and vehicle control.

In this paper we demonstrate how this model-checking evidence contributes to an ISO 26262 safety case. We then critically analyze the resulting argument, recommend means of achieving complete coverage of ISO 26262 objectives, and discuss the costs and benefits of architectural model checking in comparison to those of the other techniques recommended by ISO 26262.

ISSC 2013 Program

Monday 08·12·13 AM, Clarendon: Ground Transportation. Chair: Millin

Achieving Confidence of a Safety Critical System Product and Its Applications
Fenggang Shi, PhD; RAMS Department, Thales Canada Transportation Solutions, Toronto, ON, Canada
A safety critical system product can be developed for multiple project applications, such as a Communication Based Train Control (CBTC) product for modern railway signaling systems. It is natural that different safety critical systems in the same domain can have different characteristics due to variances of devices and operation environment. Such a product must be developed based on the generic attributes of systems in the domain and can be parameterized and tailored to a specific system with the characteristics expected by the customer. The key issues in development of such a product are defining common functions in the application domain, categorizing and generalizing devices, and designing a configurable system architecture. Thus devices and functions can be parameterized and tailored for a specific system of a project. Safety engineering for such a safety critical system product and its applications faces complexity in safety case development for demonstrating systematic hazard analyses and management. This paper discusses Thales' experience and practice of resolving the key issues in designs and managing the complexity of safety engineering on its CBTC product and applications. Safety confidence of CBTC systems is achieved through four layers of safety engineering: vital computer, controller platform, generic application and specific application.

Failure Logic Automata for Future Oriented Safety Assessment of Train Control System
Guo Zhou, PhD Student; Huibing Zhao, Professor; School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China
In the development progress of a train control system, safety analysis possibly deviates from system design. System engineers and safety engineers always carry out their ideas in entirely different ways, so that when system engineers assert their designs are completed and feasible, the safety engineers may disappointedly declare that the safety requirements are not met. On the contrary, when safety engineers expose their manual analysis reports (FTA, FMECA, etc.), system engineers may pop up and point out the inconsistency. Intuitively there seems to be a "gap" between system engineering and safety engineering. In this paper some comparisons amongst classic safety assessment methods are performed first. Then a future oriented safety assessment method is introduced to safety engineering to automatically realize safety requirements verification with the soaring complexity of system design. The hierarchical and modularized methodology of failure logic modeling is illustrated for minimal cut set synthesis and dangerous failure rate calculation, which can be referred to in order to prompt the safety. The mathematical model is constructed to manifest the correctness of the method. An instance analysis of an on-board train protection system is performed also.
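Both the Rainey abstract (fault trees used to surface safety-critical hardware and software requirements) and the Zhou/Zhao abstract (minimal cut set synthesis and failure rate calculation from failure logic) rest on the same computation: reduce a fault tree to its minimal cut sets and then quantify them. The block below is an added illustration of that computation, not code from either paper. The fault tree is a constructed toy around the pump-damage hazard Rainey mentions; gate names, basic events, per-demand probabilities and the "discipline" tags are all hypothetical.

```python
"""Minimal cut set (MCS) synthesis for a small AND/OR fault tree, plus the
rare-event approximation of the top-event probability and Fussell-Vesely
importance computed from the cut sets.

Added illustration; the tree, probabilities and discipline tags are
hypothetical, not taken from the papers.
"""
from itertools import product

# Gate table: gate name -> (kind, inputs).  Names absent from the table are
# basic events.  "BOTH_TRIPS_FAIL" is deliberately redundant so that the
# minimisation step has something to absorb.
PUMP_TREE = {
    "PUMP_DAMAGE":      ("OR",  ("DRY_RUN", "CAVITATION")),
    "DRY_RUN":          ("AND", ("SUCTION_LOST", "PROTECTION_FAILS")),
    "PROTECTION_FAILS": ("OR",  ("LEVEL_SENSOR_FAIL", "SW_INTERLOCK_FAIL",
                                 "BOTH_TRIPS_FAIL")),
    "BOTH_TRIPS_FAIL":  ("AND", ("LEVEL_SENSOR_FAIL", "SW_INTERLOCK_FAIL")),
    "CAVITATION":       ("AND", ("SUCTION_VALVE_CLOSED", "PRESSURE_SW_FAIL")),
}

# Basic event -> (hypothetical probability per demand, owning discipline).
BASIC_EVENTS = {
    "SUCTION_LOST":         (1e-2, "operations"),
    "LEVEL_SENSOR_FAIL":    (1e-3, "hardware"),
    "SW_INTERLOCK_FAIL":    (1e-3, "software"),
    "SUCTION_VALVE_CLOSED": (5e-3, "operations"),
    "PRESSURE_SW_FAIL":     (2e-3, "hardware"),
}


def _minimize(cut_sets):
    """Drop any cut set that is a superset of another (keeps minimal ones)."""
    keep = []
    for cs in sorted(cut_sets, key=len):
        if not any(k <= cs for k in keep):
            keep.append(cs)
    return set(keep)


def minimal_cut_sets(tree, top):
    """Return the minimal cut sets of gate `top` as a set of frozensets."""
    def expand(node):
        if node not in tree:                       # basic event
            return {frozenset([node])}
        kind, inputs = tree[node]
        child_sets = [expand(child) for child in inputs]
        if kind == "OR":                           # union of children's cut sets
            combined = set().union(*child_sets)
        elif kind == "AND":                        # cross product, merged
            combined = {frozenset().union(*combo)
                        for combo in product(*child_sets)}
        else:
            raise ValueError(f"unknown gate kind {kind!r} at {node}")
        return _minimize(combined)
    return _minimize(expand(top))


def _cut_set_probability(cut_set, events):
    p = 1.0
    for e in cut_set:
        p *= events[e][0]
    return p


def rare_event_probability(cut_sets, events):
    """Top-event probability by the rare-event approximation (sum of MCS
    probabilities); an upper bound, adequate when all MCS are rare."""
    return sum(_cut_set_probability(cs, events) for cs in cut_sets)


def fussell_vesely(cut_sets, events):
    """Fussell-Vesely importance: share of top-event probability carried by
    cut sets containing each basic event."""
    top = rare_event_probability(cut_sets, events)
    return {e: (sum(_cut_set_probability(cs, events) for cs in cut_sets if e in cs)
                / top if top else 0.0) for e in events}


def events_of_discipline(cut_sets, events, discipline):
    """Basic events of one discipline that appear in any minimal cut set, i.e.
    the candidates for hazard-mitigating safety critical requirements."""
    return {e for cs in cut_sets for e in cs if events[e][1] == discipline}


if __name__ == "__main__":
    mcs = minimal_cut_sets(PUMP_TREE, "PUMP_DAMAGE")
    for cs in sorted(mcs, key=sorted):
        print("MCS:", sorted(cs))
    print("P(top) ~", rare_event_probability(mcs, BASIC_EVENTS))
    print("software-critical:", events_of_discipline(mcs, BASIC_EVENTS, "software"))
    for e, fv in sorted(fussell_vesely(mcs, BASIC_EVENTS).items()):
        print(f"FV[{e}] = {fv:.3f}")
```

The run shows the redundant `BOTH_TRIPS_FAIL` branch being absorbed (three minimal cut sets remain, not four), and `events_of_discipline` pulls `SW_INTERLOCK_FAIL` out as the one software event on a cut set, which is exactly the kind of item an SRHA would turn into a traced safety critical software requirement.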

Are We Ready for Driverless Cars?
David B. West, CSP, PE, CHMM; AMCOM/AMRDEC Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
For decades, technological advancements have continually improved the automobile, making it easier to drive. As we integrate features like adaptive cruise control, GPS navigation, lane keeping and so on, and make them interoperable, we move ever closer to having cars that will drive themselves to the destinations we enter into their programs. Some experts have even predicted that in less than a generation it will be illegal to steer our cars ourselves. Though it may seem that serious safety challenges constrain our movement down this path, it may actually be the safety benefits offered by driverless cars that propel us in this direction. Several high-profile competitions have fostered the development of driverless car technology. Some jurisdictions are already passing legislation to pave the way for driverless cars on public roads. With driverless cars will come major changes in legal processes involving accidents. In many ways the development of driverless cars that will operate on public roadways parallels the development of unpiloted aircraft that will fly in the national airspace. Design standards for hardware and software in civil aircraft (e.g., RTCA DO-254/DO-178) may serve as models for similar qualification of driverless car hardware and software.

Tuesday 08·13·13 AM, Berkeley: Hazard/Risk Management. Chair: Parizo

Safety is not an Option
Clifford A. Parizo, BS, MS; Aviation & Product Safety, Sikorsky Aircraft Corporation, Stratford, CT, USA. R. Brandon Daugherty, BS, MS; Aviation & Product Safety, Sikorsky Aircraft Corporation, Huntsville, AL, USA
This paper presents a method for evaluating and classifying rotorcraft safety-enhancing equipment in terms of impact on safety and various equipment implementation factors. Guidance from certifying agency policy and system safety standard practice was considered, resulting in a classification tool that can be used to determine whether equipment should be marketed and sold as either mandatory or optional. The methodology developed may have applications for other products and industries.

National Aerospace Standard 411 Update
Timothy Sheehan, CIH, CSP, PE; Raytheon Global Substances Program, Raytheon, Portsmouth, RI, USA
This paper describes the effort to review and update National Aerospace Standard 411 ("NAS 411"), commonly used within defense as a framework to conduct Hazardous Material Management Programs (HMMP) intended to reduce hazardous material risks in the government procurement of military systems. The scope of the effort includes both a review of the standard and the introduction of several key changes, including the expansion of the scope to non-military procurements and service contracts. Included in the effort is the task of developing a standardized military Hazardous Materials Target List (HMTL) that can be used as a starting point for military HMMP hazardous material (HAZMAT) target lists. The development of the common HMTL addresses the need to increase standardization of HMMP lists across defense programs that use NAS 411 and/or MIL-STD-882E Task 108 to conduct their HMMPs. There is currently no standard approach for developing these lists; as a result, there are numerous different materials identified for restrictions and reporting requirements. The current situation often does not support (or reflect) the hazmat risk management goals of the DoD, the military services or the contractors.

Linear Integrated Safety Analyses (LISA)
Michael T. Grant; Aviation & Product Safety, Sikorsky Aircraft Corp., Stratford, CT, USA. Samad Muhammad; Atlantic Software Technologies, Inc., New York, NY, USA
This paper describes the Linear Integrated Safety Analyses (LISA) process developed by the Sikorsky Aircraft Corporation (Sikorsky). The LISA architecture is designed to encompass all aspects of safety risk management for aircraft development programs. It is linear in that each assessment is repeated at the aircraft, system and subsystem levels in sequence, and it is integrated such that all analyses are connected and fully traceable to requirements. Sikorsky has partnered with Atlantic Software Technologies (AST) to develop a web-based LISA application. The end product will be a fully integrated system safety process that is comprehensive, repeatable and traceable.

Tuesday 08·13·13 AM, Clarendon: Workspace Safety. Chair: Kondreck

Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen
Han Zhang, MSc Candidate; Rachel McQueen, MS, PhD; Jane Batcheller, PhD; Human Ecology, University of Alberta, Edmonton, Alberta, Canada
Burn injuries in kitchens are prevalent, and chefs are exposed to high heat and humidity. Limited research has been performed on safety issues related to chef's uniforms regarding thermal protective performance towards common kitchen thermal hazards (i.e., flames, hot liquids, steam and hot surfaces) and the thermal comfort within commercial kitchens. The purpose of this research was to characterize the thermal protective performance properties of textiles used in chef's uniforms in order to understand how protective they are against all these thermal hazards in such an environment. Selected thermal performance tests (i.e., flammability and ease of ignition, hot water and oil splash, steam testing under low pressure, and hot surface contact tests) were applied to predict the time to second-degree burn. Different fabric layer combinations (e.g., impermeable/semipermeable apron and two or more layers of cotton fabrics) were applied to determine the most effective way to wear chef's uniforms. In addition, thermal and water vapour resistance were compared among different fabric systems in terms of thermal comfort. Based on the data obtained from bench-scale tests, recommendations were made to improve the thermal protection and thermal comfort of fabrics used in chef's uniforms and the safety within commercial kitchens.

A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources
Ray Fischer (1); Kurt Yankaskas, BS (2); Chris Page (1). (1) Noise Control Engineering, Inc., Billerica, MA, USA; (2) Warfighter Performance Department, Office of Naval Research, Arlington, VA, USA
Noise remains the most prevalent occupational hazard associated with defense systems and operations critical to their sustainment. Concurrently, acquisition programs have been inconsistent in application of control measures, and many new systems are noisier than their legacy predecessors. Common impediments to improved control include a relative lack of emphasis on risk management of noise, lack of widespread technical knowledge regarding the feasibility of noise control, and misunderstanding of the potential return on investment from noise controls. The Defense Safety Oversight Council's Acquisition and Technology Task Force sponsored a project to identify common noise sources affecting multiple defense systems that were amenable to control measures that could be implemented using existing technologies at an affordable cost. A system engineering risk management process was applied to review key noise sources in DOD, identify nine of the more common sources amenable to control technologies, and describe common control measures for these processes. An affordable containment (acoustic enclosure) technology was also evaluated and described. Estimates were made of exposed populations, the range of their occupational exposures, and the potential risk and fiscal cost of hearing loss. Cost-benefit analyses were applied to evaluate the return on investment from available control measures.

System Safety Design for Safe Operation of Radars
Ronald J. Bartos, PE, CSP; Whole Life Engineering, Raytheon, Sudbury, MA, USA
Safe operation and maintenance of radars depends upon effective system safety and software safety analyses of radar designs. These analyses include identification of the hazards involved in operating and maintaining radars and the safety requirements that are necessary to mitigate these hazards. This paper familiarizes the reader with the system safety design requirements that are implemented in the controls of these systems in order to manage the potential safety risks inherent in radars. The safety features are contrasted among different types of radars. The differences in the types of safety features among these systems are highlighted and factors for these differences are presented. The radar's mission, location, system architecture, conceptual design and requirements allocation between hardware and software need to be understood in order to implement an effective safety program.

Tuesday 08·13·13 PM, Berkeley: Software Engineering. Chair: Mikula

Dependability Techniques Applied to Space Software: A Research Project Report
Carlos Henrique Netto Lahoz, Dr. Eng.; Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos (SP), Brazil. Martha Adriana Dias Abdala, MS; Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos, Brazil
This work reports some results of a research project performed at the Institute of Aeronautics and Space (IAE), Brazil, using dependability techniques applied to a space computer system. Hazard analysis techniques such as Software FTA and Software FMECA were used in an integrated manner, and more recently the System-Theoretic Process Analysis (STPA) has been studied. This research is part of the Verification and Validation (V&V) efforts to increase software dependability capability in software projects at IAE.

The feasibility of such an approach was conducted on the system software specification and applied to a case study based on the Brazilian Launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to the inclusion of new functional and non-functional system software requirements.

The techniques are adjusted and used in combination to identify common causes of software failures, their criticality, performance problems, temporal misleading, and hazards arising mainly from dysfunctional interactions between components. The SFTA analysis produced 82 basic events and the SFMECA 34 analyses from the sequence of flight and control events. The STPA is being applied to one of the case study scenarios in order to evaluate possible additional information about how the behavioural safety constraints can be violated.

The Principles of Software Safety Assurance
Richard Hawkins, PhD; Ibrahim Habli, PhD; Tim Kelly, PhD; Department of Computer Science, University of York, York, United Kingdom
We present common principles of software safety assurance that can be observed from software safety standards and best practice. These principles are constant across domains and across projects and can be regarded as the immutable core of any software safety justification. The principles also help maintain understanding of the 'big picture' of software safety issues whilst examining and negotiating the detail of individual standards, and provide a reference model for cross-sector certification.


Formal Modelling in the Development of Dependable Systems
Elena Troubitsyna, PhD; IT, Åbo Akademi University, Turku, Finland
Nowadays we tend to place increasing reliance on computer-based systems and the software which they are running. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, the analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.

It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing of software to the required degree of dependability infeasible, and hence the emphasis should be put on a development process which is aimed at producing fault-free software. Moreover, the system environment has a direct impact on its dependability, and hence a systems approach should be applied.

In the paper we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.

Tuesday 08·13·13 PM, Clarendon: Aerospace Safety. Chair: Kraemer

Systems-Based Approach to Flight Safety Management in Airlines
Hong Chi, PhD; Baoguang Xu, PhD; Mingliang Qi, PhD; Xueyan Shao, PhD; Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China
Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of SMS. Since 2006 we have worked with one of China's three big airlines, taking part in its construction of SMS. We find that safety risks have their own features in different airline departments, and divide safety risks into two categories: one is caused by factors such as quality of pilots and reliability of airplanes, and the other is caused by misprocessing through operational processes; for example, a misprocessing in data entry during dispatching may lead to insufficient fuel and then serious outcomes. A reasonable risk assessment can be obtained only by systematic mechanism analysis, and other analytical approaches need to be studied besides the risk matrix. Based on this, effective risk mitigation can be implemented in airlines. We develop a closed loop to support an airline's flight safety management named "Describing-Assessing-Diagnosing-Improving-Tracking". Specific details will be discussed in this paper.

Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch
Burak Durmaz, MSc Eng.; Product Assurance Department, Space Systems Group, Turkish Aerospace Industries, Inc. (TAI), Ankara, Turkey
Even if new generation aircraft have rugged designs which maximize reliability, exposure to failures during operation is still indispensable. With a pure safety approach one can arrive at the classical result "the safest aircraft is the one in the hangar". Vice versa, allowing dispatch without ensuring a certain level of safety can lead to catastrophic results and is totally not acceptable. MMEL has been answering this dilemma for many years. Each MMEL item is analyzed taking into account the effects of item inoperability on safe flight and landing, crew workload, functional capabilities of the systems, design margins and the impacts due to the next critical failure. MMEL proposes dispatch criteria for any inoperative MMEL item by taking credit from a redundant unit which is capable of accomplishing the same function, the backup data provided by alternative sources or equipment, dictating acceptable limitations and/or requiring operational or maintenance procedures.

This study aims to answer questions such as why MMEL is required and how an MMEL is developed. Also, brief information about the MMEL regulations, the importance of MMEL to ensure safe dispatch with inoperative item(s), and some simple examples regarding MMEL applications are going to be provided.


Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics
Stuart Campbell Sr., MAS, CFII, ATP; Aeronautical Science, Embry-Riddle Aeronautical University, Daytona Beach, FL, USA
The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilots Association, 2010). The absence of a positive safety culture in general aviation, to include training organizations, affects pilot judgment and decision making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture during the learning process and training, is of importance and currently under study using the Frasca Mentor Advance Aviation Training Device.

Tuesday 08·13·13 PM, Dartmouth: Software Safety. Chair: Schmedake

Safety and/vs. Security: Towards a System Engineering Approach for Trust
Erwin Schoitsch, Dipl.-Ing.; Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria
Safety has a long tradition in many engineering disciplines, evolving long before computers arrived on the scene. Security in engineering disciplines has a shorter history, becoming increasingly important with the rising complexity of networked systems. In complex cyber-physical systems and systems-of-systems, both worlds, having ignored each other for a long time (independent communities, different targets, standards, techniques and measures), now have to share their concerns to achieve the real goal of users and stakeholders: trustworthy systems.

The paper will compare the different approaches of the major safety and security standards, particularly with respect to setting goals, considering techniques and measures, and qualification/certification. Holistic system aspects as covered by the notions of Dependability and Resilience as umbrella terms, and system engineering aspects taking into account dichotomic properties of complex embedded systems (commonalities and trade-offs), are looked at to try to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from concept phase, hazard and risk analysis to decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC-FP7 Integrated Project OpenCoss, IEC/ISO standardization groups and other work.

Anatomy of a Safety Critical Software Function
Richard Church; Raytheon Company, Tewksbury, Massachusetts, USA
This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides a clear and concise determination of how a safety critical function may be defined at the system level to include hardware, software, human interactions and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose SLSCF computing-level functions, details what constitutes a Safety Critical Computing Software Function (SCCSF), and shows how to identify those behavioral attributes that designate that function as safety critical. This paper provides a methodology to identify, decompose and categorize application and operating environment SCCSFs. For the purpose of this paper, SCCSFs are categorized into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety critical software functions that control and monitor safety critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies and fail-safe designs found in successful high-consequence safety critical systems.

Software Risk: The Third Rail of Safety Analysis
Holly S. Hildreth, PhD, Consultant; Charles Greg Elcock, USN-R Aviator, Consultant; San Diego, CA, USA
"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Due to our inability to assess probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called "throwing the baby out with the bath water". Meanwhile, the recent industry trend to assess software risk based solely on implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss shortcomings of this trend and describe alternative techniques that have not been openly documented but that have been used "under the radar" by software safety professionals for many years.

Wednesday 08·14·13 AM, Berkeley: Human Factors. Chair: Robins

ASL: Affective Safety Leadership
Ulrik Ramsing; Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark
Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how", demanding that the CoRep engage with all parties in a safe, professional and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged with CfL, Centre for Leadership, to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, of which the satisfactory completion is now a requirement for employment in DONG E&P Offshore Operation as Company Representative.

The CoRep Program satisfies its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors and ILO-driven offshore coaching.

Exxon Valdez: Human Error, Plain and Simple
Arthur D. Barondes, BS (Mil. Engr.), MS (Aero), MBA, PhD (ABD) (Business); Analytics International Corporation (AIC), Alexandria, VA, USA
Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989, and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors (there were no mechanical or electrical failures that fateful night), the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors, onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company, as solely responsible for the disaster.


Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A. Vernacchia, MS, PE; Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA. Charles A. Green, PhD; Active Safety Systems, General Motors, Warren, MI, USA. Robert E. Llaneras, PhD; Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA
Today's electric propulsion system designs (e.g., Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, some failure modes may result in the failure effect on output torque being realized significantly faster than traditional ICE failure modes. These may present differences in how output torque responses impact potential "Driver Startle" events.

This paper compares electric propulsion systems' fault response characteristics and subsequent detection and mitigation capabilities to those of ICE systems. The effects of the electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle-level hazard metrics related to Driver Startle, are presented.

Wednesday 08·14·13 AM, Clarendon: Public Safety. Chair: Fletcher

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD; Yun Luo; Shuo Tian, MS; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
Scientific precaution and effective control of accidents are important for the national production of China. The famous Heinrich Rule reveals that the statistical law of the severity and frequency of accidents is essential to control accidents, but the accidental source and causation, as well as the essence of systematic safety factors, haven't been stated deeply. With data analysis from various accident statistics over recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. A proportion rule of the accident pyramid is then further figured out, namely "Major Accident - Fatal Accidents - General Accidents - Hidden Dangers - Hazards" (1-52-240-4700-∞). The result accords with the traditional Heinrich Rule, provides the theoretical basis for accident prevention, and indicates the way and direction of realizing essential safety.

Technical and Economic Aspects of Industrial Safety at a Large Enterprise with Distributed Sites Located in a Megacity
Ilya M. Zheleznov, PhD, VNIIA, Moscow, Russia
The paper presents a review and the results of an analysis of the technical and economic aspects of industrial safety at a large enterprise with distributed sites that combines R&D work with pilot and batch production of high-tech products and is located in a megacity, Moscow.

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to optimization are considered from both technical and economic points of view, taking into account minimization of the transport of dangerous substances; placement of treatment facilities (waste effluents, gas purification) and waste storehouses; placement of the systems that maintain working conditions (heating, air conditioning, air cleaning, water supply, etc.); possible harm to the population; and a number of other factors.

The features associated with siting the enterprise in a megacity are identified, including limited area for treatment facilities, a high density of utility lines in the area, short distances to residential buildings and city infrastructure, transport problems, and high air pollution.

Program ISSC 2013

Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr. Professor G.A. Smirnov, Dr. D.I. Yurkov, D.V. Syagin, T.V. Kozhina, All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia
The paper reviews questions related to the vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including those of a terrorist nature, as well as to emergency situations of natural and anthropogenic origin.

The main provisions of the comprehensive program for the safety of the population on transport approved by the Russian Government are presented. Approaches to organizing the screening of individuals, passengers, vehicles, cargo, luggage and personal belongings at transport infrastructure facilities of Russia's underground railways are formulated. Some types of neutron and X-ray equipment designed and produced by VNIIA (named after N.L. Duhov) for the detection of explosives, nuclear materials and drugs are presented.

Wednesday 08/14/13 AM, Dartmouth: Lifecycle Safety (Chair: Swallom)

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore, Singapore
System safety analyses assess a system's hazards throughout all phases of its life cycle. Quite often, the details of maintenance tasks on systems are not clearly thought out and assessed. Hence, hazards can arise in the midst of carrying out system maintenance tasks and pose safety implications for users. Improper maintenance can also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance, and sometimes total replacement of components at regular intervals, is required. Therefore it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety-critical or safety-related parts is also crucial in ensuring that systems remain safe for operation after maintenance has been carried out.

This paper attempts to classify the different types of maintenance and the focus of their respective hazard analyses in order to better address their potential hazards. Generally there are three types of maintenance hazard analysis: preventive maintenance, corrective maintenance and reliability-centered maintenance. The authors discuss, with examples, the hazard analysis for each of these types of maintenance.

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram, David Hartfelder, Electronic Controls and Software, General Motors Company, Milford, MI, USA
System safety engineering is the application of special technical methods and managerial processes, in a systematic manner, to identify, evaluate and control potential hazards throughout the life cycle of a product. It is concerned with eliminating system hazards or reducing their impact to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementary safety analyses, tests and assessment activities are conducted iteratively throughout the development of the system, beginning at the concept phase and continuing through deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process, and the safety assessments are timed so that they can still influence the design of the system. This paper defines a system safety case and provides an overview of its development within the GM system safety engineering process as applied to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA
Error Prevention Event Collection (EPEC) Documents have benefited the ULA organization in many ways by providing multiple methods to augment current ULA Error Prevention processes and to share lessons learned throughout the organization. EPEC Documents are stand-alone documents that provide ULA personnel with categorized sets of event information that can be used to augment the Preventive Analysis, Reactive Analysis and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process, meaning they have completed the Causal Analysis, Corrective Action Board and Error Prevention Council processes. Upon event closure, the "All Items" database is populated with the event information and the applicable EPEC categories, and it then automatically sorts event entries into "Category" databases, one for each EPEC category. Each "Category" database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" database that gives users instructions for its use, a link (URL) to the associated event information, and additional error prevention tools. Additional improvements, applications and benefits of the EPEC Documents will continue to be explored.

Wednesday 08/14/13 AM, Exeter: Human Factors II (Chair: Flint)

Development of an Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy; Yanyan Wang, DE; Xin Liu; Wei Bai; Xinsheng Guo; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress is detrimental to flight safety. Life events are a routine item of aircraft accident investigation in many countries, and many pilots involved in accidents had been suffering from life events. To achieve the desired effect, flight safety education must incorporate psychology. An education program combining flight safety and psychological stress was developed by summarizing the psychological factors relevant to aviation risk perception. The program includes three sections: psychological measurement relevant to safety, with feedback of the results; education on representative risk scenes in aviation; and occupational stress management. The Aviation Safety Locus of Control scale and the Hazardous Aviation Attitude questionnaire were used to evaluate risk patterns, and the results were fed back to pilots to improve their self-knowledge. The representative risk scenes were based on the five hazardous attitudes theory; fifteen cases were developed and the hazardous attitude pattern in each case was analyzed. In the occupational stress management section, life events and other stressors in aircraft accidents were analyzed to teach pilots stress management skills. The program can be applied to improve the flight safety and mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD; Xin Liu; Wei Bai; Xinsheng Guo; Qingfeng Liu, MPsy; Xiaochao Guo, DPsy; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
Crew resource management (CRM) capabilities relate directly to flight safety and run through the whole process of flight tasks, but China currently has no indicators or methods for the dynamic management and assessment of crew resources. In this study, a theoretical system of CRM and the behavioral characteristics of pilots in dynamic CRM were developed on the basis of AC-121-FS-2011-41 (crew resource management training) and an analysis of the influencing factors; from these, dynamic assessment and training indicators and methods for CRM were formed. The reliability and effectiveness of the indicators and methods were validated through LOFT training in a simulator. The results can be used as the basis for assessing CRM during flight training, which should help improve the CRM capabilities of dual-pilot crews.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD; Erin Collins; Hughes Associates, Inc., Baltimore, MD, USA
The fire protection response in selected facilities is characterized by "manual" activities: facility personnel are trained to react immediately after fire detection, not only to announce the fire event throughout the facility using the communication systems but also to suppress the fire as quickly as possible. In contrast to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e., hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper integrates an event tree analysis with HRA and treats the following detection and suppression activities: prompt detection and suppression, rapid detection and suppression, and fire brigade suppression.
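The event tree / HRA integration described in this abstract, as an added worked example (this is not code or data from the paper): the three activities become successive branches of the tree, each branch probability is a human error probability (HEP), and, because the same people act under the same stressor, a failure at one stage raises the failure probability at the next. The conditional-failure adjustments used are the THERP dependence levels from NUREG/CR-1278; the ignition frequency, HEPs and dependence assignments are constructed values for illustration only.

```python
"""Event tree + human reliability analysis (HRA) for manual fire response.

Added illustration, not the paper's model.  Stages are chained as event-tree
branches: if personnel fail at one stage the fire grows and the next stage is
challenged.  Successive human actions are not independent, so the failure
probability of a later stage is conditioned on the earlier failure with the
THERP dependence formulas (NUREG/CR-1278).  All numbers below are constructed.
"""
from dataclasses import dataclass

# THERP dependence: P(this action fails | the preceding action failed)
THERP_DEPENDENCE = {
    "zero": lambda p: p,
    "low": lambda p: (1.0 + 19.0 * p) / 20.0,
    "moderate": lambda p: (1.0 + 6.0 * p) / 7.0,
    "high": lambda p: (1.0 + p) / 2.0,
    "complete": lambda p: 1.0,
}


@dataclass(frozen=True)
class Stage:
    name: str
    hep: float                # nominal HEP: P(fail) with no preceding failure
    dependence: str = "zero"  # dependence on the preceding stage having failed


def fire_outcome_frequencies(ignition_freq, stages):
    """Walk the event tree left to right.

    Returns {stage name: frequency of fires suppressed at that stage, ...,
    "unsuppressed": frequency of fires that defeat every stage}.  The values
    sum to ignition_freq, a basic consistency check on any event tree.
    """
    if ignition_freq < 0.0:
        raise ValueError("ignition frequency must be non-negative")
    outcomes = {}
    remaining = ignition_freq  # fires still burning when this branch is reached
    for i, stage in enumerate(stages):
        if not 0.0 <= stage.hep <= 1.0:
            raise ValueError(f"{stage.name}: HEP must be in [0, 1]")
        # The first stage has no preceding failure to depend on.
        p_fail = stage.hep if i == 0 else THERP_DEPENDENCE[stage.dependence](stage.hep)
        outcomes[stage.name] = remaining * (1.0 - p_fail)
        remaining *= p_fail
    outcomes["unsuppressed"] = remaining
    return outcomes


def unsuppressed_frequency(ignition_freq, stages):
    return fire_outcome_frequencies(ignition_freq, stages)["unsuppressed"]


def dependence_penalty(ignition_freq, stages):
    """Ratio of the unsuppressed-fire frequency with the declared dependence
    levels to the same tree evaluated as if every action were independent.
    A ratio well above 1 means an independence assumption understates risk."""
    independent = [Stage(s.name, s.hep) for s in stages]
    base = unsuppressed_frequency(ignition_freq, independent)
    if base == 0.0:
        return 1.0
    return unsuppressed_frequency(ignition_freq, stages) / base


# Constructed example: 1e-2 ignitions per year.  The same operators perform the
# prompt and rapid actions (moderate dependence); the brigade is a separate team
# that is nevertheless alerted by those operators (low dependence).
EXAMPLE_STAGES = [
    Stage("prompt detection and suppression", 0.10),
    Stage("rapid detection and suppression", 0.05, "moderate"),
    Stage("fire brigade suppression", 0.02, "low"),
]

if __name__ == "__main__":
    for name, freq in fire_outcome_frequencies(1e-2, EXAMPLE_STAGES).items():
        print(f"{name:36s} {freq:.3e} /yr")
    print(f"risk understated by independence: x{dependence_penalty(1e-2, EXAMPLE_STAGES):.1f}")
```

With the constructed HEPs the independent tree gives 1e-6 unsuppressed fires per year, while the dependence-adjusted tree gives roughly 1.3e-5, about thirteen times more; the dependence assignment, not the nominal HEPs, dominates the answer, which is why an HRA has to be done explicitly rather than multiplying branch probabilities.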

Wednesday 08/14/13 PM, Berkeley: Safety Topics (Chair: Gauthier)

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou, BEng, MSc, PhD, CEng; Matthew Luckcuck; Tim Kelly, PhD; Richard W. Jones, PhD; Department of Computer Science, University of York, York, United Kingdom
There has been increasing use of IT in healthcare, aiming to improve both the quality of healthcare and the safety delivered to patients. IT can help hospitals meet their performance targets by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems; this has long been apparent for medical devices (e.g., pacemakers), for which there are organized efforts toward international standards. Recently there have been attempts to systematize and standardize the safety analysis of health IT systems, for example the UK National Health Service standards that require a safety case demonstrating that any IT system is safe.

The paper describes the safety challenges of health IT systems and the safety engineering concepts the standards introduce to address them. Furthermore, the paper examines safety in data-intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these tactics can be used to provide assurance in the final safety case of the system.

How Complex Systems Fail, I: Decomposition of the Failure Histogram
Richard R. Zito, PhD, Richard R. Zito Research LLC, Tucson, AZ, USA
Peterson and Arellano (2002) showed, in a seminal paper published in Reliability Review, that the defect rate (failure rate) of software modules in general varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model, and the failure histograms (failure rate vs. time) of some data sets do not seem to fit the Rayleigh model well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report takes the Peterson/Arellano analysis one step further. A unified theory of failure rates is presented that removes the paradoxes of the simple Rayleigh model. It is shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions are themselves distributed according to a probability density function.
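The decomposition this abstract describes, carried out numerically as an added example (not the paper's code or data): each subsystem contributes a Rayleigh defect-rate curve with its own mode, the system-level histogram is their weighted sum, and the two symptoms the abstract lists, a tail heavier than a single Rayleigh predicts and a shape that no longer looks Rayleigh, fall out of that sum. The abstract does not say which density the modes follow; the lognormal used for drawing modes, the three-subsystem weights and modes, and the time scale are all assumptions made here.

```python
"""Composite failure histogram as a weighted sum of Rayleigh laws.

Added illustration (not from the paper).  A subsystem whose defect discovery
follows a Rayleigh law with mode m has defect-rate density
    f(t) = (t / m^2) exp(-t^2 / (2 m^2))
and survival (defects still unfound after t)  S(t) = exp(-t^2 / (2 m^2)).
Summing several such laws with spread-out modes produces a tail that a single
Rayleigh fitted to the average mode badly underestimates.  Component modes,
weights and the assumed lognormal mode density are all constructed here.
"""
import math
import random


def rayleigh_pdf(t, mode):
    """Rayleigh defect-rate law; the curve peaks at t = mode."""
    if t < 0.0:
        return 0.0
    return (t / (mode * mode)) * math.exp(-t * t / (2.0 * mode * mode))


def rayleigh_sf(t, mode):
    """Survival function: fraction of the subsystem's defects unfound after t."""
    if t <= 0.0:
        return 1.0
    return math.exp(-t * t / (2.0 * mode * mode))


def mixture_pdf(t, components):
    """components = [(weight, mode), ...] with weights summing to 1."""
    return sum(w * rayleigh_pdf(t, m) for w, m in components)


def mixture_sf(t, components):
    return sum(w * rayleigh_sf(t, m) for w, m in components)


def mean_mode(components):
    return sum(w * m for w, m in components)


def tail_excess(t, components):
    """Composite tail divided by the tail of one Rayleigh with the same
    weighted-mean mode.  Above 1 means the single-Rayleigh fit understates
    the defects still to come at time t."""
    return mixture_sf(t, components) / rayleigh_sf(t, mean_mode(components))


def subsystem_components(n, log_mode_mean, log_mode_sd, seed=0):
    """Draw n equally weighted subsystem modes from an assumed lognormal density
    (the abstract leaves the mode density unspecified)."""
    rng = random.Random(seed)
    return [(1.0 / n, rng.lognormvariate(log_mode_mean, log_mode_sd)) for _ in range(n)]


def peak_time(components, t_max, steps=10000):
    """Grid argmax of the composite histogram.  With widely spread modes the
    peak sits near the early, heavily weighted subsystems, not at the mean mode,
    which is one reason a single Rayleigh fit to the peak looks wrong later."""
    best_t, best_f = 0.0, -1.0
    for k in range(steps + 1):
        t = t_max * k / steps
        f = mixture_pdf(t, components)
        if f > best_f:
            best_t, best_f = t, f
    return best_t


# Constructed three-subsystem system: modes of 2, 4 and 8 time units into test.
EXAMPLE = [(0.5, 2.0), (0.3, 4.0), (0.2, 8.0)]

if __name__ == "__main__":
    print("mean mode", mean_mode(EXAMPLE), "composite peak", peak_time(EXAMPLE, 20.0))
    for t in (2.0, 6.0, 12.0):
        print(f"t={t:4.1f}  composite tail / single-Rayleigh tail = {tail_excess(t, EXAMPLE):6.2f}")
```

For the constructed components the composite peaks near t = 2.2 while the mean mode is 3.8, and at t = 12 the composite still holds about ten times the unfound-defect mass that the single Rayleigh predicts: the late, lightly weighted subsystem owns the tail. When all modes are equal (set the lognormal spread to zero in `subsystem_components`) the mixture collapses back to one Rayleigh exactly.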

Wednesday 08/14/13 PM, Clarendon: Risk Assessment (Chair: Karedes)

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt; Joan Pham, PhD; Sikorsky Aircraft Corporation, Stratford, Connecticut, USA
The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on life data analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and their interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday 08/15/13 AM, Berkeley: Space Systems (Chair: Durmaz)

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X. Dang, BSCE (1); Myles P. Moran, BSME (2); Tyrone Jackson, BSEE (1); (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA
A common issue among several AF satellite acquisition program offices is the insufficiency of their orbital safety efforts; for example, one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 AFSPCSUP1, 91-217 and 63-101. AF program offices are required to comply with AFI policy, but AFIs don't generally apply to the contractor except as implemented through the contract. Often, program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that having two sets of requirements, AFIs for program offices and tailored MIL-STD-882 for contractors, would achieve full compliance with AF Orbital Safety policy every time; however, AF satellite acquisition history has shown this assumption to be false. Eight areas of orbital safety risk must be addressed for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"

Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G. McDougall, BS Physics, Naval Postgraduate School (NPS) Master of Systems Engineering, System Safety Center, SMC/SE, El Segundo, CA, USA; Tyrone Jackson, BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA
The Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing the development, acquisition, fielding, sustainment, decommissioning and disposal of systems, subsystems, end items and services across the entire space system life cycle in support of the Operational Safety, Suitability and Effectiveness (OSS&E) of warfighter capability needs. The tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) for new acquisitions to specify the system safety requirements applicable to the acquisition of space systems or space systems of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems and user equipment systems. The SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP_I and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process for evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process for managing mishap risks appropriately from system concept through disposal, describing the tasks and activities required to execute a viable system safety program, including risk acceptance package development, hazard tracking, mishap risk disposition and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch, CO, USA
United Launch Alliance launches Atlas V and Delta IV from the Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles, and large quantities of them are stored on the launch site. Cryogenic propellants present leak, fire and explosion hazards throughout their handling, from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle and prelaunch operations, until liftoff. Range Safety regulations provide safety requirements for hardware, software and operations to ensure safety throughout ground processing. This paper examines each stage of ground processing for space launch and the applicable safety requirements, and discusses how the requirements are applied. Examples include DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, using safety-critical software, after personnel have been cleared from the area. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday 08/15/13 AM, Clarendon: Weapons Safety (Chair: Southwick)

Security Critical Software: the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S. Alborzi, PhD, Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA
Today's political landscape, the arbitrary abandonment of nuclear non-proliferation by several rogue member nations, and near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to protect our critical assets. In this endeavor, software security becomes the frontline defense of system safety. This paper explores this integration and describes some of the security-critical software that can serve as the first line of defense in preserving the safety-critical features of our weapons systems.

Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams, BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello, BSChE, Navy NOSSA, Indian Head, MD, USA
The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance on implementing policy provided in the associated AOP-7 and AOP-39. Questions are often raised during program development and reviews as to the origin and applicability of the tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many detailing early European explosive history. We define the term Qualification as originally used and attempt to put in perspective the purpose of the test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, addresses only the Qualification requirements for pyrotechnics: it explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE; Gunendran Sivapragasam, MBA, SE; Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA
A Science and Technology (S&T) or Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among the characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay the groundwork with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday 08/15/13 AM, Dartmouth: Hazard Identification (Chair: Oliver)

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore
We often ask ourselves why accidents or mishaps happen even when a system safety methodology and assessments are in place. Accidents happen for many possible reasons: there may be lapses in the safety integrity of the system, or a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknown ways in which a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving system safety practice. Four areas of concern are highlighted in the paper: interfaces; prototype tests and trials; maintenance and disposal; and human error. By identifying the gaps in these four areas, the author explores and proposes mitigation measures that could close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr. Cand. scient., System Safety, SINTEF, Trondheim, Norway
Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body (for certification according to IEC 61508), a Notified Body (for certification according to the relevant EU directives) and a Manufacturer.

Experience has shown that, to deliver the product on time and cost-effectively, it is very important that the Manufacturer, the Certification Body and the Notified Body agree on basic principles concerning the plans, contents, traceability and quality of the documentation to be developed by the Manufacturer and used by both the Certification Body and the Notified Body as evidence.

This paper presents the CoVeR method, developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report (CER) for conformance to IEC 61508. This ensures a good start, minimizes costs, reduces time to market, makes the certification process complete and well documented, and reduces the work needed to update certificates. Certification experience to date shows that many of the problems with conventional methods are alleviated.

Design with Safety Eye
Barış Berk Erdem, MS; Pinar Aydin, MS; Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey
Deriving safety requirements in the early stages of design is one of the key factors in conducting a successful development process for any project. Just as well-defined, correct, consistent and complete safety requirements improve and guide the design with minimum effort, defective, inconsistent and incorrect safety requirements may lead to unsuccessful, overweight and over-budget designs. This paper discusses, through examples, ways of deriving qualified safety requirements in the early stages of design and the advantages of doing so. Safety requirements are derived from the results of safety assessments based on the consequences of functional failures; but the quality of the safety assessments depends on the maturity of the design, and as the design matures it becomes hard to implement changes, which creates a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated and familiar with similar projects provides a great contribution. A safety perspective throughout the design team also makes it easier to derive valuable safety requirements and build them into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is cooperation of the whole design team with a safety perspective.

Thursday 08/15/13 PM, Berkeley: Aerospace Software (Chair: Beecher)

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway, NASA Langley Research Center, Hampton, VA, USA
For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means of receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process of recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements." Within the text of the guidance, little or no rationale is given for how a particular objective, or collection of objectives, contributes to achieving this purpose; thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of research seeking to identify the specific arguments, contained in or implied by the DO-178C guidance, that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt; therefore developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian belief networks, argument integrity levels and Baconian probability. We define use cases for confidence in safety cases, prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework, and we assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for the reuse of safety elements.

Initial Safety Analysis for Integration of Unmanned Aerial Systems into the National Airspace System
Eric Yang, PhD; Richard Y. Xie, PhD; Arash Yousefi, PhD; Metron Aviation, Inc., Dulles, VA, USA
As demand for military, civilian and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of the integrated system to the target level of safety set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper we adapt a previously developed safety modeling framework, the Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and to evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS; incompatibility between UAS sense-and-avoid systems and the Traffic Collision Avoidance Systems (TCAS) of manned aircraft; lost-link procedures in the UAS; and UAS loss of communication with air traffic control. The findings of this study provide insight into the potential risks of UAS integration and may support the development of a concept of operations, the establishment of minimum performance standards, and the development of required safety nets.

Thursday 08·15·13 PM · Clarendon · Public Safety II · Chair: Laabs

Integrating System Safety and Emergency Management
Terry L. Hardy, Great Circle Analytics LLC, Denver, CO, USA
System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations, or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience, and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Program ISSC 2013

47

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS, HSE, Marine Well Containment Company, Houston, TX, USA
Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips, and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain, and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess, and Statoil. In February 2011, MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS, and the Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach to working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.


A Taxonomic Analysis on Chinese Special Equipments "Yinhuan" in Supervision
Yunxiao Fan, Dr., Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety at the worksite. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices, and automobiles. In recent years, the rapid increase in the numbers and types of special equipment has put BSES under increasing stress in regulating it. As a government supervision organization, BSES tries to make the inspection tasks of the different supervision levels explicit and efficient, and to improve safety management performance from a risk-based perspective. This research is the first task in a project that aims to identify yinhuans in special equipment supervision using a taxonomic approach, so that they can later be ranked through risk assessment. Based on nonconformity and the 4 elements of the accident causation model, this research defined yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. The research identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans across 8 types of special equipment.

Thursday 08·15·13 PM · Dartmouth · Hazard/Risk Management II · Chair: Kniess

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1); Patrick J. Graydon, PhD (2); Rikard Land, PhD (1). (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework including analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach, the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence; it can ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA
United Launch Alliance (ULA) believes error reporting is the cornerstone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented, and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012, ULA experienced an elevated number of transportation-related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if the associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates the processes were "in control" during the period of this study.

Even though statistical analysis tools demonstrated ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, PEng, MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece
Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how STAMP-Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents, and incidents. The objective is to show the feasibility of establishing system safety and security monitoring stations in airports that use hazard and threat data from airlines, air navigation systems, and airports to assess and predict changing levels of risk.

Special Functions

Saturday
SSS Executive Council Meeting, 12:00 - 5:00pm, Tremont Room

Sunday
SSS Executive Council Meeting, 8:00am - 5:00pm, Tremont Room

Monday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Opening Ceremonies / General Session, 1:30 - 3:30am, Salons A-E. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus
Keynote Speaker: James P. Keller, Jr., MS, ECRI Institute

Tuesday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Sponsor/Exhibitor Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology
Sponsor & Exhibitor Reception, 6:30 - 8:30pm, Gloucester Room

Wednesday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
International Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK
Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00pm. Be in the hotel lobby at 6:00pm

Thursday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Awards Luncheon, 11:30 - 1:20pm, Salons A-E

Friday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Best Papers Presentations, 8:00 - 11:20am, Dartmouth Room

32nd International System Safety Conference · 4-8 August 2014 · St. Louis, MO

St. Louis Union Station Marriott Hotel

Gateway to Safety

Local attractions
• Gateway Arch Riverfront
• Missouri History Museum
• Museum of Transportation
• St. Louis Cardinals
• St. Louis Symphony
• St. Louis Union Station
• St. Louis Science Center
• The Contemporary Art Museum St. Louis
• Bissell Mansion Restaurant and Dinner Theater
• Missouri Botanical Gardens
• Laumeier Sculpture Park
• Anheuser-Busch Brewery
• Kemp Auto Museum
• Schlafly Bottleworks
• Fox Theater
• Purina Farms
• Meramec Caverns
• Laclede's Landing
• City Museum
• Magic House
• Grant's Farm
• St. Louis Zoo
• Delmar Loop
• Forest Park
• Harrah's
• Six Flags

About the System Safety Society
The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products, and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program, or activity at the planning phase and continues through the design, production, testing, use, and disposal phases.

The Society's Objectives
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering, and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070 · www.system-safety.org · email: systemsafety@system-safety.org

Points of Contact

Officers
Robert Schmedake, President, robertaschmedakeboeingcom
Dr. Rod Simmons, Executive Vice President, rodsimmonsmecom
Dr. Matt Johnson, Executive Secretary, mjohnsonstaudertechcom
Pam Kniess, Treasurer, pamkniessgmailcom
Gary Braman, Immediate Past President, gbramansikorskycom

Directors
Gerry Einarsson, Chapter Services, einargkrogerscom
Lynece Pfledderer, Conferences, Lynecepfleddererlmcocom
Dr. Chuck Muniak, Education & Professional Development, cmuniakstevensedu
Debbie Hale, Gov & Intersociety, Hale0324hotmailcom
Robert Fletcher, International Development, rwfletchersympaticoca
Melissa Emery, Member Services, memeryapt-researchcom
Steve Mattern, Mentoring / R&D, smatternbastiontechnologiescom
Saralyn Dwyer, Publicity & Media, sdwyerapt-researchcom

Chapters
Tennessee Valley Chapter (AL): Don Swallom, swallomisss-tvcorg
Saguaro Chapter (AZ): Amanda Boysun, 520-794-5487, AmandaBoysunraytheoncom
Bay Area Chapter (CA): Graham Murray, 408-756-2674, grahamtmurraylmcocom
Central California Chapter (CA): Kathleen Brenna, KathleenBrenna1usafmil
Sierra High Desert Chapter (CA): Jerry Banister, 760-377-4690, safetycitadelearthlinknet
Southern California Chapter (CA): Francis McDougall, 310-653-1309, francismcdougallusafmil
Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppecomcastnet
Georgia Chapter: Terry Gooch, 770-494-3527, terryjgoochgmailcom
Winners Circle Chapter (KY/IN): Marc Bever, 812-854-1351, Marcbevernavymil
Twin Cities Chapter (MN): Bill Blake, 763-744-5086, billblakeatkcom
New England Chapter: Alan E. Southwick, 401-842-2067, Alan_E_Southwickraytheoncom
Northeast Chapter: Scott Beecher, scottbeecherPWutccom
New Mexico Chapter (NM): William (Bill) Harwood, williamharwoodmdamil
Houston Chapter (TX): Derek Robins, 281-335-2011, derekrobbinsmwcc-usacom
North Texas Chapter (TX): Frank Rinaldo, 817-762-3075, frankrrinaldolmcocom
Washington DC Chapter: Sean Peters, seanpetersurscom
Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerberbaesystemscom

International Chapters
Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbechtrgbassurancecomau
Canada Chapter: Maury Hill, 613-220-0533, Mauryhillrogerscom
Israel Chapter: Haim Kuper, 972-4-8315044, haimkuperelbitsystemscom
Singapore Chapter: Ten Lin Mei, tlinmeidsoorgsg


31st ISSC Luncheon Menu

Tuesday, August 13
New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14
Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15
Caesar Salad
Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce
White Chocolate and Blood Orange Torte


tools have been built for hazard analysis (STPA), accident analysis (CAST), organizational risk analysis and risk management, etc. This tutorial will concentrate on STPA. The tutorial will start with a brief introduction to STAMP and the systems approach to safety engineering. The rest of the time will be devoted to learning STPA and doing exercises. Students are encouraged to bring problems from their own research domains so that they can try this analysis method on something very relevant to their work.

STPA is being used successfully in almost every industry. Several groups have evaluated STPA empirically by comparing the results with standard hazard analysis techniques. In all cases, STPA found all the hazard scenarios found by the other methods but also found additional ones involving software, human errors, and unsafe interactions among system components. In a couple of cases where STPA and the other methods were applied to a design in which an accident had occurred (without telling the analysts), STPA was the only method that found the real accident scenario.

By the end of the tutorial, attendees will be able to apply STPA to a system in their field of expertise.

Tuesday 08·13·13 8:00-11:30 · Fairfield · Tutorial · 0.3 CEU

Assurance Cases as Means of Evidence-Based Development of Critical Systems
Instructor: George Despotou, BEng, MSc, PhD, CEng, Department of Computer Science, University of York, York, United Kingdom
Often developers have the onus to defend a position (i.e., make a case) about the safety of their system. This usually involves an explanation of how the available information for a system supports the claim that the risks in the system have been acceptably managed.

Safety cases have been used in the safety domain for a number of years, mostly in the defence, aerospace, and energy domains. Their usefulness as a tool for improving safety has been appreciated by many practitioners, and development of a safety case is a requirement in many standards. This has resulted in the core concepts of safety cases being transferred to other domains (e.g., automotive) and being focused on other system attributes (e.g., security cases). Recently the term assurance case has been introduced, which encompasses not only safety but other relevant critical aspects of a system, such as security.

A case exists to communicate an argument. It is used to demonstrate how someone can reasonably conclude that a system is acceptably safe from the evidence available. A case is a device for communicating ideas and information, usually to a third party (e.g., a regulator). In order to do this convincingly, it must be as clear as possible. Safety case definitions may differ between domains, but all definitions converge on a set of characteristics.

Development of a (safety) case is a requirement in many standards. However, the usefulness of the safety case has been appreciated in industry, and it is used by many organisations as good practice. The reason for this is that explicitly capturing all reasoning and information (about the supported position), such as assumptions and evidence, facilitates assessing the fitness of the design to meet its (safety) objectives. A manufacturer will design a system aiming to achieve the required operational attributes. However, what is intended is often not what is achieved. Once the reasoning of the developers is explicitly documented as claims and argument supported by evidence, the gap between what was intended and what was achieved becomes more apparent.

Explicitly documenting a case will contribute towards a factual representation of the system, revealing which claims can be supported by evidence and which remain intention (for example, because there is not sufficient evidence to support them). This does not necessarily imply that the latter claims have not been implemented, but that we are unaware of their achievement as they are not sufficiently supported. There can be three reasons why a claim is not sufficiently supported: a) there is not sufficient evidence to warrant the claim; b) although there is evidence, there is inadequate explanation (a problematic argument structure) of how the evidence supports the claim; and c) the claim was phrased in a way that is unsupportable.

The tutorial describes the basic concepts of assurance and safety cases (including recent OMG standards), explains the main challenges in developing an assurance case and their relationship to safety standards (safety cases and standards serve different purposes and should be seen as complementary), and presents best practice (and misconceptions) regarding assurance cases.

Tuesday 08·13·13 8:00-11:30 · Suffolk · Tutorial · 0.3 CEU

Practical Generation of Safety Cases with the Help of GSN
Instructors: Andreas Gerstinger, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria
This tutorial will introduce you to the concept of safety cases. Safety cases are structured arguments that support the claim that a system is safe to be used for a given application in a given environment. Several standards require the production of such safety cases as a prerequisite for approval. The tutorial will highlight good and bad practices when developing safety cases and will introduce you to a notation specifically developed for the generation of safety cases, the Goal Structuring Notation (GSN). There will be practical examples which need to be solved by the attendees so that hands-on practice and experience is gained.

Detailed outline of the tutorial:

Introduction (1h): The tutorial will start with a survey of current safety standards (IEC 61508, ISO 26262, EN 50128, DO-178C) and analyse their views and requirements regarding safety cases. We will then delve into the nature of safety cases, briefly touch on their historical origins, and clearly consider what can and what can't be expected from a safety case. Based on our practical experience, we will also highlight some typical bad practices when constructing safety cases. This helps to correctly and critically read them and is also a helpful guideline for reviewing other safety documentation. This part of the tutorial is largely a presentation.

Goal Structuring Notation (45min): We will now introduce the main elements of the Goal Structuring Notation (GSN), which is a helpful tool to document safety cases. The presentation of the notation will be interleaved with brief examples, exercises, and questions so that attendees have the chance to fully understand the meaning and purpose of the various symbols. A structured method for how to proceed when drafting safety cases will also be presented. Hence this part of the tutorial is much more interactive, requiring active participation of attendees.

Case Study (45min): A realistic case study will then be handed out. It is expected to be solved as group work (groups of 3-5 people are expected). The task of the groups will be to draft and present a sound safety argument for a given claim that the system in the case study is acceptably safe for a specific application in a given environment. GSN shall be used as the notation for this purpose. At the end, the groups present their solutions, and the advantages/disadvantages of the presented solutions are discussed. This part of the tutorial is group work.

Concluding Remarks (30min): Finally, we will offer some concluding remarks consisting of hints on how to avoid common errors and fallacies in safety cases, show some examples of real-world safety cases, and finish with a personal conclusion.

Tuesday 08·13·13 1:30-5:00 · Suffolk · Tutorial · 0.3 CEU

Improving Safety Management by Using a Risk Management Policy in Your Daily Operations
Instructor: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA
The focus of the tutorial is the use of risk assessment and risk management in the (non-technical) occupational safety and health profession. Domain of Interest: Hazard/Risk Management or Workplace Safety.

First hour: Review the basics of the various components of risk and the types of risk assessments. Stress that the safety and health professional needs to understand that risk is more than a simple subjective measure of severity and frequency.

Second hour: Demonstrate how to make risk assessment into a powerful management tool by customizing the assessment of risk for use in a company or industry. Also provide insights on how to "sell" a risk management policy/program within a company.

Third hour: A discussion of how to use risk management as a tool to aid you in your daily office or program management responsibilities: the planning, organizing, staffing, leading, and controlling of a safety program. Embedded in the discussion is how risk can provide a measure of the success of an occupational safety and health program.

Wednesday 08·14·13 8:00-11:30 · Fairfield · Tutorial · 0.3 CEU

Why You Should Care About the "-Ilities"
Instructor: Alan E. Southwick, BSEE, MME, MBA, CSP, CQE, CRE, Whole Life Engineering Directorate, Raytheon Company Integrated Defense Systems, Portsmouth, RI, USA
The topic addresses the interrelationships developed from Quality, Quality Control, and Quality Engineering, pursuing Specialty Engineering roles and relationships, including Reliability, Maintainability, Supportability, Human Factors, Safety, and Security (Information Assurance), from an overview perspective. The tutorial is designed to be somewhat interactive, presenting examples and questions to the audience related to the various topics discussed, thereby engaging participants and providing them with insights into the various disciplines and how they relate within "Specialty Engineering".

Wednesday 08·14·13 1:30-3:30 · Dartmouth · Tutorial · 0.2 CEU

Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System
Instructors: Tim R. Behnke, BSEE; John Damstra, BS Mathematical Sciences; and Eric D. Villhauer, BS Aerospace Eng., BA Economics; Specialty Engineering, General Atomics Aeronautical, Poway, CA, USA
The presenters share their implementation of a hazard analysis that integrates the civil aviation approach to safety analysis per SAE ARP 4761 and the defense approach to safety analysis per MIL-STD-882E, along with their implementation of the associated hazard tracking system in DOORS.

• Introductions - Behnke - 5 mins
• Need for System - Behnke - 5 mins
• Groundwork (historical) - Behnke - 10 mins
• Development - Damstra - 30 mins
  i. Modules
  ii. Attributes
  iii. DXLs
  iv. Views
  v. Exports
• Usage - Villhauer - 30 mins
• Questions - All - 10 mins

Wednesday 08·14·13 1:30-3:30 · Exeter · Tutorial · 0.2 CEU

Where Hard Meets SOFT: Human Factors' Role in System Safety Engineering
Instructor: Fred W. Brisbois, CHCM, Safety, Sikorsky Aircraft, International Helicopter Safety Team, Guilford, CT, USA
The gap that allows accidents to happen is sometimes where System Safety Engineering and Human Factors don't overlap. System Safety Engineering processes defined in MIL-STD-882 and ARP 4761 provide a structured approach to applying engineering practices to ensure safety is designed into products. These practices, coupled with robust product safety surveillance and management during the aircraft's service life, offer opportunities to continuously raise the standards for future designs. However, to maximize the benefits of safety engineering, it is important to master the 'art' of how and when to integrate human factors interventions into the system design. This session will cover a generic overview of system safety engineering, aircraft fleet safety management, and lessons learned from 'human' malfunctions that led to aircraft system design changes.

Wednesday 08·14·13 1:30-5:00 · Wellesley · Tutorial · 0.3 CEU

Using Risk Profiles for Safety Management of Large Scale Operations
Instructor: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA
This tutorial provides safety and health professionals who work with large scale or multiple operations with a methodology to evaluate and compare these operations. The tutorial begins with a review of the four types of risk which need to be assessed (People, Product, Production, and Planet). This is followed by a brief discussion of normalizing the risk components of severity and probability. The heart of the tutorial is the description of how to measure the total risk of various operations, processes, and facilities and present the resulting risk profiles to management. The tutorial will conclude with a brief discussion on the validity of the methodology used. Note: This is not a discussion on how to determine true total risk but a simplified method using a minimum of math. The tutorial is designed for safety and health professionals working within a company that has multiple processes or facilities that compete for funding to ameliorate hazards.

Thursday 08·15·13 8:00-5:00 · Exeter · Tutorial · 0.6 CEU

Conceive of Modeling On Operation Mechanism of Public Safety Standardization
Instructors: Yun Luo and Yuecheng Huang, ME, School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
On the basis of the theories and methods of system science and strategy-systems, this paper revealed the operating law of safety production standardization and the relations between all its elements, combined with the background and current situation of public safety standardization in China. It also built the frame of the macroscopic operating mechanism and the "456" model of the work safety standardization system operating mechanism, which borrowed ideas from the execution and achievements of work safety standardization in our country. Besides, it also designed six other mechanism models in order to perform systematic analysis and present optimized countermeasures, such as comprehensive management by government, categorized supervision by department, implementing responsibility by organization, technological service by agency, wide participation by society, self-disciplined prodding by all personnel, and so on. The research provided some theoretical directions as well as approaches for the construction of public safety standardization and the improvement of its operational quality.

Panel Discussions / Forums

Tuesday 08·13·13 8:00-11:30 · Dartmouth · Open Forum

Developing Global System Safety Perspectives
Moderator: Robert Ward Fletcher, PEng, MSc, PMP, PCIP, Consultant, President, Robert Fletcher System Safety Inc., Ottawa, Ontario, Canada
This will be a free-form discussion moderated by Bob Fletcher, SSS Director of International Development. It is a continuation of the discussion started during the 30th ISSC.

Robert is a system safety engineer with many years of experience. He has performed system safety consultancy services work for several clients around the world. He has performed system safety engineering and safety management systems training, auditing, and analysis for air traffic control and flight service system applications. Robert received an MSc from the United States Navy Post Graduate School, a diploma from the Aerospace Systems School, Winnipeg, Manitoba, and a Bachelor of Science degree from the Royal Military College. He is a registered professional engineer, a member of the Project Management Institute and the Critical Infrastructure Institute.

Thursday 08·15·13 8:00-11:30 · Suffolk · Panel

G-48 Workshop - Pressing Issues Facing System Safety
Moderator: David B. West, CSP, PE, CHMM, Systems Software and Solutions Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
A panel of speakers (TBD) will give a series of presentations on the most pressing issues facing the System Safety community today.

Workshops

Tuesday 08·13·13 8:00-11:30 · Exeter · Workshop

ISO 26262-Style Risk Assessment
Presenter: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada
ISO 26262 is a functional safety standard for electronic control systems in road vehicles which includes a novel approach to risk assessment that overcomes the widely recognized difficulty of evaluating the likelihood of failure in the case of software-intensive systems. Although it was devised for use in the automotive domain, this approach to risk assessment has been used successfully in other technical domains that also rely on safety-critical software. Following a brief introduction to ISO 26262, participants will engage in a series of problem-solving small-group exercises based on examples taken from a variety of technical domains, including automotive, medical devices, energy, and defense. The workshop will include opportunities for discussion and comparison of sample solutions. The workshop will also include a brief comparison of the ISO 26262 approach to risk assessment with the notion of software criticality in MIL-STD-882E. While this workshop will be of particular interest to system safety engineers in the automotive industry, it is intended to be relevant to system safety engineers across all technical domains with an interest in the assessment of safety risk associated with complex software-intensive systems.

Program ISSC2013

Tuesday 08·13·13, 1:30-5:00, Exeter, Workshop

Application of System Safety Methods to Systems of Systems

Presenters: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada; Rami Debouk, Electrical and Controls Integration Lab, General Motors, Warren, MI, USA; Antonio Vergara, ITER Organization, St. Paul-lez-Durance, France

This workshop will facilitate an exchange of knowledge among participants about the application of system safety methods to Systems of Systems (SoS), that is, systems whose components are themselves complex systems, such that the combined behavior of these components cannot be easily understood or explained in terms of the behaviors of the individual components. Examples of such systems are increasingly common across a variety of technological domains, including aerospace, defense, automotive and energy generation/distribution. Traditional methods of system safety, focused on component failure as a source of safety risk, have limited value in understanding and managing the safety risks associated with a SoS. For example, an unforeseen interaction between two "correct" behaviors implemented by different components of a SoS may result in an unsafe behavior even in the absence of a component failure. The first part of the workshop will be a series of short presentations on SoS examples from a diverse variety of technical domains, namely advanced road vehicles, high energy physics and aerospace/defense. The second part of the workshop will be an opportunity for all participants to address specific questions about the application of system safety methods to SoS through dialogue and impromptu mini-presentations.

Tuesday 08·13·13, 1:30-5:00, Fairfield, Workshop

Advancing Safety By Reducing Errors: A Fresh Approach

Presenter: Tim Autrey, BSc, Error Reduction and Human Performance Enhancement, Practicing Perfection Institute Inc., Swanzey, NH, USA

Potential hazards workers face while working in the refining and petrochemical industry can vary from minor leakage to major blasts: release of chemical vapors, spills leading to exposure to harmful gaseous chemicals, fires and explosions, and smoke build-up causing shelter-in-place impacting the local community, personal injuries, fatalities and plant damage resulting in shutdowns. Considering time pressures, the dangerous nature of the job, weather conditions, lack of communication, poor/inadequate documentation and remote working locations, planners, locators and refiners often face combined challenges that generate very error-likely conditions.

While unexpected releases of toxic substances do occur, the industry is subject to vulnerabilities caused by others (such as processes involving highly hazardous chemicals leading to the release of flammable liquids and gases, and worker stress and fatigue), and investigations reveal that many of the major accidents that do occur could have been prevented through greater diligence on behalf of the respective personnel involved.

This workshop is designed to provide the participants the awareness that as humans we are fallible (even the best people make mistakes). However, this being said, as humans we also possess the incredible power of choice. What we must do is choose to learn from our mistakes and take actions to prevent their recurrence.

Bird and Germain (1996) rightly said, "What is the sense of measuring if the loss must occur before you can act? That is reaction, not control." What we need is a fresh approach to enhance safe work practices. This session will instill a strong understanding of "The Gap" in processing information and how to RESPOND rather than REACT when posed with a stressful or threatening situation. The participants will come to recognize the value inherent in worker contribution to solving problems and improving safety and efficiency.

The Practicing Perfection® approach has taken the best-of-the-best tactics and tools from the US commercial nuclear power and airline industries, simplified them, and combined them with underlying triggers and influencers of behavioral psychology to transform worker behaviors pertaining to personal and process safety in different sectors.

Using this innovative approach of Practicing Perfection®, safe work practices will be discussed in depth using the four human error barrier/defense categories and how these work together to prevent/allow an event to occur. The participants will be introduced to the Error Elimination Tools™ handbook, which offers simple tools for minimizing the potential for error at points of team interaction and individual execution.

Wednesday 08·14·13, 1:30-3:30, Arlington, Workshop

The Evolution of the UK Defence Safety Standards

Presenter: John McDermid, Professor of Software Engineering at the University of York, UK

Issue 5 of DS 00-56 is being developed and is likely to be in force before the end of the year. The UK's primary defence safety standard, DS 00-56, has been in existence since mid-1990 and has undergone a number of changes, becoming more goal oriented at Issue 4 (the current standard). When Issue 4 was produced, DS 00-55, the MoD software safety standard, was discontinued. Since the publication of DS 00-56 Issue 4 in 2007 there has been feedback on some of the requirements, including the challenges of applying the ALARP principle; defence contracting has changed, with a move towards the greater procurement of services and/or outsourcing management of facilities; and there is increasing use of Systems of Systems (SoS). Issue 5 of DS 00-56 is being developed to address these issues. At the same time there have been increasing concerns regarding software safety, and it has been decided to re-introduce DS 00-55 at the same time, albeit in a goal-based style consistent with DS 00-56 and also covering complex electronics. The tutorial will present an explanation of the motivation for the changes to the standards and the significant conceptual changes, and outline the rest of the development process. Time will be allowed for discussion, e.g. the relationship between DS 00-56 and other standards, both civil and military.

Wednesday 08·14·13, 1:30-3:30, Fairfield, Workshop

Aircraft Fire & Explosion - How Safe Are the Friendly Skies?

Presenter: Albert Moussa, PhD, PE

While commercial air travel is an extremely safe mode of transportation, aircraft fires and explosions can occasionally occur with catastrophic consequences. Using examples of recent accidents and full-scale testing, Dr. Albert Moussa will provide an overview of the main types of fires, such as those involving aircraft engine, fuel tank, cabin and cargo areas. He will show how major accidents lead to safety recommendations by the NTSB, stricter requirements by the FAA and improved practices by the industry. This process takes many years, leading eventually to safer skies. Examples of safety improvements include the use of a fire blocking layer in seats, improved acoustic insulation, fire detection and suppression systems in cargo bays, and fuel tank inerting. The implications of replacing aluminum with composite materials will also be discussed. The talk is an overview of a unique professional course that he teaches annually on the design of aircraft systems for protection against fire and explosion. The talk is a multi-media presentation illustrated with colorful slides and short video clips of real accidents and computer model outputs.

Dr. Albert Moussa has spent over forty years developing a fundamental understanding of fire and explosion, particularly for the aerospace/defense industry. His work has led to the development of a number of practical solutions and quantitative models and to the investigation of several major national and international aircraft fire accidents. His forewarning about the vulnerability of aircraft fuel systems before the occurrence of the TWA800 and Concorde disasters has gained him prominence in the general media in both the US and Europe. He has consulted for the Air Force, Navy and major firms such as Boeing, GE, Northrop Grumman and Parker Hannifin, and has served on national advisory committees and on the Editorial Board of an ASME Journal. He teaches a unique professional design course on how to protect aircraft systems against fire and explosion. He received his BS from Stanford University and his MS and ScD from MIT. He has published widely, including one book. He has received several honors, including the William Littlewood Memorial Lecture Award by SAE/AIAA, Engineer of the Year by AIAA NE Section, best papers by SAE and ASEI, AIAA Distinguished Lecturer, and several ASME citations. He is the Founder and Technical Director of BlazeTech Corp., an engineering firm that specializes in technology and software development in the area of energy, environment and safety.

Friday 08·16·13, 8:00-10:00, Clarendon, Workshop

Process Safety Culture Best Practices

Presenter: Laurence Pearlman, MA, Corven Inc. and University of Illinois at Urbana-Champaign, Naperville, IL, USA

The workshop explores how process safety is more than a technical solution and involves cultural change. To make a successful and sustainable culture change, multiple elements need to be combined that address people, rewards, learning and leadership. This workshop will explore best practices and give practical advice on how to build a process safety culture. The workshop is aimed at oil, chemical and other process-related work.

• Introduction
• Change as a Journey: Overview of Change Management
• Building a Business Case: Defining a Burning Platform
• Speaking of Process Safety: Creating a Common Language for Process Safety
• Leadership Matters: Defining the Role of Your Leadership Teams
• Effective Learning: Segmenting Your Audiences and Delivering Relevant Learning Activities
• Looking at Behaviors and Desired Outcomes: How To Define & Drive Behaviors
• The Employee Lens: Know My Barriers & Know My Role in Keeping Them Healthy
• Measurement of Culture: What Works and What Doesn't
• Wrapping it Up: Change as a System

You have a lot on the line. Our adaptive Safety Management and FAA Compliance solutions won't let you down.

Adaptive SMS - The comprehensive solution for the most efficient implementation
• Extends a culture of safety beyond safety teams
• Easily guides users to confidentially report useful safety events
• Responsiveness shows users they made a difference

Adaptive Systems Safety Analysis - Safety oriented system design analysis

Don't miss the Sikorsky Aircraft and AST Aerospace presentation "Linear Integrated Safety Analysis (LISA)"

A DIVISION OF ATLANTIC SOFTWARE TECHNOLOGIES
1-732-230-2590
sales@astaerospace.com
www.astaerospace.com

PAPER PRESENTATIONS

Monday 08·12·13, AM, Berkeley, Hazard Analysis, Chair: Barondes

Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models

Lucas Wind, Dr. Gabriele Schedl, Juergen Floetzer, Safety Management Department, Frequentis AG, 1100 Vienna, Austria

Multiple failures of components due to shared causes, also known as Common Cause Failures (CCF), comprise an important class of failure types. These have to be taken into account in any serious assessment of safety critical systems deploying any redundancy concept. Whereas a qualitative assessment of CCF can be regarded as common practice, the exact numerical impact of CCF is usually less widely understood. Explicit representation of CCF is quite cumbersome and usually involves complex graphical representations within Fault Trees and RBDs. Focusing on a correct derivation of RAM data rather than on a comprehensive common cause analysis, an implicit representation of CCF is therefore often preferred, but it requires in-depth knowledge of the underlying mathematical models. This paper aims to enable safety experts to make a fast, simple but effective RAM analysis including CCF. Popular CCF models are reviewed together with their advantages and disadvantages, based on the long-term experience of a supplier in the context of a large European ATM project. The single-parameter beta-factor model is explained in detail and demonstrated to be most effective for typical ATM applications. Based on this model, results are given in terms of representative figures depicting the influence of CCF on various typical real-world availability requirements.

Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees

Wes Rainey, MSEE, Life Cycle Engineering, General Dynamics Electric Boat, Groton, CT, USA

Fault Trees prove to be an effective tool for identifying safety critical system hardware and software requirements during the Safety Requirements Hazard Analysis (SRHA) process. This safety analysis methodology offers significant benefits when performing the SRHA. Fault Trees effectively communicate the safety assessment of a safety hazard to other safety engineers, systems engineers, the customer and other impacted engineering disciplines in a manner that each discipline can readily understand and evaluate for completeness and correctness. Fault Trees also enhance the safety engineer's ability to assess the implications of safety mishaps and events on safety hazards, improving visibility into the relationship between related mishaps and events and allowing for common events to be identified and shared between hazards. Fault Trees can then be structured to correspond to the system hardware and software requirements analysis, thus providing the ability to identify hazard-mitigating safety critical requirements, design features and procedures early in the development process for continued tracking and management. This paper describes significant benefits of Fault Tree analysis when applied to an SRHA, with an example based upon a hazard caused by significant equipment damage to a pump.

The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment

Omar T. Jaradat, PhD Student (1); Patrick J. Graydon, Postdoctoral Research Fellow (1); Iain Bate (2). (1) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden; (2) Department of Computer Science, University of York, York, United Kingdom

Typical safety standards require software engineers to show that a plan of safety activities (chosen from recommended options or alternatives) meets a set of objectives. For example, the automotive safety standard ISO 26262 recommends formally verifying software architectures to show that they comply with safety requirements. In this paper we show how an existing approach to architectural model checking could be used to conform to ISO 26262.

The Architecture-Based Verification Technique for AADL Specifications verifies some completeness and consistency properties of Architectural Analysis and Design Language (AADL) models. An engineer transforms the AADL architecture into an UPPAAL model, generates a set of UPPAAL queries, and uses UPPAAL to check the queries. Using the resulting evidence, we have created a partial ISO 26262 safety case for an existing system that warns drivers of heavy vehicles before low fuel causes loss of power and vehicle control.

In this paper we demonstrate how this model-checking evidence contributes to an ISO 26262 safety case. We then critically analyze the resulting argument, recommend means of achieving complete coverage of ISO 26262 objectives, and discuss the costs and benefits of architectural model checking in comparison to those of the other techniques recommended by ISO 26262.

Monday 08·12·13, AM, Clarendon, Ground Transportation, Chair: Millin

Achieving Confidence of a Safety Critical System Product and Its Applications

Fenggang Shi, PhD, RAMS Department, Thales Canada Transportation Solutions, Toronto, ON, Canada

A safety critical system product can be developed for multiple project applications, such as a Communication Based Train Control (CBTC) product for modern railway signaling systems. It is natural that different safety critical systems in the same domain can have different characteristics due to variances of devices and operation environment. Such a product must be developed based on the generic attributes of systems in the domain, and can be parameterized and tailored to a specific system with the characteristics expected by the customer. The key issues in development of such a product are defining common functions in the application domain, categorizing and generalizing devices, and designing a configurable system architecture. Thus devices and functions can be parameterized and tailored for a specific system of a project. Safety engineering for such a safety critical system product and its applications faces complexity in safety case development for demonstrating systematic hazard analyses and management. This paper discusses Thales' experience and practice of resolving the key issues in designs and managing complexity of safety engineering on its CBTC product and applications. Safety confidence of CBTC systems is achieved through four layers of safety engineering: vital computer, controller platform, generic application and specific application.

Failure Logic Automata for Future Oriented Safety Assessment of Train Control System

Guo Zhou, PhD Student; Huibing Zhao, Professor; School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China

In the development process of a train control system, safety analysis may deviate from system design. System engineers and safety engineers often carry out their ideas in entirely different ways, so that when system engineers assert their designs are complete and feasible, the safety engineers may disappointedly declare that the safety requirements are not met. Conversely, when safety engineers present their manual analysis reports (FTA, FMECA, etc.), system engineers may point out inconsistencies. Intuitively, there seems to be a "gap" between system engineering and safety engineering. In this paper, some comparisons amongst classic safety assessment methods are performed first. Then a future oriented safety assessment method is introduced to safety engineering to automatically realize safety requirements verification in the face of the soaring complexity of system design. The hierarchical and modularized methodology of failure logic modeling is illustrated for minimal cut set synthesis and dangerous failure rate calculation, which can be referred to in order to improve safety. A mathematical model is constructed to demonstrate the correctness of the method. An instance analysis of an on-board train protection system is also performed.

Are We Ready for Driverless Cars?

David B. West, CSP, PE, CHMM, AMCOM/AMRDEC Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA

For decades, technological advancements have continually improved the automobile, making it easier to drive. As we integrate features like adaptive cruise control, GPS navigation, lane keeping and so on, and make them interoperable, we move ever closer to having cars that will drive themselves to the destinations we enter into their programs. Some experts have even predicted that in less than a generation it will be illegal to steer our cars ourselves. Though it may seem that serious safety challenges constrain our movement down this path, it may actually be the safety benefits offered by driverless cars that propel us in this direction. Several high-profile competitions have fostered the development of driverless car technology. Some jurisdictions are already passing legislation to pave the way for driverless cars on public roads. With driverless cars will come major changes in legal processes involving accidents. In many ways, the development of driverless cars that will operate on public roadways parallels the development of unpiloted aircraft that will fly in the national airspace. Design standards for hardware and software in civil aircraft (e.g. RTCA DO-254/DO-178) may serve as models for similar qualification of driverless car hardware and software.

Tuesday 08·13·13, AM, Berkeley, Hazard/Risk Management, Chair: Parizo

Safety is not an Option

Clifford A. Parizo, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Stratford, CT, USA; R. Brandon Daugherty, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Huntsville, AL, USA

This paper presents a method for evaluating and classifying rotorcraft safety enhancing equipment in terms of impact on safety and various equipment implementation factors. Guidance from certifying agency policy and system safety standard practice were considered, resulting in a classification tool that can be used to determine if equipment should be marketed and sold as either mandatory or optional. The methodology developed may have applications for other products and industries.

National Aerospace Standard 411 Update

Timothy Sheehan, CIH, CSP, PE, Raytheon Global Substances Program, Raytheon, Portsmouth, RI, USA

This paper describes the effort to review and update National Aerospace Standard 411 ("NAS 411"), commonly used within defense as a framework to conduct Hazardous Material Management Programs (HMMP) intended to reduce hazardous material risks in the government procurement of military systems. The scope of the effort includes both a review of the standard and the introduction of several key changes, including the expansion of the scope to non-military procurements and service contracts. Included in the effort is the task of developing a standardized military Hazardous Materials Target List (HMTL) that can be used as a starting point for military HMMP hazardous material (HAZMAT) target lists. The development of the common HMTL addresses the need to increase standardization of HMMP lists across defense programs that use NAS 411 and/or MIL-STD-882E Task 108 to conduct their HMMPs. There is currently no standard approach for developing these lists; as a result, there are numerous different materials identified for restrictions and reporting requirements. The current situation often does not support (or reflect) the hazmat risk management goals of the DoD, the military services or the contractors.

Linear Integrated Safety Analyses (LISA)

Michael T. Grant, Aviation & Product Safety, Sikorsky Aircraft Corp., Stratford, CT, USA; Samad Muhammad, Atlantic Software Technologies Inc., New York, NY, USA

This paper describes the Linear Integrated Safety Analyses (LISA) process developed by the Sikorsky Aircraft Corporation (Sikorsky). The LISA architecture is designed to encompass all aspects of safety risk management for aircraft development programs. It is linear in that each assessment is repeated at the aircraft, system and subsystem levels in sequence, and it is integrated such that all analyses are connected and fully traceable to requirements. Sikorsky has partnered with Atlantic Software Technologies (AST) to develop a web-based LISA application. The end product will be a fully integrated system safety process that is comprehensive, repeatable and traceable.

Tuesday 08·13·13, AM, Clarendon, Workspace Safety, Chair: Kondreck

Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chefs' Uniforms Against Thermal Hazards in the Kitchen

Han Zhang, MSc Candidate; Rachel McQueen, MS, PhD; Jane Batcheller, PhD; Human Ecology, University of Alberta, Edmonton, Alberta, Canada

Burn injuries in kitchens are prevalent; as well, chefs are exposed to high heat and humidity. Limited research has been performed on safety issues related to chefs' uniforms regarding thermal protective performance towards common kitchen thermal hazards (i.e. flames, hot liquids, steam and hot surfaces) and the thermal comfort within commercial kitchens. The purpose of this research was to characterize the thermal protective performance properties of textiles used in chefs' uniforms in order to understand how protective they are against all these thermal hazards in such an environment. Selected thermal performance tests (i.e. flammability and ease of ignition, hot water and oil splash, steam testing under low pressure, and hot surface contact tests) were applied to predict the time to second-degree burn. Different fabric layer combinations (e.g. impermeable/semipermeable apron and two or more layers of cotton fabrics) were applied to determine the most effective way to wear chefs' uniforms. In addition, thermal and water vapour resistance were compared among different fabric systems in terms of thermal comfort. Based on the data obtained from bench scale tests, recommendations were made to improve the thermal protection and thermal comfort of fabrics used in chefs' uniforms and the safety within commercial kitchens.

A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources

Ray Fischer (1); Kurt Yankaskas, BS (2); Chris Page (1). (1) Noise Control Engineering Inc., Billerica, MA, USA; (2) Warfighter Performance Department, Office of Naval Research, Arlington, VA, USA

Noise remains the most prevalent occupational hazard associated with defense systems and operations critical to their sustainment. Concurrently, acquisition programs have been inconsistent in application of control measures, and many new systems are noisier than their legacy predecessors. Common impediments to improved control include a relative lack of emphasis on risk management of noise, lack of widespread technical knowledge regarding the feasibility of noise control, and misunderstanding of potential return on investment from noise controls. The Defense Safety Oversight Council's Acquisition and Technology Task Force sponsored a project to identify common noise sources affecting multiple defense systems that were amenable to control measures that could be implemented using existing technologies at an affordable cost. A system engineering risk management process was applied to review key noise sources in DOD, identify nine of the more common sources amenable to control technologies, and describe common control measures for these processes. An affordable containment (acoustic enclosure) technology was also evaluated and described. Estimates were made of exposed populations, the range of their occupational exposures, and the potential risk and fiscal cost of hearing loss. Cost-benefit analyses were applied to evaluate the return on investment from available control measures.

System Safety Design for Safe Operation of Radars

Ronald J. Bartos, PE, CSP, Whole Life Engineering, Raytheon, Sudbury, MA, USA

Safe operation and maintenance of radars depends upon effective system safety and software safety analyses of radar designs. These analyses include identification of the hazards involved in operating and maintaining radars and the safety requirements that are necessary to mitigate these hazards. This paper familiarizes the reader with the system safety design requirements that are implemented in the controls of these systems in order to manage the potential safety risks inherent in radars. The safety features are contrasted among different types of radars. The differences in the types of safety features among these systems are highlighted, and factors for these differences are presented. The radar's mission, location, system architecture, conceptual design, and requirements allocation between hardware and software need to be understood in order to implement an effective safety program.

Tuesday 08·13·13, PM, Berkeley, Software Engineering, Chair: Mikula

Dependability Techniques Applied to Space Software - A Research Project Report

Carlos Henrique Netto Lahoz, Dr. Eng., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos (SP), Brazil; Martha Adriana Dias Abdala, M.S., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos, Brazil

This work reports some results of a research project performed at the Institute of Aeronautics and Space (IAE), Brazil, using dependability techniques applied to a space computer system. Hazard analysis techniques such as Software FTA and Software FMECA were used in an integrated manner, and more recently the System-Theoretic Process Analysis (STPA) has been studied. This research is part of the Verification and Validation (V&V) efforts to increase software dependability capability in software projects at IAE.

A feasibility study of this approach was conducted on the system software specification and applied to a case study based on the Brazilian Launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to the inclusion of new functional and non-functional system software requirements.

The techniques are adjusted and used in combination to identify common causes of software failures, their criticality, performance problems, temporal misleading, and hazards arising mainly from dysfunctional interactions between components. The SFTA analysis produced 82 basic events and the SFMECA 34 analyses from the sequence of flight and control events. The STPA is being applied to one of the case study scenarios in order to evaluate possible additional information about how the behavioural safety constraints can be violated.

The Principles of Software Safety Assurance

Richard Hawkins, PhD; Ibrahim Habli, PhD; Tim Kelly, PhD; Department of Computer Science, University of York, York, United Kingdom

We present common principles of software safety assurance that can be observed from software safety standards and best practice. These principles are constant across domains and across projects and can be regarded as the immutable core of any software safety justification. The principles also help maintain understanding of the 'big picture' of software safety issues whilst examining and negotiating the detail of individual standards, and provide a reference model for cross-sector certification.

Formal Modelling in the Development of Dependable Systems

Elena Troubitsyna, PhD, IT, Åbo Akademi University, Turku, Finland

Nowadays we tend to place increasing reliance on computer-based systems and the software they run. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, the analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.

It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing of software to the required degree of dependability infeasible, and hence the emphasis should be put on a development process that is aimed at producing fault-free software. Moreover, the system environment has a direct impact on its dependability, and hence a systems approach should be applied.

In the paper we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.

Tuesday 08·13·13, PM, Clarendon, Aerospace Safety, Chair: Kraemer

Systems-Based Approach to Flight Safety Management in Airlines

Hong Chi, PhD; Baoguang Xu, PhD; Mingliang Qi, PhD; Xueyan Shao, PhD; Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China

Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of SMS. Since 2006 we have worked with one of China's 3 big airlines, taking part in its construction of SMS. We find that safety risks have their own features in different airline departments, and divide safety risks into two categories: one is caused by factors such as quality of pilots and reliability of airplanes, and the other is caused by misprocessing within operational processes; for example, a misprocessing in data entry during dispatching may lead to insufficient fuel and then serious outcomes. A reasonable risk assessment can be obtained only by systematic mechanism analysis, and other analytical approaches need to be studied besides the risk matrix. Based on this, effective risk mitigation can be implemented in airlines. We develop a closed loop to support an airline's flight safety management, named "Describing-Assessing-Diagnosing-Improving-Tracking". Specific details will be discussed in this paper.

Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch
Burak Durmaz, MSc Eng, Product Assurance Department, Space Systems Group, Turkish Aerospace Industries Inc (TAI), Ankara, Turkey
Even if new-generation aircraft have rugged designs that maximize reliability, exposure to failures during operation is still unavoidable. A pure safety approach can lead to the classical result "the safest aircraft is the one in the hangar". Conversely, allowing dispatch without ensuring a certain level of safety can lead to catastrophic results and is totally unacceptable. MMEL has been answering this dilemma for many years. Each MMEL item is analyzed taking into account the effects of item inoperability on safe flight and landing, crew workload, functional capabilities of the systems, design margins, and the impacts of the next critical failure. MMEL proposes dispatch criteria for any inoperative MMEL item by taking credit from a redundant unit capable of accomplishing the same function or from backup data provided by alternative sources or equipment, by dictating acceptable limitations, and/or by requiring operational or maintenance procedures.

This study aims to answer questions such as why MMEL is required and how an MMEL is developed. Brief information about MMEL regulations, the importance of MMEL in ensuring safe dispatch with inoperative item(s), and some simple examples of MMEL applications will also be provided.


Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics
Stuart Campbell Sr, MAS, CFII, ATP, Aeronautical Science, Embry Riddle Aeronautical University, Daytona Beach, FL, USA
The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilots Association, 2010). The absence of a positive safety culture in general aviation, including training organizations, affects pilot judgment and decision making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture to the learning process and training, is of importance and is currently under study using the Frasca Mentor Advanced Aviation Training Device.

Tuesday 08/13/13 PM, Dartmouth: Software Safety (Chair: Schmedake)

Safety and/vs Security: Towards a System Engineering Approach for Trust
Erwin Schoitsch, Dipl-Ing, Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria
Safety has a long tradition in many engineering disciplines, evolving long before computers arrived on the scene. Security in engineering disciplines has a shorter history, becoming increasingly important with the rising complexity of networked systems. In complex cyber-physical systems and systems-of-systems, both worlds, having ignored each other for a long time (independent communities, different targets, standards, techniques and measures), now have to share their concerns to achieve the real goal of users and stakeholders: trustworthy systems.

The paper will compare the different approaches of the major safety and security standards, particularly with respect to setting goals, considering techniques and measures, and qualification/certification. Holistic system aspects, as covered by the notions of Dependability and Resilience as umbrella terms, and system engineering aspects taking into account the dichotomic properties of complex embedded systems (commonalities and trade-offs) are examined in order to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from the concept phase and hazard and risk analysis through to decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC-FP7 Integrated Project OpenCoss, IEC/ISO standardization groups and other work.

Anatomy of a Safety Critical Software Function
Richard Church, Raytheon Company, Tewksbury, Massachusetts, USA
This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides a clear and concise determination of how a safety critical function may be defined at the system level to include hardware, software, human interactions and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose SLSCF computing-level functions, details what constitutes a Safety Critical Computing Software Function (SCCSF), and shows how to identify those behavioral attributes that designate a function as safety critical. This paper provides a methodology to identify, decompose and categorize application and operating environment SCCSFs. For the purpose of this paper, SCCSFs are categorized into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety critical software functions that control and monitor safety critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies, and fail-safe designs found in successful high-consequence safety critical systems.

Software Risk: The Third Rail of Safety Analysis
Holly S Hildreth, PhD, Consultant; Charles Greg Elcock, USN-R Aviator, Consultant; San Diego, CA, USA
"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Due to our inability to assess the probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called "throwing the baby out with the bath water". Meanwhile, the recent industry trend to assess software risk based solely on implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss shortcomings of this trend and describe alternative techniques that have not been openly documented but that have been used "under the radar" by software safety professionals for many years.

Wednesday 08/14/13 AM, Berkeley: Human Factors (Chair: Robins)

ASL – Affective Safety Leadership
Ulrik Ramsing, Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark
Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how", demanding that the CoRep engage with all parties in a safe, professional and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged with CfL Centre for Leadership to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, satisfactory completion of which is now a requirement for employment in DONG E&P Offshore Operation as Company Representative.

The CoRep Program satisfies its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors, and ILO-driven offshore coaching.

Exxon Valdez: Human Error, Plain and Simple
Arthur D Barondes, BS (Mil Engr), MS (Aero), MBA, PhD (ABD) (Business), Analytics International Corporation (AIC), Alexandria, VA, USA
Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989—and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors—there were no mechanical or electrical failures that fateful night—the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots, and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors—onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company—as solely responsible for the disaster.


Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A Vernacchia, MS, PE, Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A Green, PhD, Active Safety Systems, General Motors, Warren, MI, USA; Robert E Llaneras, PhD, Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA
Today's electric propulsion system designs (e.g., Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, for some failure modes the failure effect on output torque may be realized significantly faster than for traditional ICE failure modes. These may present differences in how output torque responses impact potential "Driver Startle" events.

This paper compares electric propulsion systems' fault response characteristics and subsequent detection and mitigation capabilities to those of ICE systems. The effects of the electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle-level hazard metrics related to Driver Startle, are presented.

Wednesday 08/14/13 AM, Clarendon: Public Safety (Chair: Fletcher)

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD; Yun Luo; Shuo Tian, MS; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
Scientific precaution against and effective control of accidents are important for the national production of China. The famous Heinrich Rule reveals that the statistical law of the severity and frequency of accidents is essential to control accidents, but the accident source and causation, as well as the essence of systematic safety factors, haven't been stated deeply. With data analysis from various accident statistics over recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. A proportion rule of the accident pyramid is then further figured out, namely "Major Accidents-Fatal Accidents-General Accidents-Hidden Dangers-Hazards" (1-52-240-4700-∞). The result accords with the traditional Heinrich Rule, which provides the theoretical basis for accident prevention and indicates the way and direction of realizing essential safety.

Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity
Ilya M Zheleznov, PhD, VNIIA, Moscow, Russia
The paper presents a review and the results of an analysis of different technical and economic aspects of industrial safety at a large enterprise with distributed sites, combining R&D work with pilot and batch production of high-tech products, and located in a megacity – Moscow.

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to optimization are considered from both technical and economic points of view, taking into account minimization of the transportation of dangerous substances, localization of treatment facilities (waste effluents, gas purification) and waste storehouses, localization of the systems that maintain working conditions (heating, air-conditioning, air cleaning, water supply, etc.), possible harm to the population, and a number of other factors.

The features connected with locating the enterprise in a megacity are identified, including the limited area available for treatment facilities, the high saturation of the area with various utilities, the short distances to residential buildings and city infrastructure, transport problems, high air pollution, etc.


Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr Professor GA Smirnov, Dr DI Yurkov, DV Syagin, TV Kozhina, All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia
The paper reviews questions related to the vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including those of a terrorist orientation, as well as to emergency situations of natural and anthropogenic character.

The main provisions of the Russian Government-approved complex program for the safety of the population on transport are presented. Approaches to the organization of screening of persons, passengers, vehicles, cargoes, luggage and personal belongings at transport infrastructure objects of the undergrounds of Russia are formulated. Some types of neutron and x-ray equipment for the detection of explosives, nuclear materials and drugs, designed and produced by VNIIA named after N. L. Duhov, are presented.

Wednesday 08/14/13 AM, Dartmouth: Lifecycle Safety (Chair: Swallom)

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore, Singapore
System safety analyses assess a system's hazards throughout all phases of the system life cycle. Quite often, details of maintenance tasks on systems are not clearly thought out and assessed. Hence, while in the midst of carrying out system maintenance tasks, hazards could arise and pose safety implications to users. Improper maintenance could also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance and sometimes total replacement of the components at regular intervals are required. Therefore, it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety critical or safety related parts is also crucial in ensuring that the systems remain safe for operation after maintenance is conducted.

This paper attempts to classify the different types of maintenance and the focus of their respective hazard analyses in order to better address their potential hazards. Generally there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance and Reliability-Centered Maintenance. The authors will discuss, with examples, the hazard analysis for each of these types of maintenance.

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram, David Hartfelder, Electronic Controls and Software, General Motors Company, Milford, MI, USA
System safety engineering is the application of special technical methods and managerial processes in a systematic manner to identify, evaluate and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned with eliminating or minimizing the impact of system hazard(s) to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementary critical safety analyses, tests and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase and continuing through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that they are able to influence the design of the system. This paper will define a system safety case and provide an overview of its development within the GM system safety engineering process as applied to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA
Error Prevention Event Collection (EPEC) Documents have been beneficial to the ULA Organization in many ways, by providing multiple methods to augment current ULA Error Prevention Processes and share Lessons Learned throughout the ULA Organization. EPEC Documents are stand-alone documents that provide ULA Personnel with categorized sets of Event information that can be used to augment Preventive Analysis, Reactive Analysis and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process; this means that they have completed the Causal Analysis, Corrective Action Board and Error Prevention Council processes. Upon Event closure, the "All Items" Database is populated with the Event information and the applicable Event EPEC Categories. The "All Items" Database then automatically sorts Event entries into "Category" Databases; there is one "Category" Database for each EPEC Category. Each "Category" Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" Database that provides users with instructions for use, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications and benefits will continue to be explored as they relate to the EPEC Documents.

Wednesday 08/14/13 AM, Exeter: Human Factors II (Chair: Flint)

Development of Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy; Yanyan Wang, DE; Xin Liu; Wei Bai; Xinsheng Guo; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress has a disadvantageous effect on flight safety. Life events are a routine item of aircraft accident investigation in many countries, and a lot of pilots involved in accidents were suffering from life events. In order to achieve the ideal effect, flight safety education must be incorporated with psychology. An education program combining flight safety and psychological stress was developed by summarizing the psychological factors relevant to aviation risk perception. The program includes three sections: psychological measurement relative to safety with feedback of results, education on representative risk scenes in aviation, and occupational stress management. The Aviation Safety Locus of Control scale and the Hazardous Aviation Attitude questionnaire were used to evaluate risk patterns. The results were fed back to the pilots to improve their self-knowledge. Representative risk scenes were based on the five hazardous attitudes theory; fifteen cases were developed, and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach the pilots stress management skills. The program can be applied to improve the flight safety and mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD; Xin Liu; Wei Bai; Xinsheng Guo; Qingfeng Liu, MPsy; Xiaochao Guo, DPsy; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
The capabilities of crew resource management (CRM) directly relate to flight safety and run through the whole process of flight tasks, but there are currently still no indicators and methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and pilots' behavior characteristics in dynamic CRM were developed based on AC-121-FS-2011-41 crew resource management training and by analyzing the influential factors; from these, the dynamic assessment training indicators and methods of crew resource management were eventually formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis of assessment of CRM during flight training, which is helpful for improving the CRM capabilities of the double-drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD; Erin Collins; Hughes Associates Inc, Baltimore, MD, USA
The fire protection response in selected facilities is characterized by "manual" activities. That is, facility personnel are trained to react immediately after fire detection, not only to announce the fire event throughout the facility using the communication systems but also to suppress the fire as quickly as possible. Contrary to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e., hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper involves an integration of event tree analysis and HRA, which includes treatment of the following detection and suppression activities: prompt detection and suppression, rapid detection and suppression, and fire brigade suppression.

Wednesday 08/14/13 PM, Berkeley: Safety Topics (Chair: Gauthier)

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou, BEng, MSc, PhD, CEng; Matthew Luckcuck; Tim Kelly, PhD; Richard W Jones, PhD; Department of Computer Science, University of York, York, United Kingdom
There has been an increasing use of IT in healthcare, aiming to improve the quality of healthcare as well as the safety delivered to patients. IT can contribute to meeting the performance targets of hospitals by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent in medical devices (e.g., pacemakers), for which there are organised efforts for international standards. Recently there have been attempts to systematise and standardise the safety analysis of health IT systems, with examples such as the UK National Health Service standards asking for a safety case that any IT systems are safe.


The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety and data-intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these tactics can be used to provide assurance to the final safety case of the system.

How Complex Systems Fail - I: Decomposition of the Failure Histogram
Richard R Zito, PhD, Richard R Zito Research LLC, Tucson, AZ, USA
Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that in general the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model, and the failure histograms (failure rate vs. time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report will take the Peterson/Arellano analysis one step further. A unified theory of failure rates will be presented that removes the paradoxes of the simple Rayleigh model. It will be shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function law.

Wednesday 08/14/13 PM, Clarendon: Risk Assessment (Chair: Karedes)

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt; Joan Pham, PhD; Sikorsky Aircraft Corporation, Stratford, Connecticut, USA
The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and their interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday 08/15/13 AM, Berkeley: Space Systems (Chair: Durmaz)

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X Dang, BSCE (1); Myles P Moran, BSME (2); Tyrone Jackson, BSEE (1); (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA
A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. As an example, one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 AFSPCSUP1, 91-217 and 63-101. AF program offices are required to comply with AFI policies; AFIs don't generally apply to the contractor except as implemented through the contract. Often, program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that by having two sets of requirements, AFIs for program offices and tailored MIL-STD-882 for contractors, full compliance with AF Orbital Safety policy should be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"


Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G McDougall, BS Physics, Naval Post-Graduate School (NPS) Master System Engineering, System Safety Center SMC/SE, El Segundo, CA, USA; Tyrone Jackson, BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA
Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommissioning and disposal of systems, subsystems, end items and services during the entire space system lifecycle to support Operational Safety, Suitability and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements applicable to the acquisition of space systems or space systems of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems and user equipment systems. SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP_I and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process for evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing the tasks and activities required to execute a viable system safety program, including risk acceptance package development, hazard tracking, mishap risk disposition and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch, CO, USA
United Launch Alliance launches Atlas V and Delta IV from the Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles. Large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle and prelaunch operations, until liftoff. Range Safety regulations provide safety requirements for hardware, software and operations to ensure safety throughout ground processing. This paper will examine each stage of the ground processing for space launch and the applicable safety requirements, and discuss how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after personnel are cleared, using safety critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday 08/15/13, AM, Clarendon: Weapons Safety (Chair: Southwick)

Security Critical Software — the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age

Showkat S. Alborzi, PhD, Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA

Today's political landscape, the arbitrary abandonment of non-proliferation of nuclear weapons by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense of system safety. This paper intends to explore this integration and unveil some of the security-critical software that can serve as the first line of defense for preserving the safety-critical features of our weapons systems.


Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics

John C. Adams, BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello, BSChE, Navy NOSSA, Indian Head, MD, USA

The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance provided in the associated AOP-7 and AOP-39 for implementing policy. Questions are often raised during program development and reviews as to the origin and applicability of the tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, addresses only Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects

Nga Pham, MS SE; Gunendran Sivapragasam, MBA SE; Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA

A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among the characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork, with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday 08/15/13, AM, Dartmouth: Hazard Identification (Chair: Oliver)

Closing the Gaps in System Safety Coverage

Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore

We often ask ourselves why accidents or mishaps happened even when the system safety methodology and assessments were in place. Accidents happen for many possible reasons: there could be lapses in the safety integrity of the system, a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns, in that a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations that were faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practice of system safety. There are 4 areas of concern highlighted in the paper: Interfaces, Prototype Tests & Trials, Maintenance & Disposal, and Human Error. By identifying the gaps in these 4 areas, the author explores and proposes mitigation measures that could close the gaps and improve the overall safety coverage in developing a new system or product.

ProgramISSC2013

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods

Thor Myklebust, Sr. Cand. scient., System Safety, SINTEF, Trondheim, Norway

Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body (for certification according to IEC 61508), a Notified Body (for certification according to the relevant EU directives) and a Manufacturer.

Experience has shown that, to deliver the product in time and to be cost-effective, it is very important that the Manufacturer and the Certification and Notified Bodies agree about basic principles concerning the plans, contents, traceability and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Bodies as evidence.

This paper presents the CoVeR method, which has been developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, that costs are minimized, that time to market is reduced, that the certification process is complete and well documented, and that updating the certificates requires less work. The certification experience to date shows that many of the problems with conventional methods are alleviated.

Design with Safety Eye

Barış Berk Erdem, MS; Pinar Aydin, MS; Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey

Deriving safety requirements in the early stages of the design is one of the most important key factors for conducting a successful development process for any project. Just as well-defined, correct, consistent and complete safety requirements improve and guide the design towards perfection with minimum effort, defective, inconsistent and incorrect safety requirements may lead to unsuccessful, overweight and over-cost designs. In this paper, ways and advantages of deriving qualified safety requirements in the early stages of the design will be discussed via examples. Safety requirements are derived using the results of the safety assessments, based on the consequences of functional failures. But the quality of the safety assessments depends on the maturity of the design, and as the design matures it becomes hard to change and to implement the changes, which causes a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated and familiar with similar projects provides great contributions. Also, a safety perspective throughout the design team makes it easy to derive valuable safety requirements and to build these requirements into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is the cooperation of the whole design team with a safety perspective.

Thursday 08/15/13, PM, Berkeley: Aerospace Software (Chair: Beecher)

Making the Implicit Explicit: Towards an Assurance Case for DO-178C

C. Michael Holloway, NASA Langley Research Center, Hampton, VA, USA

For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements." Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments contained in or implied by the DO-178C guidance that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic

Patrick J. Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore, developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper, we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels and Baconian probability. We define use cases for confidence in safety cases, prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for reuse of safety elements.

Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System

Eric Yang, PhD; Richard Y. Xie, PhD; Arash Yousefi, PhD; Metron Aviation, Inc., Dulles, VA, USA

As demand for military, civilian and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety that is set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper, we adapt a previously developed safety modeling framework, the Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and to evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS, incompatibility between the sense-and-avoid systems of UAS and the Tactical Collision Avoidance Systems (TCAS) of manned aircraft, loss-link procedures in the UAS, and UAS loss of communication with air traffic control. The findings of this study provide insight into the potential risks of UAS integration and may support development of a concept of operations, establishing minimum performance standards, and developing required safety nets.

Thursday 08/15/13, PM, Clarendon: Public Safety II (Chair: Laabs)

Integrating System Safety and Emergency Management

Terry L. Hardy, Great Circle Analytics, LLC, Denver, CO, USA

System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations, or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience, and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations

Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS, HSE, Marine Well Containment Company, Houston, TX, USA

Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess and Statoil. In February 2011, MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS and its Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach for working with member companies on hazard identifications to establish a baseline, and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.

WHAT ARE YOUR STRENGTHS AS AN ENGINEER?

"thinking system-wide" · "providing in-depth analysis of the latest technologies" · "solving real-life problems"

ONLINE MASTER'S DEGREES

- RELIABILITY ENGINEERING
- PROJECT MANAGEMENT
- NUCLEAR ENGINEERING
- SUSTAINABLE ENERGY
- ENERGETIC CONCEPTS
- FIRE PROTECTION ENGINEERING

LEARN MORE: www.advancedengineering.edu/issc

A Taxonomic Analysis on Chinese Special Equipments "Yinhuan" in Supervision

Yunxiao Fan, Dr., Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety at the worksite. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices and automobiles. In recent years, the rapid increase in the numbers and types of special equipment has placed BSES under increasing stress in regulating special equipment. As the government supervision organization, BSES tries to make the inspection tasks of the different supervision levels explicit and efficient, and to improve safety management performance from the viewpoint of risk. This research is the first task in a project which aims to identify yinhuans in special equipment supervision using a taxonomic approach, for further ranking them through risk assessment. Based on nonconformity and the 4 elements in the accident causation model, this research defined yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. This research identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans across 8 types of special equipment.

Thursday 08/15/13, PM, Dartmouth: Hazard/Risk Management II (Chair: Kniess)

Towards Automatic Verification of Safety Properties in AADL System Models

Stefan Björnander, MSc (1); Patrick J. Graydon, PhD (2); Rikard Land, PhD (1); (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method, supported by a framework, that includes analysers for safety cases defined in the Goal Structuring Notation (GSN) and for systems modelled in the Architecture Analysis and Design Language (AADL). In our approach, the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence; it can also ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events

James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA

United Launch Alliance (ULA) believes error reporting is the cornerstone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012, ULA experienced an elevated number of transportation-related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if the associated processes were in statistical control with respect to errors.

This paper concludes:

• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates processes were "in control" during the period of this study.

Even though statistical analysis tools demonstrated ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.

Isograph Software: World Leading Reliability, Availability and Maintenance Software

Reliability Workbench: Reliability Allocation, Prediction, FMECA, Fault Tree Analysis, Event Tree Analysis, Markov

Availability Workbench: Reduce Labor & Spares Costs, Increase uptime and output, Seamless integration with SAP and Maximo

www.isograph-software.com

Leading Indicators in Aviation Operations

Robert W. Fletcher, PMP, PEng, MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece

Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators based on the timely capture of significant sets of data can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how the STAMP Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents and incidents. The objective is to show the feasibility of establishing, in airports, system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems and airports to assess and predict changing levels of risk.


Special Functions

Saturday: SSS Executive Council Meeting, 12:00 - 5:00pm, Tremont Room

Sunday: SSS Executive Council Meeting, 8:00am - 5:00pm, Tremont Room

Monday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Opening Ceremonies / General Session, 1:30 - 3:30am, Salons A-E; 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus

Keynote Speaker: James P. Keller, Jr., MS, ECRI Institute

Tuesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Sponsor/Exhibitor Luncheon, 11:30am - 1:20pm, Salons A-E; Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology

Sponsor & Exhibitor Reception, 6:30 - 8:30pm, Gloucester Room

Wednesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

International Luncheon, 11:30am - 1:20pm, Salons A-E; Speaker: Dr. John McDermid, The University of York, UK

Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00pm; be in the hotel lobby at 6:00pm

Thursday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Awards Luncheon, 11:30 - 1:20pm, Salons A-E

Friday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Best Papers Presentations, 8:00 - 11:20am, Dartmouth Room

32nd International System Safety Conference, 4-8 August 2014 · St. Louis, MO

St. Louis Union Station Marriott Hotel

32nd International System Safety Conference · St. Louis, Missouri · August 4-8, 2014 · "Gateway to Safety"

Local attractions:

• Gateway Arch Riverfront
• Missouri History Museum
• Museum of Transportation
• St. Louis Cardinals
• St. Louis Symphony
• St. Louis Union Station
• St. Louis Science Center
• The Contemporary Art Museum St. Louis
• Bissell Mansion Restaurant and Dinner Theater
• Missouri Botanical Gardens
• Laumeier Sculpture Park
• Anheuser-Busch Brewery
• Kemp Auto Museum
• Schlafly Bottleworks
• Fox Theater
• Purina Farms
• Meramec Caverns
• Laclede's Landing
• City Museum
• Magic House
• Grant's Farm
• St. Louis Zoo
• Delmar Loop
• Forest Park
• Harrah's
• Six Flags

About the System Safety Society

The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program or activity at the planning phase and continues through the design, production, testing, use and disposal phases.

The Society's Objectives:

• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070; www.system-safety.org; email: systemsafety@system-safety.org

Points of Contact

Officers:

Robert Schmedake, President, robertaschmedake@boeing.com
Dr. Rod Simmons, Executive Vice President, rodsimmons@me.com
Dr. Matt Johnson, Executive Secretary, mjohnson@staudertech.com
Pam Kniess, Treasurer, pamkniess@gmail.com
Gary Braman, Immediate Past President, gbraman@sikorsky.com

Directors:

Gerry Einarsson, Chapter Services, einargk@rogers.com
Lynece Pfledderer, Conferences, Lynecepfledderer@lmco.com
Dr. Chuck Muniak, Education & Professional Development, cmuniak@stevens.edu
Debbie Hale, Gov & Intersociety, Hale0324@hotmail.com
Robert Fletcher, International Development, rwfletcher@sympatico.ca
Melissa Emery, Member Services, memery@apt-research.com
Steve Mattern, Mentoring / R&D, smattern@bastiontechnologies.com
Saralyn Dwyer, Publicity & Media, sdwyer@apt-research.com

Chapters

Tennessee Valley Chapter (AL): Don Swallom, swallom@isss-tvc.org
Saguaro Chapter (AZ): Amanda Boysun, 520-794-5487, AmandaBoysun@raytheon.com
Bay Area Chapter (CA): Graham Murray, 408-756-2674, grahamtmurray@lmco.com
Central California Chapter (CA): Kathleen Brenna, KathleenBrenna1@us.af.mil
Sierra High Desert Chapter (CA): Jerry Banister, 760-377-4690, safetycitadel@earthlink.net
Southern California Chapter (CA): Francis McDougall, 310-653-1309, francismcdougall@us.af.mil
Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppe@comcast.net
Georgia Chapter: Terry Gooch, 770-494-3527, terryjgooch@gmail.com
Winners Circle Chapter (KY/IN): Marc Bever, 812-854-1351, Marcbever@navy.mil
Twin Cities Chapter (MN): Bill Blake, 763-744-5086, billblake@atk.com
New England Chapter: Alan E. Southwick, 401-842-2067, Alan_E_Southwick@raytheon.com
Northeast Chapter: Scott Beecher, scottbeecher@PW.utc.com
New Mexico Chapter (NM): William (Bill) Harwood, williamharwood@mda.mil
Houston Chapter (TX): Derek Robins, 281-335-2011, derekrobbins@mwcc-usa.com
North Texas Chapter (TX): Frank Rinaldo, 817-762-3075, frankrrinaldo@lmco.com
Washington DC Chapter: Sean Peters, seanpeters@urs.com
Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerber@baesystems.com

International Chapters:

Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbecht@rgbassurance.com.au
Canada Chapter: Maury Hill, 613-220-0533, Mauryhill@rogers.com
Israel Chapter: Haim Kuper, 972-4-8315044, haimkuper@elbitsystems.com
Singapore Chapter: Ten Lin Mei, tlinmei@dso.org.sg


31st ISSC Luncheon Menu

Tuesday, August 13

New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14

Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15

Caesar Salad
Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce
White Chocolate and Blood Orange Torte


(safety cases and standards serve different purposes and should be seen as complementary) and present best practice (and misconceptions) regarding assurance cases.

Tuesday 08·13·13, 8:00-11:30, Suffolk: Tutorial (0.3 CEU)

Practical Generation of Safety Cases with the Help of GSN

Instructors: Andreas Gerstinger, Gabriele Schedl, Safety Management Department, Frequentis AG, Vienna 1100, Austria

This tutorial will introduce you to the concept of safety cases. Safety cases are structured arguments that support the claim that a system is safe to be used for a given application in a given environment. Several standards require the production of such safety cases as a prerequisite for approval. The tutorial will highlight good and bad practices when developing safety cases and will introduce you to a notation specifically developed for the generation of safety cases, the Goal Structuring Notation (GSN). There will be practical examples which need to be solved by the attendees so that hands-on practice and experience is gained.

Detailed outline of the tutorial:

Introduction (1h): The tutorial will start with a survey of current safety standards (IEC 61508, ISO 26262, EN 50128, DO-178C) and analyse their views and requirements regarding safety cases. We will then delve into the nature of safety cases, briefly touch on their historical origins, and clearly consider what can and what can't be expected from a safety case. Based on our practical experience, we will also highlight some typical bad practices when constructing safety cases. This helps to correctly and critically read them and is also a helpful guideline for reviewing other safety documentation. This part of the tutorial is largely a presentation.

Goal Structuring Notation (45min): We will now introduce the main elements of the Goal Structuring Notation (GSN), which is a helpful tool to document safety cases. The presentation of the notation will be interleaved with brief examples, exercises and questions, so that attendees have the chance to fully understand the meaning and purpose of the various symbols. A structured method for how to proceed when drafting safety cases will also be presented. Hence this part of the tutorial is much more interactive, requiring active participation of attendees.

Case Study (45min): A realistic case study will then be handed out. It is expected to be solved as group work (groups of 3-5 people are expected). The task of the groups will be to draft and present a sound safety argument for a given claim that the system in the case study is acceptably safe for a specific application in a given environment. GSN shall be used as the notation for this purpose. At the end, the groups present their solutions, and the advantages/disadvantages of the presented solutions are discussed. This part of the tutorial is group work.

Concluding Remarks (30min): Finally, we will offer some concluding remarks consisting of hints on how to avoid common errors and fallacies in safety cases, show some examples of real-world safety cases, and finish with a personal conclusion.

Tuesday 08·13·13, 1:30-5:00, Suffolk: Tutorial (0.3 CEU)

Improving Safety Management by Using a Risk Management Policy in Your Daily Operations

Instructor: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA

The focus of the tutorial is the use of risk assessment and risk management in the (non-technical) occupational safety and health profession. Domain of Interest: Hazard/Risk Management or Workplace Safety.

First hour: Review the basics of the various components of risk and the types of risk assessments. Stress that the safety and health professional needs to understand that risk is more than a simple subjective measure of severity and frequency.

Second hour: Demonstrate how to make risk assessment into a powerful management tool by customizing the assessment of risk for use in a company or industry. Also provide insights on how to "sell" a risk management policy/program within a company.

Third hour: A discussion of how to use risk management as a tool to aid you in your daily office or program management responsibilities: the planning, organizing, staffing, leading and controlling of a safety program. Embedded in the discussion is how risk can provide a measure of the success of an occupational safety and health program.

Wednesday 08·14·13 8:00-11:30 Fairfield Tutorial 0.3 CEU

Why You Should Care About the “-Ilities”
Instructors: Alan E. Southwick, BSEE, MME, MBA, CSP, CQE, CRE, Whole Life Engineering Directorate, Raytheon Company, Integrated Defense Systems, Portsmouth, RI, USA
The topic addresses the interrelationships developed from Quality, Quality Control, and Quality Engineering, pursuing Specialty Engineering roles and relationships including Reliability, Maintainability, Supportability, Human Factors, Safety, and Security (Information Assurance) from an overview perspective. The tutorial is designed to be somewhat interactive, presenting examples and questions to the audience related to the various topics discussed, thereby engaging participants and providing them with insights into the various disciplines and how they relate within “Specialty Engineering.”

Wednesday 08·14·13 1:30-3:30 Dartmouth Tutorial 0.2 CEU

Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System
Instructors: Tim R. Behnke, BSEE; John Damstra, BS Mathematical Sciences; and Eric D. Villhauer, BS Aerospace Eng., BA Economics; Specialty Engineering, General Atomics Aeronautical, Poway, CA, USA
The presenters share their implementation of a hazard analysis that integrates the civil aviation approach to safety analysis per SAE ARP 4761 and the defense approach to safety analysis per MIL-STD-882E, along with their implementation of the associated hazard tracking system in DOORS.

• Introductions - Behnke - 5 mins
• Need for System - Behnke - 5 mins
• Groundwork (historical) - Behnke - 10 mins
• Development - Damstra - 30 mins
  i. Modules  ii. Attributes  iii. DXLs  iv. Views  v. Exports
• Usage - Villhauer - 30 mins
• Questions - All - 10 mins

Program ISSC 2013


Wednesday 08·14·13 1:30-3:30 Exeter Tutorial 0.2 CEU

Where Hard Meets SOFT: Human Factors Role in System Safety Engineering
Instructors: Fred W. Brisbois, CHCM, Safety, Sikorsky Aircraft, International Helicopter Safety Team, Guilford, CT, USA
The gap that allows accidents to happen is sometimes where System Safety Engineering and Human Factors don't overlap. System Safety Engineering processes defined in MIL-STD-882 and ARP 4761 provide a structured approach for applying engineering practices to ensure safety is designed into products. These practices, coupled with robust product safety surveillance and management during the aircraft's service life, offer opportunities to continuously raise the standards for future designs. However, to maximize the benefits of safety engineering, it is important to master the 'art' of how and when to integrate human factors interventions into the system design. This session will cover a generic overview of system safety engineering, aircraft fleet safety management, and lessons learned from 'human' malfunctions that led to aircraft system design changes.

Wednesday 08·14·13 1:30-5:00 Wellesley Tutorial 0.3 CEU

Using Risk Profiles for Safety Management of Large Scale Operations
Instructors: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA
This tutorial provides safety and health professionals who work with large scale or multiple operations with a methodology to evaluate and compare these operations. The tutorial begins with a review of four types of risk which need to be assessed (People, Product, Production, and Planet). This is followed by a brief discussion of normalizing the risk components of severity and probability. The heart of the tutorial is the description of how to measure the total risk of various operations, processes, and facilities and present the resulting risk profiles to management. The tutorial will conclude with a brief discussion on the validity of the methodology used. Note: This is not a discussion on how to determine true total risk, but a simplified method using a minimum of math. The tutorial is designed for safety and health professionals working within a company that has multiple processes or facilities that compete for funding to ameliorate hazards.

Thursday 08·15·13 8:00-5:00 Exeter Tutorial 0.6 CEU

Conceive of Modeling On Operation Mechanism of Public Safety Standardization
Instructors: Yun Luo and Yuecheng Huang, ME, School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
On the basis of the theories and methods of system science and strategy-system, this paper revealed the operation law of standardization of safety production and the relations between all the elements, combined with the background and current situation of public safety standardization in China. It also built the frame of the macroscopic operating mechanism and the “456” model of the work safety standardization system operation mechanism, which borrowed the idea from the execution and achievement of work safety standardization in our country. Besides, it also designed six other mechanism models in order to do systematic analysis and present optimized countermeasures, such as comprehensive management by government, categorized supervision by department, implementing responsibility by organization, technological service by agency, wide participation by society, self-disciplined prodding by entire personnel, and so on. The research provided some theoretical directions as well as approaches for the construction and improvement of the operation quality of public safety standardization.


Panel Discussions/Forums

Tuesday 08·13·13 8:00-11:30 Dartmouth Open Forum

Developing Global System Safety Perspectives
Moderator: Robert Ward Fletcher, PEng, MSc, PMP, PCIP, Consultant, President, Robert Fletcher System Safety Inc., Ottawa, Ontario, Canada
This will be a free-form discussion moderated by Bob Fletcher, SSS Director of International Development. It is a continuation of the discussion started during the 30th ISSC.

Robert is a system safety engineer with many years of experience. He has performed system safety consultancy services work for several clients around the world. He performed system safety engineering and safety management systems training, auditing, and analysis for air traffic control and flight service system applications. Robert has received an MSc from the United States Navy Post Graduate School, a diploma from the Aerospace Systems School, Winnipeg, Manitoba, and a Bachelor of Science degree from the Royal Military College. He is a registered professional engineer, a member of the Project Management Institute, and a member of the Critical Infrastructure Institute.

Thursday 08·15·13 8:00-11:30 Suffolk Panel

G-48 Workshop - Pressing Issues Facing System Safety
Moderator: David B. West, CSP, PE, CHMM, Systems Software and Solutions Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
A panel of speakers (TBD) will give a series of presentations on the most pressing issues facing the System Safety community today.

Workshops

Tuesday 08·13·13 8:00-11:30 Exeter Workshop

ISO 26262-Style Risk Assessment
Presenter: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada
ISO 26262 is a functional safety standard for electronic control systems in road vehicles which includes a novel approach to risk assessment that overcomes the widely recognized difficulty of evaluating the likelihood of failure in the case of software-intensive systems. Although it was devised for use in the automotive domain, this approach to risk assessment has been used successfully in other technical domains that also rely on safety-critical software. Following a brief introduction to ISO 26262, participants will engage in a series of problem-solving small-group exercises based on examples taken from a variety of technical domains including automotive, medical devices, energy, and defense. The workshop will include opportunities for discussion and comparison of sample solutions. The workshop will also include a brief comparison of the ISO 26262 approach to risk assessment with the notion of software criticality in MIL-STD-882E. While this workshop will be of particular interest to system safety engineers in the automotive industry, it is intended to be relevant to system safety engineers across all technical domains with an interest in the assessment of safety risk associated with complex software-intensive systems.



Tuesday 08·13·13 1:30-5:00 Exeter Workshop

Application of System Safety Methods to Systems of Systems
Presenters: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada; Rami Debouk, Electrical and Controls Integration Lab, General Motors, Warren, MI, USA; Antonio Vergara, ITER Organization, St. Paul-lez-Durance, France
This workshop will facilitate an exchange of knowledge among participants about the application of system safety methods to Systems of Systems (SoS), that is, systems whose components are themselves complex systems such that the combined behavior of these components cannot be easily understood or explained in terms of the behaviors of the individual components. Examples of such systems are increasingly common across a variety of technological domains including aerospace, defense, automotive, and energy generation/distribution. Traditional methods of system safety, focused on component failure as a source of safety risk, have limited value in understanding and managing the safety risks associated with a SoS. For example, an unforeseen interaction between two “correct” behaviors implemented by different components of a SoS may result in an unsafe behavior even in the absence of a component failure. The first part of the workshop will be a series of short presentations on SoS examples from a diverse variety of technical domains, namely advanced road vehicles, high energy physics, and aerospace/defense. The second part of the workshop will be an opportunity for all participants to address specific questions about the application of system safety methods to SoS through dialogue and impromptu mini-presentations.

Tuesday 08·13·13 1:30-5:00 Fairfield Workshop

Advancing Safety By Reducing Errors: A Fresh Approach
Presenter: Tim Autrey, BSc, Error Reduction and Human Performance Enhancement, Practicing Perfection Institute Inc., Swanzey, NH, USA
Potential hazards workers face while working in the refining and petrochemical industry can vary from minor leakage to major blasts: release of chemical vapors, spills leading to exposure to harmful gaseous chemicals, fires and explosions, smoke build-up causing shelter-in-place and impacting the local community, personal injuries, fatalities, and plant damage resulting in shutdowns. Considering time pressures, the dangerous nature of the job, weather conditions, lack of communication, poor/inadequate documentation, and remote working locations, planners, locators, and refiners often face combined challenges that generate very error-likely conditions.

While unexpected releases of toxic substances do occur, the industry is subject to vulnerabilities caused by others (such as processes involving highly hazardous chemicals leading to the release of flammable liquids and gases, and worker stress and fatigue), and investigations reveal that many of the major accidents that do occur could have been prevented through greater diligence on behalf of the respective personnel involved.

This workshop is designed to provide the participants with the awareness that, as humans, we are fallible (even the best people make mistakes). However, this being said, as humans we also possess the incredible power of choice. What we must do is choose to learn from our mistakes and take actions to prevent their recurrence.

Bird and Germain (1996) rightly said, “What is the sense of measuring if the loss must occur before you can act? That is reaction, not control.” What we need is a fresh approach to enhance safe work practices. This session will instill a strong understanding of “The Gap” in processing information and how to RESPOND rather than REACT when posed with a stressful or threatening situation. The participants will come to recognize the value inherent in worker contribution to solving problems and improving safety and efficiency.

The Practicing Perfection® approach has taken the best-of-the-best tactics and tools from the US commercial nuclear power and airline industries, simplified them, and combined them with the underlying triggers and influencers of behavioral psychology to transform worker behaviors pertaining to personal and process safety in different sectors.


Using this innovative Practicing Perfection® approach, safe work practices will be discussed in depth using the four human error barrier/defense categories and how these work together to prevent/allow an event to occur. The participants will be introduced to the Error Elimination Tools™ handbook, which offers simple tools for minimizing the potential for error at points of team interaction and individual execution.

Wednesday 08·14·13 1:30-3:30 Arlington Workshop

The Evolution of the UK Defence Safety Standards
John McDermid, Professor of Software Engineering at the University of York, UK
Issue 5 of DS 00-56 is being developed and is likely to be in force before the end of the year. The UK's primary defence safety standard, DS 00-56, has been in existence since mid-1990 and has undergone a number of changes, becoming more goal oriented at Issue 4 (the current standard). When Issue 4 was produced, DS 00-55, the MoD software safety standard, was discontinued. Since the publication of DS 00-56 Issue 4 in 2007 there has been feedback on some of the requirements, including the challenges of applying the ALARP principle; defence contracting has changed, with a move towards the greater procurement of services and/or outsourcing management of facilities; and there is increasing use of Systems of Systems (SoS). Issue 5 of DS 00-56 is being developed to address these issues. At the same time there have been increasing concerns regarding software safety, and it has been decided to re-introduce DS 00-55 at the same time, albeit in a goal-based style consistent with DS 00-56 and also covering complex electronics. The tutorial will present an explanation of the motivation for the changes to the standards and the significant conceptual changes, and outline the rest of the development process. Time will be allowed for discussion, e.g. the relationship between DS 00-56 and other standards, both civil and military.

Wednesday 08·14·13 1:30-3:30 Fairfield Workshop

Aircraft Fire & Explosion: How Safe Are the Friendly Skies?
Albert Moussa, PhD, PE
While commercial air travel is an extremely safe mode of transportation, aircraft fires and explosions can occasionally occur with catastrophic consequences. Using examples of recent accidents and full-scale testing, Dr. Albert Moussa will provide an overview of the main types of fires, such as those involving aircraft engine, fuel tank, cabin, and cargo areas. He will show how major accidents lead to safety recommendations by the NTSB, stricter requirements by the FAA, and improved practices by the industry. This process takes many years, leading eventually to safer skies. Examples of safety improvements include the use of a fire blocking layer in seats, improved acoustic insulation, fire detection and suppression systems in cargo bays, and fuel tank inerting. The implications of replacing aluminum with composite materials will also be discussed. The talk is an overview of a unique professional course that he teaches annually on the design of aircraft systems for protection against fire and explosion. The talk is a multi-media presentation illustrated with colorful slides and short video clips of real accidents and computer model outputs.

Dr. Albert Moussa has spent over forty years developing a fundamental understanding of fire and explosion, particularly for the aerospace/defense industry. His work has led to the development of a number of practical solutions and quantitative models and to the investigation of several major national and international aircraft fire accidents. His forewarning about the vulnerability of aircraft fuel systems before the occurrence of the TWA800 and Concorde disasters has gained him prominence in the general media in both the US and Europe. He has consulted for the Air Force, Navy, and major firms such as Boeing, GE, Northrop Grumman, and Parker Hannifin, and has served on national advisory committees and on the Editorial Board of an ASME Journal. He teaches a unique professional design course on how to protect aircraft systems against fire and explosion. He received his BS from Stanford University and his MS and ScD from MIT. He has published widely, including one book. He has received several honors including the William Littlewood Memorial Lecture Award by SAE/AIAA, Engineer of the Year by AIAA NE Section, best papers by SAE and ASEI, AIAA Distinguished Lecturer, and several ASME citations. He is the Founder and Technical Director of BlazeTech Corp., an engineering firm that specializes in technology and software development in the area of energy, environment, and safety.

Friday 08·16·13 8:00-10:00 Clarendon Workshop

Process Safety Culture Best Practices
Presenter: Laurence Pearlman, MA, Corven Inc. and University of Illinois at Urbana-Champaign, Naperville, IL, USA
The workshop explores how process safety is more than a technical solution and involves cultural change. To make a successful and sustainable culture change, multiple elements need to be combined that address people, rewards, learning, and leadership. This workshop will explore best practices and give practical advice on how to build a process safety culture. The workshop is aimed at Oil, Chemical, and other process related work.

• Introduction
• Change as a Journey: Overview of Change Management
• Building a Business Case: Defining a Burning Platform
• Speaking of Process Safety: Creating a Common Language for Process Safety
• Leadership Matters: Defining the Role of Your Leadership Teams
• Effective Learning: Segmenting Your Audiences and Delivering Relevant Learning Activities
• Looking at Behaviors and Desired Outcomes: How To Define & Drive Behaviors
• The Employee Lens: Know My Barriers & Know My Role in Keeping Them Healthy
• Measurement of Culture: What Works and What Doesn't
• Wrapping it Up: Change as a System

Advertisement: AST Aerospace, a division of Atlantic Software Technologies

You have a lot on the line. Our adaptive Safety Management and FAA Compliance solutions won't let you down.

Adaptive SMS: The comprehensive solution for the most efficient implementation
Extends a culture of safety beyond safety teams
Easily guides users to confidentially report useful safety events
Responsiveness shows users they made a difference

Adaptive Systems Safety Analysis: Safety-oriented system design analysis

Don't miss the Sikorsky Aircraft and AST Aerospace presentation “Linear Integrated Safety Analysis (LISA)”

1-732-230-2590 | sales@astaerospace.com | www.astaerospace.com


Paper Presentations

Monday 08·12·13 AM Berkeley Hazard Analysis Chair: Barondes

Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models
Lucas Wind, Dr. Gabriele Schedl, Juergen Floetzer, Safety Management Department, Frequentis AG, 1100 Vienna, Austria
Multiple failures of components due to shared causes, also known as Common Cause Failures (CCF), comprise an important class of failure types. These have to be taken into account in any serious assessment of safety critical systems deploying any redundancy concept. Whereas a qualitative assessment of CCF can be regarded as common practice, the exact numerical impact of CCF is usually less widely understood. Explicit representation of CCF is quite cumbersome and usually involves complex graphical representations within Fault Trees and RBDs. Focusing on a correct derivation of RAM-data rather than on a comprehensive common cause analysis, an implicit representation of CCF is therefore often preferred, but it requires in-depth knowledge of the underlying mathematical models. This paper aims to enable safety experts to make a fast, simple, but effective RAM-analysis including CCF. Popular CCF-models are reviewed together with their advantages and disadvantages, based on the long-term experience of a supplier in the context of a large European ATM-project. The single parameter beta-factor model is explained in detail and demonstrated to be most effective for typical ATM-applications. Based on this model, results are given in terms of representative figures depicting the influence of CCF on various typical real world availability requirements.

Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees
Wes Rainey, MSEE, Life Cycle Engineering, General Dynamics Electric Boat, Groton, CT, USA
Fault Trees prove to be an effective tool for identifying safety critical system hardware and software requirements during the Safety Requirements Hazard Analysis (SRHA) process. This safety analysis methodology offers significant benefits when performing the SRHA. Fault Trees effectively communicate the safety assessment of a safety hazard to other safety engineers, systems engineers, the customer, and other impacted engineering disciplines in a manner that each discipline can readily understand and evaluate for completeness and correctness. Fault Trees also enhance the safety engineer's ability to assess the implications of safety mishaps and events on safety hazards, improving visibility into the relationship between related mishaps and events and allowing common events to be identified and shared between hazards. Fault Trees can then be structured to correspond to the system hardware and software requirements analysis, thus providing the ability to identify hazard mitigating safety critical requirements, design features, and procedures early in the development process for continued tracking and management. This paper describes the significant benefits of Fault Tree analysis when applied to an SRHA, with an example based upon a hazard caused by significant equipment damage to a pump.

The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment
Omar T. Jaradat, PhD Student (1); Patrick J. Graydon, Postdoctoral Research Fellow (1); Iain Bate (2). (1) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden; (2) Department of Computer Science, University of York, York, United Kingdom
Typical safety standards require software engineers to show that a plan of safety activities, chosen from recommended options or alternatives, meets a set of objectives. For example, the automotive safety standard ISO 26262 recommends formally verifying software architectures to show that they comply with safety requirements. In this paper, we show how an existing approach to architectural model checking could be used to conform to ISO 26262.

The Architecture-Based Verification Technique for AADL Specifications verifies some completeness and consistency properties of Architectural Analysis and Design Language (AADL) models. An engineer transforms the AADL architecture into an UPPAAL model, generates a set of UPPAAL queries, and uses UPPAAL to check the queries. Using the resulting evidence, we have created a partial ISO 26262 safety case for an existing system that warns drivers of heavy vehicles before low fuel causes loss of power and vehicle control.

In this paper, we demonstrate how this model-checking evidence contributes to an ISO 26262 safety case. We then critically analyze the resulting argument, recommend means of achieving complete coverage of ISO 26262 objectives, and discuss the costs and benefits of architectural model checking in comparison to those of the other techniques recommended by ISO 26262.

Monday 08·12·13 AM Clarendon Ground Transportation Chair: Millin

Achieving Confidence of a Safety Critical System Product and Its Applications
Fenggang Shi, PhD, RAMS Department, Thales Canada Transportation Solutions, Toronto, ON, Canada
A safety critical system product can be developed for multiple project applications, such as a Communication Based Train Control (CBTC) product for modern railway signaling systems. It is natural that different safety critical systems in the same domain can have different characteristics due to variances of devices and operation environment. Such a product must be developed based on the generic attributes of systems in the domain and can be parameterized and tailored to a specific system with the characteristics expected by the customer. The key issues in the development of such a product are defining common functions in the application domain, categorizing and generalizing devices, and designing a configurable system architecture. Thus devices and functions can be parameterized and tailored for the specific system of a project. Safety engineering for such a safety critical system product and its applications faces complexity in safety case development for demonstrating systematic hazard analyses and management. This paper discusses Thales' experience and practice of resolving the key issues in designs and managing the complexity of safety engineering on its CBTC product and applications. Safety confidence of CBTC systems is achieved through four layers of safety engineering: vital computer controller, platform, generic application, and specific application.

Failure Logic Automata for Future Oriented Safety Assessment of Train Control System
Guo Zhou, PhD Student; Huibing Zhao, Professor; School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China
In the development process of a train control system, safety analysis possibly deviates from system design. System engineers and safety engineers always carry out their ideas in entirely different ways, so that when system engineers assert their designs are complete and feasible, the safety engineers may disappointedly declare that the safety requirements are not met. On the contrary, when safety engineers expose their manual analysis reports (FTA, FMECA, etc.), system engineers may pop up and point out the inconsistency. Intuitively, there seems to be a “gap” between system engineering and safety engineering. In this paper, some comparisons amongst classic safety assessment methods are performed first. Then a future oriented safety assessment method is introduced to safety engineering to automatically realize safety requirements verification with the soaring complexity of system design. The hierarchical and modularized methodology of failure logic modeling is illustrated for minimal cut sets synthesis and dangerous failure rate calculation, which can be referred to in order to promote safety. The mathematical model is constructed to manifest the correctness of the method. An instance analysis of an on-board train protection system is also performed.

Are We Ready for Driverless Cars?
David B. West, CSP, PE, CHMM, AMCOM/AMRDEC Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
For decades, technological advancements have continually improved the automobile, making it easier to drive. As we integrate features like adaptive cruise control, GPS navigation, lane keeping, and so on, and make them interoperable, we move ever closer to having cars that will drive themselves to the destinations we enter into their programs. Some experts have even predicted that in less than a generation it will be illegal to steer our cars ourselves. Though it may seem that serious safety challenges constrain our movement down this path, it may actually be the safety benefits offered by driverless cars that propel us in this direction. Several high-profile competitions have fostered the development of driverless car technology. Some jurisdictions are already passing legislation to pave the way for driverless cars on public roads. With driverless cars will come major changes in legal processes involving accidents. In many ways, the development of driverless cars that will operate on public roadways parallels the development of unpiloted aircraft that will fly in the national airspace. Design standards for hardware and software in civil aircraft (e.g., RTCA DO-254/DO-178) may serve as models for similar qualification of driverless car hardware and software.

Tuesday 08·13·13 AM Berkeley Hazard/Risk Management Chair: Parizo

Safety is not an Option
Clifford A. Parizo, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Stratford, CT, USA; R. Brandon Daugherty, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Huntsville, AL, USA
This paper presents a method for evaluating and classifying rotorcraft safety enhancing equipment in terms of impact on safety and various equipment implementation factors. Guidance from certifying agency policy and system safety standard practice were considered, resulting in a classification tool that can be used to determine if equipment should be marketed and sold as either mandatory or optional. The methodology developed may have applications for other products and industries.

National Aerospace Standard 411 Update
Timothy Sheehan, CIH, CSP, PE, Raytheon Global Substances Program, Raytheon, Portsmouth, RI, USA
This paper describes the effort to review and update National Aerospace Standard 411 (“NAS 411”), commonly used within defense as a framework to conduct Hazardous Material Management Programs (HMMP) intended to reduce hazardous material risks in the government procurement of military systems. The scope of the effort includes both a review of the standard and the introduction of several key changes, including the expansion of the scope to non-military procurements and service contracts. Included in the effort is the task of developing a standardized military Hazardous Materials Target List (HMTL) that can be used as a starting point for military HMMP hazardous material (HAZMAT) target lists. The development of the common HMTL addresses the need to increase standardization of HMMP lists across defense programs that use NAS 411 and/or MIL-STD-882E Task 108 to conduct their HMMPs. There is no current standard approach for developing these lists; as a result, there are numerous different materials identified for restrictions and reporting requirements. The current situation often does not support (or reflect) the hazmat risk management goals of the DoD, the military services, or the contractors.

Linear Integrated Safety Analyses (LISA)
Michael T. Grant, Aviation & Product Safety, Sikorsky Aircraft Corp., Stratford, CT, USA; Samad Muhammad, Atlantic Software Technologies Inc., New York, NY, USA
This paper describes the Linear Integrated Safety Analyses (LISA) process developed by the Sikorsky Aircraft Corporation (Sikorsky). The LISA architecture is designed to encompass all aspects of safety risk management for aircraft development programs. It is linear in that each assessment is repeated at the aircraft, system, and subsystem levels in sequence, and it is integrated such that all analyses are connected and fully traceable to requirements. Sikorsky has partnered with Atlantic Software Technologies (AST) to develop a web-based LISA application. The end product will be a fully integrated system safety process that is comprehensive, repeatable, and traceable.

Tuesday 08·13·13 AM Clarendon Workspace Safety Chair: Kondreck

Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen
Han Zhang, MSc Candidate; Rachel McQueen, MS, PhD; Jane Batcheller, PhD; Human Ecology, University of Alberta, Edmonton, Alberta, Canada
Burn injuries in kitchens are prevalent; as well, chefs are exposed to high heat and humidity. Limited research has been performed on safety issues related to chef's uniforms regarding thermal protective performance against common kitchen thermal hazards (i.e. flames, hot liquids, steam, and hot surfaces) and thermal comfort within commercial kitchens. The purpose of this research was to characterize the thermal protective performance properties of textiles used in chef's uniforms in order to understand how protective they are against all these thermal hazards in such an environment. Selected thermal performance tests (i.e. flammability and ease of ignition, hot water and oil splash, steam testing under low pressure, and hot surface contact tests) were applied to predict the time to second-degree burn. Different fabric layer combinations (e.g. impermeable/semipermeable apron and two or more layers of cotton fabrics) were applied to determine the most effective way to wear chef's uniforms. In addition, thermal and water vapour resistance were compared among different fabric systems in terms of thermal comfort. Based on the data obtained from bench scale tests, recommendations were made to improve the thermal protection and thermal comfort of fabrics used in chef's uniforms and the safety within commercial kitchens.

A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources
Ray Fischer (1); Kurt Yankaskas, BS (2); Chris Page (1). (1) Noise Control Engineering, Inc., Billerica, MA, USA; (2) Warfighter Performance Department, Office of Naval Research, Arlington, VA, USA
Noise remains the most prevalent occupational hazard associated with defense systems and operations critical to their sustainment. Concurrently, acquisition programs have been inconsistent in the application of control measures, and many new systems are noisier than their legacy predecessors. Common impediments to improved control include a relative lack of emphasis on risk management of noise, lack of widespread technical knowledge regarding the feasibility of noise control, and misunderstanding of the potential return on investment from noise controls. The Defense Safety Oversight Council's Acquisition and Technology Task Force sponsored a project to identify common noise sources affecting multiple defense systems that were amenable to control measures that could be implemented using existing technologies at an affordable cost. A system engineering risk management process was applied to review key noise sources in DOD, identify nine of the more common sources amenable to control technologies, and describe common control measures for these processes. An affordable containment (acoustic enclosure) technology was also evaluated and described. Estimates were made of exposed populations, the range of their occupational exposures, and the potential risk and fiscal cost of hearing loss. Cost-benefit analyses were applied to evaluate the return on investment from available control measures.

System Safety Design for Safe Operation of Radars
Ronald J. Bartos, PE, CSP, Whole Life Engineering, Raytheon, Sudbury, MA, USA
Safe operation and maintenance of radars depends upon effective system safety and software safety analyses of radar designs. These analyses include identification of the hazards involved in operating and maintaining radars and the safety requirements that are necessary to mitigate these hazards. This paper familiarizes the reader with the system safety design requirements that are implemented in the controls of these systems in order to manage the potential safety risks inherent in radars. The safety features are contrasted among different types of radars. The differences in the types of safety features among these systems are highlighted, and factors for these differences are presented. The radar's mission, location, system architecture, conceptual design and requirements allocation between hardware and software need to be understood in order to implement an effective safety program.

Tuesday, 08/13/13, PM, Berkeley: Software Engineering (Chair: Mikula)

Dependability Techniques Applied to Space Software: A Research Project Report
Carlos Henrique Netto Lahoz, Dr. Eng., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos (SP), Brazil; Martha Adriana Dias Abdala, M.S., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos, Brazil
This work reports some results of a research project performed at the Institute of Aeronautics and Space (IAE), Brazil, using dependability techniques applied to a space computer system. Hazard analysis techniques such as Software FTA and Software FMECA were used in an integrated manner, and more recently the System-Theoretic Process Analysis (STPA) has been studied. This research is part of the Verification and Validation (V&V) efforts to increase software dependability capability in software projects at IAE.

The feasibility of such an approach was assessed on a system software specification and applied to a case study based on the Brazilian Launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to the inclusion of new functional and non-functional system software.

The techniques are adjusted and used in combination to identify common causes of software failures, their criticality, performance problems, temporal misleading and hazards arising mainly from dysfunctional interactions between components. The SFTA analysis produced 82 basic events and the SFMECA 34 analyses from the sequence of flight and control events. The STPA is being applied to one of the case study scenarios in order to evaluate possible additional information about how the behavioural safety constraints can be violated.

The Principles of Software Safety Assurance
Richard Hawkins, PhD; Ibrahim Habli, PhD; Tim Kelly, PhD; Department of Computer Science, University of York, York, United Kingdom
We present common principles of software safety assurance that can be observed from software safety standards and best practice. These principles are constant across domains and across projects and can be regarded as the immutable core of any software safety justification. The principles also help maintain understanding of the 'big picture' of software safety issues whilst examining and negotiating the detail of individual standards, and provide a reference model for cross-sector certification.

Formal Modelling in the Development of Dependable Systems
Elena Troubitsyna, PhD, IT, Åbo Akademi University, Turku, Finland
Nowadays we tend to place increasing reliance on computer-based systems and the software which they are running. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, the analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.

It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing of software to the required degree of dependability infeasible, and hence the emphasis should be put on a development process which is aimed at producing fault-free software. Moreover, the system environment has a direct impact on its dependability, and hence a systems approach should be applied.

In the paper we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.

Tuesday, 08/13/13, PM, Clarendon: Aerospace Safety (Chair: Kraemer)

Systems-Based Approach to Flight Safety Management in Airlines
Hong Chi, PhD; Baoguang Xu, PhD; Mingliang Qi, PhD; Xueyan Shao, PhD; Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China
Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of SMS. From 2006 we have worked with one of China's 3 big airlines, taking part in its construction of SMS. We find that safety risks have their own features in different airline departments, and divide safety risks into two categories: one is caused by factors such as quality of pilots and reliability of airplanes, and the other is caused by misprocessing through operational processes; for example, a misprocessing in data entry during dispatching may lead to insufficient fuel and then serious outcomes. A reasonable risk assessment can be obtained only by systematic mechanism analysis, and other analytical approaches need to be studied besides the risk matrix. Based on this, effective risk mitigation can be implemented in airlines. We develop a closed loop to support airlines' flight safety management named "Describing-Assessing-Diagnosing-Improving-Tracking". Specific details will be discussed in this paper.

Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch
Burak Durmaz, MSc Eng., Product Assurance Department, Space Systems Group, Turkish Aerospace Industries, Inc. (TAI), Ankara, Turkey
Even if the new generation aircraft have rugged designs which maximize reliability, exposure to failures during operation is still inevitable. With a pure safety approach one can arrive at the classical result "the safest aircraft is the one in the hangar". Vice versa, allowing dispatch without ensuring a certain level of safety can lead to catastrophic results and is totally unacceptable. The MMEL has been answering this dilemma for many years. Each MMEL item is analyzed taking into account the effects of item inoperability on safe flight and landing, crew workload, functional capabilities of the systems, design margins and the impacts due to the next critical failure. The MMEL proposes dispatch criteria for any inoperative MMEL item by taking credit from a redundant unit which is capable of accomplishing the same function or the backup data provided by alternative sources or equipment, dictating acceptable limitations and/or requiring operational or maintenance procedures.

This study aims to answer questions such as why the MMEL is required and how an MMEL is developed. Also, brief information about the MMEL regulations, the importance of the MMEL to ensure safe dispatch with inoperative item(s), and some simple examples regarding MMEL applications will be provided.

Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics
Stuart Campbell, Sr., MAS, CFII, ATP, Aeronautical Science, Embry-Riddle Aeronautical University, Daytona Beach, FL, USA
The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilots Association, 2010). The absence of a positive safety culture in general aviation, to include training organizations, affects pilot judgment and decision making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture during the learning process and training, is of importance and currently under study using the Frasca Mentor Advance Aviation Training Device.

Tuesday, 08/13/13, PM, Dartmouth: Software Safety (Chair: Schmedake)

Safety and/vs. Security: Towards a System Engineering Approach for Trust
Erwin Schoitsch, Dipl.-Ing., Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria
Safety has a long tradition in many engineering disciplines, evolving long before computers arrived on the scene. Security in engineering disciplines has a shorter history, becoming increasingly important with the rising complexity of networked systems. In complex cyber-physical systems and systems-of-systems, both worlds, having ignored each other for a long time (independent communities, different targets, standards, techniques and measures), now have to share their concerns to achieve the real goal of users and stakeholders: trustworthy systems.

The paper will compare the different approaches of the major safety and security standards, particularly with respect to setting goals, considering techniques and measures, and qualification/certification. Holistic system aspects, as covered by the notions of Dependability and Resilience as umbrella terms, and system engineering aspects taking into account dichotomic properties of complex embedded systems (commonalities and trade-offs) are looked at to try to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from the concept phase, hazard and risk analysis to decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC-FP7 Integrated Project OpenCoss, in IEC/ISO standardization groups and other work.

Anatomy of a Safety Critical Software Function
Richard Church, Raytheon Company, Tewksbury, Massachusetts, USA
This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides a clear and concise determination of how a safety critical function may be defined at the system level to include hardware, software, human interactions and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose SLSCF computing level functions and details what constitutes a Safety Critical Computing Software Function (SCCSF) and how to identify those behavioral attributes that designate that function as safety critical. This paper provides a methodology to identify, decompose and categorize application and operating environment SCCSFs. For the purpose of this paper, SCCSFs are categorized into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety critical software functions that control and monitor safety critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies and fail-safe designs found in successful high consequence safety critical systems.

Software Risk: The Third Rail of Safety Analysis
Holly S. Hildreth, PhD, Consultant; Charles Greg Elcock, USN-R Aviator, Consultant; San Diego, CA, USA
"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Due to our inability to assess probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called "throwing the baby out with the bath water". Meanwhile, the recent industry trend to assess software risk based solely on implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss shortcomings of this trend and describe alternative techniques that have not been openly documented but that have been used "under the radar" by software safety professionals for many years.

Wednesday, 08/14/13, AM, Berkeley: Human Factors (Chair: Robins)

ASL: Affective Safety Leadership
Ulrik Ramsing, Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark
Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how", demanding that the CoRep engage with all parties in a safe, professional and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged with CfL Centre for Leadership to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, the satisfactory completion of which is now a requirement for employment in DONG E&P Offshore Operation as Company Representative.

The CoRep Program satisfies its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors and ILO-driven offshore coaching.

Exxon Valdez: Human Error, Plain and Simple
Arthur D. Barondes, BS (Mil. Engr.), MS (Aero), MBA, PhD (ABD) (Business), Analytics International Corporation (AIC), Alexandria, VA, USA
Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989, and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors (there were no mechanical or electrical failures that fateful night), the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors, onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company, as solely responsible for the disaster.

Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A. Vernacchia, MS, PE, Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A. Green, PhD, Active Safety Systems, General Motors, Warren, MI, USA; Robert E. Llaneras, PhD, Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA
Today's electric propulsion system designs (e.g., Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, some failure modes may result in the failure effect on output torque being realized significantly faster than traditional ICE failure modes. These may present differences in how output torque responses impact potential "Driver Startle" events.

This paper compares electric propulsion systems' fault response characteristics and subsequent detection and mitigation capabilities to those of ICE systems. The effects of the electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle level hazard metrics related to Driver Startle, are presented.

Wednesday, 08/14/13, AM, Clarendon: Public Safety (Chair: Fletcher)

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD; Yun Luo; Shuo Tian, MS; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
Making scientific precautions and effective control of accidents is important for the national production of China. The famous Heinrich Rule reveals that the statistical law of the severity and frequency of accidents is essential to control accidents, but the accident source and causation, as well as the essence of systematic safety factors, haven't been stated deeply. With data analysis from various accident statistics over recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. And then a proportion rule of the accident pyramid is further figured out, namely "Major Accidents - Fatal Accidents - General Accidents - Hidden Dangers - Hazards" (1 - 52 - 240 - 4700 - ∞). The result accords with the traditional Heinrich Rule, which provides the theoretical basis for accident prevention and indicates the way and direction of realizing essential safety.

Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity
Ilya M. Zheleznov, PhD, VNIIA, Moscow, Russia
The paper presents a review and results of analysis of different technical and economic aspects of industrial safety at a large enterprise with distributed sites, combining R&D work with pilot and batch production of high-tech products, and located in a megacity, Moscow.

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to the optimization, considering minimization of transportation of dangerous substances, localization of treatment facilities (waste effluents, gas purification) and waste storehouses, localization of systems for working conditions maintenance (heating, air-conditioning, air cleaning, water supply, etc.), possible harm to the population and a number of other factors, from both technical and economic points of view, are considered.

The features connected with the location of the enterprise in a megacity, including limitation of the areas for treatment facilities, a high saturation of the area by various communications, small distances to residential buildings and city infrastructure objects, transport problems, high pollution of the air environment, etc., are identified.

Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr. Professor G.A. Smirnov, Dr. D.I. Yurkov, D.V. Syagin, T.V. Kozhina, All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia
The paper reviews questions related to the vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including those of a terrorist orientation, as well as to emergency situations of natural and anthropogenic character.

Main provisions of the complex program of population safety on transport approved by the Russian Government are presented. Approaches to the organization of examination of physical persons (passengers), vehicles, cargoes, luggage and personal belongings at transport infrastructure objects of the undergrounds of Russia are formulated. Some types of neutron and x-ray equipment for detection of explosives, nuclear materials and drugs, designed and produced by VNIIA named after N.L. Duhov, are presented.

Wednesday, 08/14/13, AM, Dartmouth: Lifecycle Safety (Chair: Swallom)

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore, Singapore
System Safety analyses assess the systems' hazards throughout all phases of the system life cycle. Quite often, details of maintenance tasks on systems are not clearly thought out and assessed. Hence, while in the midst of carrying out system maintenance tasks, hazards could arise and pose safety implications to users. Improper maintenance could also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance and sometimes total replacement of the components at regular intervals are required. Therefore, it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety critical or safety related parts is also crucial in ensuring that the systems remain safe for operation after conducting maintenance.

This paper attempts to classify the different types of maintenance and the focuses of their respective hazard analyses in order to better address their potential hazards. Generally, there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance and Reliability-Centered Maintenance. The authors will discuss, with examples, the hazard analysis for each of these types of maintenance.

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram, David Hartfelder, Electronic Controls and Software, General Motors Company, Milford, MI, USA
System safety engineering is the application of special technical methods and managerial processes in a systematic manner to identify, evaluate and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned with eliminating or minimizing the impact of system hazard(s) to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementary critical safety analyses, tests and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that they are able to influence the design of the system. This paper will define a system safety case and provide an overview of its development within the GM system safety engineering process as it applies to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA
Error Prevention Event Collection (EPEC) Documents have been beneficial to the ULA Organization in many ways by providing multiple methods to augment current ULA Error Prevention Processes and share Lessons Learned throughout the ULA Organization. EPEC Documents are stand-alone documents that provide ULA Personnel with categorized sets of Event information that can be used to augment Preventive Analysis, Reactive Analysis and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process. This means that they have completed the Causal Analysis, Corrective Action Board and Error Prevention Council processes. Upon Event closure, the "All Items" Database is populated with Event information and the applicable Event EPEC Categories. Then the "All Items" Database automatically sorts Event entries into "Category" Databases. There is one "Category" Database for each EPEC Category. Each "Category" Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" Database that provides users with instructions for use, a link (URL) to the associated Event information and additional Error Prevention Tools. Additional improvements, applications and benefits will continue to be explored as they relate to the EPEC Documents.

Wednesday, 08/14/13, AM, Exeter: Human Factors II (Chair: Flint)

Development of an Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy; Yanyan Wang, DE; Xin Liu; Wei Bai; Xinsheng Guo; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress has a disadvantageous effect on flight safety. Life events are a routine item of aircraft accident investigation in many countries. A lot of pilots involved in accidents were suffering from life events. In order to achieve the ideal effect, flight safety education must be incorporated with psychology. An education program combining flight safety and psychological stress was developed by summarizing the relative psychological factors of aviation risk perception. The program includes three sections, which are: psychological measurement relative to safety and results feedback; education on representative risk scenes in aviation; and occupational stress management. The Aviation Safety Locus of Control scale and the Hazardous Aviation Attitude questionnaire were used to evaluate risk pattern. The results were fed back to pilots to improve their self-knowledge. The representative risk scene was based on the five hazardous attitudes theory. Fifteen cases were developed and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach the pilots stress management skills. The program can be applied to improve the flight safety and mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD; Xin Liu; Wei Bai; Xinsheng Guo; Qingfeng Liu, MPsy; Xiaochao Guo, DPsy; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
The capabilities of crew resource management (CRM) directly relate to flight safety and run through the whole process of flight tasks, but there are currently still no indicators and methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and pilots' behavior characteristics of dynamic CRM were developed based on AC-121-FS-2011-41 crew resource management training and by analyzing the influential factors; thus, eventually, the dynamic assessment training indicators and methods of crew resource management were formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis of assessment of CRM during flight training, which is helpful to improve the CRM capabilities of a double drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD; Erin Collins; Hughes Associates, Inc., Baltimore, MD, USA
The fire protection response in selected facilities is characterized by "manual" activities. That is, facility personnel are trained to immediately react after fire detection, not only to announce the fire event throughout the facility using the communication systems, but to also suppress the fire as quickly as possible. Contrary to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e., hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper involves an integration of event tree analysis and HRA, which includes treatment of the following detection and suppression activities: Prompt detection and suppression, Rapid detection and suppression, and Fire brigade suppression.

Wednesday, 08/14/13, PM, Berkeley: Safety Topics (Chair: Gauthier)

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou, BEng, MSc, PhD, CEng; Matthew Luckcuck; Tim Kelly, PhD; Richard W. Jones, PhD; Department of Computer Science, University of York, York, United Kingdom
There has been an increasing use of IT in healthcare, aiming to improve the quality of healthcare as well as the safety delivered to patients. IT can contribute to improvement in meeting the performance targets of hospitals by offering functionality for the management of patients.

However erroneous use of health IT may pose a risk to the patient Safety engineering techniques are a crucial element of medical systems This has been apparent in medical devices (eg pacemakers) for which there organised efforts for international standards Recently there have been attempts to systematise and standardise the safety analysis of health IT systems with examples such as the UK National Health Service standards asking for a safety case that any IT systems are safe

42

The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them Furthermore the paper examines safety and data intensive systems describing the safety analysis of an electronic prescription application including examples of software tactics that can contribute to safety and how these (tactics) can be used to provide assurance to the final safety case of the system

How Complex Systems Fail, I: Decomposition of the Failure Histogram
Richard R Zito PhD, Richard R Zito Research LLC, Tucson AZ USA
Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that in general the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model, and the failure histograms (failure rate vs. time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report will take the Peterson/Arellano analysis one step further. A unified theory of failure rates will be presented that removes the paradoxes of the simple Rayleigh model. It will be shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function law.
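As an added illustration of the mixture idea in the abstract above (not Zito's code or data): a system whose subsystems each follow a Rayleigh failure-rate law with its own mode, compared against the single Rayleigh law an analyst would fit to the combined histogram. The subsystem modes and defect counts are constructed; the point is that the mixture has a heavier tail than any single Rayleigh law with the same total and mean, which is the "tail" discrepancy the abstract describes.

```python
"""Mixture-of-Rayleigh failure rates: why one Rayleigh law under-predicts the tail.

Added example, not from the paper. Subsystem modes and defect counts are constructed.
"""
import math


def rayleigh_rate(t, mode, total=1.0):
    """Failure (defect discovery) rate of one subsystem: a Rayleigh law whose
    peak is at t = mode and whose integral over t >= 0 equals `total` defects."""
    return total * (t / mode ** 2) * math.exp(-t ** 2 / (2 * mode ** 2))


def mixture_rate(t, subsystems):
    """Failure rate of the whole system: one Rayleigh law per subsystem, summed.
    subsystems: iterable of (mode, expected_defects)."""
    return sum(rayleigh_rate(t, mode, total) for mode, total in subsystems)


def single_rayleigh_fit(subsystems):
    """The one Rayleigh law an analyst would fit to the whole histogram: same
    total defect count and same mean discovery time as the mixture
    (a Rayleigh law with mode m has mean m*sqrt(pi/2))."""
    total = sum(n for _, n in subsystems)
    mean_time = sum(n * mode * math.sqrt(math.pi / 2) for mode, n in subsystems) / total
    return mean_time / math.sqrt(math.pi / 2), total


def tail_ratio(t, subsystems):
    """mixture rate / fitted single-Rayleigh rate at time t;
    a value > 1 means the single law under-predicts failures at that time."""
    mode, total = single_rayleigh_fit(subsystems)
    return mixture_rate(t, subsystems) / rayleigh_rate(t, mode, total)


def integrated_defects(subsystems, t_max, steps=20000):
    """Trapezoidal integral of the mixture rate over [0, t_max]; for t_max well
    past the largest mode this recovers the total defect count."""
    dt = t_max / steps
    ys = [mixture_rate(i * dt, subsystems) for i in range(steps + 1)]
    return dt * (sum(ys) - 0.5 * (ys[0] + ys[-1]))


# Constructed system: (mode in weeks, expected defects) per subsystem. Spreading
# the modes out is the paper's "modes distributed by a pdf", in miniature.
SUBSYSTEMS = [(2.0, 30.0), (5.0, 50.0), (12.0, 20.0)]

if __name__ == "__main__":
    mode, total = single_rayleigh_fit(SUBSYSTEMS)
    print(f"fitted single Rayleigh: mode={mode:.2f} weeks, total={total:.0f} defects")
    for t in (2, 5, 10, 20, 30):
        print(f"t={t:3d}  mixture={mixture_rate(t, SUBSYSTEMS):8.4f}"
              f"  single={rayleigh_rate(t, mode, total):8.4f}"
              f"  ratio={tail_ratio(t, SUBSYSTEMS):8.2f}")
```

The ratio is near or below 1 around the fitted mode and grows quickly beyond it, because the subsystem with the latest mode dominates the tail while the fitted law has already decayed. Fitting a single Rayleigh and reading its tail as the residual defect count is therefore optimistic whenever subsystems mature at different rates.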

Wednesday, 08/14/13, PM, Clarendon: Risk Assessment (Chair: Karedes)

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt, Joan Pham PhD, Sikorsky Aircraft Corporation, Stratford, Connecticut, USA
The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday, 08/15/13, AM, Berkeley: Space Systems (Chair: Durmaz)

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X Dang BSCE (1), Myles P Moran BSME (2), Tyrone Jackson BSEE (1); (1) System Safety, Space and Missile Systems Center, El Segundo CA USA; (2) Space & Missile Center, US Air Force, Los Angeles CA USA
A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. An example: one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 (AFSPC Sup 1), 91-217 and 63-101. AF program offices are required to comply with AFI policies; AFIs don't generally apply to the contractor except as implemented through the contract. Often program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that, by having two sets of requirements, AFIs for program offices and tailored MIL-STD-882 for contractors, full compliance with AF Orbital Safety policy should be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"

ISSC 2013 Program


Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G McDougall, BS Physics, Naval Post-Graduate School (NPS) Master System Engineering, System Safety Center SMC/SE, El Segundo CA USA; Tyrone Jackson BSEE, System Safety, Space and Missile Systems Center, El Segundo CA USA
The Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommissioning and disposal of systems, subsystems, end items and services during the entire space system lifecycle, to support Operational Safety, Suitability and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements applicable to the acquisition of space systems or space systems of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems and user equipment systems. The SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP 1 and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process for evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing the tasks and activities required to execute a viable system safety program, including risk acceptance package development, hazard tracking, mishap risk disposition and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch CO USA
United Launch Alliance launches Atlas V and Delta IV from the Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles. Large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle and prelaunch operations, until liftoff. Range Safety regulations provide safety requirements for hardware, software and operations to ensure safety throughout ground processing. This paper will examine each stage of ground processing for space launch and the applicable safety requirements, and discuss how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after personnel are cleared, using safety-critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday, 08/15/13, AM, Clarendon: Weapons Safety (Chair: Southwick)

Security Critical Software: the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S Alborzi PhD, Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA USA
Today's political landscape, the arbitrary abandonment of nuclear weapons non-proliferation by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor software security becomes the frontline defense of system safety. This paper intends to explore this integration and unveil some of the security critical software that can serve as the first line of defense for preserving the safety critical features of our weapons systems.


Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C Adams BME, Booz Allen Hamilton, Arlington VA USA; Ken Tomasello BSChE, Navy NOSSA, Indian Head MD USA
The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance provided in the associated AOP-7 and AOP-39 for implementing policy. Questions are often raised during program development and reviews as to the origin and applicability of the tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, will only address Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham MS SE, Gunendran Sivapragasam MBA SE, Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren VA USA
A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among the characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday, 08/15/13, AM, Dartmouth: Hazard Identification (Chair: Oliver)

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore
We often ask ourselves why accidents or mishaps happen even when the system safety methodology and assessments are in place. Accidents happen due to many possible causes. There could be lapses in the safety integrity of the system, or a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns such that a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations that were faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practice of system safety. There are four areas of concern highlighted in the paper: Interfaces, Prototype Tests & Trials, Maintenance & Disposal, and Human Error. By identifying the gaps in these four areas, the author explores and proposes mitigation measures that could close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust Sr, Cand. scient., System Safety, SINTEF, Trondheim, Norway
Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body (for certification according to IEC 61508), a Notified Body (for certification according to the relevant EU directives) and a Manufacturer.

Experience has shown that, to deliver the product on time and to be cost-effective, it is very important that the Manufacturer and the Certification and Notified Bodies agree about basic principles concerning the plans, contents, traceability and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Bodies as evidence.

This paper presents the CoVeR method, developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, that costs are minimized, that time to market is reduced, that the certification process is complete and well documented, and that updating the certificates requires less work. The certification experiences to date show that many of the problems seen with conventional methods are reduced.

Design with Safety Eye
Barış Berk Erdem MS, Pinar Aydin MS, Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey
Deriving safety requirements in the early stages of the design is one of the most important key factors for a successful development process in any project. While well-defined, correct, consistent and complete safety requirements improve and guide the design to perfect levels with minimum effort, defective, inconsistent and incorrect safety requirements may lead to unsuccessful, overweight and over-cost designs. In this paper the ways and advantages of deriving qualified safety requirements in the early stages of design are discussed via examples. Safety requirements are derived using the results of the safety assessments, based on the consequences of functional failures. But the quality of the safety assessments depends on the maturity of the design, and as the design matures it becomes hard to change and to implement the changes, which causes a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated and familiar with similar projects provides great contributions. Also, a safety perspective throughout the design team makes it easy to derive valuable safety requirements and to build these requirements into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is cooperation of the whole design team with a safety perspective.

Thursday, 08/15/13, PM, Berkeley: Aerospace Software (Chair: Beecher)

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C Michael Holloway, NASA Langley Research Center, Hampton VA USA
For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements". Within the text of the guidance little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments contained in or implied by the DO-178C guidance that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels and Baconian probability. We define use cases for confidence in safety cases: prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for reuse of safety elements.

Initial Safety Analysis for Integration of Unmanned Aerial Systems into the National Airspace System
Eric Yang PhD, Richard Y Xie PhD, Arash Yousefi PhD, Metron Aviation Inc, Dulles VA USA
As demand for military, civilian and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper we adapt a previously developed safety modeling framework, the Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS, incompatibility between the sense-and-avoid systems of UAS and the Tactical Collision Avoidance Systems (TCAS) of manned aircraft, lost-link procedures in the UAS, and UAS loss of communication with air traffic control. The findings of this study provide insight into potential risks of UAS integration and may support development of a concept of operations, establishing minimum performance standards, and developing required safety nets.

Thursday, 08/15/13, PM, Clarendon: Public Safety II (Chair: Laabs)

Integrating System Safety and Emergency Management
Terry L Hardy, Great Circle Analytics LLC, Denver CO USA
System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to and recover from an incident that threatens life, property, operations or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore organizations may not be taking full advantage of the skills, experience and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A Robins BS Safety, MS Systems Management, CSP, CFPS, HSE, Marine Well Containment Company, Houston TX USA
Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess and Statoil. In February 2011 MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS and its Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach for working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.

Advertisement: What are your strengths as an engineer? "thinking system-wide", "providing in-depth analysis of the latest technologies", "solving real-life problems". Online Master's Degrees: Reliability Engineering, Project Management, Nuclear Engineering, Sustainable Energy, Energetic Concepts, Fire Protection Engineering. Learn more: www.advancedengineering.edu/issc

A Taxonomic Analysis of Chinese Special Equipment "Yinhuan" in Supervision
Yunxiao Fan Dr, Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety on worksites. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices and automobiles. In recent years the rapid increase in the numbers and types of special equipment has put BSES under increasing stress in regulating special equipment. As a government supervision organization, BSES tries to make the inspection tasks of the different supervision levels explicit and efficient and to improve safety management performance from a risk point of view. This research is the first task in a project which aims to identify yinhuans in special equipment supervision through a taxonomic approach, for further ranking of them through risk assessment. Based on nonconformity and the 4 elements of the accident causation model, this research defined the yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. The research identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans across 8 types of special equipment.

Thursday, 08/15/13, PM, Dartmouth: Hazard/Risk Management II (Chair: Kniess)

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander MSc (1), Patrick J Graydon PhD (2), Rikard Land PhD (1); (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework that includes analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence, it can ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E Allison, System Safety, United Launch Alliance, Centennial CO USA; Elie Jerdak, Quality, United Launch Alliance, Centennial CO USA
United Launch Alliance (ULA) believes error reporting is the cornerstone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012 ULA experienced an elevated number of transportation-related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if the associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates the processes were "in control" during the period of this study.

Even though statistical analysis tools demonstrated ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.

Advertisement: Isograph Software, World Leading Reliability, Availability and Maintenance Software. Reliability Workbench: Reliability Allocation, Prediction, FMECA, Fault Tree Analysis, Event Tree Analysis, Markov. Availability Workbench: Reduce Labor & Spares Costs, Increase uptime and output, Seamless integration with SAP and Maximo. www.isograph-software.com
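What the P-charting step in the abstract above looks like when carried out, as an added example (this is not ULA's analysis or data; the monthly counts are constructed to show one in-control series and one with a cluster of Events). The chart treats each period's Events as a binomial proportion of the opportunities in that period and flags any period whose proportion falls outside the 3-sigma limits around the pooled proportion.

```python
"""P-chart (Shewhart attribute chart) for error-Event proportions.

Added example, not ULA's own analysis or data. The monthly counts below are
constructed: 200 transport moves a month, with reported Events per month.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class PeriodPoint:
    period: str
    opportunities: int     # n: transport moves (or other units of work) in the period
    events: int            # d: reported error Events in the period
    p: float               # d / n
    ucl: float             # upper control limit for this period's n
    lcl: float             # lower control limit, floored at 0
    out_of_control: bool


def p_chart(samples, z=3.0):
    """samples: iterable of (period, n, d). Returns (p_bar, [PeriodPoint, ...]).

    Centre line p_bar = sum(d) / sum(n). Limits are computed per period because
    n may vary: p_bar +/- z * sqrt(p_bar * (1 - p_bar) / n).
    """
    samples = list(samples)
    total_n = sum(n for _, n, _ in samples)
    total_d = sum(d for _, _, d in samples)
    if total_n == 0:
        raise ValueError("no opportunities recorded")
    p_bar = total_d / total_n
    points = []
    for period, n, d in samples:
        if n <= 0 or d < 0 or d > n:
            raise ValueError(f"bad sample {period}: n={n}, d={d}")
        sigma = math.sqrt(p_bar * (1 - p_bar) / n)
        ucl = p_bar + z * sigma
        lcl = max(0.0, p_bar - z * sigma)
        p = d / n
        points.append(PeriodPoint(period, n, d, p, ucl, lcl, p > ucl or p < lcl))
    return p_bar, points


def out_of_control_periods(samples, z=3.0):
    """Periods whose proportion lies outside the control limits (Shewhart rule 1 only)."""
    _, points = p_chart(samples, z)
    return [pt.period for pt in points if pt.out_of_control]


def is_in_control(samples, z=3.0):
    return not out_of_control_periods(samples, z)


# Constructed data: (period, opportunities, Events) for twelve months.
BASELINE = [("2012-%02d" % m, 200, d)
            for m, d in zip(range(1, 13), [4, 3, 5, 2, 6, 4, 3, 5, 4, 7, 3, 5])]
# The same series with a cluster of Events in October.
SPIKE = [(p, n, 14 if p == "2012-10" else d) for p, n, d in BASELINE]

if __name__ == "__main__":
    for label, data in (("baseline", BASELINE), ("spike", SPIKE)):
        p_bar, points = p_chart(data)
        print(f"{label}: p_bar={p_bar:.4f}")
        for pt in points:
            flag = " <-- out of control" if pt.out_of_control else ""
            print(f"  {pt.period} d={pt.events:2d} p={pt.p:.3f} "
                  f"LCL={pt.lcl:.3f} UCL={pt.ucl:.3f}{flag}")
```

Two caveats a practitioner would attach to a chart like this: the denominator n has to be a real count of opportunities (moves, shipments, shifts), because with voluntary reporting both n and d are estimates and a low-n period will have very wide limits; and "in control" only means the variation is consistent with the pooled rate, which is exactly why the abstract pairs the result with a separate Zero Defects objective rather than treating the chart as acceptance of the current error rate. Trend rules (for example several consecutive points on one side of the centre line) are not implemented here and would catch a gradual shift that rule 1 misses.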

Leading Indicators in Aviation Operations
Robert W Fletcher PMP PEng MSc, Robert Fletcher System Safety Inc, Ottawa ON Canada; Ioannis M Dokas PhD CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece
Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how STAMP-Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents and incidents. The objective is to show the feasibility of establishing, in airports, system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems and airports to assess and predict changing levels of risk.


Special Functions

Saturday: SSS Executive Council meeting, 12:00 - 5:00pm, Tremont Room

Sunday: SSS Executive Council meeting, 8:00am - 5:00pm, Tremont Room

Monday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Monday: Opening Ceremonies / General Session, 1:30 - 3:30pm, Salons A-E. 50th Celebration Speaker: Rex B Gordon MPH PE CSP, Fellow, Member Emeritus. Keynote Speaker: James P Keller Jr MS, ECRI Institute

Tuesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Tuesday: Sponsor/Exhibitor Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr Nancy Leveson, Massachusetts Institute of Technology
Tuesday: Sponsor & Exhibitor Reception, 6:30 - 8:30pm, Gloucester Room

Wednesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Wednesday: International Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr John McDermid, The University of York, UK
Wednesday: Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00pm. Be in the hotel lobby at 6:00pm

Thursday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Thursday: Awards Luncheon, 11:30am - 1:20pm, Salons A-E

Friday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Friday: Best Papers Presentations, 8:00 - 11:20am, Dartmouth Room


32nd International System Safety Conference, 4-8 August 2014, St. Louis, MO
St. Louis Union Station Marriott Hotel
[Conference logo: "Gateway to Safety", St. Louis, Missouri, August 4-8, 2014]

Local attractions
• Gateway Arch Riverfront
• Missouri History Museum
• Museum of Transportation
• St Louis Cardinals
• St Louis Symphony
• St Louis Union Station
• St Louis Science Center
• The Contemporary Art Museum St Louis
• Bissell Mansion Restaurant and Dinner Theater
• Missouri Botanical Gardens
• Laumeier Sculpture Park
• Anheuser-Busch Brewery
• Kemp Auto Museum
• Schlafly Bottleworks
• Fox Theater
• Purina Farms
• Meramec Caverns
• Laclede's Landing
• City Museum
• Magic House
• Grant's Farm
• St Louis Zoo
• Delmar Loop
• Forest Park
• Harrah's
• Six Flags


About the System Safety Society
The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program or activity at the planning phase and continues through the design, production, testing, use and disposal phases.

The Society's Objectives
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070 · www.system-safety.org · email: systemsafety@system-safety.org

Points of Contact

Officers
Robert Schmedake, President, robertaschmedake@boeing.com
Dr. Rod Simmons, Executive Vice President, rodsimmons@me.com
Dr. Matt Johnson, Executive Secretary, mjohnson@staudertech.com
Pam Kniess, Treasurer, pamkniess@gmail.com
Gary Braman, Immediate Past President, gbraman@sikorsky.com

Directors
Gerry Einarsson, Chapter Services, einargk@rogers.com
Lynece Pfledderer, Conferences, Lynecepfledderer@lmco.com
Dr. Chuck Muniak, Education & Professional Development, cmuniak@stevens.edu
Debbie Hale, Gov. & Intersociety, Hale0324@hotmail.com
Robert Fletcher, International Development, rwfletcher@sympatico.ca
Melissa Emery, Member Services, memery@apt-research.com
Steve Mattern, Mentoring R&D, smattern@bastiontechnologies.com
Saralyn Dwyer, Publicity & Media, sdwyer@apt-research.com


Chapters
Tennessee Valley Chapter (AL): Don Swallom, swallom@isss-tvc.org
Saguaro Chapter (AZ): Amanda Boysun, 520-794-5487, AmandaBoysun@raytheon.com
Bay Area Chapter (CA): Graham Murray, 408-756-2674, grahamtmurray@lmco.com
Central California Chapter (CA): Kathleen Brenna, KathleenBrenna1@us.af.mil
Sierra High Desert Chapter (CA): Jerry Banister, 760-377-4690, safetycitadel@earthlink.net
Southern California Chapter (CA): Francis McDougall, 310-653-1309, francismcdougall@us.af.mil
Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppe@comcast.net
Georgia Chapter: Terry Gooch, 770-494-3527, terryjgooch@gmail.com
Winners Circle Chapter (KY/IN): Marc Bever, 812-854-1351, Marcbever@navy.mil
Twin Cities Chapter (MN): Bill Blake, 763-744-5086, billblake@atk.com
New England Chapter: Alan E. Southwick, 401-842-2067, Alan_E_Southwick@raytheon.com
Northeast Chapter: Scott Beecher, scottbeecher@PW.utc.com
New Mexico Chapter (NM): William (Bill) Harwood, williamharwood@mda.mil
Houston Chapter (TX): Derek Robins, 281-335-2011, derekrobbins@mwcc-usa.com
North Texas Chapter (TX): Frank Rinaldo, 817-762-3075, frankrrinaldo@lmco.com
Washington DC Chapter: Sean Peters, seanpeters@urs.com
Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerber@baesystems.com

International Chapters
Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbecht@rgbassurance.com.au
Canada Chapter: Maury Hill, 613-220-0533, Mauryhill@rogers.com
Israel Chapter: Haim Kuper, 972-4-8315044, haimkuper@elbitsystems.com
Singapore Chapter: Ten Lin Mei, tlinmei@dso.org.sg


31st ISSC Luncheon Menu

Tuesday, August 13
New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14
Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15
Caesar Salad
Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce
White Chocolate and Blood Orange Torte


Second hour: Demonstrate how to make risk assessment a powerful management tool by customizing the assessment of risk for use in a company or industry. Also provide insights on how to "sell" a risk management policy/program within a company.

Third hour: A discussion of how to use risk management as a tool to aid you in your daily office or program management responsibilities: the planning, organizing, staffing, leading and controlling of a safety program. Embedded in the discussion is how risk can provide a measure of the success of an occupational safety and health program.

Wednesday 08·14·13, 8:00-11:30, Fairfield, Tutorial, 0.3 CEU

Why You Should Care About the "-Ilities"
Instructor: Alan E. Southwick, BSEE, MME, MBA, CSP, CQE, CRE, Whole Life Engineering Directorate, Raytheon Company Integrated Defense Systems, Portsmouth, RI, USA
The topic addresses the interrelationships that develop from Quality, Quality Control and Quality Engineering into the Specialty Engineering roles and relationships, including Reliability, Maintainability, Supportability, Human Factors, Safety and Security (Information Assurance), from an overview perspective. The tutorial is designed to be somewhat interactive, presenting examples and questions to the audience on the various topics discussed, thereby engaging participants and giving them insight into the various disciplines and how they relate within "Specialty Engineering".

Wednesday 08·14·13, 1:30-3:30, Dartmouth, Tutorial, 0.2 CEU

Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System
Instructors: Tim R. Behnke, BSEE; John Damstra, BS Mathematical Sciences; and Eric D. Villhauer, BS Aerospace Eng., BA Economics; Specialty Engineering, General Atomics Aeronautical, Poway, CA, USA
The presenters share their implementation of a hazard analysis that integrates the civil aviation approach to safety analysis per SAE ARP 4761 and the defense approach to safety analysis per MIL-STD-882E, along with their implementation of the associated hazard tracking system in DOORS.

Agenda:
• Introductions - Behnke - 5 mins
• Need for System - Behnke - 5 mins
• Groundwork (historical) - Behnke - 10 mins
• Development - Damstra - 30 mins
  i. Modules
  ii. Attributes
  iii. DXLs
  iv. Views
  v. Exports
• Usage - Villhauer - 30 mins
• Questions - All - 10 mins


Wednesday 08·14·13, 1:30-3:30, Exeter, Tutorial, 0.2 CEU

Where Hard Meets SOFT: Human Factors Role in System Safety Engineering
Instructor: Fred W. Brisbois, CHCM, Safety, Sikorsky Aircraft, International Helicopter Safety Team, Guilford, CT, USA
The gap that allows accidents to happen is sometimes where System Safety Engineering and Human Factors don't overlap. System Safety Engineering processes defined in MIL-STD-882 and ARP 4761 provide a structured approach to applying engineering practices to ensure safety is designed into products. These practices, coupled with robust product safety surveillance and management during the aircraft's service life, offer opportunities to continuously raise the standards for future designs. However, to maximize the benefits of safety engineering, it is important to master the 'art' of how and when to integrate human factors interventions into the system design. This session will cover a generic overview of system safety engineering, aircraft fleet safety management, and lessons learned from 'human' malfunctions that led to aircraft system design changes.

Wednesday 08·14·13, 1:30-5:00, Wellesley, Tutorial, 0.3 CEU

Using Risk Profiles for Safety Management of Large Scale Operations
Instructor: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA
This tutorial provides safety and health professionals who work with large-scale or multiple operations with a methodology to evaluate and compare these operations. The tutorial begins with a review of four types of risk which need to be assessed (People, Product, Production and Planet). This is followed by a brief discussion of normalizing the risk components of severity and probability. The heart of the tutorial is the description of how to measure the total risk of various operations, processes and facilities, and how to present the resulting risk profiles to management. The tutorial will conclude with a brief discussion on the validity of the methodology used. Note: this is not a discussion on how to determine true total risk, but a simplified method using a minimum of math. The tutorial is designed for safety and health professionals working within a company that has multiple processes or facilities that compete for funding to ameliorate hazards.

Thursday 08·15·13, 8:00-5:00, Exeter, Tutorial, 0.6 CEU

Conceive of Modeling On Operation Mechanism of Public Safety Standardization
Instructors: Yun Luo and Yuecheng Huang, ME, School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
Based on the theories and methods of system science and strategy systems, this paper reveals the operating law of work safety standardization and the relations among all its elements, set against the background and current situation of public safety standardization in China. It builds the framework of a macroscopic operating mechanism and the "456" model of the work safety standardization system operating mechanism, drawing on the execution and achievements of work safety standardization in China. It also designs six further mechanism models for systematic analysis and optimized countermeasures, such as comprehensive management by government, categorized supervision by department, implementation of responsibility by organization, technological service by agency, wide participation by society, and self-disciplined prodding by all personnel. The research provides theoretical direction as well as approaches for constructing and improving the operating quality of public safety standardization.


Panel Discussions / Forums

Tuesday 08·13·13, 8:00-11:30, Dartmouth, Open Forum

Developing Global System Safety Perspectives
Moderator: Robert Ward Fletcher, PEng, MSc, PMP, PCIP, Consultant, President, Robert Fletcher System Safety Inc., Ottawa, Ontario, Canada
This will be a free-form discussion moderated by Bob Fletcher, SSS Director of International Development. It is a continuation of the discussion started during the 30th ISSC.

Robert is a system safety engineer with many years of experience. He has performed system safety consultancy work for several clients around the world, including system safety engineering and safety management systems training, auditing and analysis for air traffic control and flight service system applications. Robert received an MSc from the United States Naval Postgraduate School, a diploma from the Aerospace Systems School, Winnipeg, Manitoba, and a Bachelor of Science degree from the Royal Military College. He is a registered professional engineer and a member of the Project Management Institute and the Critical Infrastructure Institute.

Thursday 08·15·13, 8:00-11:30, Suffolk, Panel

G-48 Workshop - Pressing Issues Facing System Safety
Moderator: David B. West, CSP, PE, CHMM, Systems Software and Solutions Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
A panel of speakers (TBD) will give a series of presentations on the most pressing issues facing the System Safety community today.

Workshops

Tuesday 08·13·13, 8:00-11:30, Exeter, Workshop

ISO 26262-Style Risk Assessment
Presenter: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada
ISO 26262 is a functional safety standard for electronic control systems in road vehicles which includes a novel approach to risk assessment that overcomes the widely recognized difficulty of evaluating the likelihood of failure in the case of software-intensive systems. Although it was devised for the automotive domain, this approach to risk assessment has been used successfully in other technical domains that also rely on safety-critical software. Following a brief introduction to ISO 26262, participants will engage in a series of problem-solving small-group exercises based on examples taken from a variety of technical domains, including automotive, medical devices, energy and defense. The workshop will include opportunities for discussion and comparison of sample solutions. It will also include a brief comparison of the ISO 26262 approach to risk assessment with the notion of software criticality in MIL-STD-882E. While this workshop will be of particular interest to system safety engineers in the automotive industry, it is intended to be relevant to system safety engineers across all technical domains with an interest in the assessment of safety risk associated with complex software-intensive systems.


Tuesday 08·13·13, 1:30-5:00, Exeter, Workshop

Application of System Safety Methods to Systems of Systems
Presenters: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada; Rami Debouk, Electrical and Controls Integration Lab, General Motors, Warren, MI, USA; Antonio Vergara, ITER Organization, St. Paul-lez-Durance, France
This workshop will facilitate an exchange of knowledge among participants about the application of system safety methods to Systems of Systems (SoS), that is, systems whose components are themselves complex systems, such that the combined behavior of these components cannot be easily understood or explained in terms of the behaviors of the individual components. Examples of such systems are increasingly common across a variety of technological domains, including aerospace, defense, automotive and energy generation/distribution. Traditional methods of system safety, focused on component failure as a source of safety risk, have limited value in understanding and managing the safety risks associated with a SoS. For example, an unforeseen interaction between two "correct" behaviors implemented by different components of a SoS may result in unsafe behavior even in the absence of a component failure. The first part of the workshop will be a series of short presentations on SoS examples from a diverse variety of technical domains, namely advanced road vehicles, high energy physics and aerospace/defense. The second part of the workshop will be an opportunity for all participants to address specific questions about the application of system safety methods to SoS through dialogue and impromptu mini-presentations.

Tuesday 08·13·13, 1:30-5:00, Fairfield, Workshop

Advancing Safety By Reducing Errors: A Fresh Approach
Presenter: Tim Autrey, BSc, Error Reduction and Human Performance Enhancement, Practicing Perfection Institute, Inc., Swanzey, NH, USA
Potential hazards workers face in the refining and petrochemical industry can vary from minor leakage to major blasts, releases of chemical vapors, spills leading to exposure to harmful gaseous chemicals, fires and explosions, and smoke build-up causing shelter-in-place orders that impact the local community, personal injuries, fatalities, and plant damage resulting in shutdowns. Given time pressures, the dangerous nature of the job, weather conditions, lack of communication, poor or inadequate documentation and remote working locations, planners, locators and refiners often face combined challenges that generate very error-likely conditions.

While unexpected releases of toxic substances do occur, the industry is subject to vulnerabilities caused by others (such as processes involving highly hazardous chemicals leading to the release of flammable liquids and gases, and worker stress and fatigue), and investigations reveal that many of the major accidents that do occur could have been prevented through greater diligence on the part of the personnel involved.

This workshop is designed to give participants the awareness that as humans we are fallible (even the best people make mistakes). That said, as humans we also possess the incredible power of choice. What we must do is choose to learn from our mistakes and take action to prevent their recurrence.

Bird and Germain (1996) rightly said: "What is the sense of measuring if the loss must occur before you can act? That is reaction, not control." What we need is a fresh approach to enhance safe work practices. This session will instill a strong understanding of "The Gap" in processing information and how to RESPOND rather than REACT when faced with a stressful or threatening situation. The participants will come to recognize the value inherent in worker contribution to solving problems and improving safety and efficiency.

The Practicing Perfection® approach has taken the best-of-the-best tactics and tools from the US commercial nuclear power and airline industries, simplified them, and combined them with the underlying triggers and influencers of behavioral psychology to transform worker behaviors pertaining to personal and process safety in different sectors.

Using this innovative Practicing Perfection® approach, safe work practices will be discussed in depth using the four human error barrier/defense categories and how these work together to prevent or allow an event to occur. The participants will be introduced to the Error Elimination Tools™ handbook, which offers simple tools for minimizing the potential for error at points of team interaction and individual execution.

Wednesday 08·14·13, 1:30-3:30, Arlington, Workshop

The Evolution of the UK Defence Safety Standards
John McDermid, Professor of Software Engineering at the University of York, UK
Issue 5 of DS 00-56 is being developed and is likely to be in force before the end of the year. The UK's primary defence safety standard, DS 00-56, has been in existence since mid-1990 and has undergone a number of changes, becoming more goal-oriented at Issue 4 (the current standard). When Issue 4 was produced, DS 00-55, the MoD software safety standard, was discontinued. Since the publication of DS 00-56 Issue 4 in 2007 there has been feedback on some of the requirements, including the challenges of applying the ALARP principle; defence contracting has changed, with a move towards greater procurement of services and/or outsourced management of facilities; and there is increasing use of Systems of Systems (SoS). Issue 5 of DS 00-56 is being developed to address these issues. At the same time, there have been increasing concerns regarding software safety, and it has been decided to re-introduce DS 00-55 at the same time, albeit in a goal-based style consistent with DS 00-56 and also covering complex electronics. The tutorial will present an explanation of the motivation for the changes to the standards and the significant conceptual changes, and outline the rest of the development process. Time will be allowed for discussion, e.g. the relationship between DS 00-56 and other standards, both civil and military.

Wednesday 08·14·13, 1:30-3:30, Fairfield, Workshop

Aircraft Fire & Explosion - How Safe Are the Friendly Skies?
Albert Moussa, PhD, PE
While commercial air travel is an extremely safe mode of transportation, aircraft fires and explosions can occasionally occur with catastrophic consequences. Using examples of recent accidents and full-scale testing, Dr. Albert Moussa will provide an overview of the main types of fires, such as those involving aircraft engine, fuel tank, cabin and cargo areas. He will show how major accidents lead to safety recommendations by the NTSB, stricter requirements by the FAA and improved practices by the industry. This process takes many years, leading eventually to safer skies. Examples of safety improvements include the use of a fire blocking layer in seats, improved acoustic insulation, fire detection and suppression systems in cargo bays, and fuel tank inerting. The implications of replacing aluminum with composite materials will also be discussed. The talk is an overview of a unique professional course that he teaches annually on the design of aircraft systems for protection against fire and explosion. It is a multimedia presentation illustrated with colorful slides and short video clips of real accidents and computer model outputs.

Dr. Albert Moussa has spent over forty years developing a fundamental understanding of fire and explosion, particularly for the aerospace/defense industry. His work has led to the development of a number of practical solutions and quantitative models, and to the investigation of several major national and international aircraft fire accidents. His forewarning about the vulnerability of aircraft fuel systems before the TWA 800 and Concorde disasters gained him prominence in the general media in both the US and Europe. He has consulted for the Air Force, Navy and major firms such as Boeing, GE, Northrop Grumman and Parker Hannifin, and has served on national advisory committees and on the Editorial Board of an ASME journal. He teaches a unique professional design course on how to protect aircraft systems against fire and explosion. He received his BS from Stanford University and his MS and ScD from MIT. He has published widely, including one book. He has received several honors, including the William Littlewood Memorial Lecture Award by SAE/AIAA, Engineer of the Year by the AIAA NE Section, best paper awards by SAE and ASEI, AIAA Distinguished Lecturer, and several ASME citations. He is the Founder and Technical Director of BlazeTech Corp., an engineering firm that specializes in technology and software development in the area of energy, environment and safety.

Friday 08·16·13, 8:00-10:00, Clarendon, Workshop

Process Safety Culture Best Practices
Presenter: Laurence Pearlman, MA, Corven Inc. and University of Illinois at Urbana-Champaign, Naperville, IL, USA
The workshop explores how process safety is more than a technical solution and involves cultural change. To make a successful and sustainable culture change, multiple elements need to be combined that address people, rewards, learning and leadership. This workshop will explore best practices and give practical advice on how to build a process safety culture. The workshop is aimed at oil, chemical and other process-related work.

Agenda:
• Introduction
• Change as a Journey: Overview of Change Management
• Building a Business Case: Defining a Burning Platform
• Speaking of Process Safety: Creating a Common Language for Process Safety
• Leadership Matters: Defining the Role of Your Leadership Teams
• Effective Learning: Segmenting Your Audiences and Delivering Relevant Learning Activities
• Looking at Behaviors and Desired Outcomes: How To Define & Drive Behaviors
• The Employee Lens: Know My Barriers & Know My Role in Keeping Them Healthy
• Measurement of Culture: What Works and What Doesn't
• Wrapping it Up: Change as a System

Advertisement: AST Aerospace, a division of Atlantic Software Technologies

You have a lot on the line. Our adaptive Safety Management and FAA Compliance solutions won't let you down.

Adaptive SMS: the comprehensive solution for the most efficient implementation
• Extends a culture of safety beyond safety teams
• Easily guides users to confidentially report useful safety events
• Responsiveness shows users they made a difference

Adaptive Systems Safety Analysis: safety-oriented system design analysis

Don't miss the Sikorsky Aircraft and AST Aerospace presentation "Linear Integrated Safety Analysis (LISA)".

1-732-230-2590 · sales@astaerospace.com · www.astaerospace.com


Paper Presentations

Monday 08·12·13 AM, Berkeley, Hazard Analysis, Chair: Barondes

Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models
Lucas Wind, Dr. Gabriele Schedl, Juergen Floetzer, Safety Management Department, Frequentis AG, 1100 Vienna, Austria
Multiple failures of components due to shared causes, also known as Common Cause Failures (CCF), comprise an important class of failure types. They have to be taken into account in any serious assessment of safety-critical systems deploying any redundancy concept. Whereas a qualitative assessment of CCF can be regarded as common practice, the exact numerical impact of CCF is usually less widely understood. Explicit representation of CCF is quite cumbersome and usually involves complex graphical representations within Fault Trees and RBDs. Focusing on a correct derivation of RAM data rather than on a comprehensive common cause analysis, an implicit representation of CCF is therefore often preferred, but it requires in-depth knowledge of the underlying mathematical models. This paper aims to enable safety experts to make a fast, simple but effective RAM analysis including CCF. Popular CCF models are reviewed together with their advantages and disadvantages, based on the long-term experience of a supplier in the context of a large European ATM project. The single-parameter beta-factor model is explained in detail and demonstrated to be most effective for typical ATM applications. Based on this model, results are given in terms of representative figures depicting the influence of CCF on various typical real-world availability requirements.
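Added worked example (not from the Frequentis paper) of the single-parameter beta-factor model the abstract refers to, so the numeric effect of CCF on a redundant pair can be seen directly: a unit's failure rate is split into an independent share (1 - beta) and a common-cause share beta, and a 1-out-of-2 pair fails if the common cause strikes, or if it does not strike and both units fail independently. The failure rate, mission time and beta values below are constructed for illustration.

```python
import math


def failure_probability(rate, mission_time):
    """Probability that a unit with constant failure rate `rate` (per hour)
    fails within `mission_time` hours, from the exponential model."""
    return 1.0 - math.exp(-rate * mission_time)


def redundant_pair_failure(rate, mission_time, beta):
    """Failure probability of a 1-out-of-2 redundant pair under the beta-factor
    model. Each unit's rate is split into an independent share (1 - beta) * rate
    and a common-cause share beta * rate. The pair fails if the common cause
    fires, or if it does not fire and both units fail independently."""
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must lie in [0, 1]")
    p_cc = failure_probability(beta * rate, mission_time)
    p_ind = failure_probability((1.0 - beta) * rate, mission_time)
    return p_cc + (1.0 - p_cc) * p_ind ** 2


def redundancy_gain(rate, mission_time, beta):
    """How much redundancy really buys: single-unit failure probability divided
    by the pair's. beta = 0 gives the textbook gain of roughly 1/p; beta = 1
    gives exactly 1, i.e. the second unit adds nothing."""
    return failure_probability(rate, mission_time) / redundant_pair_failure(
        rate, mission_time, beta
    )


def beta_sweep(rate, mission_time, betas=(0.0, 0.01, 0.05, 0.1, 0.2)):
    """Rows of (beta, pair failure probability, gain over a single unit)."""
    return [
        (b, redundant_pair_failure(rate, mission_time, b), redundancy_gain(rate, mission_time, b))
        for b in betas
    ]


if __name__ == "__main__":
    # Constructed figures, not the paper's: 1e-4 failures/hour, 1000-hour mission.
    for b, p, gain in beta_sweep(1e-4, 1000.0):
        print(f"beta={b:<5} P(pair fails)={p:.3e} gain over single unit={gain:6.1f}x")
```

With these constructed figures a beta of 0.1 roughly doubles the pair's failure probability compared with treating the two units as independent, and cuts the apparent redundancy gain from about 10x to about 5x, which is the point the abstract makes about availability requirements.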

Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees
Wes Rainey, MSEE, Life Cycle Engineering, General Dynamics Electric Boat, Groton, CT, USA
Fault Trees prove to be an effective tool for identifying safety-critical system hardware and software requirements during the Safety Requirements Hazard Analysis (SRHA) process. This safety analysis methodology offers significant benefits when performing the SRHA. Fault Trees effectively communicate the safety assessment of a safety hazard to other safety engineers, systems engineers, the customer and other impacted engineering disciplines in a manner that each discipline can readily understand and evaluate for completeness and correctness. Fault Trees also enhance the safety engineer's ability to assess the implications of safety mishaps and events on safety hazards, improving visibility into the relationship between related mishaps and events and allowing common events to be identified and shared between hazards. Fault Trees can then be structured to correspond to the system hardware and software requirements analysis, thus providing the ability to identify hazard-mitigating safety-critical requirements, design features and procedures early in the development process for continued tracking and management. This paper describes the significant benefits of Fault Tree analysis when applied to an SRHA, with an example based upon a hazard caused by significant equipment damage to a pump.

The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment
Omar T. Jaradat, PhD Student (1); Patrick J. Graydon, Postdoctoral Research Fellow (1); Iain Bate (2). (1) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden; (2) Department of Computer Science, University of York, York, United Kingdom
Typical safety standards require software engineers to show that a plan of safety activities, chosen from recommended options or alternatives, meets a set of objectives. For example, the automotive safety standard ISO 26262 recommends formally verifying software architectures to show that they comply with safety requirements. In this paper, we show how an existing approach to architectural model checking could be used to conform to ISO 26262.

The Architecture-Based Verification Technique for AADL Specifications verifies some completeness and consistency properties of Architecture Analysis and Design Language (AADL) models. An engineer transforms the AADL architecture into an UPPAAL model, generates a set of UPPAAL queries, and uses UPPAAL to check the queries. Using the resulting evidence, we have created a partial ISO 26262 safety case for an existing system that warns drivers of heavy vehicles before low fuel causes loss of power and vehicle control.

In this paper, we demonstrate how this model-checking evidence contributes to an ISO 26262 safety case. We then critically analyze the resulting argument, recommend means of achieving complete coverage of ISO 26262 objectives, and discuss the costs and benefits of architectural model checking in comparison to those of the other techniques recommended by ISO 26262.

Monday 08·12·13 AM, Clarendon, Ground Transportation, Chair: Millin

Achieving Confidence of a Safety Critical System Product and Its Applications
Fenggang Shi, PhD, RAMS Department, Thales Canada Transportation Solutions, Toronto, ON, Canada
A safety-critical system product can be developed for multiple project applications, such as a Communication Based Train Control (CBTC) product for modern railway signaling systems. It is natural that different safety-critical systems in the same domain have different characteristics, due to variances in devices and operating environment. Such a product must be developed from the generic attributes of systems in the domain, and can then be parameterized and tailored to a specific system with the characteristics expected by the customer. The key issues in developing such a product are defining common functions in the application domain, categorizing and generalizing devices, and designing a configurable system architecture, so that devices and functions can be parameterized and tailored for the specific system of a project. Safety engineering for such a product and its applications faces complexity in safety case development for demonstrating systematic hazard analyses and management. This paper discusses Thales' experience and practice in resolving the key design issues and managing the complexity of safety engineering on its CBTC product and applications. Safety confidence of CBTC systems is achieved through four layers of safety engineering: vital computer, controller platform, generic application and specific application.

Failure Logic Automata for Future Oriented Safety Assessment of Train Control System
Guo Zhou, PhD Student, Huibing Zhao, Professor, School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China
In the development of a train control system, safety analysis can deviate from system design. System engineers and safety engineers often pursue their ideas in entirely different ways, so that when the system engineers assert that their design is complete and feasible, the safety engineers may disappointedly declare that the safety requirements are not met. Conversely, when the safety engineers present their manual analysis reports (FTA, FMECA, etc.), the system engineers may point out inconsistencies. Intuitively, there seems to be a "gap" between system engineering and safety engineering. In this paper, some comparisons among classic safety assessment methods are performed first. Then a future-oriented safety assessment method is introduced to safety engineering to automatically verify safety requirements against the soaring complexity of system design. The hierarchical and modularized methodology of failure logic modeling is illustrated for minimal cut set synthesis and dangerous failure rate calculation, which can be used to improve safety. A mathematical model is constructed to demonstrate the correctness of the method. An instance analysis of an on-board train protection system is also performed.
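Added worked example (not from either paper) that serves both the Rainey abstract above on identifying safety-critical requirements from fault trees and the Zhou/Zhao abstract on minimal cut set synthesis: a small AND/OR fault tree evaluator in Python that derives the minimal cut sets, computes the top-event probability both exactly and with the rare-event approximation, and ranks basic events by Fussell-Vesely importance, which is one defensible way to decide which hardware and software items carry safety-critical requirements. The pump damage tree, its event names and its probabilities are constructed for illustration and are not taken from either paper.

```python
from itertools import product


class Event:
    """Basic event (leaf of the tree), e.g. a component failure."""

    def __init__(self, name):
        self.name = name

    def cut_sets(self):
        return [frozenset([self.name])]

    def occurs(self, state):
        return state[self.name]


class Gate:
    """AND / OR gate over child events or gates."""

    def __init__(self, kind, *children):
        if kind not in ("AND", "OR"):
            raise ValueError("gate kind must be AND or OR")
        self.kind, self.children = kind, children

    def cut_sets(self):
        child_sets = [c.cut_sets() for c in self.children]
        if self.kind == "OR":
            sets = [s for cs in child_sets for s in cs]
        else:  # AND: union of one cut set per child, for every combination
            sets = [frozenset().union(*combo) for combo in product(*child_sets)]
        return minimal(sets)

    def occurs(self, state):
        results = (c.occurs(state) for c in self.children)
        return all(results) if self.kind == "AND" else any(results)


def minimal(sets):
    """Drop any cut set that strictly contains another; what remains are the
    minimal cut sets. Sorted for stable, readable output."""
    unique = set(sets)
    kept = [s for s in unique if not any(other < s for other in unique)]
    return sorted(kept, key=lambda s: (len(s), sorted(s)))


def rare_event_probability(cut_sets, probs):
    """Rare-event approximation: sum over minimal cut sets of the product of
    their basic-event probabilities. Slightly overestimates the exact value."""
    total = 0.0
    for cs in cut_sets:
        p = 1.0
        for name in cs:
            p *= probs[name]
        total += p
    return total


def exact_top_probability(tree, probs):
    """Exact top-event probability by enumerating every combination of basic
    event states; fine for the small trees used in an SRHA walkthrough."""
    names = sorted(probs)
    total = 0.0
    for states in product((False, True), repeat=len(names)):
        state = dict(zip(names, states))
        if tree.occurs(state):
            p = 1.0
            for n in names:
                p *= probs[n] if state[n] else 1.0 - probs[n]
            total += p
    return total


def fussell_vesely(cut_sets, probs):
    """Share of the top-event probability flowing through cut sets that contain
    each basic event. High values mark the items whose requirements, design
    features or procedures must be treated as safety critical."""
    top = rare_event_probability(cut_sets, probs)
    names = {n for cs in cut_sets for n in cs}
    return {
        n: rare_event_probability([cs for cs in cut_sets if n in cs], probs) / top
        for n in names
    }


# Constructed illustration (not the paper's tree): the pump is damaged if an
# overpressure demand (OP) occurs AND protection fails; protection fails if the
# relief valve sticks (RV) OR the pressure sensor (PS) and controller (CTL)
# both fail to trip. Probabilities are assumed per-mission values.
PUMP_DAMAGE = Gate(
    "AND", Event("OP"), Gate("OR", Event("RV"), Gate("AND", Event("PS"), Event("CTL")))
)
PUMP_PROBS = {"OP": 0.05, "RV": 0.01, "PS": 0.02, "CTL": 0.01}


if __name__ == "__main__":
    mcs = PUMP_DAMAGE.cut_sets()
    print("minimal cut sets:", [sorted(cs) for cs in mcs])
    print("rare-event P(top):", rare_event_probability(mcs, PUMP_PROBS))
    print("exact P(top):     ", exact_top_probability(PUMP_DAMAGE, PUMP_PROBS))
    for name, fv in sorted(fussell_vesely(mcs, PUMP_PROBS).items(), key=lambda kv: -kv[1]):
        print(f"{name:4} FV importance {fv:.3f}")
```

The two minimal cut sets, {OP, RV} and {OP, PS, CTL}, are exactly the combinations the Rainey abstract wants surfaced and tracked: every item in a low-order cut set is a candidate for a safety-critical requirement, and the importance ranking shows that the relief valve dominates while the sensor/controller path contributes about two percent.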

Are We Ready for Driverless Cars?
David B. West, CSP, PE, CHMM, AMCOM/AMRDEC Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
For decades, technological advancements have continually improved the automobile, making it easier to drive. As we integrate features like adaptive cruise control, GPS navigation, lane keeping and so on, and make them interoperable, we move ever closer to having cars that will drive themselves to the destinations we enter into their programs. Some experts have even predicted that in less than a generation it will be illegal to steer our cars ourselves. Though it may seem that serious safety challenges constrain our movement down this path, it may actually be the safety benefits offered by driverless cars that propel us in this direction. Several high-profile competitions have fostered the development of driverless car technology. Some jurisdictions are already passing legislation to pave the way for driverless cars on public roads. With driverless cars will come major changes in legal processes involving accidents. In many ways, the development of driverless cars that will operate on public roadways parallels the development of unpiloted aircraft that will fly in the national airspace. Design standards for hardware and software in civil aircraft (e.g., RTCA DO-254/DO-178) may serve as models for similar qualification of driverless car hardware and software.

tuEsday 081313 aM BErklEy hazardrisk ManagEMEnt Chair parizo

Safety is not an Option
Clifford A. Parizo, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Stratford, CT, USA; R. Brandon Daugherty, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Huntsville, AL, USA
This paper presents a method for evaluating and classifying rotorcraft safety enhancing equipment in terms of impact on safety and various equipment implementation factors. Guidance from certifying agency policy and system safety standard practice were considered, resulting in a classification tool that can be used to determine if equipment should be marketed and sold as either mandatory or optional. The methodology developed may have applications for other products and industries.

National Aerospace Standard 411 Update
Timothy Sheehan, CIH, CSP, PE, Raytheon Global Substances Program, Raytheon, Portsmouth, RI, USA
This paper describes the effort to review and update National Aerospace Standard 411 ("NAS 411"), commonly used within defense as a framework to conduct Hazardous Material Management Programs (HMMP) intended to reduce hazardous material risks in the government procurement of military systems. The scope of the effort includes both a review of the standard and the introduction of several key changes, including the expansion of the scope to non-military procurements and service contracts. Included in the effort is the task of developing a standardized military Hazardous Materials Target List (HMTL) that can be used as a starting point for military HMMP hazardous material (HAZMAT) target lists. The development of the common HMTL addresses the need to increase standardization of HMMP lists across defense programs that use NAS 411 and/or MIL-STD-882E Task 108 to conduct their HMMPs. There is no current standard approach for developing these lists; as a result, there are numerous different materials identified for restrictions and reporting requirements. The current situation often does not support (or reflect) the hazmat risk management goals of the DoD, the military services or the contractors.

Linear Integrated Safety Analyses (LISA)
Michael T. Grant, Aviation & Product Safety, Sikorsky Aircraft Corp., Stratford, CT, USA; Samad Muhammad, Atlantic Software Technologies Inc., New York, NY, USA
This paper describes the Linear Integrated Safety Analyses (LISA) process developed by the Sikorsky Aircraft Corporation (Sikorsky). The LISA architecture is designed to encompass all aspects of safety risk management for aircraft development programs. It is linear in that each assessment is repeated at the aircraft, system and subsystem levels in sequence, and it is integrated such that all analyses are connected and fully traceable to requirements. Sikorsky has partnered with Atlantic Software Technologies (AST) to develop a web-based LISA application. The end product will be a fully integrated system safety process that is comprehensive, repeatable and traceable.

Tuesday 08/13/13 AM, Clarendon: Workspace Safety (Chair: Kondreck)

Program ISSC 2013

Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen
Han Zhang, MSc Candidate; Rachel McQueen, MS, PhD; Jane Batcheller, PhD; Human Ecology, University of Alberta, Edmonton, Alberta, Canada
Burn injuries in kitchens are prevalent; as well, chefs are exposed to high heat and humidity. Limited research has been performed on safety issues related to chef's uniforms regarding thermal protective performance towards common kitchen thermal hazards (i.e., flames, hot liquids, steam and hot surfaces) and the thermal comfort within commercial kitchens. The purpose of this research was to characterize the thermal protective performance properties of textiles used in chef's uniforms in order to understand how protective they are against all these thermal hazards in such an environment. Selected thermal performance tests (i.e., flammability and ease of ignition, hot water and oil splash, steam testing under low pressure, and hot surface contact tests) were applied to predict the time to second-degree burn. Different fabric layer combinations (e.g., impermeable/semipermeable apron and two or more layers of cotton fabrics) were applied to determine the most effective way to wear chef's uniforms. In addition, thermal and water vapour resistance were compared among different fabric systems in terms of thermal comfort. Based on the data obtained from bench scale tests, recommendations were made to improve the thermal protection and thermal comfort of fabrics used in chef's uniforms and the safety within commercial kitchens.

A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources
Ray Fischer (1); Kurt Yankaskas, BS (2); Chris Page (1); (1) Noise Control Engineering Inc., Billerica, MA, USA; (2) Warfighter Performance Department, Office of Naval Research, Arlington, VA, USA
Noise remains the most prevalent occupational hazard associated with defense systems and operations critical to their sustainment. Concurrently, acquisition programs have been inconsistent in application of control measures, and many new systems are noisier than their legacy predecessors. Common impediments to improved control include relative lack of emphasis on risk management of noise, lack of widespread technical knowledge regarding the feasibility of noise control, and misunderstanding of potential return on investment from noise controls. The Defense Safety Oversight Council's Acquisition and Technology Task Force sponsored a project to identify common noise sources affecting multiple defense systems that were amenable to control measures that could be implemented using existing technologies at an affordable cost. A system engineering risk management process was applied to review key noise sources in DOD, identify nine of the more common sources amenable to control technologies, and describe common control measures for these processes. An affordable containment (acoustic enclosure) technology was also evaluated and described. Estimates were made of exposed populations, the range of their occupational exposures, and potential risk and fiscal cost of hearing loss. Cost-benefit analyses were applied to evaluate the return on investment from available control measures.

System Safety Design for Safe Operation of Radars
Ronald J. Bartos, PE, CSP, Whole Life Engineering, Raytheon, Sudbury, MA, USA
Safe operation and maintenance of radars depends upon effective system safety and software safety analyses of radar designs. These analyses include identification of the hazards involved in operating and maintaining radars and the safety requirements that are necessary to mitigate these hazards. This paper familiarizes the reader with the system safety design requirements that are implemented in the controls of these systems in order to manage the potential safety risks inherent in radars. The safety features are contrasted among different types of radars. The differences in the types of safety features among these systems are highlighted, and factors for these differences are presented. The radar's mission, location, system architecture, conceptual design, and requirements allocation between hardware and software need to be understood in order to implement an effective safety program.

Tuesday 08/13/13 PM, Berkeley: Software Engineering (Chair: Mikula)

Dependability Techniques Applied to Space Software - A Research Project Report
Carlos Henrique Netto Lahoz, Dr. Eng., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos (SP), Brazil; Martha Adriana Dias Abdala, MS, Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos, Brazil
This work reports some results of a research project performed at the Institute of Aeronautics and Space (IAE), Brazil, using dependability techniques applied to a space computer system. Hazard analysis techniques such as Software FTA and Software FMECA were used in an integrated manner, and more recently the System-Theoretic Process Analysis (STPA) has been studied. This research is part of the Verification and Validation (V&V) efforts to increase software dependability capability in software projects at IAE.

The feasibility of such an approach was conducted on system software specification and applied to a case study based on the Brazilian Launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to inclusion of new functional and non-functional system software.

The techniques are adjusted and used in combination to identify common causes of software failures, their criticality, performance problems, temporal misleading, and hazards arising mainly from dysfunctional interactions between components. The SFTA analysis produced 82 basic events and the SFMECA 34 analyses from the sequence of flight and control events. The STPA is being applied to one of the case study scenarios in order to evaluate possible additional information about how the behavioural safety constraints can be violated.

The Principles of Software Safety Assurance
Richard Hawkins, PhD; Ibrahim Habli, PhD; Tim Kelly, PhD; Department of Computer Science, University of York, York, United Kingdom
We present common principles of software safety assurance that can be observed from software safety standards and best practice. These principles are constant across domains and across projects and can be regarded as the immutable core of any software safety justification. The principles also help maintain understanding of the 'big picture' of software safety issues whilst examining and negotiating the detail of individual standards, and provide a reference model for cross-sector certification.


Formal Modelling in the Development of Dependable Systems
Elena Troubitsyna, PhD, IT, Åbo Akademi University, Turku, Finland
Nowadays we tend to place increasing reliance on computer-based systems and the software which they are running. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, the analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.

It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing of software to the required degree of dependability infeasible, and hence the emphasis should be put on the development process, which is aimed at producing fault free software. Moreover, the system environment has a direct impact on its dependability, and hence a systems approach should be applied.

In the paper we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.

Tuesday 08/13/13 PM, Clarendon: Aerospace Safety (Chair: Kraemer)

Systems-Based Approach to Flight Safety Management in Airlines
Hong Chi, PhD; Baoguang Xu, PhD; Mingliang Qi, PhD; Xueyan Shao, PhD; Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China
Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of SMS. From 2006 we have worked with one of China's 3 big airlines, taking part in its construction of SMS. We find that safety risks have their own features in different airline departments and divide safety risks into two categories: one is caused by factors such as quality of pilots and reliability of airplanes, and the other is caused by misprocessing through operational processes; for example, a misprocessing in data entry during dispatching may lead to insufficient fuel and then serious outcomes. A reasonable risk assessment can be obtained only by systematic mechanism analysis, and other analytical approaches need to be studied besides the risk matrix. Based on this, effective risk mitigation can be implemented in airlines. We develop a closed loop to support airline flight safety management named "Describing-Assessing-Diagnosing-Improving-Tracking". Specific details will be discussed in this paper.

Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch
Burak Durmaz, MSc Eng., Product Assurance Department, Space Systems Group, Turkish Aerospace Industries Inc. (TAI), Ankara, Turkey
Even if the new generation aircraft have rugged designs which are maximizing reliability, exposure to failures during operation is still indispensable. With a pure safety approach one can lead to the classical result "the safest aircraft is the one in the hangar". Vice versa, allowing dispatch without ensuring a certain level of safety can lead to catastrophic results and is totally not acceptable. The MMEL has been answering this dilemma for many years. Each MMEL item is analyzed taking into account the effects of item inoperability on safe flight and landing, crew workload, functional capabilities of the systems, design margins and the impacts due to the next critical failure. The MMEL proposes dispatch criteria for any inoperative MMEL item by taking credit from a redundant unit which is capable of accomplishing the same function, the backup data provided by alternative sources or equipment, dictating acceptable limitations and/or requiring operational or maintenance procedures.

This study aims to answer questions such as why an MMEL is required and how an MMEL is developed. Also, brief information about the MMEL regulations, the importance of the MMEL to ensure safe dispatch with inoperative item(s), and some simple examples regarding MMEL applications are going to be provided.


Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics
Stuart Campbell Sr., MAS, CFII, ATP, Aeronautical Science, Embry Riddle Aeronautical University, Daytona Beach, FL, USA
The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilot Association, 2010). The absence of a positive safety culture in general aviation, to include training organizations, affects pilot judgment and decision making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture during the learning process and training, is of importance and currently under study using the Frasca Mentor Advance Aviation Training Device.

Tuesday 08/13/13 PM, Dartmouth: Software Safety (Chair: Schmedake)

Safety and/vs. Security: Towards a System Engineering Approach for Trust
Erwin Schoitsch, Dipl.-Ing., Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria
Safety has a long tradition in many engineering disciplines, evolving long before computers arrived on the scene. Security in engineering disciplines has a shorter history, becoming increasingly important with the rising complexity of networked systems. In complex cyber-physical systems and systems-of-systems, both worlds, having ignored each other for a long time (independent communities, different targets, standards, techniques and measures), now have to share their concerns to achieve the real goal of users and stakeholders: trustworthy systems.

The paper will compare the different approaches of the major safety and security standards, particularly with respect to setting goals, considering techniques and measures, and qualification/certification. Holistic system aspects as covered by the notion of Dependability and Resilience as umbrella terms, and system engineering aspects taking into account dichotomic properties of complex embedded systems (commonalities and trade-offs), are looked at to try to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from concept phase, hazard and risk analysis to decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC-FP7 Integrated Project OpenCoss, in IEC/ISO standardization groups, and other work.

Anatomy of a Safety Critical Software Function
Richard Church, Raytheon Company, Tewksbury, Massachusetts, USA
This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides clear and concise determination of how a safety critical function may be defined at the system level to include hardware, software, human interactions and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose SLSCF computing level functions and detail what constitutes a Safety Critical Computing Software Function (SCCSF) and how to identify those behavioral attributes that designate that function as safety critical. This paper provides a methodology to identify, decompose and categorize application and operating environment SCCSFs. For the purpose of this paper, SCCSFs are categorized into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety critical software functions that control and monitor safety critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies and fail-safe designs found in successful high consequence safety critical systems.

Software Risk: The Third Rail of Safety Analysis
Holly S. Hildreth, PhD, Consultant; Charles Greg Elcock, USN-R Aviator, Consultant; San Diego, CA, USA
"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Due to our inability to assess probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called "throwing the baby out with the bath water". Meanwhile, the recent industry trend to assess software risk based solely on implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss shortcomings of this trend and describe alternative techniques that have not been openly documented but that have been used "under the radar" by software safety professionals for many years.

Wednesday 08/14/13 AM, Berkeley: Human Factors (Chair: Robins)

ASL - Affective Safety Leadership
Ulrik Ramsing, Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark
Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how", demanding the CoRep to engage with all parties in a safe, professional and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged with CfL, Centre for Leadership, to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, of which the satisfactory completion is now a requirement for employment in DONG E&P Offshore Operation as Company Representative.

The CoRep Program satisfies its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors and ILO-driven offshore coaching.

Exxon Valdez: Human Error, Plain and Simple
Arthur D. Barondes, BS (Mil. Engr.), MS (Aero), MBA, PhD (ABD) (Business), Analytics International Corporation (AIC), Alexandria, VA, USA
Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989, and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors (there were no mechanical or electrical failures that fateful night), the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots, and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors, onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company, as solely responsible for the disaster.


Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A. Vernacchia, MS, PE, Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A. Green, PhD, Active Safety Systems, General Motors, Warren, MI, USA; Robert E. Llaneras, PhD, Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA
Today's electric propulsion system designs (e.g., Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, some failure modes may result in the failure effect on output torque being realized significantly faster than traditional ICE failure modes. These may present differences in how output torque responses impact potential "Driver Startle" events.

This paper compares electric propulsion systems' fault response characteristics and subsequent detection and mitigation capabilities to those of ICE systems. The effects of the electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle level hazard metrics related to Driver Startle, are presented.

Wednesday 08/14/13 AM, Clarendon: Public Safety (Chair: Fletcher)

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD; Yun Luo; Shuo Tian, MS; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
To make scientific precaution and effective control of accidents is important for the national production of China. The famous Heinrich Rule reveals that the statistical law of the severity and frequency of accidents is essential to control accidents, but the accidental source and causation, as well as the essence of systematic safety factors, haven't been stated deeply. With the data analysis from various accident statistics over recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. And then a proportion rule of the accident pyramid is further figured out, namely "Major Accident-Fatal Accidents-General Accidents-Hidden Dangers-Hazards" (1-52-240-4700-∞). The result accords with the traditional Heinrich Rule, which provides the theoretical basis for accident prevention and indicates the way and direction of realizing the essential safety.

Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity
Ilya M. Zheleznov, PhD, VNIIA, Moscow, Russia
The paper presents a review and results of analysis of different technical and economic aspects of industrial safety at a large enterprise with distributed sites, combining R&D works with pilot and batch production of high-tech products, and located in a megacity, Moscow.

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to the optimization, considering minimization of transportation of dangerous substances, localization of treatment facilities (waste effluents, gas purification) and storehouses of waste, localization of systems for working conditions maintenance (heating, air-conditioning, air clearing, water supply, etc.), possible harm to the population, and a number of other factors, both from technical and economic points of view, are considered.

The features connected with the arrangement of the enterprise in a megacity, including such as limitation of the areas for treatment facilities, a high saturation of the area by various communications, small distances to residential buildings and objects of the city infrastructure, transport problems, high impurity of the air environment, etc., are allocated.


Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr. Professor G.A. Smirnov; Dr. D.I. Yurkov; D.V. Syagin; T.V. Kozhina; All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia
The paper reviews the questions related to vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including ones of a terrorist orientation, as well as to emergency situations of natural and anthropogenic character.

Main provisions of the Russian Government approved complex program of safety of the population on transport are presented. Approaches to the organization of examination of physical persons, passengers, vehicles, cargoes, luggage and personal things on objects of the transport infrastructure of the undergrounds of Russia are formulated. Some types of neutron and X-ray equipment designed and produced by VNIIA named after N.L. Duhov for detection of explosives, nuclear materials and drugs are presented.

Wednesday 08/14/13 AM, Dartmouth: Lifecycle Safety (Chair: Swallom)

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore, Singapore
System Safety analyses assess the systems' hazards throughout all phases of the system life cycle. Quite often, details of maintenance tasks on systems were not clearly thought out and assessed. Hence, while in the midst of carrying out system maintenance tasks, hazards could arise and pose safety implications to users. Improper maintenance could also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance and sometimes total replacement of the components at regular intervals are required. Therefore, it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety critical or safety related parts is also crucial in ensuring that the systems remain safe for operation after conducting maintenance.

This paper attempts to classify the different types of maintenance and the focuses of their respective hazard analyses in order to better address their potential hazards. Generally, there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance and Reliability-Centered Maintenance. The authors will discuss, with examples, the hazard analysis for each of these types of maintenance.

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram; David Hartfelder; Electronic Controls and Software, General Motors Company, Milford, MI, USA
System safety engineering is the application of special technical methods and managerial processes in a systematic manner to identify, evaluate and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned with eliminating or minimizing the impact of system hazard(s) to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementing critical safety analyses, tests and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that it is able to influence the design of the system. This paper will define a system safety case and provide an overview of its development within the GM system safety engineering process as they apply to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA
Error Prevention Event Collection (EPEC) Documents have been beneficial to the ULA Organization in many ways by providing multiple methods to augment current ULA Error Prevention Processes and share Lessons Learned throughout the ULA Organization. EPEC Documents are stand alone documents that provide ULA Personnel with categorized sets of Event information that can be used to augment Preventive Analysis, Reactive Analysis and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process. This means that they have completed the Causal Analysis, Corrective Action Board and Error Prevention Council processes. Upon Event closure, the "All Items" Database is populated with Event information and the applicable Event EPEC Categories. Then the "All Items" Database automatically sorts Event entries into "Category" Databases. There is one "Category" Database for each EPEC Category. Each "Category" Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" Database that provides users with instructional use, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications and benefits will continue to be explored as they relate to the EPEC Documents.

Wednesday 08/14/13 AM, Exeter: Human Factors II, Chair: Flint

Development of Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu MPsy, Yanyan Wang DE, Xin Liu, Wei Bai, Xinsheng Guo, Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress has a disadvantageous effect on flight safety. Life events are a routine item of aircraft accident investigation in many countries, and a lot of pilots involved in accidents were suffering from life events. In order to acquire the ideal effect, flight safety education must be incorporated with psychology. An education program combining flight safety and psychological stress was developed by summarizing the psychological factors relative to aviation risk perception. The program includes three sections: psychological measurement relative to safety and results feedback, education on representative risk scenes in aviation, and occupational stress management. The Aviation Safety Locus of Control scale and the Hazardous Aviation Attitude questionnaire were used to evaluate risk pattern. The results were fed back to the pilots to improve their self-knowledge. Representative risk scenes were based on the five hazardous attitudes theory; fifteen cases were developed and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach the pilots stress management skills. The program can be applied to improve flight safety and the mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang MD, Xin Liu, Wei Bai, Xinsheng Guo, Qingfeng Liu MPsy, Xiaochao Guo DPsy, Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
The capabilities of crew resource management (CRM) directly relate to flight safety and run through the whole process of flight tasks, but there are currently no indicators or methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and the behavior characteristics of pilots in dynamic CRM were developed based on AC-121-FS-2011-41 (crew resource management training) and by analyzing the influential factors; from these, the dynamic assessment training indicators and methods of crew resource management were formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis of assessment of CRM during flight training, which is helpful for improving the CRM capabilities of the double drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar PE PhD, Erin Collins, Hughes Associates Inc, Baltimore, MD, USA
The fire protection response in selected facilities is characterized by "manual" activities. That is, facility personnel are trained to react immediately after fire detection, not only to announce the fire event throughout the facility using the communication systems but also to suppress the fire as quickly as possible. Contrary to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e., hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper involves an integration of event tree analysis and HRA, which includes treatment of the following detection and suppression activities: prompt detection and suppression, rapid detection and suppression, and fire brigade suppression.
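
The three manual opportunities the abstract names form a sequential event tree in which each branch is credited with a human action whose failure probability comes from HRA. The Python below is an added illustration, not code or data from the Joglar/Collins paper: the stage names follow the abstract, but the human error probabilities (HEPs) are constructed placeholders, and the importance measure is a standard partial-derivative sensitivity that the abstract does not describe.

```python
"""Event tree for manual fire detection and suppression (added example).

Each stage is one opportunity for personnel to stop the fire.  With
probability (1 - hep) the action succeeds and the sequence ends there;
with probability hep the fire passes to the next stage.  HEP values
below are constructed placeholders, not figures from the paper.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Stage:
    name: str    # manual action credited at this branch
    hep: float   # human error probability: P(action fails), 0 <= hep <= 1


def end_state_probabilities(stages: List[Stage]) -> Dict[str, float]:
    """Return P(end state | fire starts) for each stage's success branch
    plus the 'unsuppressed' sequence in which every stage fails."""
    probs: Dict[str, float] = {}
    p_alive = 1.0                     # fire still burning when this stage begins
    for stage in stages:
        if not 0.0 <= stage.hep <= 1.0:
            raise ValueError(f"HEP out of range for {stage.name!r}: {stage.hep}")
        probs[stage.name] = p_alive * (1.0 - stage.hep)   # stopped at this stage
        p_alive *= stage.hep                               # passed to the next one
    probs["unsuppressed"] = p_alive
    return probs


def unsuppressed_probability(stages: List[Stage]) -> float:
    """Probability that every credited human action fails."""
    return end_state_probabilities(stages)["unsuppressed"]


def hep_importance(stages: List[Stage]) -> Dict[str, float]:
    """Sensitivity of the unsuppressed probability to each stage's HEP:
    d P(unsuppressed) / d hep_i = product of the other stages' HEPs.
    The largest value marks the action whose reliability matters most
    for the end state, a natural first place to look for improvements."""
    result: Dict[str, float] = {}
    for i, stage in enumerate(stages):
        others = 1.0
        for j, other in enumerate(stages):
            if j != i:
                others *= other.hep
        result[stage.name] = others
    return result


# Constructed placeholder HEPs (not from the paper); real values come from
# an HRA method applied to the facility's procedures, cues and timing.
EXAMPLE_SEQUENCE = [
    Stage("Prompt detection and suppression", hep=0.10),
    Stage("Rapid detection and suppression", hep=0.20),
    Stage("Fire brigade suppression", hep=0.05),
]

if __name__ == "__main__":
    for name, p in end_state_probabilities(EXAMPLE_SEQUENCE).items():
        print(f"{name:40s} {p:.4f}")
    print("HEP importance:", hep_importance(EXAMPLE_SEQUENCE))
```

The end-state probabilities sum to one by construction, which is a useful self-check when the tree is extended with extra branches (for example a separate detection failure before each suppression attempt).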

Wednesday 08/14/13 PM, Berkeley: Safety Topics, Chair: Gauthier

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou BEng MSc PhD CEng, Matthew Luckcuck, Tim Kelly PhD, Richard W. Jones PhD, Department of Computer Science, University of York, York, United Kingdom
There has been an increasing use of IT in healthcare, aiming to improve the quality of healthcare as well as the safety delivered to patients. IT can contribute to meeting the performance targets of hospitals by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent in medical devices (e.g. pacemakers), for which there have been organised efforts towards international standards. Recently there have been attempts to systematise and standardise the safety analysis of health IT systems, with examples such as the UK National Health Service standards asking for a safety case showing that any IT system is safe.

The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety in data-intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these tactics can be used to provide assurance to the final safety case of the system.

How Complex Systems Fail - I: Decomposition of the Failure Histogram
Richard R. Zito PhD, Richard R. Zito Research LLC, Tucson, AZ, USA
Peterson and Arellano (2002) have shown in a seminal paper published in Reliability Review that, in general, the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model, and the failure histograms (failure rate vs. time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report will take the Peterson/Arellano analysis one step further. A unified theory of failure rates will be presented that removes the paradoxes of the simple Rayleigh model. It will be shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function law.
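
The decomposition described in this abstract can be checked numerically: a mixture of Rayleigh laws with different modes puts more failures into the tail than any single Rayleigh law matched to the same mean. The Python below is an added example, not code or data from the Zito paper; the three subsystem modes, their equal weights and the mean-matched comparison are constructed assumptions chosen to make the effect visible.

```python
"""Single Rayleigh failure law versus a mixture of Rayleigh laws (added example).

For a Rayleigh law with mode (scale) m:
    f(t) = (t / m^2) exp(-t^2 / (2 m^2))     failure rate (histogram density)
    S(t) = exp(-t^2 / (2 m^2))               fraction not yet failed
    mean = m * sqrt(pi / 2)
A system of several subsystems, each with its own Rayleigh mode, follows
the weighted mixture of the component laws.  The modes and weights below
are constructed, not data from the paper.
"""
import math
from typing import List, Tuple

Component = Tuple[float, float]   # (mode, weight); weights sum to 1


def rayleigh_density(t: float, mode: float) -> float:
    return (t / (mode * mode)) * math.exp(-t * t / (2.0 * mode * mode))


def rayleigh_survival(t: float, mode: float) -> float:
    return math.exp(-t * t / (2.0 * mode * mode))


def _check(components: List[Component]) -> None:
    if any(m <= 0 or w < 0 for m, w in components):
        raise ValueError("modes must be positive and weights non-negative")
    if abs(sum(w for _, w in components) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")


def mixture_density(t: float, components: List[Component]) -> float:
    _check(components)
    return sum(w * rayleigh_density(t, m) for m, w in components)


def mixture_survival(t: float, components: List[Component]) -> float:
    _check(components)
    return sum(w * rayleigh_survival(t, m) for m, w in components)


def mean_matched_mode(components: List[Component]) -> float:
    """Mode of the single Rayleigh law with the same mean as the mixture.
    Because mean = m * sqrt(pi/2) is linear in m, this is the weighted mode."""
    _check(components)
    return sum(w * m for m, w in components)


def tail_excess(t: float, components: List[Component]) -> float:
    """Ratio of the mixture failure density to the mean-matched single
    Rayleigh density at time t.  Values above 1 at large t are exactly the
    'tail failure rates higher than the Rayleigh model predicts' effect;
    values below 1 near the body are the mass that moved into the tail."""
    return mixture_density(t, components) / rayleigh_density(t, mean_matched_mode(components))


# Constructed example: three subsystems whose Rayleigh modes are spread
# over roughly a decade, equally weighted.
EXAMPLE_COMPONENTS: List[Component] = [(0.5, 1 / 3), (1.0, 1 / 3), (2.0, 1 / 3)]

if __name__ == "__main__":
    m = mean_matched_mode(EXAMPLE_COMPONENTS)
    print(f"mean-matched single mode: {m:.4f}")
    for t in (0.5, 1.0, 2.0, 3.0, 5.0):
        print(f"t={t:3.1f}  mixture f={mixture_density(t, EXAMPLE_COMPONENTS):.5f}"
              f"  single f={rayleigh_density(t, m):.5f}"
              f"  ratio={tail_excess(t, EXAMPLE_COMPONENTS):.2f}")
```

Running the block shows the ratio dipping below one around the body of the distribution and climbing steeply past it, which is why a single Rayleigh fitted to the bulk of a histogram under-predicts the late failures.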

Wednesday 08/14/13 PM, Clarendon: Risk Assessment, Chair: Karedes

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt, Joan Pham PhD, Sikorsky Aircraft Corporation, Stratford, Connecticut, USA
The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday 08/15/13 AM, Berkeley: Space Systems, Chair: Durmaz

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X. Dang BSCE (1), Myles P. Moran BSME (2), Tyrone Jackson BSEE (1); (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA
A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. An example: one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 AFSPCSUP1, 91-217 and 63-101. AF program offices are required to comply with AFI policies; AFIs don't generally apply to the contractor except as implemented through the contract. Often, program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that by having two sets of requirements, AFIs for program offices and MIL-STD-882-Tailored for contractors, full compliance with AF Orbital Safety policy should be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"

Program ISSC 2013

Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G. McDougall, BS Physics, Naval Post-Graduate School (NPS) Master System Engineering, System Safety Center SMC/SE, El Segundo, CA, USA; Tyrone Jackson BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA
Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommissioning and disposal of systems, subsystems, end items and services during the entire space system lifecycle to support Operational Safety, Suitability and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements that are applicable to the acquisition of space systems or space systems of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems and user equipment systems. SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP_I and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process for evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing the tasks and activities required to execute a viable system safety program, including risk acceptance package development, hazard tracking, mishap risk disposition and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch, CO, USA
United Launch Alliance launches Atlas V and Delta IV from the Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles, and large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle and prelaunch operations, until liftoff. Range Safety regulations provide safety requirements for hardware, software and operations to ensure safety throughout ground processing. This paper will examine each stage of the ground processing for space launch and the applicable safety requirements, and discuss how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after personnel are cleared, using safety-critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday 08/15/13 AM, Clarendon: Weapons Safety, Chair: Southwick

Security Critical Software: the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S. Alborzi PhD, Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA
Today's political landscape, the arbitrary abandonment of nuclear non-proliferation by several rogue member nations and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense of system safety. This paper intends to explore this integration and unveil some of the security critical software that can serve as the first line of defense for preserving the safety critical features of our weapons systems.

Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello BSChE, Navy NOSSA, Indian Head, MD, USA
The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance provided in the associated AOP-7 and AOP-39 for implementing policy. Questions are often raised during program development and reviews as to the origin and applicability of the tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, will only address Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham MS SE, Gunendran Sivapragasam MBA SE, Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA
A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among the characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday 08/15/13 AM, Dartmouth: Hazard Identification, Chair: Oliver

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore
We often ask ourselves why accidents or mishaps happened even when the system safety methodology and assessments were in place. Accidents happen due to many possible causes: there could be lapses in the safety integrity of the system, or a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns in how a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations that were faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practices in system safety. There are four areas of concern highlighted in the paper: Interfaces, Prototype Tests & Trials, Maintenance & Disposal, and Human Error. By identifying the gaps in these four areas, the author explores and proposes mitigation measures that could possibly close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr. Cand. scient., System Safety, SINTEF, Trondheim, Norway
Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body for certification according to IEC 61508, a Notified Body for certification according to relevant EU directives, and a Manufacturer.

Experience has shown that, to deliver the product in time and to be cost-effective, it is very important that the Manufacturer and the Certification and Notified Bodies agree about basic principles concerning the plans, contents, traceability and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Bodies as evidence.

This paper presents the CoVeR method that has been developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, that costs are minimized, that time to market is reduced, that the certification process is complete and well documented, and that updates of the certificates require less work. The certification experiences to date show that many of the problems with conventional methods are improved.

Design with Safety Eye
Barış Berk Erdem MS, Pinar Aydin MS, Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey
Deriving safety requirements in the early stages of the design is one of the most important key factors in conducting a successful development process for any project. Just as well-defined, correct, consistent and complete safety requirements improve and guide the design to perfect levels with minimum effort, defective, inconsistent and incorrect safety requirements may lead to unsuccessful, overweight and over-cost designs. In this paper, ways of deriving qualified safety requirements in the early stages of the design, and the advantages of doing so, will be discussed via examples. Safety requirements are derived using the results of the safety assessments, based on the consequences of functional failures. But the quality of safety assessments depends on the maturity of the design, and as the design matures it is hard to change and implement the changes, which causes a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated and familiar with similar projects provides great contributions. Also, a safety perspective throughout the design team makes it easy to derive valuable safety requirements and build these requirements into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is the cooperation of the whole design team with a safety perspective.

Thursday 08/15/13 PM, Berkeley: Aerospace Software, Chair: Beecher

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway, NASA Langley Research Center, Hampton, VA, USA
For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements". Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments, contained in or implied by the DO-178C guidance, that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore, developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results and claims to have met timing-related software safety requirements. In this paper we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels and Baconian probability. We define use cases for confidence in safety cases: prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for reuse of safety elements.

Initial Safety Analysis for Integration of Unmanned Aerial Systems into the National Airspace System
Eric Yang PhD, Richard Y. Xie PhD, Arash Yousefi PhD, Metron Aviation Inc, Dulles, VA, USA
As demand for military, civilian and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety that is set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper we adapt a previously developed safety modeling framework, the Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS, incompatibility of sense-and-avoid systems of UAS and Tactical Collision Avoidance Systems (TCAS) of manned aircraft, loss-link procedures in the UAS, and UAS loss of communication with air traffic control. The findings of this study provide insight into potential risks of UAS integration and may support development of concepts of operation, establishing minimum performance standards and developing required safety nets.

Thursday 08/15/13 PM, Clarendon: Public Safety II, Chair: Laabs

Integrating System Safety and Emergency Management
Terry L. Hardy, Great Circle Analytics LLC, Denver, CO, USA
System safety is an engineering and management discipline used to analyze hazards, evaluate risk and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to and recover from an incident that threatens life, property, operations or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS, HSE, Marine Well Containment Company, Houston, TX, USA
Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess and Statoil. In February 2011 MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS and its Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach for working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.

WHAT ARE YOUR STRENGTHS AS AN ENGINEER?

"thinking system-wide" "providing in-depth analysis of the latest technologies" "solving real-life problems"

ONLINE MASTER'S DEGREES

- RELIABILITY ENGINEERING
- PROJECT MANAGEMENT
- NUCLEAR ENGINEERING
- SUSTAINABLE ENERGY
- ENERGETIC CONCEPTS
- FIRE PROTECTION ENGINEERING

LEARN MORE: www.advancedengineering.edu/issc

A Taxonomic Analysis of Chinese Special Equipment "Yinhuan" in Supervision
Yunxiao Fan Dr., Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety on worksites. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices and automobiles. In recent years the rapid increase in the number and types of special equipment has put BSES under increasing stress in special equipment regulation. As a government supervision organization, BSES tries to make the inspection tasks of the different supervision levels explicit and efficient, and to improve safety management performance from the viewpoint of risk. This research is the first task in the project, which aims to identify yinhuans in special equipment supervision using a taxonomic approach, for further ranking through risk assessment. Based on nonconformity and the 4 elements in the accident causation model, this research defined yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. This research identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans of 8 types of special equipment.

Thursday 08/15/13 PM, Dartmouth: Hazard/Risk Management II, Chair: Kniess

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander MSc (1), Patrick J. Graydon PhD (2), Rikard Land PhD (1); (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework including analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence, it can ease the burden of re-checking the safety argument as it (and the system) change.

Isograph Software: World Leading Reliability, Availability and Maintenance Software
Reliability Workbench: Reliability Allocation, Prediction, FMECA, Fault Tree Analysis, Event Tree Analysis, Markov
Availability Workbench: Reduce Labor & Spares Costs, Increase uptime and output, Seamless integration with SAP and Maximo
www.isograph-software.com

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA
United Launch Alliance (ULA) believes error reporting is the cornerstone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012 ULA experienced an elevated number of transportation-related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if the associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates processes were "in control" during the period of this study.

Even though statistical analysis tools demonstrated ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, PEng, MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece.
Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how STAMP-Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents and incidents. The objective is to show the feasibility of establishing, in airports, system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems and airports to assess and predict changing levels of risk.


Special Functions

Saturday: SSS Executive Council Meeting, 12:00 - 5:00 pm, Tremont Room

Sunday: SSS Executive Council Meeting, 8:00 am - 5:00 pm, Tremont Room

Monday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
Opening Ceremonies / General Session, 1:30 - 3:30 am, Salons A-E. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus. Keynote Speaker: James P. Keller Jr., MS, ECRI Institute

Tuesday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
Sponsor/Exhibitor Luncheon, 11:30 am - 1:20 pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology
Sponsor & Exhibitor Reception, 6:30 - 8:30 pm, Gloucester Room

Wednesday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
International Luncheon, 11:30 am - 1:20 pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK
Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00 pm. Be in the hotel lobby at 6:00 pm.

Thursday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
Awards Luncheon, 11:30 - 1:20 pm, Salons A-E

Friday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
Best Papers Presentations, 8:00 - 11:20 am, Dartmouth Room


32nd International System Safety Conference, 4-8 August 2014 · St. Louis, MO
St. Louis Union Station Marriott Hotel

[Logo: 32nd International System Safety Conference, St. Louis, Missouri · August 4-8, 2014. Gateway to Safety]

Local attractions
• Gateway Arch Riverfront
• Missouri History Museum
• Museum of Transportation
• St. Louis Cardinals
• St. Louis Symphony
• St. Louis Union Station
• St. Louis Science Center
• The Contemporary Art Museum St. Louis
• Bissell Mansion Restaurant and Dinner Theater
• Missouri Botanical Gardens
• Laumeier Sculpture Park
• Anheuser-Busch Brewery
• Kemp Auto Museum
• Schlafly Bottleworks
• Fox Theater
• Purina Farms
• Meramec Caverns
• Laclede's Landing
• City Museum
• Magic House
• Grant's Farm
• St. Louis Zoo
• Delmar Loop
• Forest Park
• Harrah's
• Six Flags


About the System Safety Society
The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program or activity at the planning phase and continues through the design, production, testing, use and disposal phases.

The Society's Objectives
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070. www.system-safety.org. Email: systemsafetysystem-safetyorg

Points of Contact

Officers
Robert Schmedake, President: robertaschmedakeboeingcom
Dr. Rod Simmons, Executive Vice President: rodsimmonsmecom
Dr. Matt Johnson, Executive Secretary: mjohnsonstaudertechcom
Pam Kniess, Treasurer: pamkniessgmailcom
Gary Braman, Immediate Past President: gbramansikorskycom

Directors
Gerry Einarsson, Chapter Services: einargkrogerscom
Lynece Pfledderer, Conferences: Lynecepfleddererlmcocom
Dr. Chuck Muniak, Education & Professional Development: cmuniakstevensedu
Debbie Hale, Gov. & Intersociety: Hale0324hotmailcom
Robert Fletcher, International Development: rwfletchersympaticoca
Melissa Emery, Member Services: memeryapt-researchcom
Steve Mattern, Mentoring / R&D: smatternbastiontechnologiescom
Saralyn Dwyer, Publicity & Media: sdwyerapt-researchcom


Chapters
Tennessee Valley Chapter (AL): Don Swallom, swallomisss-tvcorg
Saguaro Chapter (AZ): Amanda Boysun, 520-794-5487, AmandaBoysunraytheoncom
Bay Area Chapter (CA): Graham Murray, 408-756-2674, grahamtmurraylmcocom
Central California Chapter (CA): Kathleen Brenna, KathleenBrenna1usafmil
Sierra High Desert Chapter (CA): Jerry Banister, 760-377-4690, safetycitadelearthlinknet
Southern California Chapter (CA): Francis McDougall, 310-653-1309, francismcdougallusafmil
Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppecomcastnet
Georgia Chapter: Terry Gooch, 770-494-3527, terryjgoochgmailcom
Winners Circle Chapter (KY/IN): Marc Bever, 812-854-1351, Marcbevernavymil
Twin Cities Chapter (MN): Bill Blake, 763-744-5086, billblakeatkcom
New England Chapter: Alan E. Southwick, 401-842-2067, Alan_E_Southwickraytheoncom
Northeast Chapter: Scott Beecher, scottbeecherPWutccom
New Mexico Chapter (NM): William (Bill) Harwood, williamharwoodmdamil
Houston Chapter (TX): Derek Robins, 281-335-2011, derekrobbinsmwcc-usacom
North Texas Chapter (TX): Frank Rinaldo, 817-762-3075, frankrrinaldolmcocom
Washington DC Chapter: Sean Peters, seanpetersurscom
Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerberbaesystemscom

International Chapters
Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbechtrgbassurancecomau
Canada Chapter: Maury Hill, 613-220-0533, Mauryhillrogerscom
Israel Chapter: Haim Kuper, 972-4-8315044, haimkuperelbitsystemscom
Singapore Chapter: Ten Lin Mei, tlinmeidsoorgsg


31st ISSC Luncheon Menu

Tuesday, August 13
New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14
Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15
Caesar Salad
Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce
White Chocolate and Blood Orange Torte


Wednesday 08·14·13, 1:30-3:30, Exeter, Tutorial, 0.2 CEU

Where Hard Meets SOFT: Human Factors' Role in System Safety Engineering
Instructors: Fred W. Brisbois, CHCM, Safety, Sikorsky Aircraft / International Helicopter Safety Team, Guilford, CT, USA.
The gap that allows accidents to happen is sometimes where System Safety Engineering and Human Factors don't overlap. System Safety Engineering processes, defined in MIL-STD-882 and ARP 4761, provide a structured approach of applying engineering practices to ensure safety is designed into products. These practices, coupled with robust product safety surveillance and management during the aircraft's service life, offer opportunities to continuously raise the standards for future designs. However, to maximize the benefits of safety engineering, it is important to master the 'art' of how and when to integrate human factor interventions into the system design. This session will cover a generic overview of system safety engineering, aircraft fleet safety management and lessons learned from 'human' malfunctions that led to aircraft system design changes.

Wednesday 08·14·13, 1:30-5:00, Wellesley, Tutorial, 0.3 CEU

Using Risk Profiles for Safety Management of Large Scale Operations
Instructors: Ronald E. Fitzgerald, DPA, PE, CSP, Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA.
This tutorial provides safety and health professionals who work with large-scale or multiple operations with a methodology to evaluate and compare these operations. The tutorial begins with a review of four types of risk which need to be assessed (People, Product, Production and Planet). This is followed by a brief discussion of normalizing the risk components of severity and probability. The heart of the tutorial is the description of how to measure the total risk of various operations, processes and facilities and present the resulting risk profiles to management. The tutorial will conclude with a brief discussion on the validity of the methodology used. Note: This is not a discussion on how to determine true total risk, but a simplified method using a minimum of math. The tutorial is designed for safety and health professionals working within a company that has multiple processes or facilities that compete for funding to ameliorate hazards.

Thursday 08·15·13, 8:00-5:00, Exeter, Tutorial, 0.6 CEU

Conceive of Modeling On Operation Mechanism of Public Safety Standardization
Instructors: Yun Luo and Yuecheng Huang, ME, School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China.
On the basis of theories and methods of system science and strategy systems, this paper reveals the operating laws of work safety standardization and the relations between all its elements, combined with the background and current situation of public safety standardization in China. It also builds the framework of a macroscopic operating mechanism and the "456" model of the work safety standardization system operation mechanism, which borrows from the execution and achievements of work safety standardization in our country. In addition, it designs six further mechanism models to support systematic analysis and present optimized countermeasures, such as comprehensive management by government, categorized supervision by departments, implementation of responsibility by organizations, technological service by agencies, wide participation by society, and self-disciplined prodding by all personnel. The research provides theoretical direction as well as approaches for constructing and improving the operational quality of public safety standardization.


Panel Discussions / Forums

Tuesday 08·13·13, 8:00-11:30, Dartmouth, Open Forum

Developing Global System Safety Perspectives
Moderator: Robert Ward Fletcher, PEng, MSc, PMP, PCIP, Consultant / President, Robert Fletcher System Safety Inc., Ottawa, Ontario, Canada.
This will be a free-form discussion moderated by Bob Fletcher, SSS Director of International Development. It is a continuation of the discussion started during the 30th ISSC.

Robert is a system safety engineer with many years of experience. He has performed system safety consultancy work for several clients around the world. He has performed system safety engineering and safety management systems training, auditing and analysis for air traffic control and flight service system applications. Robert has received an MSc from the United States Navy Post Graduate School, a diploma from the Aerospace Systems School, Winnipeg, Manitoba, and a Bachelor of Science degree from the Royal Military College. He is a registered professional engineer and a member of the Project Management Institute and the Critical Infrastructure Institute.

Thursday 08·15·13, 8:00-11:30, Suffolk, Panel

G-48 Workshop - Pressing Issues Facing System Safety
Moderator: David B. West, CSP, PE, CHMM, Systems, Software and Solutions Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA.
A panel of speakers (TBD) will give a series of presentations on the most pressing issues facing the System Safety community today.

Workshops

Tuesday 08·13·13, 8:00-11:30, Exeter, Workshop

ISO 26262-Style Risk Assessment
Presenter: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada.
ISO 26262 is a functional safety standard for electronic control systems in road vehicles which includes a novel approach to risk assessment that overcomes the widely recognized difficulty of evaluating the likelihood of failure in the case of software-intensive systems. Although it was devised for use in the automotive domain, this approach to risk assessment has been used successfully in other technical domains that also rely on safety-critical software. Following a brief introduction to ISO 26262, participants will engage in a series of problem-solving small-group exercises based on examples taken from a variety of technical domains, including automotive, medical devices, energy and defense. The workshop will include opportunities for discussion and comparison of sample solutions. The workshop will also include a brief comparison of the ISO 26262 approach to risk assessment with the notion of software criticality in MIL-STD-882E. While this workshop will be of particular interest to system safety engineers in the automotive industry, it is intended to be relevant to system safety engineers across all technical domains with an interest in the assessment of safety risk associated with complex software-intensive systems.


Tuesday 08·13·13, 1:30-5:00, Exeter, Workshop

Application of System Safety Methods to Systems of Systems
Presenters: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada; Rami Debouk, Electrical and Controls Integration Lab, General Motors, Warren, MI, USA; Antonio Vergara, ITER Organization, St. Paul-lez-Durance, France.
This workshop will facilitate an exchange of knowledge among participants about the application of system safety methods to Systems of Systems (SoS), that is, systems whose components are themselves complex systems, such that the combined behavior of these components cannot be easily understood or explained in terms of the behaviors of the individual components. Examples of such systems are increasingly common across a variety of technological domains, including aerospace, defense, automotive and energy generation/distribution. Traditional methods of system safety, focused on component failure as a source of safety risk, have limited value in understanding and managing the safety risks associated with a SoS. For example, an unforeseen interaction between two "correct" behaviors implemented by different components of a SoS may result in an unsafe behavior even in the absence of a component failure. The first part of the workshop will be a series of short presentations on SoS examples from a diverse variety of technical domains, namely advanced road vehicles, high energy physics and aerospace/defense. The second part of the workshop will be an opportunity for all participants to address specific questions about the application of system safety methods to SoS through dialogue and impromptu mini-presentations.

Tuesday 08·13·13, 1:30-5:00, Fairfield, Workshop

Advancing Safety By Reducing Errors: A Fresh Approach
Presenter: Tim Autrey, BSc, Error Reduction and Human Performance Enhancement, Practicing Perfection Institute Inc., Swanzey, NH, USA.
Potential hazards workers face while working in the refining and petrochemical industry can vary from minor leakage to major blasts: release of chemical vapors, spills leading to exposure to harmful gaseous chemicals, fires and explosions, and smoke build-up causing shelter-in-place, impacting the local community, personal injuries, fatalities and plant damage resulting in shutdowns. Considering time pressures, the dangerous nature of the job, weather conditions, lack of communication, poor/inadequate documentation and remote working locations, planners, locators and refiners often face combined challenges that generate very error-likely conditions.

While unexpected releases of toxic substances do occur, the industry is subject to vulnerabilities caused by others (such as processes involving highly hazardous chemicals leading to the release of flammable liquids and gases, and worker stress and fatigue), and investigations reveal that many of the major accidents that do occur could have been prevented through greater diligence on behalf of the respective personnel involved.

This workshop is designed to provide the participants the awareness that, as humans, we are fallible (even the best people make mistakes). However, this being said, as humans we also possess the incredible power of choice. What we must do is choose to learn from our mistakes and take actions to prevent their recurrence.

Bird and Germain (1996) rightly said, "What is the sense of measuring if the loss must occur before you can act? That is reaction, not control." What we need is a fresh approach to enhance safe work practices. This session will instill a strong understanding of "The Gap" in processing information and how to RESPOND rather than REACT when posed with a stressful or threatening situation. The participants will come to recognize the value inherent in worker contribution to solving problems and improving safety and efficiency.

The Practicing Perfection® approach has taken the best-of-the-best tactics and tools from the US commercial nuclear power and airline industries, simplified them, and combined them with underlying triggers and influencers of behavioral psychology to transform worker behaviors pertaining to personal and process safety in different sectors.


Using this innovative approach of Practicing Perfection®, safe work practices will be discussed in depth using the four human error barrier/defense categories and how these work together to prevent/allow an event to occur. The participants will be introduced to the Error Elimination Tools™ handbook, which offers simple tools for minimizing the potential for error at points of team interaction and individual execution.

Wednesday 08·14·13, 1:30-3:30, Arlington, Workshop

The Evolution of the UK Defence Safety Standards
John McDermid, Professor of Software Engineering at the University of York, UK.
Issue 5 of DS 00-56 is being developed and is likely to be in force before the end of the year. The UK's primary defence safety standard, DS 00-56, has been in existence since mid-1990 and has undergone a number of changes, becoming more goal-oriented at Issue 4 (the current standard). When Issue 4 was produced, DS 00-55, the MoD software safety standard, was discontinued. Since the publication of DS 00-56 Issue 4 in 2007 there has been feedback on some of the requirements, including the challenges of applying the ALARP principle; defence contracting has changed, with a move towards the greater procurement of services and/or outsourcing management of facilities; and there is increasing use of Systems of Systems (SoS). Issue 5 of DS 00-56 is being developed to address these issues. At the same time there have been increasing concerns regarding software safety, and it has been decided to re-introduce DS 00-55 at the same time, albeit in a goal-based style consistent with DS 00-56 and also covering complex electronics. The tutorial will present an explanation of the motivation for the changes to the standards and the significant conceptual changes, and outline the rest of the development process. Time will be allowed for discussion, e.g. the relationship between DS 00-56 and other standards, both civil and military.

Wednesday 08·14·13, 1:30-3:30, Fairfield, Workshop

Aircraft Fire & Explosion: How Safe Are the Friendly Skies?
Albert Moussa, PhD, PE.
While commercial air travel is an extremely safe mode of transportation, aircraft fires and explosions can occasionally occur with catastrophic consequences. Using examples of recent accidents and full-scale testing, Dr. Albert Moussa will provide an overview of the main types of fires, such as those involving aircraft engine, fuel tank, cabin and cargo areas. He will show how major accidents lead to safety recommendations by the NTSB, stricter requirements by the FAA and improved practices by the industry. This process takes many years, leading eventually to safer skies. Examples of safety improvements include the use of a fire-blocking layer in seats, improved acoustic insulation, fire detection and suppression systems in cargo bays, and fuel tank inerting. The implications of replacing aluminum with composite materials will also be discussed. The talk is an overview of a unique professional course that he teaches annually on the design of aircraft systems for protection against fire and explosion. The talk is a multi-media presentation illustrated with colorful slides and short video clips of real accidents and computer model outputs.

Dr. Albert Moussa has spent over forty years developing a fundamental understanding of fire and explosion, particularly for the aerospace/defense industry. His work has led to the development of a number of practical solutions and quantitative models and to the investigation of several major national and international aircraft fire accidents. His forewarning about the vulnerability of aircraft fuel systems before the occurrence of the TWA800 and Concorde disasters has gained him prominence in the general media in both the US and Europe. He has consulted for the Air Force, Navy and major firms such as Boeing, GE, Northrop Grumman and Parker Hannifin, and has served on national advisory committees and on the Editorial Board of an ASME Journal. He teaches a unique professional design course on how to protect aircraft systems against fire and explosion. He received his BS from Stanford University and his MS and ScD from MIT. He has published widely, including one book. He has received several honors, including the William Littlewood Memorial Lecture Award by SAE/AIAA, Engineer of the Year by AIAA NE Section, best papers by SAE and ASEI, AIAA Distinguished Lecturer and several ASME citations. He is the Founder and Technical Director of BlazeTech Corp., an engineering firm that specializes in technology and software development in the area of energy, environment and safety.

Friday 08·16·13, 8:00-10:00, Clarendon, Workshop

Process Safety Culture Best Practices
Presenter: Laurence Pearlman, MA, Corven Inc. and University of Illinois at Urbana-Champaign, Naperville, IL, USA.
The workshop explores how process safety is more than a technical solution and involves cultural change. To make a successful and sustainable culture change, multiple elements need to be combined that address people, rewards, learning and leadership. This workshop will explore best practices and give practical advice on how to build a process safety culture. The workshop is aimed at Oil, Chemical and other process-related work.

• Introduction
• Change as a Journey: Overview of Change Management
• Building a Business Case: Defining a Burning Platform
• Speaking of Process Safety: Creating a Common Language for Process Safety
• Leadership Matters: Defining the Role of Your Leadership Teams
• Effective Learning: Segmenting Your Audiences and Delivering Relevant Learning Activities
• Looking at Behaviors and Desired Outcomes: How To Define & Drive Behaviors
• The Employee Lens: Know My Barriers & Know My Role in Keeping Them Healthy
• Measurement of Culture: What Works and What Doesn't
• Wrapping it Up: Change as a System

You have a lot on the line. Our adaptive Safety Management and FAA Compliance solutions won't let you down.

Adaptive SMS: The comprehensive solution for the most efficient implementation
• Extends a culture of safety beyond safety teams
• Easily guides users to confidentially report useful safety events
• Responsiveness shows users they made a difference

Adaptive Systems Safety Analysis: Safety-oriented system design analysis

Don't miss the Sikorsky Aircraft and AST Aerospace presentation "Linear Integrated Safety Analysis (LISA)".

A division of Atlantic Software Technologies. 1-732-230-2590. salesastaerospacecom. www.astaerospace.com


Paper Presentations

Monday 08·12·13, AM, Berkeley, Hazard Analysis, Chair: Barondes

Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models
Lucas Wind, Dr. Gabriele Schedl, Juergen Floetzer, Safety Management Department, Frequentis AG, 1100 Vienna, Austria.
Multiple failures of components due to shared causes, also known as Common Cause Failures (CCF), comprise an important class of failure types. These have to be taken into account in any serious assessment of safety-critical systems deploying any redundancy concept. Whereas a qualitative assessment of CCF can be regarded as common practice, the exact numerical impact of CCF is usually less widely understood. Explicit representation of CCF is quite cumbersome and usually involves complex graphical representations within Fault Trees and RBDs. Focusing on a correct derivation of RAM data rather than on a comprehensive common cause analysis, an implicit representation of CCF is therefore often preferred, but it requires in-depth knowledge of the underlying mathematical models. This paper aims to enable safety experts to make a fast, simple but effective RAM analysis including CCF. Popular CCF models are reviewed together with their advantages and disadvantages, based on the long-term experience of a supplier in the context of a large European ATM project. The single-parameter beta-factor model is explained in detail and demonstrated to be most effective for typical ATM applications. Based on this model, results are given in terms of representative figures depicting the influence of CCF on various typical real-world availability requirements.

Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees
Wes Rainey, MSEE, Life Cycle Engineering, General Dynamics Electric Boat, Groton, CT, USA.
Fault Trees prove to be an effective tool for identifying safety-critical system hardware and software requirements during the Safety Requirements Hazard Analysis (SRHA) process. This safety analysis methodology offers significant benefits when performing the SRHA. Fault Trees effectively communicate the safety assessment of a safety hazard to other safety engineers, systems engineers, the customer and other impacted engineering disciplines in a manner that each discipline can readily understand and evaluate for completeness and correctness. Fault Trees also enhance the safety engineer's ability to assess the implications of safety mishaps and events on safety hazards, improving visibility into the relationship between related mishaps and events and allowing for common events to be identified and shared between hazards. Fault Trees can then be structured to correspond to the system hardware and software requirements analysis, thus providing the ability to identify hazard-mitigating safety-critical requirements, design features and procedures early in the development process for continued tracking and management. This paper describes significant benefits of Fault Tree analysis when applied to an SRHA, with an example based upon a hazard caused by significant equipment damage to a pump.

The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment
Omar T. Jaradat, PhD Student (1); Patrick J. Graydon, Postdoctoral Research Fellow (1); Iain Bate (2). (1) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden; (2) Department of Computer Science, University of York, York, United Kingdom.
Typical safety standards require software engineers to show that a plan of safety activities, chosen from recommended options or alternatives, meets a set of objectives. For example, the automotive safety standard ISO 26262 recommends formally verifying software architectures to show that they comply with safety requirements. In this paper, we show how an existing approach to architectural model checking could be used to conform to ISO 26262.

The Architecture-Based Verification Technique for AADL Specifications verifies some completeness and consistency properties of Architectural Analysis and Design Language (AADL) models. An engineer transforms the AADL architecture into an UPPAAL model, generates a set of UPPAAL queries and uses UPPAAL to check the queries. Using the resulting evidence, we have created a partial ISO 26262 safety case for an existing system that warns drivers of heavy vehicles before low fuel causes loss of power and vehicle control.

In this paper, we demonstrate how this model-checking evidence contributes to an ISO 26262 safety case. We then critically analyze the resulting argument, recommend means of achieving complete coverage of ISO 26262 objectives, and discuss the costs and benefits of architectural model checking in comparison to those of the other techniques recommended by ISO 26262.

Monday 08·12·13, AM, Clarendon, Ground Transportation, Chair: Millin

Achieving Confidence of a Safety Critical System Product and Its Applications
Fenggang Shi, PhD, RAMS Department, Thales Canada Transportation Solutions, Toronto, ON, Canada.
A safety-critical system product can be developed for multiple project applications, such as a Communication Based Train Control (CBTC) product for modern railway signaling systems. It is natural that different safety-critical systems in the same domain can have different characteristics due to variances of devices and operation environment. Such a product must be developed based on the generic attributes of systems in the domain and can be parameterized and tailored to a specific system with the characteristics expected by the customer. The key issues in development of such a product are defining common functions in the application domain, categorizing and generalizing devices, and designing a configurable system architecture. Thus devices and functions can be parameterized and tailored for a specific system of a project. Safety engineering for such a safety-critical system product and its applications faces complexity in safety case development for demonstrating systematic hazard analyses and management. This paper discusses Thales' experience and practice of resolving the key issues in designs and managing the complexity of safety engineering on its CBTC product and applications. Safety confidence of CBTC systems is achieved through four layers of safety engineering: vital computer, controller platform, generic application and specific application.

Failure Logic Automata for Future Oriented Safety Assessment of Train Control System
Guo Zhou, PhD Student; Huibing Zhao, Professor; School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China.
In the development of train control systems, safety analysis can deviate from system design. System engineers and safety engineers often carry out their work in entirely different ways, so that when system engineers assert their designs are complete and feasible, the safety engineers may declare that the safety requirements are not met. Conversely, when safety engineers present their manual analysis reports (FTA, FMECA, etc.), system engineers may point out inconsistencies. Intuitively, there seems to be a "gap" between system engineering and safety engineering. In this paper, some comparisons amongst classic safety assessment methods are performed first. Then a future-oriented safety assessment method is introduced to safety engineering to automatically verify safety requirements as the complexity of system design soars. The hierarchical and modularized methodology of failure logic modeling is illustrated for minimal cut set synthesis and dangerous failure rate calculation, which can be used to improve safety. A mathematical model is constructed to demonstrate the correctness of the method. An instance analysis of an on-board train protection system is also performed.

Are We Ready for Driverless Cars?
David B. West, CSP, PE, CHMM, AMCOM/AMRDEC Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA

For decades technological advancements have continually improved the automobile, making it easier to drive. As we integrate features like adaptive cruise control, GPS navigation, lane keeping and so on, and make them interoperable, we move ever closer to having cars that will drive themselves to the destinations we enter into their programs. Some experts have even predicted that in less than a generation it will be illegal to steer our cars ourselves. Though it may seem that serious safety challenges constrain our movement down this path, it may actually be the safety benefits offered by driverless cars that propel us in this direction. Several high-profile competitions have fostered the development of driverless car technology. Some jurisdictions are already passing legislation to pave the way for driverless cars on public roads. With driverless cars will come major changes in legal processes involving accidents. In many ways the development of driverless cars that will operate on public roadways parallels the development of unpiloted aircraft that will fly in the national airspace. Design standards for hardware and software in civil aircraft (e.g., RTCA DO-254/DO-178) may serve as models for similar qualification of driverless car hardware and software.

Tuesday, 8/13/13, AM, Berkeley: Hazard/Risk Management (Chair: Parizo)

Safety is not an Option
Clifford A. Parizo, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Stratford, CT, USA; R. Brandon Daugherty, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Huntsville, AL, USA

This paper presents a method for evaluating and classifying rotorcraft safety enhancing equipment in terms of impact on safety and various equipment implementation factors. Guidance from certifying agency policy and system safety standard practice was considered, resulting in a classification tool that can be used to determine if equipment should be marketed and sold as either mandatory or optional. The methodology developed may have applications for other products and industries.

National Aerospace Standard 411 Update
Timothy Sheehan, CIH, CSP, PE, Raytheon Global Substances Program, Raytheon, Portsmouth, RI, USA

This paper describes the effort to review and update National Aerospace Standard 411 ("NAS 411"), commonly used within defense as a framework to conduct Hazardous Material Management Programs (HMMP) intended to reduce hazardous material risks in the government procurement of military systems. The scope of the effort includes both a review of the standard and the introduction of several key changes, including the expansion of the scope to non-military procurements and service contracts. Included in the effort is the task of developing a standardized military Hazardous Materials Target List (HMTL) that can be used as a starting point for military HMMP hazardous material (HAZMAT) target lists. The development of the common HMTL addresses the need to increase standardization of HMMP lists across defense programs that use NAS 411 and/or MIL-STD-882E Task 108 to conduct their HMMPs. There is currently no standard approach for developing these lists; as a result, there are numerous different materials identified for restrictions and reporting requirements. The current situation often does not support (or reflect) the hazmat risk management goals of the DoD, the military services or the contractors.

Linear Integrated Safety Analyses (LISA)
Michael T. Grant, Aviation & Product Safety, Sikorsky Aircraft Corp., Stratford, CT, USA; Samad Muhammad, Atlantic Software Technologies, Inc., New York, NY, USA

This paper describes the Linear Integrated Safety Analyses (LISA) process developed by the Sikorsky Aircraft Corporation (Sikorsky). The LISA architecture is designed to encompass all aspects of safety risk management for aircraft development programs. It is linear in that each assessment is repeated at the aircraft, system and subsystem levels in sequence, and it is integrated such that all analyses are connected and fully traceable to requirements. Sikorsky has partnered with Atlantic Software Technologies (AST) to develop a web-based LISA application. The end product will be a fully integrated system safety process that is comprehensive, repeatable and traceable.

Tuesday, 8/13/13, AM, Clarendon: Workspace Safety (Chair: Kondreck)

Program ISSC 2013

Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen
Han Zhang, MSc Candidate; Rachel McQueen, MS, PhD; Jane Batcheller, PhD; Human Ecology, University of Alberta, Edmonton, Alberta, Canada

Burn injuries in kitchens are prevalent; as well, chefs are exposed to high heat and humidity. Limited research has been performed on safety issues related to chef's uniforms regarding thermal protective performance towards common kitchen thermal hazards (i.e., flames, hot liquids, steam and hot surfaces) and the thermal comfort within commercial kitchens. The purpose of this research was to characterize the thermal protective performance properties of textiles used in chef's uniforms in order to understand how protective they are against all these thermal hazards in such an environment. Selected thermal performance tests (i.e., flammability and ease of ignition, hot water and oil splash and steam testing under low pressure, and hot surface contact tests) were applied to predict the time to second-degree burn. Different fabric layer combinations (e.g., impermeable/semipermeable apron and two or more layers of cotton fabrics) were applied to determine the most effective way to wear chef's uniforms. In addition, thermal and water vapour resistance were compared among different fabric systems in terms of thermal comfort. Based on the data obtained from bench scale tests, recommendations were made to improve the thermal protection and thermal comfort of fabrics used in chef's uniforms and the safety within commercial kitchens.

A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources
Ray Fischer (1); Kurt Yankaskas, BS (2); Chris Page (1). (1) Noise Control Engineering Inc., Billerica, MA, USA; (2) Warfighter Performance Department, Office of Naval Research, Arlington, VA, USA

Noise remains the most prevalent occupational hazard associated with defense systems and operations critical to their sustainment. Concurrently, acquisition programs have been inconsistent in application of control measures, and many new systems are noisier than their legacy predecessors. Common impediments to improved control include relative lack of emphasis on risk management of noise, lack of widespread technical knowledge regarding the feasibility of noise control, and misunderstanding of potential return on investment from noise controls. The Defense Safety Oversight Council's Acquisition and Technology Task Force sponsored a project to identify common noise sources affecting multiple defense systems that were amenable to control measures that could be implemented using existing technologies at an affordable cost. A system engineering risk management process was applied to review key noise sources in DOD, identify nine of the more common sources amenable to control technologies, and describe common control measures for these processes. An affordable containment (acoustic enclosure) technology was also evaluated and described. Estimates were made of exposed populations, the range of their occupational exposures, and potential risk and fiscal cost of hearing loss. Cost-benefit analyses were applied to evaluate the return on investment from available control measures.

System Safety Design for Safe Operation of Radars
Ronald J. Bartos, PE, CSP, Whole Life Engineering, Raytheon, Sudbury, MA, USA

Safe operation and maintenance of radars depends upon effective system safety and software safety analyses of radar designs. These analyses include identification of the hazards involved in operating and maintaining radars and the safety requirements that are necessary to mitigate these hazards. This paper familiarizes the reader with the system safety design requirements that are implemented in the controls of these systems in order to manage the potential safety risks inherent in radars. The safety features are contrasted among different types of radars. The differences in the types of safety features among these systems are highlighted, and factors for these differences are presented. The radar's mission, location, system architecture, conceptual design and requirements allocation between hardware and software need to be understood in order to implement an effective safety program.

Tuesday, 8/13/13, PM, Berkeley: Software Engineering (Chair: Mikula)

Dependability Techniques Applied to Space Software - A Research Project Report
Carlos Henrique Netto Lahoz, Dr. Eng., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos (SP), Brazil; Martha Adriana Dias Abdala, M.S., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos, Brazil

This work reports some results of a research project performed at the Institute of Aeronautics and Space (IAE), Brazil, using dependability techniques applied to a space computer system. Hazard analysis techniques such as Software FTA and Software FMECA were used in an integrated manner, and more recently the System-Theoretic Process Analysis (STPA) has been studied. This research is part of the Verification and Validation (V&V) efforts to increase software dependability capability in software projects at IAE.

The feasibility of such an approach was conducted on system software specification and applied to a case study based on the Brazilian Launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to inclusion of new functional and non-functional system software requirements.

The techniques are adjusted and used in combination to identify common causes of software failures, their criticality, performance problems, temporal misleading and hazards arising mainly from dysfunctional interactions between components. The SFTA analysis produced 82 basic events and the SFMECA 34 analyses from the sequence of flight and control events. The STPA is being applied to one of the case study scenarios in order to evaluate possible additional information about how the behavioural safety constraints can be violated.

The Principles of Software Safety Assurance
Richard Hawkins, PhD; Ibrahim Habli, PhD; Tim Kelly, PhD; Department of Computer Science, University of York, York, United Kingdom

We present common principles of software safety assurance that can be observed from software safety standards and best practice. These principles are constant across domains and across projects and can be regarded as the immutable core of any software safety justification. The principles also help maintain understanding of the 'big picture' of software safety issues whilst examining and negotiating the detail of individual standards, and provide a reference model for cross-sector certification.


Formal Modelling in the Development of Dependable Systems
Elena Troubitsyna, PhD, IT, Åbo Akademi University, Turku, Finland

Nowadays we tend to place increasing reliance on computer-based systems and the software they are running. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, the analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.

It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing of software to the required degree of dependability infeasible, and hence the emphasis should be put on the development process, which is aimed at producing fault free software. Moreover, the system environment has a direct impact on its dependability, and hence a systems approach should be applied.

In the paper we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.

Tuesday, 8/13/13, PM, Clarendon: Aerospace Safety (Chair: Kraemer)

Systems-Based Approach to Flight Safety Management in Airlines
Hong Chi, PhD; Baoguang Xu, PhD; Mingliang Qi, PhD; Xueyan Shao, PhD; Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China

Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of SMS. From 2006 we have worked with one of China's 3 big airlines, taking part in its construction of SMS. We find that safety risks have their own features in different airline departments, and divide safety risks into two categories: one is caused by factors such as quality of pilots and reliability of airplanes, and the other is caused by misprocessing through operational processes; for example, a misprocessing in data entry during dispatching may lead to insufficient fuel and then serious outcomes. A reasonable risk assessment can be obtained only by systematic mechanism analysis, and other analytical approaches need to be studied besides the risk matrix. Based on this, effective risk mitigation can be implemented in airlines. We develop a closed loop to support airline flight safety management named "Describing-Assessing-Diagnosing-Improving-Tracking". Specific details will be discussed in this paper.

Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch
Burak Durmaz, MSc Eng, Product Assurance Department, Space Systems Group, Turkish Aerospace Industries Inc. (TAI), Ankara, Turkey

Even if the new generation aircraft have rugged designs which maximize reliability, exposure to failures during operation is still indispensable. With a pure safety approach one can arrive at the classical result "the safest aircraft is the one in the hangar". Vice versa, allowing dispatch without ensuring a certain level of safety can lead to catastrophic results and is totally not acceptable. MMEL has been answering this dilemma for many years. Each MMEL item is analyzed taking into account the effects of item inoperability on safe flight and landing, crew workload, functional capabilities of the systems, design margins and the impacts due to the next critical failure. MMEL proposes dispatch criteria for any inoperative MMEL item by taking credit from a redundant unit which is capable of accomplishing the same function, the backup data provided by alternative sources or equipment, dictating acceptable limitations and/or requiring operational or maintenance procedures.

This study is aiming to answer questions such as why MMEL is required and how an MMEL is developed. Also, brief information about the MMEL regulations, the importance of MMEL to ensure safe dispatch with inoperative item(s) and some simple examples regarding MMEL applications are going to be provided.


Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics
Stuart Campbell Sr., MAS, CFII, ATP, Aeronautical Science, Embry-Riddle Aeronautical University, Daytona Beach, FL, USA

The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilot Association, 2010). The absence of a positive safety culture in general aviation, to include training organizations, affects pilot judgment and decision making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture during the learning process and training, is of importance and currently under study using the Frasca Mentor Advance Aviation Training Device.

Tuesday, 8/13/13, PM, Dartmouth: Software Safety (Chair: Schmedake)

Safety and/vs Security: Towards a System Engineering Approach for Trust
Erwin Schoitsch, Dipl.-Ing., Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria

Safety has a long tradition in many engineering disciplines, evolving long before computers arrived on the scene. Security in engineering disciplines has a shorter history, becoming increasingly important with the rising complexity of networked systems. In complex cyber-physical systems and systems-of-systems, both worlds, having ignored each other for a long time (independent communities, different targets, standards, techniques and measures), now have to share their concerns to achieve the real goal of users and stakeholders: trustworthy systems.

The paper will compare the different approaches of the major safety and security standards, particularly with respect to setting goals, considering techniques and measures, and qualification/certification. Holistic system aspects as covered by the notion of Dependability and Resilience as umbrella terms, and system engineering aspects taking into account dichotomic properties of complex embedded systems (commonalities and trade-offs), are looked at to try to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from concept phase, hazard and risk analysis to decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC-FP7 Integrated Project OpenCoss, in IEC/ISO standardization groups and other work.

Anatomy of a Safety Critical Software Function
Richard Church, Raytheon Company, Tewksbury, Massachusetts, USA

This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides clear and concise determination of how a safety critical function may be defined at the system level to include hardware, software, human interactions and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose SLSCF computing level functions and details what constitutes a Safety Critical Computing Software Function (SCCSF) and how to identify those behavioral attributes that designate that function as safety critical. This paper provides a methodology to identify, decompose and categorize application and operating environment SCCSFs. For the purpose of this paper, SCCSFs are categorized into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety critical software functions that control and monitor safety critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies and fail-safe designs found in successful high consequence safety critical systems.

Software Risk: The Third Rail of Safety Analysis
Holly S. Hildreth, PhD, Consultant; Charles "Greg" Elcock, USN-R Aviator, Consultant; San Diego, CA, USA

"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Due to our inability to assess probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called "throwing the baby out with the bath water". Meanwhile, the recent industry trend to assess software risk based solely on implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss shortcomings of this trend and describe alternative techniques that have not been openly documented but that have been used "under the radar" by software safety professionals for many years.

Wednesday, 8/14/13, AM, Berkeley: Human Factors (Chair: Robins)

ASL – Affective Safety Leadership
Ulrik Ramsing, Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark

Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how", demanding the CoRep to engage with all parties in a safe, professional and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged with CfL Centre for Leadership to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, of which the satisfactory completion is now a requirement for employment in DONG E&P Offshore Operation as Company Representative.

The CoRep Program satisfies its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors and ILO-driven offshore coaching.

Exxon Valdez: Human Error, Plain and Simple
Arthur D. Barondes, BS (Mil Engr), MS (Aero), MBA, PhD (ABD) (Business), Analytics International Corporation (AIC), Alexandria, VA, USA

Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989, and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors (there were no mechanical or electrical failures that fateful night), the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors, onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company, as solely responsible for the disaster.

Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A. Vernacchia, MS, PE, Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A. Green, PhD, Active Safety Systems, General Motors, Warren, MI, USA; Robert E. Llaneras, PhD, Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA

Today's electric propulsion system designs (e.g., Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, some failure modes may result in the failure effect on output torque being realized significantly faster than traditional ICE failure modes. These may present differences in how output torque responses impact potential "Driver Startle" events.

This paper compares electric propulsion systems' fault response characteristics and subsequent detection and mitigation capabilities to those of ICE systems. The effects of the electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle level hazard metrics related to Driver Startle, are presented.

Wednesday, 8/14/13, AM, Clarendon: Public Safety (Chair: Fletcher)

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD; Yun Luo; Shuo Tian, MS; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

Scientific precaution and effective control of accidents is important for the national production of China. The famous Heinrich Rule reveals that the statistical law of the severity and frequency of accidents is essential to control accidents, but the accidental source and causation, as well as the essence of systematic safety factors, haven't been stated deeply. With data analysis from various accident statistics over recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. A proportion rule of the accident pyramid is then further figured out, namely "Major Accident-Fatal Accidents-General Accidents-Hidden Dangers-Hazards" (1-52-240-4700-∞). The result accords with the traditional Heinrich Rule, which provides the theoretical basis for accident prevention and indicates the way and direction of realizing essential safety.

Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity
Ilya M. Zheleznov, PhD, VNIIA, Moscow, Russia

The paper presents a review and results of analysis of different technical and economic aspects of industrial safety at a large enterprise with distributed sites, combining R&D works with pilot and batch production of high-tech products, and located in a megacity, Moscow.

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to the optimization are considered, from both technical and economic points of view, taking into account minimization of transportation of dangerous substances, localization of treatment facilities (waste effluents, gas purification) and waste storehouses, localization of systems for working conditions maintenance (heating, air-conditioning, air clearing, water supply, etc.), possible harm to the population, and a number of other factors.

The features connected with the location of the enterprise in a megacity are identified, including limitation of the areas for treatment facilities, a high saturation of the area by various communications, small distances to residential buildings and objects of city infrastructure, transport problems, high impurity of the air environment, etc.

Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr. Professor G.A. Smirnov, Dr. D.I. Yurkov, D.V. Syagin, T.V. Kozhina, All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia

The paper reviews the questions related to vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including ones of terrorist orientation, as well as to emergency situations of natural and anthropogenic character.

Main provisions of the Russian Government approved complex program of safety of the population on transport are presented. Approaches to the organization of examination of physical persons (passengers), vehicles, cargoes, luggage and personal things at transport infrastructure objects of the undergrounds of Russia are formulated. Some types of neutron and x-ray equipment for detection of explosives, nuclear materials and drugs, designed and produced by VNIIA named after N.L. Duhov, are presented.

Wednesday, 8/14/13, AM, Dartmouth: Lifecycle Safety (Chair: Swallom)

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore, Singapore

System Safety analyses assess the systems' hazards throughout all phases of the system life cycle. Quite often, details of maintenance tasks on systems were not clearly thought out and assessed. Hence, while in the midst of carrying out system maintenance tasks, hazards could arise and pose safety implications to users. Improper maintenance could also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance and sometimes total replacement of the components at regular intervals are required. Therefore it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety critical or safety related parts is also crucial in ensuring that the systems remain safe for operation after conducting maintenance.

This paper attempts to classify the different types of maintenance and the focuses of their respective hazard analysis in order to better address their potential hazards. Generally there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance and Reliability-Centered Maintenance. The authors will discuss, with examples, the hazard analysis for each of these types of maintenance.

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram, David Hartfelder, Electronic Controls and Software, General Motors Company, Milford, MI, USA

System safety engineering is the application of special technical methods and managerial processes in a systematic manner to identify, evaluate and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned with eliminating or minimizing the impact of system hazard(s) to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementing critical safety analyses, tests and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that it is able to influence the design of the system. This paper will define a system safety case and provide an overview of its development within the GM system safety engineering process as it applies to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA

Error Prevention Event Collection (EPEC) Documents have been beneficial to the ULA Organization in many ways, by providing multiple methods to augment current ULA Error Prevention Processes and share Lessons Learned throughout the ULA Organization. EPEC Documents are stand alone documents that provide ULA Personnel with categorized sets of Event information that can be used to augment Preventive Analysis, Reactive Analysis and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process. This means that they have completed the Causal Analysis, Corrective Action Board and Error Prevention Council processes. Upon Event closure, the "All Items" Database is populated with Event information and the applicable Event EPEC Categories. Then the "All Items" Database automatically sorts Event entries into "Category" Databases. There is one "Category" Database for each EPEC Category. Each "Category" Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" Database that provides users with instructional use, a link (URL) to the associated Event information and additional Error Prevention Tools. Additional improvements, applications and benefits will continue to be explored as they relate to the EPEC Documents.

Wednesday 08/14/13 AM, Exeter: Human Factors II. Chair: Flint

Program ISSC 2013

Development of Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy; Yanyan Wang, DE; Xin Liu; Wei Bai; Xinsheng Guo; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress has a disadvantageous effect on flight safety. Life events are a routine item of aircraft accident investigation in many countries. Many pilots involved in accidents were suffering from life events. In order to achieve the ideal effect, flight safety education must be incorporated with psychology. An education program combining flight safety and psychological stress was developed by summarizing the psychological factors relevant to aviation risk perception. The program includes three sections: psychological measurement relevant to safety with feedback of results, education on representative risk scenes in aviation, and occupational stress management. The Aviation Safety Locus of Control scale and the Hazardous Aviation Attitude questionnaire were used to evaluate risk pattern. The results were fed back to pilots to improve their self-knowledge. Representative risk scenes were based on the five hazardous attitudes theory. Fifteen cases were developed, and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach the pilots stress management skills. The program can be applied to improve the flight safety and mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD; Xin Liu; Wei Bai; Xinsheng Guo; Qingfeng Liu, MPsy; Xiaochao Guo, DPsy; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
The capabilities of crew resource management (CRM) directly relate to flight safety and run through the whole process of flight tasks, but there are currently no indicators and methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and the pilot's behavior characteristics of dynamic CRM were developed based on AC-121-FS-2011-41 crew resource management training and by analyzing the influential factors; thus, eventually, the dynamic assessment training indicators and methods of crew resource management were formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis of assessment of CRM during flight training, which is helpful to improve the CRM capabilities of the double drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD; Erin Collins; Hughes Associates, Inc., Baltimore, MD, USA
The fire protection response in selected facilities is characterized by "manual" activities. That is, facility personnel are trained to immediately react after fire detection, not only to announce the fire event throughout the facility using the communication systems, but to also suppress the fire as quickly as possible. Contrary to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e., hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper involves an integration of an event tree analysis and HRA, which includes treatment of the following detection and suppression activities: prompt detection and suppression, rapid detection and suppression, and fire brigade suppression.

Wednesday 08/14/13 PM, Berkeley: Safety Topics. Chair: Gauthier

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou, BEng, MSc, PhD, CEng; Matthew Luckcuck; Tim Kelly, PhD; Richard W. Jones, PhD; Department of Computer Science, University of York, York, United Kingdom
There has been an increasing use of IT in healthcare, aiming to improve the quality of healthcare as well as the safety delivered to patients. IT can contribute to improvement in meeting the performance targets of hospitals by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent in medical devices (e.g., pacemakers), for which there are organised efforts for international standards. Recently there have been attempts to systematise and standardise the safety analysis of health IT systems, with examples such as the UK National Health Service standards asking for a safety case showing that any IT systems are safe.

The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety and data-intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these (tactics) can be used to provide assurance to the final safety case of the system.

How Complex Systems Fail - I: Decomposition of the Failure Histogram
Richard R. Zito, PhD, Richard R. Zito Research LLC, Tucson, AZ, USA
Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that in general the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model. And the failure histograms (failure rate vs. time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report will take the Peterson/Arellano analysis one step further. A unified theory of failure rates will be presented that removes the paradoxes of the simple Rayleigh model. It will be shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function law.

Wednesday 08/14/13 PM, Clarendon: Risk Assessment. Chair: Karedes

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt; Joan Pham, PhD; Sikorsky Aircraft Corporation, Stratford, Connecticut, USA
The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday 08/15/13 AM, Berkeley: Space Systems. Chair: Durmaz

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X. Dang, BSCE (1); Myles P. Moran, BSME (2); Tyrone Jackson, BSEE (1). (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA
A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. An example: one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 AFSPC SUP 1, 91-217, and 63-101. AF program offices are required to comply with AFI policies. AFIs don't generally apply to the contractor except as implemented through the contract. Often, program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that by having two sets of requirements, AFIs for program offices and MIL-STD-882-Tailored for contractors, full compliance with AF Orbital Safety policy should be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"


Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G. McDougall, BS Physics, Naval Post-Graduate School (NPS) Master System Engineering, System Safety Center SMC/SE, El Segundo, CA, USA; Tyrone Jackson, BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA
Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommission, and disposal of systems, subsystems, end items, and services during the entire space system lifecycle to support Operational Safety, Suitability, and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements that are applicable to the acquisition of space systems or space system of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems, and user equipment systems. SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP_I, and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process of evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing tasks and activities required to execute a viable system safety program that include risk acceptance package development, hazard tracking, mishap risk disposition, and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch, CO, USA
United Launch Alliance launches Atlas V and Delta IV from Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles. Large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire, and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle, and prelaunch operations until liftoff. Range Safety regulations provide safety requirements for hardware, software, and operations to ensure safety throughout the ground processing. This paper will examine each stage of the ground processing for space launch and the applicable safety requirements, and discuss how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after the personnel are cleared, using safety critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday 08/15/13 AM, Clarendon: Weapons Safety. Chair: Southwick

Security Critical Software — the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S. Alborzi, PhD, Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA
Today's political landscape, the arbitrary abandonment of non-proliferation of nuclear weapons by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense of system safety. This paper intends to explore this integration and unveil some of the security critical software that can serve as the first line of defense for preserving the safety critical features of our weapons systems.


Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams, BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello, BSChE, Navy NOSSA, Indian Head, MD, USA
The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance provided in the associated AOP-7 and AOP-39 for implementing policy. Questions are often raised during program development and reviews as to the origin and applicability of tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, will only address Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE; Gunendran Sivapragasam, MBA SE; Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA
A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among those characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday 08/15/13 AM, Dartmouth: Hazard Identification. Chair: Oliver

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore
We often asked ourselves why accidents or mishaps happened even when the system safety methodology and assessments were in place. Accidents happened due to many possible causes. There could be lapses in the safety integrity of the system, or a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns such that a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations that were faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practices in system safety. There are four areas of concern highlighted in the paper: Interfaces, Prototype Tests & Trials, Maintenance & Disposal, and Human Error. By identifying the gaps in these four areas, the author explores and proposes mitigation measures that could possibly close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr. Cand. scient., System Safety, SINTEF, Trondheim, Norway
Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body for certification according to IEC 61508, a Notified Body for certification according to relevant EU directives, and a Manufacturer.

Experience has shown that, to deliver the product in time and to be cost-effective, it is very important that the Manufacturer and the Certification and Notified Body agree about basic principles concerning the plans, contents, traceability, and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Body as evidence.

This paper presents the CoVeR method that has been developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification, and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, that costs are minimized, that time to market is reduced, that the certification process is complete and well documented, and that updates of the certificates require less work. The certification experiences to date show that many of the problems with conventional methods are improved.

Design with Safety Eye
Barış Berk Erdem, MS; Pinar Aydin, MS; Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey
Deriving safety requirements in the early stages of the design is one of the most important key factors in conducting a successful development process for any project. While well-defined, correct, consistent, and complete safety requirements improve and guide the design to perfect levels with minimum effort, defective, inconsistent, and incorrect safety requirements may lead to unsuccessful, overweight, and over-cost designs. In this paper, ways and advantages of deriving qualified safety requirements in the early stages of the design will be discussed via examples. Safety requirements are derived using the results of the safety assessments, based on the consequences of functional failures. But the quality of safety assessments is based on the maturity of the design, and as the design matures it is hard to change and implement the changes, thus causing a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated, and familiar with similar projects provides great contributions. Also, a safety perspective throughout the design team makes it easy to derive valuable safety requirements and carry these requirements into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is the cooperation of the whole design team with a safety perspective.

Thursday 08/15/13 PM, Berkeley: Aerospace Software. Chair: Beecher

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway, NASA Langley Research Center, Hampton, VA, USA
For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements". Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments contained in or implied by the DO-178C guidance that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore, developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper, we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels, and Baconian probability. We define use cases for confidence in safety cases: prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for reuse of safety elements.

Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System
Eric Yang, PhD; Richard Y. Xie, PhD; Arash Yousefi, PhD; Metron Aviation, Inc., Dulles, VA, USA
As demand for military, civilian, and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety that is set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper, we adapt a previously developed safety modeling framework, Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS, incompatibility of sense-and-avoid systems of UAS and Tactical Collision Avoidance Systems (TCAS) of manned aircraft, loss-link procedures in the UAS, and the UAS loss of communication with air traffic control. The findings of this study provide insight into potential risks of UAS integration and may support development of a concept of operation, establishing minimum performance standards, and developing required safety nets.

Thursday 08/15/13 PM, Clarendon: Public Safety II. Chair: Laabs

Integrating System Safety and Emergency Management
Terry L. Hardy, Great Circle Analytics LLC, Denver, CO, USA
System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations, or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience, and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS, HSE, Marine Well Containment Company, Houston, TX, USA
Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips, and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain, and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess, and Statoil. In February 2011, MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS, and its Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach for working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness which will be addressed in this paper


A Taxonomic Analysis on Chinese Special Equipments "Yinhuan" in Supervision
Yunxiao Fan, Dr., Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipments to ensure their safety on the worksite. Special equipments in China include boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices, and automobiles. In recent years, the rapid increase in the numbers and types of special equipments has brought BSES increasing stress in special equipment regulation. As a government supervision organization, BSES tries to make explicit the inspection tasks of the different supervision levels efficiently and to improve safety management performance based on the view of risk. This research is the first task in the project, which aims to identify yinhuans in special equipment supervision by a taxonomy approach, for further ranking them through risk assessment. Based on nonconformity and the 4 elements in the accident causation model, this research defined yinhuans of special equipments in China and built a yinhuan taxonomic analysis structure. This research identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans of 8 types of special equipments.

Thursday 08/15/13 PM, Dartmouth: Hazard/Risk Management II. Chair: Kniess

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1); Patrick J. Graydon, PhD (2); Rikard Land, PhD (1). (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework including analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach, the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence; it can ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA
United Launch Alliance (ULA) believes error reporting is the cornerstone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented, and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012, ULA experienced an elevated number of transportation related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates processes were "in control" during the period of this study.

ProgramISSC2013

Even though statistical analysis tools demonstrated ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.
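As an added illustration of the P-Charting check the abstract describes (this is example code written for this page, not code or data from ULA or the paper's authors): the block below computes a p-chart over constructed per-period counts of error Events and opportunities, derives each period's own 3-sigma limits (subgroup sizes vary, so the limits do too), and flags periods that fall outside them. The period labels, counts and function names are assumptions made for the example.

```python
"""p-chart (attribute control chart) for error-event data.

Added example, not code from the ULA paper. The sample data below is
constructed for illustration; per-period limits follow the standard
p-chart formulas for a varying subgroup size n_i:
    p_i   = d_i / n_i
    p_bar = sum(d_i) / sum(n_i)
    UCL_i = p_bar + 3 * sqrt(p_bar * (1 - p_bar) / n_i)
    LCL_i = max(0, p_bar - 3 * sqrt(p_bar * (1 - p_bar) / n_i))
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Period:
    label: str          # reporting period, e.g. a month
    opportunities: int  # n_i: transport moves (or other units) in the period
    events: int         # d_i: error Events recorded in the period


# Constructed data (not ULA's): a quiet baseline, one slightly elevated
# month (2012-06) and one genuine spike (2012-08).
SAMPLE = [
    Period("2012-01", 200, 6),
    Period("2012-02", 180, 4),
    Period("2012-03", 220, 7),
    Period("2012-04", 190, 5),
    Period("2012-05", 210, 6),
    Period("2012-06", 150, 9),
    Period("2012-07", 200, 5),
    Period("2012-08", 240, 20),
]


def pooled_proportion(periods):
    """p_bar: total events over total opportunities, the chart's centre line."""
    total_events = sum(p.events for p in periods)
    total_opps = sum(p.opportunities for p in periods)
    if total_opps == 0:
        raise ValueError("no opportunities recorded")
    return total_events / total_opps


def control_limits(p_bar, n):
    """3-sigma limits for a subgroup of size n under the binomial model.
    The lower limit is clipped at 0: a proportion cannot be negative, and a
    clipped LCL means the chart cannot flag 'too few events' for that n."""
    sigma = math.sqrt(p_bar * (1.0 - p_bar) / n)
    return max(0.0, p_bar - 3.0 * sigma), p_bar + 3.0 * sigma


def p_chart(periods):
    """Return (p_bar, rows); each row carries the plotted point and its limits."""
    p_bar = pooled_proportion(periods)
    rows = []
    for p in periods:
        if p.opportunities <= 0:
            raise ValueError(f"{p.label}: subgroup size must be positive")
        frac = p.events / p.opportunities
        lcl, ucl = control_limits(p_bar, p.opportunities)
        rows.append({
            "label": p.label, "p": frac, "lcl": lcl, "ucl": ucl,
            "out_of_control": frac > ucl or frac < lcl,
        })
    return p_bar, rows


def out_of_control_periods(periods):
    """Labels of periods whose proportion falls outside its own limits."""
    _, rows = p_chart(periods)
    return [r["label"] for r in rows if r["out_of_control"]]


if __name__ == "__main__":
    p_bar, rows = p_chart(SAMPLE)
    print(f"centre line p_bar = {p_bar:.4f}")
    for r in rows:
        flag = "OUT" if r["out_of_control"] else "in"
        print(f"{r['label']}  p={r['p']:.4f}  LCL={r['lcl']:.4f}  UCL={r['ucl']:.4f}  {flag}")
```

Run it and the elevated month 2012-06 stays inside its (wider, small-n) limits while only 2012-08 is flagged, which is the distinction the ULA question turns on: a cluster that looks alarming may still be common-cause variation. A practitioner would pair the 3-sigma rule with run rules (for instance, eight consecutive points on one side of the centre line) before declaring a process in control, and would read a lower limit clipped to 0 as a warning that the chart cannot detect a drop in reporting for that subgroup size, which matters when the data come from voluntary disclosure.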

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, PEng, MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece
Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how the STAMP Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents and incidents. The objective is to show the feasibility of establishing, in airports, system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems and airports to assess and predict changing levels of risk.


Special Functions

Saturday
SSS Executive Council Meeting, 12:00 - 5:00 pm, Tremont Room

Sunday
SSS Executive Council Meeting, 8:00 am - 5:00 pm, Tremont Room

Monday
Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
Opening Ceremonies / General Session, 1:30 - 3:30 am, Salons A-E. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus
Keynote Speaker: James P. Keller, Jr., MS, ECRI Institute

Tuesday
Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
Sponsor/Exhibitor Luncheon, 11:30 am - 1:20 pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology
Sponsor & Exhibitor Reception, 6:30 - 8:30 pm, Gloucester Room

Wednesday
Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
International Luncheon, 11:30 am - 1:20 pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK
Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00 pm. Be in the hotel lobby at 6:00 pm.

Thursday
Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
Awards Luncheon, 11:30 am - 1:20 pm, Salons A-E

Friday
Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
Best Papers Presentations, 8:00 - 11:20 am, Dartmouth Room


32nd International System Safety Conference, 4-8 August 2014, St. Louis, MO
St. Louis Union Station Marriott Hotel
Gateway to Safety

Local Attractions
• Gateway Arch Riverfront
• Missouri History Museum
• Museum of Transportation
• St. Louis Cardinals
• St. Louis Symphony
• St. Louis Union Station
• St. Louis Science Center
• The Contemporary Art Museum St. Louis
• Bissell Mansion Restaurant and Dinner Theater
• Missouri Botanical Gardens
• Laumeier Sculpture Park
• Anheuser-Busch Brewery
• Kemp Auto Museum
• Schlafly Bottleworks
• Fox Theater
• Purina Farms
• Meramec Caverns
• Laclede's Landing
• City Museum
• Magic House
• Grant's Farm
• St. Louis Zoo
• Delmar Loop
• Forest Park
• Harrah's
• Six Flags


About the System Safety Society
The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program or activity at the planning phase and continues through the design, production, testing, use and disposal phases.

The Society's Objectives
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070; www.system-safety.org; email: systemsafety@system-safety.org

Points of Contact

Officers
Robert Schmedake, President, robertaschmedake@boeing.com
Dr. Rod Simmons, Executive Vice President, rodsimmons@me.com
Dr. Matt Johnson, Executive Secretary, mjohnson@staudertech.com
Pam Kniess, Treasurer, pamkniess@gmail.com
Gary Braman, Immediate Past President, gbraman@sikorsky.com

Directors
Gerry Einarsson, Chapter Services, einargk@rogers.com
Lynece Pfledderer, Conferences, Lynecepfledderer@lmco.com
Dr. Chuck Muniak, Education & Professional Development, cmuniak@stevens.edu
Debbie Hale, Gov. & Intersociety, Hale0324@hotmail.com
Robert Fletcher, International Development, rwfletcher@sympatico.ca
Melissa Emery, Member Services, memery@apt-research.com
Steve Mattern, Mentoring & R&D, smattern@bastiontechnologies.com
Saralyn Dwyer, Publicity & Media, sdwyer@apt-research.com


Chapters
Tennessee Valley Chapter (AL): Don Swallom, swallom@isss-tvc.org
Saguaro Chapter (AZ): Amanda Boysun, 520-794-5487, AmandaBoysun@raytheon.com
Bay Area Chapter (CA): Graham Murray, 408-756-2674, grahamtmurray@lmco.com
Central California Chapter (CA): Kathleen Brenna, KathleenBrenna1@usaf.mil
Sierra High Desert Chapter (CA): Jerry Banister, 760-377-4690, safetycitadel@earthlink.net
Southern California Chapter (CA): Francis McDougall, 310-653-1309, francismcdougall@usaf.mil
Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppe@comcast.net
Georgia Chapter: Terry Gooch, 770-494-3527, terryjgooch@gmail.com
Winners Circle Chapter (KY/IN): Marc Bever, 812-854-1351, Marcbever@navy.mil
Twin Cities Chapter (MN): Bill Blake, 763-744-5086, billblake@atk.com
New England Chapter: Alan E. Southwick, 401-842-2067, Alan_E_Southwick@raytheon.com
Northeast Chapter: Scott Beecher, scottbeecher@PW.utc.com
New Mexico Chapter (NM): William (Bill) Harwood, williamharwood@mda.mil
Houston Chapter (TX): Derek Robins, 281-335-2011, derekrobbins@mwcc-usa.com
North Texas Chapter (TX): Frank Rinaldo, 817-762-3075, frankrrinaldo@lmco.com
Washington DC Chapter: Sean Peters, seanpeters@urs.com
Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerber@baesystems.com

International Chapters
Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbecht@rgbassurance.com.au
Canada Chapter: Maury Hill, 613-220-0533, Mauryhill@rogers.com
Israel Chapter: Haim Kuper, 972-4-8315044, haimkuper@elbitsystems.com
Singapore Chapter: Ten Lin Mei, tlinmei@dso.org.sg


31st ISSC Luncheon Menu

Tuesday, August 13
New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14
Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15
Caesar Salad
Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce
White Chocolate and Blood Orange Torte


Panel Discussions / Forums

Tuesday 08·13·13, 8:00-11:30, Dartmouth: Open Forum

Developing Global System Safety Perspectives
Moderator: Robert Ward Fletcher, PEng, MSc, PMP, PCIP, Consultant, President, Robert Fletcher System Safety Inc., Ottawa, Ontario, Canada
This will be a free-form discussion moderated by Bob Fletcher, SSS Director of International Development. It is a continuation of the discussion started during the 30th ISSC.

Robert is a system safety engineer with many years of experience. He has performed system safety consultancy work for several clients around the world, including system safety engineering and safety management system training, auditing and analysis for air traffic control and flight service system applications. Robert received an MSc from the United States Naval Postgraduate School, a diploma from the Aerospace Systems School, Winnipeg, Manitoba, and a Bachelor of Science degree from the Royal Military College. He is a registered professional engineer and a member of the Project Management Institute and the Critical Infrastructure Institute.

Thursday 08·15·13, 8:00-11:30, Suffolk: Panel

G-48 Workshop - Pressing Issues Facing System Safety
Moderator: David B. West, CSP, PE, CHMM, Systems, Software and Solutions Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
A panel of speakers (TBD) will give a series of presentations on the most pressing issues facing the System Safety community today.

Workshops

Tuesday 08·13·13, 8:00-11:30, Exeter: Workshop

ISO 26262-Style Risk Assessment
Presenter: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada
ISO 26262 is a functional safety standard for electronic control systems in road vehicles which includes a novel approach to risk assessment that overcomes the widely recognized difficulty of evaluating the likelihood of failure in the case of software-intensive systems. Although it was devised for use in the automotive domain, this approach to risk assessment has been used successfully in other technical domains that also rely on safety-critical software. Following a brief introduction to ISO 26262, participants will engage in a series of problem-solving small-group exercises based on examples taken from a variety of technical domains, including automotive, medical devices, energy and defense. The workshop will include opportunities for discussion and comparison of sample solutions. The workshop will also include a brief comparison of the ISO 26262 approach to risk assessment with the notion of software criticality in MIL-STD-882E. While this workshop will be of particular interest to system safety engineers in the automotive industry, it is intended to be relevant to system safety engineers across all technical domains with an interest in the assessment of safety risk associated with complex software-intensive systems.


Tuesday 08·13·13, 1:30-5:00, Exeter: Workshop

Application of System Safety Methods to Systems of Systems
Presenters: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada; Rami Debouk, Electrical and Controls Integration Lab, General Motors, Warren, MI, USA; Antonio Vergara, ITER Organization, St. Paul-lez-Durance, France
This workshop will facilitate an exchange of knowledge among participants about the application of system safety methods to Systems of Systems (SoS), that is, systems whose components are themselves complex systems, such that the combined behavior of these components cannot be easily understood or explained in terms of the behaviors of the individual components. Examples of such systems are increasingly common across a variety of technological domains, including aerospace, defense, automotive and energy generation/distribution. Traditional methods of system safety, focused on component failure as a source of safety risk, have limited value in understanding and managing the safety risks associated with a SoS. For example, an unforeseen interaction between two "correct" behaviors implemented by different components of a SoS may result in an unsafe behavior even in the absence of a component failure. The first part of the workshop will be a series of short presentations on SoS examples from a diverse variety of technical domains, namely advanced road vehicles, high energy physics and aerospace/defense. The second part of the workshop will be an opportunity for all participants to address specific questions about the application of system safety methods to SoS through dialogue and impromptu mini-presentations.

Tuesday 08·13·13, 1:30-5:00, Fairfield: Workshop

Advancing Safety By Reducing Errors: A Fresh Approach
Presenter: Tim Autrey, BSc, Error Reduction and Human Performance Enhancement, Practicing Perfection Institute Inc., Swanzey, NH, USA
Potential hazards workers face while working in the refining and petrochemical industry can vary from minor leakage to major blasts: release of chemical vapors, spills leading to exposure to harmful gaseous chemicals, fires and explosions, and smoke build-up causing shelter-in-place impacting the local community, personal injuries, fatalities and plant damage resulting in shutdowns. Considering time pressures, the dangerous nature of the job, weather conditions, lack of communication, poor/inadequate documentation and remote working locations, planners, locators and refiners often face combined challenges that generate very error-likely conditions.

While unexpected releases of toxic substances do occur, the industry is subject to vulnerabilities caused by others (such as processes involving highly hazardous chemicals leading to the release of flammable liquids and gases, and worker stress and fatigue), and investigations reveal that many of the major accidents that do occur could have been prevented through greater diligence on behalf of the respective personnel involved.

This workshop is designed to provide the participants the awareness that, as humans, we are fallible (even the best people make mistakes). However, this being said, as humans we also possess the incredible power of choice. What we must do is choose to learn from our mistakes and take actions to prevent their recurrence.

Bird and Germain (1996) rightly said: "What is the sense of measuring if the loss must occur before you can act? That is reaction, not control." What we need is a fresh approach to enhance safe work practices. This session will instill a strong understanding of "The Gap" in processing information and how to RESPOND rather than REACT when posed with a stressful or threatening situation. The participants will come to recognize the value inherent in worker contribution to solving problems and improving safety and efficiency.

The Practicing Perfection® approach has taken the best-of-the-best tactics and tools from the US commercial nuclear power and airline industries, simplified them, and combined them with underlying triggers and influencers of behavioral psychology to transform worker behaviors pertaining to personal and process safety in different sectors.

Using this innovative approach of Practicing Perfection®, safe work practices will be discussed in depth using the four human error barrier/defense categories and how these work together to prevent/allow an event to occur. The participants will be introduced to the Error Elimination Tools™ handbook, which offers simple tools for minimizing the potential for error at points of team interaction and individual execution.

Wednesday 08·14·13, 1:30-3:30, Arlington: Workshop

The Evolution of the UK Defence Safety Standards
John McDermid, Professor of Software Engineering at the University of York, UK
Issue 5 of DS 00-56 is being developed and is likely to be in force before the end of the year. The UK's primary defence safety standard, DS 00-56, has been in existence since mid-1990 and has undergone a number of changes, becoming more goal-oriented at Issue 4 (the current standard). When Issue 4 was produced, DS 00-55, the MoD software safety standard, was discontinued. Since the publication of DS 00-56 Issue 4 in 2007 there has been feedback on some of the requirements, including the challenges of applying the ALARP principle; defence contracting has changed, with a move towards the greater procurement of services and/or outsourcing management of facilities; and there is increasing use of Systems of Systems (SoS). Issue 5 of DS 00-56 is being developed to address these issues. At the same time there have been increasing concerns regarding software safety, and it has been decided to re-introduce DS 00-55 at the same time, albeit in a goal-based style consistent with DS 00-56 and also covering complex electronics. The tutorial will present an explanation of the motivation for the changes to the standards and the significant conceptual changes, and outline the rest of the development process. Time will be allowed for discussion, e.g. the relationship between DS 00-56 and other standards, both civil and military.

Wednesday 08·14·13, 1:30-3:30, Fairfield: Workshop

Aircraft Fire & Explosion: How Safe Are the Friendly Skies?
Albert Moussa, PhD, PE
While commercial air travel is an extremely safe mode of transportation, aircraft fires and explosions can occasionally occur with catastrophic consequences. Using examples of recent accidents and full-scale testing, Dr. Albert Moussa will provide an overview of the main types of fires, such as those involving aircraft engines, fuel tanks, cabins and cargo areas. He will show how major accidents lead to safety recommendations by the NTSB, stricter requirements by the FAA and improved practices by the industry. This process takes many years, leading eventually to safer skies. Examples of safety improvements include the use of a fire-blocking layer in seats, improved acoustic insulation, fire detection and suppression systems in cargo bays, and fuel tank inerting. The implications of replacing aluminum with composite materials will also be discussed. The talk is an overview of a unique professional course that he teaches annually on the design of aircraft systems for protection against fire and explosion. The talk is a multi-media presentation illustrated with colorful slides and short video clips of real accidents and computer model outputs.

Dr. Albert Moussa has spent over forty years developing a fundamental understanding of fire and explosion, particularly for the aerospace/defense industry. His work has led to the development of a number of practical solutions and quantitative models and to the investigation of several major national and international aircraft fire accidents. His forewarning about the vulnerability of aircraft fuel systems before the occurrence of the TWA 800 and Concorde disasters has gained him prominence in the general media in both the US and Europe. He has consulted for the Air Force, Navy and major firms such as Boeing, GE, Northrop Grumman and Parker Hannifin, and has served on national advisory committees and on the Editorial Board of an ASME journal. He teaches a unique professional design course on how to protect aircraft systems against fire and explosion. He received his BS from Stanford University and his MS and ScD from MIT. He has published widely, including one book. He has received several honors, including the William Littlewood Memorial Lecture Award by SAE/AIAA, Engineer of the Year by the AIAA NE Section, best paper awards by SAE and ASEI, AIAA Distinguished Lecturer, and several ASME citations. He is the Founder and Technical Director of BlazeTech Corp., an engineering firm that specializes in technology and software development in the area of energy, environment and safety.

Friday 08·16·13, 8:00-10:00, Clarendon: Workshop

Process Safety Culture Best Practices
Presenter: Laurence Pearlman, MA, Corven Inc. and University of Illinois at Urbana-Champaign, Naperville, IL, USA
The workshop explores how process safety is more than a technical solution and involves cultural change. To make a successful and sustainable culture change, multiple elements need to be combined that address people, rewards, learning and leadership. This workshop will explore best practices and give practical advice on how to build a process safety culture. The workshop is aimed at oil, chemical and other process-related work.

• Introduction
• Change as a Journey: Overview of Change Management
• Building a Business Case: Defining a Burning Platform
• Speaking of Process Safety: Creating a Common Language for Process Safety
• Leadership Matters: Defining the Role of Your Leadership Teams
• Effective Learning: Segmenting Your Audiences and Delivering Relevant Learning Activities
• Looking at Behaviors and Desired Outcomes: How To Define & Drive Behaviors
• The Employee Lens: Know My Barriers & Know My Role in Keeping Them Healthy
• Measurement of Culture: What Works and What Doesn't
• Wrapping it Up: Change as a System


Paper Presentations

Monday 08·12·13, AM, Berkeley: Hazard Analysis (Chair: Barondes)

Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models
Lucas Wind, Dr. Gabriele Schedl, Juergen Floetzer, Safety Management Department, Frequentis AG, 1100 Vienna, Austria
Multiple failures of components due to shared causes, also known as Common Cause Failures (CCF), comprise an important class of failure types. These have to be taken into account in any serious assessment of safety-critical systems deploying any redundancy concept. Whereas a qualitative assessment of CCF can be regarded as common practice, the exact numerical impact of CCF is usually less widely understood. Explicit representation of CCF is quite cumbersome and usually involves complex graphical representations within Fault Trees and RBDs. Focusing on a correct derivation of RAM data rather than on a comprehensive common cause analysis, an implicit representation of CCF is therefore often preferred, but involves in-depth knowledge of the underlying mathematical models. This paper aims to enable safety experts to make a fast, simple but effective RAM analysis including CCF. Popular CCF models are reviewed together with their advantages and disadvantages, based on the long-term experience of a supplier in the context of a large European ATM project. The single-parameter beta-factor model is explained in detail and demonstrated to be most effective for typical ATM applications. Based on this model, results are given in terms of representative figures depicting the influence of CCF on various typical real-world availability requirements.
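As an added worked example of the beta-factor model the abstract singles out (this is example code written for this page, not the Frequentis authors' code or figures): the block computes the steady-state unavailability of a 1-out-of-N redundant group when a fraction beta of each channel's failure rate is attributed to a common cause that takes all channels down together. The failure rate, restoration time, beta values and function names are constructed assumptions, as is the modelling choice that common cause and independent failures are restored independently.

```python
"""Beta-factor common cause failure (CCF) model for a 1-out-of-N group.

Added example, not code from the Frequentis paper. Assumptions (constructed):
each channel has constant failure rate lam (per hour) and restoration rate
mu = 1/mttr; a fraction beta of channel failures are common cause and fail
all channels at once; common cause and independent failures are restored
independently. Steady-state unavailability of a repairable item with
failure rate r and restoration rate mu is r / (r + mu).
"""


def steady_state_unavailability(rate, mttr):
    """q = rate / (rate + mu) with mu = 1/mttr: exact for the two-state
    Markov model, and approximately rate * mttr when rate * mttr << 1."""
    if rate < 0 or mttr <= 0:
        raise ValueError("rate must be >= 0 and mttr > 0")
    mu = 1.0 / mttr
    return rate / (rate + mu)


def unavailability_1ooN(lam, mttr, beta, n):
    """Unavailability of a 1ooN group under the beta-factor model.

    The channel rate is split into an independent part (1 - beta) * lam and
    a common cause part beta * lam. The group is down if the CCF event is
    present OR all n channels are independently down at the same time.
    """
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must be in [0, 1]")
    if n < 1:
        raise ValueError("n must be >= 1")
    q_ind = steady_state_unavailability((1.0 - beta) * lam, mttr)
    q_ccf = steady_state_unavailability(beta * lam, mttr)
    all_independent_down = q_ind ** n
    # P(down) = 1 - P(no CCF) * P(not all channels independently down)
    return 1.0 - (1.0 - q_ccf) * (1.0 - all_independent_down)


def ccf_share(lam, mttr, beta, n):
    """Fraction of the group's unavailability contributed by the CCF term."""
    q_ccf = steady_state_unavailability(beta * lam, mttr)
    total = unavailability_1ooN(lam, mttr, beta, n)
    return 0.0 if total == 0.0 else q_ccf / total


def availability_table(lam, mttr, betas=(0.0, 0.01, 0.05, 0.1), ns=(1, 2, 3)):
    """Availability 1 - Q for each (beta, n): shows the CCF floor that extra
    redundancy cannot lift."""
    return {(b, n): 1.0 - unavailability_1ooN(lam, mttr, b, n)
            for b in betas for n in ns}


if __name__ == "__main__":
    LAM, MTTR = 1e-4, 8.0  # constructed: 1e-4/h per channel, 8 h restoration
    for (b, n), avail in sorted(availability_table(LAM, MTTR).items()):
        share = ccf_share(LAM, MTTR, b, n)
        print(f"beta={b:<5} n={n}  availability={avail:.8f}  CCF share={share:.3f}")
```

With the constructed figures, moving from beta = 0 to beta = 0.05 raises the 1oo2 group's unavailability from roughly 6e-7 to roughly 4e-5, and almost all of it (ccf_share close to 0.99) is the common cause term; a third or fourth channel barely moves the result. That is the point the abstract makes numerically: once beta is non-zero, the availability a redundant architecture can claim is bounded by about beta * lam * MTTR whatever the redundancy level, so the beta estimate, and the diversity and separation measures that justify it, carries the argument rather than the redundancy count.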

Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees
Wes Rainey, MSEE, Life Cycle Engineering, General Dynamics Electric Boat, Groton, CT, USA
Fault Trees prove to be an effective tool for identifying safety critical system hardware and software requirements during the Safety Requirements Hazard Analysis (SRHA) process. This safety analysis methodology offers significant benefits when performing the SRHA. Fault Trees effectively communicate the safety assessment of a safety hazard to other safety engineers, systems engineers, the customer and other impacted engineering disciplines in a manner that each discipline can readily understand and evaluate for completeness and correctness. Fault Trees also enhance the safety engineer's ability to assess the implications of safety mishaps and events on safety hazards, improving visibility into the relationship between related mishaps and events and allowing common events to be identified and shared between hazards. Fault Trees can then be structured to correspond to the system hardware and software requirements analysis, thus providing the ability to identify hazard-mitigating safety critical requirements, design features and procedures early in the development process for continued tracking and management. This paper describes significant benefits of Fault Tree analysis when applied to an SRHA, with an example based upon a hazard caused by significant equipment damage to a pump.

The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment
Omar T. Jaradat, PhD Student (1); Patrick J. Graydon, Postdoctoral Research Fellow (1); Iain Bate (2). (1) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden; (2) Department of Computer Science, University of York, York, United Kingdom
Typical safety standards require software engineers to show that a plan of safety activities, chosen from recommended options or alternatives, meets a set of objectives. For example, the automotive safety standard ISO 26262 recommends formally verifying software architectures to show that they comply with safety requirements. In this paper we show how an existing approach to architectural model checking could be used to conform to ISO 26262.

The Architecture-Based Verification Technique for AADL Specifications verifies some completeness and consistency properties of Architecture Analysis and Design Language (AADL) models. An engineer transforms the AADL architecture into an UPPAAL model, generates a set of UPPAAL queries and uses UPPAAL to check the queries. Using the resulting evidence, we have created a partial ISO 26262 safety case for an existing system that warns drivers of heavy vehicles before low fuel causes loss of power and vehicle control.

In this paper we demonstrate how this model-checking evidence contributes to an ISO 26262 safety case. We then critically analyze the resulting argument, recommend means of achieving complete coverage of ISO 26262 objectives, and discuss the costs and benefits of architectural model checking in comparison to those of the other techniques recommended by ISO 26262.

Monday 08·12·13, AM, Clarendon: Ground Transportation (Chair: Millin)

Achieving Confidence of a Safety Critical System Product and Its Applications
Fenggang Shi, PhD, RAMS Department, Thales Canada Transportation Solutions, Toronto, ON, Canada
A safety critical system product can be developed for multiple project applications, such as a Communication Based Train Control (CBTC) product for modern railway signaling systems. It is natural that different safety critical systems in the same domain can have different characteristics due to variances in devices and operating environment. Such a product must be developed based on the generic attributes of systems in the domain, and can be parameterized and tailored to a specific system with the characteristics expected by the customer. The key issues in the development of such a product are defining common functions in the application domain, categorizing and generalizing devices, and designing a configurable system architecture, so that devices and functions can be parameterized and tailored for the specific system of a project. Safety engineering for such a safety critical system product and its applications faces complexity in safety case development for demonstrating systematic hazard analyses and management. This paper discusses Thales' experience and practice in resolving the key issues in design and managing the complexity of safety engineering on its CBTC product and applications. Safety confidence in CBTC systems is achieved through four layers of safety engineering: vital computer, controller platform, generic application and specific application.

Failure Logic Automata for Future Oriented Safety Assessment of Train Control System
Guo Zhou, PhD Student; Huibing Zhao, Professor; School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China
In the development process of a train control system, safety analysis may deviate from system design. System engineers and safety engineers always carry out their ideas in entirely different ways, so that when system engineers assert their designs are complete and feasible, the safety engineers may disappointedly declare that the safety requirements are not met. On the contrary, when safety engineers expose their manual analysis reports (FTA, FMECA, etc.), system engineers may pop up and point out the inconsistency. Intuitively, there seems to be a "gap" between system engineering and safety engineering. In this paper, some comparisons amongst classic safety assessment methods are performed first. Then a future-oriented safety assessment method is introduced to safety engineering to automatically realize safety requirements verification given the soaring complexity of system design. The hierarchical and modularized methodology of failure logic modeling is illustrated for minimal cut set synthesis and dangerous failure rate calculation, which can be referred to in order to improve safety. A mathematical model is constructed to demonstrate the correctness of the method. An instance analysis of an on-board train protection system is also performed.
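As an added example covering the minimal cut set synthesis mentioned here and the fault-tree use described in the Rainey abstract above (example code written for this page, not code from either paper): the block expands a small constructed fault tree into its minimal cut sets, prices the top event with the rare-event approximation, lists which software basic events appear in any cut set (the candidates for safety critical software requirements), and finds basic events shared between two hazards' trees. The tree, the event names and the per-demand probabilities are all constructed for the example and are not the pump hazard from the Rainey paper.

```python
"""Minimal cut sets of a fault tree and the safety critical basic events
they expose.

Added example, not code from either paper. The fault trees below are
constructed for illustration; gates are ("AND", ...) / ("OR", ...) tuples
and leaves are basic-event names. Cut sets are expanded bottom-up and
reduced by absorption (drop any cut set that contains another), which
gives the same minimal cut sets as the classic top-down MOCUS procedure.
"""
import math
from itertools import product


def minimize(cut_sets):
    """Keep only minimal cut sets: remove duplicates and strict supersets."""
    unique = set(cut_sets)
    minimal = [cs for cs in unique if not any(other < cs for other in unique)]
    return sorted(minimal, key=lambda cs: (len(cs), sorted(cs)))


def cut_sets(node):
    """Return the minimal cut sets of the (sub)tree rooted at node."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, *children = node
    child_sets = [cut_sets(child) for child in children]
    if gate == "OR":
        combined = [cs for sets in child_sets for cs in sets]
    elif gate == "AND":
        combined = [frozenset().union(*combo) for combo in product(*child_sets)]
    else:
        raise ValueError(f"unknown gate {gate!r}")
    return minimize(combined)


def top_event_probability(mcs, event_probs):
    """Rare-event approximation: sum over cut sets of the product of their
    basic-event probabilities. This is an upper bound that is adequate when
    every probability is small; otherwise use inclusion-exclusion."""
    return sum(math.prod(event_probs[e] for e in cs) for cs in mcs)


def safety_critical_events(mcs, candidates):
    """Basic events from `candidates` (e.g. the software-controlled ones)
    that appear in at least one minimal cut set, i.e. the ones whose
    requirements the hazard analysis must trace and manage."""
    in_any_cut_set = frozenset().union(*mcs)
    return sorted(set(candidates) & in_any_cut_set)


def shared_events(mcs_a, mcs_b):
    """Basic events common to two hazards' minimal cut sets."""
    return sorted(frozenset().union(*mcs_a) & frozenset().union(*mcs_b))


# Constructed tree (not from either paper): a pump is run while isolated.
PUMP_RUNS_ISOLATED = (
    "OR",
    ("AND", "relay_stuck_closed", ("OR", "interlock_fails", "maint_bypass_left_on")),
    ("AND", "sw_start_cmd_fault", "pressure_sensor_reads_low"),
    # non-minimal branch: absorbed by the cut set directly above it
    ("AND", "sw_start_cmd_fault", "pressure_sensor_reads_low", "relay_stuck_closed"),
)

# A second constructed hazard that shares a basic event with the first.
PUMP_FAILS_TO_START = (
    "OR",
    "relay_stuck_open",
    ("AND", "sw_start_cmd_fault", "manual_start_unavailable"),
)

# Constructed per-demand probabilities for the basic events.
EVENT_PROBS = {
    "relay_stuck_closed": 1e-3, "interlock_fails": 1e-2, "maint_bypass_left_on": 5e-3,
    "sw_start_cmd_fault": 1e-4, "pressure_sensor_reads_low": 2e-3,
    "relay_stuck_open": 1e-3, "manual_start_unavailable": 1e-1,
}
SOFTWARE_EVENTS = ["sw_start_cmd_fault"]

if __name__ == "__main__":
    mcs = cut_sets(PUMP_RUNS_ISOLATED)
    for cs in mcs:
        print(sorted(cs))
    print("P(top) ~", top_event_probability(mcs, EVENT_PROBS))
    print("software events in cut sets:", safety_critical_events(mcs, SOFTWARE_EVENTS))
    print("shared with fail-to-start:", shared_events(mcs, cut_sets(PUMP_FAILS_TO_START)))
```

The third AND branch of the first tree disappears from the output because absorption removes it, which is why a requirement list derived from minimal cut sets is shorter than one read off the drawn tree. The single software event that survives in both hazards' cut sets is exactly the kind of shared event the Rainey abstract wants identified once and tracked across hazards.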

Are We Ready for Driverless Cars?
David B. West, CSP, PE, CHMM, AMCOM/AMRDEC Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
For decades, technological advancements have continually improved the automobile, making it easier to drive. As we integrate features like adaptive cruise control, GPS navigation, lane keeping and so on, and make them interoperable, we move ever closer to having cars that will drive themselves to the destinations we enter into their programs. Some experts have even predicted that in less than a generation it will be illegal to steer our cars ourselves. Though it may seem that serious safety challenges constrain our movement down this path, it may actually be the safety benefits offered by driverless cars that propel us in this direction. Several high-profile competitions have fostered the development of driverless car technology. Some jurisdictions are already passing legislation to pave the way for driverless cars on public roads. With driverless cars will come major changes in legal processes involving accidents. In many ways, the development of driverless cars that will operate on public roadways parallels the development of unpiloted aircraft that will fly in the national airspace. Design standards for hardware and software in civil aircraft (e.g. RTCA DO-254/DO-178) may serve as models for similar qualification of driverless car hardware and software.

Tuesday 08·13·13, AM, Berkeley: Hazard/Risk Management (Chair: Parizo)

Safety is not an Option
Clifford A. Parizo, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Stratford, CT, USA; R. Brandon Daugherty, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Huntsville, AL, USA
This paper presents a method for evaluating and classifying rotorcraft safety-enhancing equipment in terms of impact on safety and various equipment implementation factors. Guidance from certifying agency policy and system safety standard practice was considered, resulting in a classification tool that can be used to determine if equipment should be marketed and sold as either mandatory or optional. The methodology developed may have applications for other products and industries.

National Aerospace Standard 411 Update
Timothy Sheehan, CIH, CSP, PE, Raytheon Global Substances Program, Raytheon, Portsmouth, RI, USA
This paper describes the effort to review and update National Aerospace Standard 411 ("NAS 411"), commonly used within defense as a framework to conduct Hazardous Material Management Programs (HMMP) intended to reduce hazardous material risks in the government procurement of military systems. The scope of the effort includes both a review of the standard and the introduction of several key changes, including the expansion of the scope to non-military procurements and service contracts. Included in the effort is the task of developing a standardized military Hazardous Materials Target List (HMTL) that can be used as a starting point for military HMMP hazardous material (HAZMAT) target lists. The development of the common HMTL addresses the need to increase standardization of HMMP lists across defense programs that use NAS 411 and/or MIL-STD-882E Task 108 to conduct their HMMPs. There is currently no standard approach for developing these lists; as a result, there are numerous different materials identified for restrictions and reporting requirements. The current situation often does not support (or reflect) the hazmat risk management goals of the DoD, the military services or the contractors.

Linear Integrated Safety Analyses (LISA)
Michael T. Grant, Aviation & Product Safety, Sikorsky Aircraft Corp., Stratford, CT, USA; Samad Muhammad, Atlantic Software Technologies, Inc., New York, NY, USA
This paper describes the Linear Integrated Safety Analyses (LISA) process developed by the Sikorsky Aircraft Corporation (Sikorsky). The LISA architecture is designed to encompass all aspects of safety risk management for aircraft development programs. It is linear in that each assessment is repeated at the aircraft, system and subsystem levels in sequence, and it is integrated such that all analyses are connected and fully traceable to requirements. Sikorsky has partnered with Atlantic Software Technologies (AST) to develop a web-based LISA application. The end product will be a fully integrated system safety process that is comprehensive, repeatable and traceable.

Tuesday, 08/13/13, AM, Clarendon: Workspace Safety (Chair: Kondreck)

Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chefs' Uniforms Against Thermal Hazards in the Kitchen
Han Zhang, MSc Candidate; Rachel McQueen, MS, PhD; Jane Batcheller, PhD; Human Ecology, University of Alberta, Edmonton, Alberta, Canada
Burn injuries in kitchens are prevalent, and chefs are exposed to high heat and humidity. Limited research has been performed on safety issues related to chefs' uniforms regarding thermal protective performance against common kitchen thermal hazards (i.e., flames, hot liquids, steam and hot surfaces) and thermal comfort within commercial kitchens. The purpose of this research was to characterize the thermal protective performance properties of textiles used in chefs' uniforms in order to understand how protective they are against these thermal hazards in such an environment. Selected thermal performance tests (i.e., flammability and ease of ignition, hot water and oil splash, steam testing under low pressure, and hot surface contact tests) were applied to predict the time to second-degree burn. Different fabric layer combinations (e.g., an impermeable/semipermeable apron and two or more layers of cotton fabric) were applied to determine the most effective way to wear chefs' uniforms. In addition, thermal and water vapour resistance were compared among different fabric systems in terms of thermal comfort. Based on the data obtained from bench-scale tests, recommendations were made to improve the thermal protection and thermal comfort of fabrics used in chefs' uniforms and the safety within commercial kitchens.

A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources
Ray Fischer (1), Kurt Yankaskas, BS (2), Chris Page (1); (1) Noise Control Engineering, Inc., Billerica, MA, USA; (2) Warfighter Performance Department, Office of Naval Research, Arlington, VA, USA
Noise remains the most prevalent occupational hazard associated with defense systems and the operations critical to their sustainment. Concurrently, acquisition programs have been inconsistent in the application of control measures, and many new systems are noisier than their legacy predecessors. Common impediments to improved control include a relative lack of emphasis on risk management of noise, a lack of widespread technical knowledge regarding the feasibility of noise control, and misunderstanding of the potential return on investment from noise controls. The Defense Safety Oversight Council's Acquisition and Technology Task Force sponsored a project to identify common noise sources affecting multiple defense systems that were amenable to control measures that could be implemented using existing technologies at an affordable cost. A systems engineering risk management process was applied to review key noise sources in DOD, identify nine of the more common sources amenable to control technologies, and describe common control measures for these processes. An affordable containment (acoustic enclosure) technology was also evaluated and described. Estimates were made of exposed populations, the range of their occupational exposures, and the potential risk and fiscal cost of hearing loss. Cost-benefit analyses were applied to evaluate the return on investment from available control measures.

System Safety Design for Safe Operation of Radars
Ronald J. Bartos, PE, CSP, Whole Life Engineering, Raytheon, Sudbury, MA, USA
Safe operation and maintenance of radars depends upon effective system safety and software safety analyses of radar designs. These analyses include identification of the hazards involved in operating and maintaining radars and the safety requirements that are necessary to mitigate these hazards. This paper familiarizes the reader with the system safety design requirements that are implemented in the controls of these systems in order to manage the potential safety risks inherent in radars. The safety features are contrasted among different types of radars. The differences in the types of safety features among these systems are highlighted, and the factors behind these differences are presented. The radar's mission, location, system architecture, conceptual design and requirements allocation between hardware and software need to be understood in order to implement an effective safety program.

Tuesday, 08/13/13, PM, Berkeley: Software Engineering (Chair: Mikula)

Dependability Techniques Applied to Space Software: A Research Project Report
Carlos Henrique Netto Lahoz, Dr. Eng., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos (SP), Brazil; Martha Adriana Dias Abdala, MS, Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos, Brazil
This work reports some results of a research project performed at the Institute of Aeronautics and Space (IAE), Brazil, using dependability techniques applied to a space computer system. Hazard analysis techniques such as Software FTA and Software FMECA were used in an integrated manner, and more recently the System-Theoretic Process Analysis (STPA) has been studied. This research is part of the Verification and Validation (V&V) efforts to increase software dependability capability in software projects at IAE.

The feasibility of this approach was assessed on a system software specification and applied to a case study based on the Brazilian Launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to the inclusion of new functional and non-functional system software.

The techniques are adjusted and used in combination to identify common causes of software failures, their criticality, performance problems, temporal misleading and hazards arising mainly from dysfunctional interactions between components. The SFTA analysis produced 82 basic events, and the SFMECA produced 34 analyses from the sequence of flight and control events. STPA is being applied to one of the case study scenarios in order to evaluate possible additional information about how the behavioural safety constraints can be violated.

The Principles of Software Safety Assurance
Richard Hawkins, PhD; Ibrahim Habli, PhD; Tim Kelly, PhD; Department of Computer Science, University of York, York, United Kingdom
We present common principles of software safety assurance that can be observed in software safety standards and best practice. These principles are constant across domains and across projects and can be regarded as the immutable core of any software safety justification. The principles also help maintain understanding of the “big picture” of software safety issues whilst examining and negotiating the detail of individual standards, and provide a reference model for cross-sector certification.

ISSC 2013 Program


Formal Modelling in the Development of Dependable Systems
Elena Troubitsyna, PhD, IT, Åbo Akademi University, Turku, Finland
Nowadays we tend to place increasing reliance on computer-based systems and the software they run. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, the analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.

It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing software to the required degree of dependability infeasible, and hence the emphasis should be put on a development process aimed at producing fault-free software. Moreover, the system environment has a direct impact on its dependability, and hence a systems approach should be applied.

In the paper we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.

Tuesday, 08/13/13, PM, Clarendon: Aerospace Safety (Chair: Kraemer)

Systems-Based Approach to Flight Safety Management in Airlines
Hong Chi, PhD; Baoguang Xu, PhD; Mingliang Qi, PhD; Xueyan Shao, PhD; Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China
Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of SMS. Since 2006 we have worked with one of China's three big airlines, taking part in its construction of SMS. We find that safety risks have their own features in different airline departments, and divide safety risks into two categories: one is caused by factors such as the quality of pilots and the reliability of airplanes, and the other is caused by mis-processing within operational processes; for example, a mis-processing in data entry during dispatching may lead to insufficient fuel and then to serious outcomes. A reasonable risk assessment can be obtained only by systematic mechanism analysis, and other analytical approaches need to be studied besides the risk matrix. Based on this, effective risk mitigation can be implemented in airlines. We develop a closed loop to support airline flight safety management, named “Describing-Assessing-Diagnosing-Improving-Tracking”. Specific details will be discussed in this paper.

Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch
Burak Durmaz, MSc Eng., Product Assurance Department, Space Systems Group, Turkish Aerospace Industries, Inc. (TAI), Ankara, Turkey
Even if new-generation aircraft have rugged designs that maximize reliability, exposure to failures during operation is still unavoidable. With a pure safety approach one can arrive at the classical result: “the safest aircraft is the one in the hangar”. Conversely, allowing dispatch without ensuring a certain level of safety can lead to catastrophic results and is totally unacceptable. The MMEL has been answering this dilemma for many years. Each MMEL item is analyzed taking into account the effects of the item's inoperability on safe flight and landing, crew workload, the functional capabilities of the systems, design margins and the impacts of the next critical failure. The MMEL proposes dispatch criteria for any inoperative MMEL item by taking credit from a redundant unit capable of accomplishing the same function or from backup data provided by alternative sources or equipment, by dictating acceptable limitations, and/or by requiring operational or maintenance procedures.

This study aims to answer questions such as why an MMEL is required and how an MMEL is developed. Brief information about MMEL regulations, the importance of the MMEL in ensuring safe dispatch with inoperative item(s), and some simple examples of MMEL applications will also be provided.


Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics
Stuart Campbell, Sr., MAS, CFII, ATP, Aeronautical Science, Embry-Riddle Aeronautical University, Daytona Beach, FL, USA
The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilots Association, 2010). The absence of a positive safety culture in general aviation, including training organizations, affects pilot judgment and decision making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture to the learning process and training, are of importance and are currently under study using the Frasca Mentor Advanced Aviation Training Device.

Tuesday, 08/13/13, PM, Dartmouth: Software Safety (Chair: Schmedake)

Safety and/vs. Security: Towards a System Engineering Approach for Trust
Erwin Schoitsch, Dipl.-Ing., Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria
Safety has a long tradition in many engineering disciplines, evolving long before computers arrived on the scene. Security in engineering disciplines has a shorter history, becoming increasingly important with the rising complexity of networked systems. In complex cyber-physical systems and systems-of-systems, both worlds, having ignored each other for a long time (independent communities, different targets, standards, techniques and measures), now have to share their concerns to achieve the real goal of users and stakeholders: trustworthy systems.

The paper will compare the different approaches of the major safety and security standards, particularly with respect to setting goals, considering techniques and measures, and qualification/certification. Holistic system aspects, as covered by the notions of Dependability and Resilience as umbrella terms, and system engineering aspects, taking into account the dichotomic properties of complex embedded systems (commonalities and trade-offs), are examined in order to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from the concept phase and hazard and risk analysis through to decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC-FP7 Integrated Project OpenCoss, IEC/ISO standardization groups and other work.

Anatomy of a Safety Critical Software Function
Richard Church, Raytheon Company, Tewksbury, Massachusetts, USA
This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides a clear and concise determination of how a safety critical function may be defined at the system level to include hardware, software, human interactions and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose an SLSCF into computing-level functions, details what constitutes a Safety Critical Computing Software Function (SCCSF), and shows how to identify those behavioral attributes that designate a function as safety critical. This paper provides a methodology to identify, decompose and categorize application and operating environment SCCSFs. For the purpose of this paper, SCCSFs are categorized into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety critical software functions that control and monitor safety critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies and fail-safe designs found in successful high-consequence safety critical systems.

Software Risk: The Third Rail of Safety Analysis
Holly S. Hildreth, PhD, Consultant; Charles “Greg” Elcock, USN-R Aviator, Consultant; San Diego, CA, USA
“Probability” is a word that cannot be spoken out loud in software safety circles; even the weaker word “likelihood” can bring down the wrath of fellow analysts. Due to our inability to assess the probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called “throwing the baby out with the bath water”. Meanwhile, the recent industry trend to assess software risk based solely on implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss shortcomings of this trend and describe alternative techniques that have not been openly documented but that have been used “under the radar” by software safety professionals for many years.

Wednesday, 08/14/13, AM, Berkeley: Human Factors (Chair: Robins)

ASL: Affective Safety Leadership
Ulrik Ramsing, Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark
Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be “what, not how”, demanding that the CoRep engage with all parties in a safe, professional and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged with CfL, Centre for Leadership, to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, satisfactory completion of which is now a requirement for employment in DONG E&P Offshore Operations as Company Representative.

The CoRep Program satisfies its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors, and ILO-driven offshore coaching.

Exxon Valdez: Human Error, Plain and Simple
Arthur D. Barondes, BS (Mil. Engr.), MS (Aero), MBA, PhD (ABD) (Business), Analytics International Corporation (AIC), Alexandria, VA, USA
Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989, and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors (there were no mechanical or electrical failures that fateful night), the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors, onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company, as solely responsible for the disaster.


Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A. Vernacchia, MS, PE, Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A. Green, PhD, Active Safety Systems, General Motors, Warren, MI, USA; Robert E. Llaneras, PhD, Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA
Today's electric propulsion system designs (e.g., Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, some failure modes may result in the failure effect on output torque being realized significantly faster than in traditional ICE failure modes. These may present differences in how output torque responses impact potential “Driver Startle” events.

This paper compares electric propulsion systems' fault response characteristics, and the subsequent detection and mitigation capabilities, to those of ICE systems. The effects of the electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle-level hazard metrics related to Driver Startle, are presented.

Wednesday, 08/14/13, AM, Clarendon: Public Safety (Chair: Fletcher)

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD; Yun Luo; Shuo Tian, MS; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
Scientific precaution and effective control of accidents are important for national production in China. The famous Heinrich Rule reveals that the statistical law of the severity and frequency of accidents is essential to controlling accidents, but the accident source and causation, as well as the essence of systematic safety factors, haven't been stated deeply. With data analysis from various accident statistics over recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. A proportion rule of the accident pyramid is then derived, namely “Major Accident - Fatal Accidents - General Accidents - Hidden Dangers - Hazards” (1 : 52 : 240 : 4700 : ∞). The result accords with the traditional Heinrich Rule, provides a theoretical basis for accident prevention, and indicates the way and direction of realizing essential safety.

Technical and Economic Aspects of Industrial Safety at a Large Enterprise with Distributed Sites Located in a Megacity
Ilya M. Zheleznov, PhD, VNIIA, Moscow, Russia
This paper presents a review and the results of analysis of different technical and economic aspects of industrial safety at a large enterprise with distributed sites, combining R&D work with pilot and batch production of high-tech products, located in a megacity, Moscow.

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to optimization are considered from both technical and economic points of view, taking into account minimization of the transportation of dangerous substances, the location of treatment facilities (waste effluents, gas purification) and waste storehouses, the location of systems maintaining working conditions (heating, air-conditioning, air cleaning, water supply, etc.), possible harm to the population, and a number of other factors.

The features connected with locating the enterprise in a megacity are identified, including the limited areas available for treatment facilities, the high density of utilities in the area, short distances to residential buildings and city infrastructure, transport problems, high air pollution, etc.


Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr. Professor G.A. Smirnov, Dr. D.I. Yurkov, D.V. Syagin, T.V. Kozhina, All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia
The paper reviews questions related to the vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including those of a terrorist orientation, as well as to emergency situations of natural and anthropogenic character.

The main provisions of the Russian Government-approved comprehensive program for the safety of the population on transport are presented. Approaches to organizing the screening of physical persons (passengers), vehicles, cargo, luggage and personal belongings at transport infrastructure objects of Russia's underground railways are formulated. Some types of neutron and X-ray equipment for the detection of explosives, nuclear materials and drugs, designed and produced by VNIIA named after N.L. Dukhov, are presented.

Wednesday, 08/14/13, AM, Dartmouth: Lifecycle Safety (Chair: Swallom)

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore
System safety analyses assess the systems' hazards throughout all phases of the system life cycle. Quite often, the details of maintenance tasks on systems are not clearly thought out and assessed. Hence, while system maintenance tasks are being carried out, hazards could arise and pose safety implications for users. Improper maintenance could also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance and sometimes total replacement of the components at regular intervals are required. Therefore, it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety critical or safety related parts is also crucial in ensuring that the systems remain safe for operation after maintenance has been conducted.

This paper attempts to classify the different types of maintenance and the focus of their respective hazard analyses in order to better address their potential hazards. Generally, there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance and Reliability-Centered Maintenance. The authors will discuss, with examples, the hazard analysis for each of these types of maintenance.

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram, David Hartfelder, Electronic Controls and Software, General Motors Company, Milford, MI, USA
System safety engineering is the application of special technical methods and managerial processes in a systematic manner to identify, evaluate and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned with eliminating system hazard(s) or minimizing their impact to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementary critical safety analyses, tests and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase and continuing through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that they are able to influence the design of the system. This paper will define a system safety case and provide an overview of its development within the GM system safety engineering process as it applies to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA
Error Prevention Event Collection (EPEC) Documents have been beneficial to the ULA Organization in many ways, by providing multiple methods to augment current ULA Error Prevention Processes and to share Lessons Learned throughout the ULA Organization. EPEC Documents are stand-alone documents that provide ULA Personnel with categorized sets of Event information that can be used to augment Preventive Analysis, Reactive Analysis and Collective Analysis processes. Events included in the EPEC Documents have been “closed” through the ULA Error Prevention Process; this means that they have completed the Causal Analysis, Corrective Action Board and Error Prevention Council processes. Upon Event closure, the “All Items” Database is populated with the Event information and the applicable Event EPEC Categories. The “All Items” Database then automatically sorts Event entries into “Category” Databases; there is one “Category” Database for each EPEC Category. Each “Category” Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each “Category” Database that provides users with instructions for use, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications and benefits related to the EPEC Documents will continue to be explored.

Wednesday, 08/14/13, AM, Exeter: Human Factors II (Chair: Flint)

Development of an Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy; Yanyan Wang, DE; Xin Liu; Wei Bai; Xinsheng Guo; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress has a disadvantageous effect on flight safety. Life events are a routine item of aircraft accident investigation in many countries, and many pilots involved in accidents have suffered from life events. In order to achieve the ideal effect, flight safety education must be incorporated with psychology. An education program combining flight safety and psychological stress was developed by summarizing the psychological factors relevant to aviation risk perception. The program includes three sections: psychological measurement related to safety with results feedback, education on representative risk scenes in aviation, and occupational stress management. An aviation safety locus of control scale and a hazardous aviation attitude questionnaire were used to evaluate risk pattern. The results were fed back to the pilots to improve their self-knowledge. The representative risk scenes were based on the five hazardous attitudes theory; fifteen cases were developed, and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach the pilots stress management skills. The program can be applied to improve the flight safety and mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD; Xin Liu; Wei Bai; Xinsheng Guo; Qingfeng Liu, MPsy; Xiaochao Guo, DPsy; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
The capabilities of crew resource management (CRM) directly relate to flight safety and run through the whole process of flight tasks, but there are currently no indicators or methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and the pilot's behavior characteristics of dynamic CRM were developed based on AC-121-FS-2011-41, Crew Resource Management Training, and by analyzing the influential factors; eventually the dynamic assessment training indicators and methods of crew resource management were formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis of assessment of CRM during flight training, which is helpful in improving the CRM capabilities of the double drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD; Erin Collins; Hughes Associates, Inc., Baltimore, MD, USA
The fire protection response in selected facilities is characterized by "manual" activities. That is, facility personnel are trained to react immediately after fire detection, not only to announce the fire event throughout the facility using the communication systems but also to suppress the fire as quickly as possible. Contrary to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e., hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper integrates an event tree analysis with HRA, which includes treatment of the following detection and suppression activities: prompt detection and suppression, rapid detection and suppression, and fire brigade suppression.

Wednesday, 08/14/13, PM, Berkeley: Safety Topics (Chair: Gauthier)

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou, BEng, MSc, PhD, CEng; Matthew Luckcuck; Tim Kelly, PhD; Richard W. Jones, PhD; Department of Computer Science, University of York, York, United Kingdom
There has been increasing use of IT in healthcare, aiming to improve the quality of healthcare as well as the safety delivered to patients. IT can contribute to meeting the performance targets of hospitals by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent in medical devices (e.g., pacemakers), for which there are organised efforts for international standards. Recently there have been attempts to systematise and standardise the safety analysis of health IT systems, with examples such as the UK National Health Service standards asking for a safety case showing that any IT system is safe.

The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety and data-intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these tactics can be used to provide assurance to the final safety case of the system.

How Complex Systems Fail, I: Decomposition of the Failure Histogram
Richard R. Zito, PhD; Richard R. Zito Research, LLC, Tucson, AZ, USA
Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that in general the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model, and the failure histograms (failure rate vs. time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report will take the Peterson/Arellano analysis one step further. A unified theory of failure rates will be presented that removes the paradoxes of the simple Rayleigh model. It will be shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function law.

Wednesday, 08/14/13, PM, Clarendon: Risk Assessment (Chair: Karedes)

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt; Joan Pham, PhD; Sikorsky Aircraft Corporation, Stratford, Connecticut, USA
The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and their interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday, 08/15/13, AM, Berkeley: Space Systems (Chair: Durmaz)

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X. Dang, BSCE (1); Myles P. Moran, BSME (2); Tyrone Jackson, BSEE (1); (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA
A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. An example: one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 AFSPCSUP1, 91-217, and 63-101. AF program offices are required to comply with AFI policies; AFIs don't generally apply to the contractor except as implemented through the contract. Often, program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that by having two sets of requirements, AFIs for program offices and MIL-STD-882-Tailored for contractors, full compliance with AF Orbital Safety policy should be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"

Program ISSC 2013

Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G. McDougall, BS Physics, Naval Post-Graduate School (NPS) Master System Engineering, System Safety Center, SMC/SE, El Segundo, CA, USA; Tyrone Jackson, BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA
Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommission, and disposal of systems, subsystems, end items, and services during the entire space system lifecycle to support Operational Safety, Suitability, and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements that are applicable to the acquisition of space systems or space systems of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems, and user equipment systems. SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP_I, and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process for evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing the tasks and activities required to execute a viable system safety program, which include risk acceptance package development, hazard tracking, mishap risk disposition, and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar; System Safety, United Launch Alliance, Highlands Ranch, CO, USA
United Launch Alliance launches Atlas V and Delta IV from the Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles. Large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire, and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle, and prelaunch operations, until liftoff. Range Safety regulations provide safety requirements for hardware, software, and operations to ensure safety throughout ground processing. This paper will examine each stage of the ground processing for space launch and the applicable safety requirements, and discuss how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after the personnel are cleared, using safety-critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday, 08/15/13, AM, Clarendon: Weapons Safety (Chair: Southwick)

Security Critical Software: the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S. Alborzi, PhD; Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA
Today's political landscape, the arbitrary abandonment of nuclear weapons non-proliferation by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense of system safety. This paper intends to explore this integration and unveil some of the security critical software that can serve as the first line of defense for preserving the safety critical features of our weapons systems.

Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams, BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello, BSChE, Navy NOSSA, Indian Head, MD, USA
The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance for implementing policy provided in the associated AOP-7 and AOP-39. Questions are often raised during program development and reviews as to the origin and applicability of the tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of the test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, will only address Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE; Gunendran Sivapragasam, MBA, SE; Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA
A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among the characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday, 08/15/13, AM, Dartmouth: Hazard Identification (Chair: Oliver)

Closing the Gaps in System Safety Coverage
Seet Ting Siow; Management Systems & Processes, ST Kinetics, Singapore, Singapore
We often asked ourselves why accidents or mishaps happened even when the system safety methodology and assessments were in place. Accidents happen due to many possible causes. There could be lapses in the safety integrity of the system, or a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns by which a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations that were faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practice of system safety. There are 4 areas of concern highlighted in the paper: Interfaces, Prototype Tests & Trials, Maintenance & Disposal, and Human Error. By identifying the gaps in these 4 areas, the author explores and proposes mitigation measures that could possibly close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr. Cand. scient.; System Safety, SINTEF, Trondheim, Norway
Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body (for certification according to IEC 61508), a Notified Body (for certification according to the relevant EU directives), and a Manufacturer.

Experience has shown that, to deliver the product in time and to be cost-effective, it is very important that the Manufacturer and the Certification and Notified Bodies agree about basic principles concerning the plans, contents, traceability, and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Body as evidence.

This paper presents the CoVeR method, which has been developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, that costs are minimized, that time to market is reduced, that the certification process is complete and well documented, and that updates of the certificates require less work. The certification experiences to date show that many of the problems with conventional methods are improved.

Design with Safety Eye
Barış Berk Erdem, MS; Pinar Aydin, MS; Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey
Deriving safety requirements in the early stages of the design is one of the most important key factors in conducting a successful development process for any project. While well-defined, correct, consistent, and complete safety requirements improve and guide the design to perfect levels with minimum effort, defective, inconsistent, and incorrect safety requirements may lead to unsuccessful, overweight, and over-cost designs. In this paper, the ways and advantages of deriving qualified safety requirements in the early stages of the design will be discussed via examples. Safety requirements are derived using the results of the safety assessments based on the consequences of functional failures. But the quality of safety assessments depends on the maturity of the design, and as the design matures it becomes hard to change and to implement the changes; this causes a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated, and familiar with similar projects provides great contributions. Also, a safety perspective throughout the design team makes it easy to derive valuable safety requirements and carry these requirements into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is cooperation of the whole design team with a safety perspective.

Thursday, 08/15/13, PM, Berkeley: Aerospace Software (Chair: Beecher)

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway; NASA Langley Research Center, Hampton, VA, USA
For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements." Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments, contained in or implied by the DO-178C guidance, that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow; School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore, developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper, we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels, and Baconian probability. We define use cases for confidence in safety cases, prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for the reuse of safety elements.

Initial Safety Analysis for Integration of Unmanned Aerial Systems into the National Airspace System
Eric Yang, PhD; Richard Y. Xie, PhD; Arash Yousefi, PhD; Metron Aviation, Inc., Dulles, VA, USA
As demand for military, civilian, and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety that is set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper, we adapt a previously developed safety modeling framework, the Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS, incompatibility between the sense-and-avoid systems of UAS and the Tactical Collision Avoidance Systems (TCAS) of manned aircraft, loss-link procedures in the UAS, and UAS loss of communication with air traffic control. The findings of this study provide insight into the potential risks of UAS integration and may support development of a concept of operations, establishing minimum performance standards, and developing the required safety nets.

Thursday, 08/15/13, PM, Clarendon: Public Safety II (Chair: Laabs)

Integrating System Safety and Emergency Management
Terry L. Hardy; Great Circle Analytics, LLC, Denver, CO, USA
System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations, or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience, and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS; HSE, Marine Well Containment Company, Houston, TX, USA
Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips, and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain, and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess, and Statoil. In February 2011, MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS, and its Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach for working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.

Advertisement: What are your strengths as an engineer? "Thinking system-wide," "providing in-depth analysis of the latest technologies," "solving real-life problems."
Online Master's Degrees:
- Reliability Engineering
- Project Management
- Nuclear Engineering
- Sustainable Energy
- Energetic Concepts
- Fire Protection Engineering
Learn more: www.advancedengineering.edu/issc

A Taxonomic Analysis on Chinese Special Equipments "Yinhuan" in Supervision
Yunxiao Fan, Dr., Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipments to ensure their safety in the worksite. Special equipments in China include boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices, and automobiles. In recent years, the rapid increase in the numbers and types of special equipments has brought BSES increasing stress in special equipments regulation. As a government supervision organization, BSES tries to make explicit the inspection tasks of the different supervision levels efficiently and to improve safety management performance from the viewpoint of risk. This research is the first task in a project which aims to identify yinhuans in special equipment supervision using a taxonomy approach, for further ranking them through risk assessment. Based on nonconformity and the 4 elements in the accident causation model, this research defined yinhuans of special equipments in China and built a yinhuan taxonomic analysis structure. This research identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans across 8 types of special equipments.

Thursday, 08/15/13, PM, Dartmouth: Hazard/Risk Management II (Chair: Kniess)

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1); Patrick J. Graydon, PhD (2); Rikard Land, PhD (1); (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework that includes analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach, the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence; it can also ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA
United Launch Alliance (ULA) believes error reporting is the cornerstone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented, and shared Event data since 2007, and analysis confirms that Event severity and cost have steadily declined during this period.

In 2012, ULA experienced an elevated number of transportation-related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if the associated processes were in statistical control with respect to errors.

This paper concludes:
- The Statistical Quality Control P-Charting technique can be applied to Event data.
- Statistical Quality Control P-Charting analysis indicates the processes were "in control" during the period of this study.

Even though statistical analysis tools demonstrated ULA's processes were "in control," ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.

Advertisement: Isograph Software, world leading reliability, availability and maintenance software. www.isograph-software.com
- Reliability Workbench: Reliability Allocation, Prediction, FMECA, Fault Tree Analysis, Event Tree Analysis, Markov
- Availability Workbench: Reduce labor & spares costs, increase uptime and output, seamless integration with SAP and Maximo

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, PEng, MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece
Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how STAMP-Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents, and incidents. The objective is to show the feasibility of establishing in airports system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems, and airports to assess and predict changing levels of risk.

Special Functions

Saturday: SSS Executive Council Meeting, 12:00 - 5:00pm, Tremont Room

Sunday: SSS Executive Council Meeting, 8:00am - 5:00pm, Tremont Room

Monday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Opening Ceremonies / General Session, 1:30 - 3:30am, Salons A-E. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus

Keynote Speaker: James P. Keller Jr., MS, ECRI Institute

Tuesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Sponsor/Exhibitor Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology

Sponsor & Exhibitor Reception, 6:30 - 8:30pm, Gloucester Room

Wednesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

International Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK

Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00pm. Be in the hotel lobby at 6:00pm.

Thursday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Awards Luncheon, 11:30 - 1:20pm, Salons A-E

Friday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Best Papers Presentations, 8:00 - 11:20am, Dartmouth Room

Program ISSC 2013


32nd International System Safety Conference, 4-8 August 2014 · St. Louis, MO

St. Louis Union Station Marriott Hotel

Gateway to Safety

Local Attractions
• Gateway Arch Riverfront
• Missouri History Museum
• Museum of Transportation
• St. Louis Cardinals
• St. Louis Symphony
• St. Louis Union Station
• St. Louis Science Center
• The Contemporary Art Museum St. Louis
• Bissell Mansion Restaurant and Dinner Theater
• Missouri Botanical Gardens
• Laumeier Sculpture Park
• Anheuser-Busch Brewery
• Kemp Auto Museum
• Schlafly Bottleworks
• Fox Theater
• Purina Farms
• Meramec Caverns
• Laclede's Landing
• City Museum
• Magic House
• Grant's Farm
• St. Louis Zoo
• Delmar Loop
• Forest Park
• Harrah's
• Six Flags


About the System Safety Society
The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products, and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program, or activity at the planning phase and continues through the design, production, testing, use, and disposal phases.

The Society's Objectives
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering, and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070. www.system-safety.org, email: systemsafety@system-safety.org

Points of Contact

Officers
Robert Schmedake, President, robertaschmedake@boeing.com
Dr. Rod Simmons, Executive Vice President, rodsimmons@me.com
Dr. Matt Johnson, Executive Secretary, mjohnson@staudertech.com
Pam Kniess, Treasurer, pamkniess@gmail.com
Gary Braman, Immediate Past President, gbraman@sikorsky.com

Directors
Gerry Einarsson, Chapter Services, einargk@rogers.com
Lynece Pfledderer, Conferences, Lynecepfledderer@lmco.com
Dr. Chuck Muniak, Education & Professional Development, cmuniak@stevens.edu
Debbie Hale, Gov & Intersociety, Hale0324@hotmail.com
Robert Fletcher, International Development, rwfletcher@sympatico.ca
Melissa Emery, Member Services, memery@apt-research.com
Steve Mattern, Mentoring R&D, smattern@bastiontechnologies.com
Saralyn Dwyer, Publicity & Media, sdwyer@apt-research.com


Chapters
Tennessee Valley Chapter (AL): Don Swallom, swallom@isss-tvc.org
Saguaro Chapter (AZ): Amanda Boysun, 520-794-5487, AmandaBoysun@raytheon.com
Bay Area Chapter (CA): Graham Murray, 408-756-2674, grahamtmurray@lmco.com
Central California Chapter (CA): Kathleen Brenna, KathleenBrenna1@us.af.mil
Sierra High Desert Chapter (CA): Jerry Banister, 760-377-4690, safetycitadel@earthlink.net
Southern California Chapter (CA): Francis McDougall, 310-653-1309, francismcdougall@us.af.mil
Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppe@comcast.net
Georgia Chapter: Terry Gooch, 770-494-3527, terryjgooch@gmail.com
Winners Circle Chapter (KY/IN): Marc Bever, 812-854-1351, Marcbever@navy.mil
Twin Cities Chapter (MN): Bill Blake, 763-744-5086, billblake@atk.com
New England Chapter: Alan E. Southwick, 401-842-2067, Alan_E_Southwick@raytheon.com
Northeast Chapter: Scott Beecher, scottbeecher@pw.utc.com
New Mexico Chapter (NM): William (Bill) Harwood, williamharwood@mda.mil
Houston Chapter (TX): Derek Robins, 281-335-2011, derekrobbins@mwcc-usa.com
North Texas Chapter (TX): Frank Rinaldo, 817-762-3075, frankrrinaldo@lmco.com
Washington DC Chapter: Sean Peters, seanpeters@urs.com
Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerber@baesystems.com

International Chapters
Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbecht@rgbassurance.com.au
Canada Chapter: Maury Hill, 613-220-0533, Mauryhill@rogers.com
Israel Chapter: Haim Kuper, 972-4-8315044, haimkuper@elbitsystems.com
Singapore Chapter: Ten Lin Mei, tlinmei@dso.org.sg

Notes

31st ISSC Luncheon Menu

Tuesday, August 13
New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14
Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark, and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache, and Berry Sauce

Thursday, August 15
Caesar Salad
Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce
White Chocolate and Blood Orange Torte


Tuesday 08·13·13, 1:30-5:00, Exeter: Workshop

Application of System Safety Methods to Systems of Systems
Presenters: Jeff J. Joyce, PhD, Critical Systems Labs Inc., Vancouver, BC, Canada; Rami Debouk, Electrical and Controls Integration Lab, General Motors, Warren, MI, USA; Antonio Vergara, ITER Organization, St. Paul-lez-Durance, France

This workshop will facilitate an exchange of knowledge among participants about the application of system safety methods to Systems of Systems (SoS), that is, systems whose components are themselves complex systems, such that the combined behavior of these components cannot be easily understood or explained in terms of the behaviors of the individual components. Examples of such systems are increasingly common across a variety of technological domains, including aerospace, defense, automotive, and energy generation/distribution. Traditional methods of system safety, focused on component failure as a source of safety risk, have limited value in understanding and managing the safety risks associated with a SoS. For example, an unforeseen interaction between two "correct" behaviors implemented by different components of a SoS may result in an unsafe behavior even in the absence of a component failure. The first part of the workshop will be a series of short presentations on SoS examples from a diverse variety of technical domains, namely advanced road vehicles, high energy physics, and aerospace/defense. The second part of the workshop will be an opportunity for all participants to address specific questions about the application of system safety methods to SoS through dialogue and impromptu mini-presentations.

Tuesday 08·13·13, 1:30-5:00, Fairfield: Workshop

Advancing Safety By Reducing Errors: A Fresh Approach
Presenter: Tim Autrey, BSc, Error Reduction and Human Performance Enhancement, Practicing Perfection Institute Inc., Swanzey, NH, USA

Potential hazards workers face while working in the refining and petrochemical industry can vary from minor leakage to major blasts: releases of chemical vapors, spills leading to exposure to harmful gaseous chemicals, fires and explosions, smoke build-up causing shelter-in-place, impacting the local community, personal injuries, fatalities, and plant damage resulting in shutdowns. Considering time pressures, the dangerous nature of the job, weather conditions, lack of communication, poor/inadequate documentation, and remote working locations, planners, locators, and refiners often face combined challenges that generate very error-likely conditions.

While unexpected releases of toxic substances do occur, the industry is subject to vulnerabilities caused by others (such as processes involving highly hazardous chemicals leading to the release of flammable liquids and gases, and worker stress and fatigue), and investigations reveal that many of the major accidents that do occur could have been prevented through greater diligence on behalf of the respective personnel involved.

This workshop is designed to provide the participants the awareness that, as humans, we are fallible (even the best people make mistakes). However, this being said, as humans we also possess the incredible power of choice. What we must do is choose to learn from our mistakes and take actions to prevent their recurrence.

Bird and Germain (1996) rightly said, "What is the sense of measuring if the loss must occur before you can act? That is reaction, not control." What we need is a fresh approach to enhance safe work practices. This session will instill a strong understanding of "The Gap" in processing information and how to RESPOND rather than REACT when posed with a stressful or threatening situation. The participants will come to recognize the value inherent in worker contribution to solving problems and improving safety and efficiency.

The Practicing Perfection® approach has taken the best-of-the-best tactics and tools from the US commercial nuclear power and airline industries, simplified them, and combined them with underlying triggers and influencers of behavioral psychology to transform worker behaviors pertaining to personal and process safety in different sectors.


Using this innovative approach of Practicing Perfection®, safe work practices will be discussed in depth using the four human error barrier/defense categories and how these work together to prevent/allow an event to occur. The participants will be introduced to the Error Elimination Tools™ handbook, which offers simple tools for minimizing the potential for error at points of team interaction and individual execution.

Wednesday 08·14·13, 1:30-3:30, Arlington: Workshop

The Evolution of the UK Defence Safety Standards
John McDermid, Professor of Software Engineering at the University of York, UK

Issue 5 of DS 00-56 is being developed and is likely to be in force before the end of the year. The UK's primary defence safety standard, DS 00-56, has been in existence since mid-1990 and has undergone a number of changes, becoming more goal oriented at Issue 4 (the current standard). When Issue 4 was produced, DS 00-55, the MoD software safety standard, was discontinued. Since the publication of DS 00-56 Issue 4 in 2007 there has been feedback on some of the requirements, including the challenges of applying the ALARP principle; defence contracting has changed, with a move towards the greater procurement of services and/or outsourcing management of facilities; and there is increasing use of Systems of Systems (SoS). Issue 5 of DS 00-56 is being developed to address these issues. At the same time there have been increasing concerns regarding software safety, and it has been decided to re-introduce DS 00-55 at the same time, albeit in a goal-based style consistent with DS 00-56 and also covering complex electronics. The tutorial will present an explanation of the motivation for the changes to the standards and the significant conceptual changes, and outline the rest of the development process. Time will be allowed for discussion, e.g. the relationship between DS 00-56 and other standards, both civil and military.

Wednesday 08·14·13, 1:30-3:30, Fairfield: Workshop

Aircraft Fire & Explosion: How Safe Are the Friendly Skies?
Albert Moussa, PhD, PE

While commercial air travel is an extremely safe mode of transportation, aircraft fires and explosions can occasionally occur with catastrophic consequences. Using examples of recent accidents and full-scale testing, Dr. Albert Moussa will provide an overview of the main types of fires, such as those involving aircraft engine, fuel tank, cabin, and cargo areas. He will show how major accidents lead to safety recommendations by the NTSB, stricter requirements by the FAA, and improved practices by the industry. This process takes many years, leading eventually to safer skies. Examples of safety improvements include the use of a fire blocking layer in seats, improved acoustic insulation, fire detection and suppression systems in cargo bays, and fuel tank inerting. The implications of replacing aluminum with composite materials will also be discussed. The talk is an overview of a unique professional course that he teaches annually on the design of aircraft systems for protection against fire and explosion. The talk is a multi-media presentation illustrated with colorful slides and short video clips of real accidents and computer model outputs.

Dr. Albert Moussa has spent over forty years developing a fundamental understanding of fire and explosion, particularly for the aerospace/defense industry. His work has led to the development of a number of practical solutions and quantitative models, and to the investigation of several major national and international aircraft fire accidents. His forewarning about the vulnerability of aircraft fuel systems before the occurrence of the TWA800 and Concorde disasters has gained him prominence in the general media in both the US and Europe. He has consulted for the Air Force, Navy, and major firms such as Boeing, GE, Northrop Grumman, and Parker Hannifin, and has served on national advisory committees and on the Editorial Board of an ASME Journal. He teaches a unique professional design course on how to protect aircraft systems against fire and explosion. He received his BS from Stanford University and his MS and ScD from MIT. He has published widely, including one book. He has received several honors, including the William Littlewood Memorial Lecture Award by SAE/AIAA, Engineer of the Year by AIAA NE Section, best papers by SAE and ASEI, AIAA Distinguished Lecturer, and several ASME citations. He is the Founder and Technical Director of BlazeTech Corp., an engineering firm that specializes in technology and software development in the area of energy, environment, and safety.

Friday 08·16·13, 8:00-10:00, Clarendon: Workshop

Process Safety Culture Best Practices
Presenter: Laurence Pearlman, MA, Corven Inc. and University of Illinois at Urbana-Champaign, Naperville, IL, USA

The workshop explores how process safety is more than a technical solution and involves cultural change. To make a successful and sustainable culture change, multiple elements need to be combined that address people, rewards, learning, and leadership. This workshop will explore best practices and give practical advice on how to build a process safety culture. The workshop is aimed at oil, chemical, and other process-related work.

• Introduction
• Change as a Journey: Overview of Change Management
• Building a Business Case: Defining a Burning Platform
• Speaking of Process Safety: Creating a Common Language for Process Safety
• Leadership Matters: Defining the Role of Your Leadership Teams
• Effective Learning: Segmenting Your Audiences and Delivering Relevant Learning Activities
• Looking at Behaviors and Desired Outcomes: How To Define & Drive Behaviors
• The Employee Lens: Know My Barriers & Know My Role in Keeping Them Healthy
• Measurement of Culture: What Works and What Doesn't
• Wrapping it Up: Change as a System

You have a lot on the line. Our adaptive Safety Management and FAA Compliance solutions won't let you down.

Adaptive SMS: The comprehensive solution for the most efficient implementation
• Extends a culture of safety beyond safety teams
• Easily guides users to confidentially report useful safety events
• Responsiveness shows users they made a difference

Adaptive Systems Safety Analysis: Safety oriented system design analysis

Don't miss the Sikorsky Aircraft and AST Aerospace presentation "Linear Integrated Safety Analysis (LISA)"

A division of Atlantic Software Technologies
1-732-230-2590
sales@astaerospace.com
www.astaerospace.com


Paper Presentations

Monday 08·12·13, AM, Berkeley: Hazard Analysis (Chair: Barondes)

Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models
Lucas Wind, Dr. Gabriele Schedl, Juergen Floetzer, Safety Management Department, Frequentis AG, 1100 Vienna, Austria

Multiple failures of components due to shared causes, also known as Common Cause Failures (CCF), comprise an important class of failure types. These have to be taken into account in any serious assessment of safety critical systems deploying any redundancy concept. Whereas a qualitative assessment of CCF can be regarded as common practice, the exact numerical impact of CCF is usually less widely understood. Explicit representation of CCF is quite cumbersome and usually involves complex graphical representations within Fault Trees and RBDs. Focusing on a correct derivation of RAM data rather than on a comprehensive common cause analysis, an implicit representation of CCF is therefore often preferred, but it requires in-depth knowledge of the underlying mathematical models. This paper aims to enable safety experts to make a fast, simple, but effective RAM analysis including CCF. Popular CCF models are reviewed together with their advantages and disadvantages, based on the long-term experience of a supplier in the context of a large European ATM project. The single-parameter beta-factor model is explained in detail and demonstrated to be most effective for typical ATM applications. Based on this model, results are given in terms of representative figures depicting the influence of CCF on various typical real-world availability requirements.

Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees
Wes Rainey, MSEE, Life Cycle Engineering, General Dynamics Electric Boat, Groton, CT, USA

Fault Trees prove to be an effective tool for identifying safety critical system hardware and software requirements during the Safety Requirements Hazard Analysis (SRHA) process. This safety analysis methodology offers significant benefits when performing the SRHA. Fault Trees effectively communicate the safety assessment of a safety hazard to other safety engineers, systems engineers, the customer, and other impacted engineering disciplines in a manner that each discipline can readily understand and evaluate for completeness and correctness. Fault Trees also enhance the safety engineer's ability to assess the implications of safety mishaps and events on safety hazards, improving visibility into the relationship between related mishaps and events and allowing common events to be identified and shared between hazards. Fault Trees can then be structured to correspond to the system hardware and software requirements analysis, thus providing the ability to identify hazard-mitigating safety critical requirements, design features, and procedures early in the development process for continued tracking and management. This paper describes significant benefits of Fault Tree analysis when applied to an SRHA, with an example based upon a hazard caused by significant equipment damage to a pump.

The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment
Omar T. Jaradat, PhD Student (1); Patrick J. Graydon, Postdoctoral Research Fellow (1); Iain Bate (2). (1) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden; (2) Department of Computer Science, University of York, York, United Kingdom

Typical safety standards require software engineers to show that a plan of safety activities, chosen from recommended options or alternatives, meets a set of objectives. For example, the automotive safety standard ISO 26262 recommends formally verifying software architectures to show that they comply with safety requirements. In this paper we show how an existing approach to architectural model checking could be used to conform to ISO 26262.

The Architecture-Based Verification Technique for AADL Specifications verifies some completeness and consistency properties of Architectural Analysis and Design Language (AADL) models. An engineer transforms the AADL architecture into a UPPAAL model, generates a set of UPPAAL queries, and uses UPPAAL to check the queries. Using the resulting evidence, we have created a partial ISO 26262 safety case for an existing system that warns drivers of heavy vehicles before low fuel causes loss of power and vehicle control.

In this paper we demonstrate how this model-checking evidence contributes to an ISO 26262 safety case. We then critically analyze the resulting argument, recommend means of achieving complete coverage of ISO 26262 objectives, and discuss the costs and benefits of architectural model checking in comparison to those of the other techniques recommended by ISO 26262.

Monday 08·12·13, AM, Clarendon: Ground Transportation (Chair: Millin)

Achieving Confidence of a Safety Critical System Product and Its Applications
Fenggang Shi, PhD, RAMS Department, Thales Canada Transportation Solutions, Toronto, ON, Canada

A safety critical system product can be developed for multiple project applications, such as a Communication Based Train Control (CBTC) product for modern railway signaling systems. It is natural that different safety critical systems in the same domain can have different characteristics due to variances of devices and operation environment. Such a product must be developed based on the generic attributes of systems in the domain, and can be parameterized and tailored to a specific system with the characteristics expected by the customer. The key issues in the development of such a product are defining common functions in the application domain, categorizing and generalizing devices, and designing a configurable system architecture, so that devices and functions can be parameterized and tailored for the specific system of a project. Safety engineering for such a safety critical system product and its applications faces complexity in safety case development for demonstrating systematic hazard analyses and management. This paper discusses Thales' experience and practice in resolving the key issues in design and managing the complexity of safety engineering on its CBTC product and applications. Safety confidence of CBTC systems is achieved through four layers of safety engineering: vital computer, controller platform, generic application, and specific application.

Failure Logic Automata for Future Oriented Safety Assessment of Train Control System
Guo Zhou, PhD Student; Huibing Zhao, Professor; School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China

In the development process of a train control system, safety analysis may deviate from the system design. System engineers and safety engineers always carry out their ideas in entirely different ways, so that when system engineers assert that their designs are complete and feasible, the safety engineers may disappointedly declare that the safety requirements are not met. Conversely, when safety engineers present their manual analysis reports (FTA, FMECA, etc.), system engineers may point out inconsistencies. Intuitively, there seems to be a "gap" between system engineering and safety engineering. In this paper, some comparisons among classic safety assessment methods are performed first. Then a future oriented safety assessment method is introduced to safety engineering to automatically realize safety requirements verification in the face of the soaring complexity of system design. The hierarchical and modularized methodology of failure logic modeling is illustrated for minimal cut set synthesis and dangerous failure rate calculation, which can be referred to in order to promote safety. A mathematical model is constructed to demonstrate the correctness of the method. An instance analysis of an on-board train protection system is also performed.

Are We Ready for Driverless Cars?
David B. West, CSP, PE, CHMM, AMCOM/AMRDEC Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA

For decades, technological advancements have continually improved the automobile, making it easier to drive. As we integrate features like adaptive cruise control, GPS navigation, lane keeping, and so on, and make them interoperable, we move ever closer to having cars that will drive themselves to the destinations we enter into their programs. Some experts have even predicted that in less than a generation it will be illegal to steer our cars ourselves. Though it may seem that serious safety challenges constrain our movement down this path, it may actually be the safety benefits offered by driverless cars that propel us in this direction. Several high-profile competitions have fostered the development of driverless car technology. Some jurisdictions are already passing legislation to pave the way for driverless cars on public roads. With driverless cars will come major changes in legal processes involving accidents. In many ways, the development of driverless cars that will operate on public roadways parallels the development of unpiloted aircraft that will fly in the national airspace. Design standards for hardware and software in civil aircraft (e.g., RTCA DO-254/DO-178) may serve as models for similar qualification of driverless car hardware and software.

Tuesday 08·13·13, AM, Berkeley: Hazard/Risk Management (Chair: Parizo)

Safety is not an Option
Clifford A. Parizo, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Stratford, CT, USA; R. Brandon Daugherty, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Huntsville, AL, USA

This paper presents a method for evaluating and classifying rotorcraft safety-enhancing equipment in terms of impact on safety and various equipment implementation factors. Guidance from certifying agency policy and system safety standard practice was considered, resulting in a classification tool that can be used to determine whether equipment should be marketed and sold as either mandatory or optional. The methodology developed may have applications for other products and industries.

National Aerospace Standard 411 Update
Timothy Sheehan, CIH, CSP, PE, Raytheon Global Substances Program, Raytheon, Portsmouth, RI, USA

This paper describes the effort to review and update National Aerospace Standard 411 ("NAS 411"), commonly used within defense as a framework to conduct Hazardous Material Management Programs (HMMP) intended to reduce hazardous material risks in the government procurement of military systems. The scope of the effort includes both a review of the standard and the introduction of several key changes, including the expansion of the scope to non-military procurements and service contracts. Included in the effort is the task of developing a standardized military Hazardous Materials Target List (HMTL) that can be used as a starting point for military HMMP hazardous material (HAZMAT) target lists. The development of the common HMTL addresses the need to increase standardization of HMMP lists across defense programs that use NAS 411 and/or MIL-STD-882E Task 108 to conduct their HMMPs. There is currently no standard approach for developing these lists; as a result, there are numerous different materials identified for restrictions and reporting requirements. The current situation often does not support (or reflect) the hazmat risk management goals of the DoD, the military services, or the contractors.

Linear Integrated Safety Analyses (LISA)
Michael T. Grant, Aviation & Product Safety, Sikorsky Aircraft Corp., Stratford, CT, USA; Samad Muhammad, Atlantic Software Technologies Inc., New York, NY, USA

This paper describes the Linear Integrated Safety Analyses (LISA) process developed by the Sikorsky Aircraft Corporation (Sikorsky). The LISA architecture is designed to encompass all aspects of safety risk management for aircraft development programs. It is linear in that each assessment is repeated at the aircraft, system, and subsystem levels in sequence, and it is integrated such that all analyses are connected and fully traceable to requirements. Sikorsky has partnered with Atlantic Software Technologies (AST) to develop a web-based LISA application. The end product will be a fully integrated system safety process that is comprehensive, repeatable, and traceable.

Tuesday 08·13·13, AM, Clarendon: Workspace Safety (Chair: Kondreck)

Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen
Han Zhang, MSc Candidate; Rachel McQueen, MS, PhD; Jane Batcheller, PhD; Human Ecology, University of Alberta, Edmonton, Alberta, Canada

Burn injuries in kitchens are prevalent, and chefs are exposed to high heat and humidity as well. Limited research has been performed on safety issues related to chef's uniforms regarding thermal protective performance against common kitchen thermal hazards (i.e., flames, hot liquids, steam, and hot surfaces) and thermal comfort within commercial kitchens. The purpose of this research was to characterize the thermal protective performance properties of textiles used in chef's uniforms in order to understand how protective they are against all these thermal hazards in such an environment. Selected thermal performance tests (i.e., flammability and ease of ignition, hot water and oil splash, steam testing under low pressure, and hot surface contact tests) were applied to predict the time to second-degree burn. Different fabric layer combinations (e.g., impermeable/semipermeable apron and two or more layers of cotton fabrics) were applied to determine the most effective way to wear chef's uniforms. In addition, thermal and water vapour resistance were compared among different fabric systems in terms of thermal comfort. Based on the data obtained from bench-scale tests, recommendations were made to improve the thermal protection and thermal comfort of fabrics used in chef's uniforms and the safety within commercial kitchens.

A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources
Ray Fischer (1); Kurt Yankaskas, BS (2); Chris Page (1). (1) Noise Control Engineering Inc., Billerica, MA, USA; (2) Warfighter Performance Department, Office of Naval Research, Arlington, VA, USA

Noise remains the most prevalent occupational hazard associated with defense systems and operations critical to their sustainment. Concurrently, acquisition programs have been inconsistent in the application of control measures, and many new systems are noisier than their legacy predecessors. Common impediments to improved control include a relative lack of emphasis on risk management of noise, lack of widespread technical knowledge regarding the feasibility of noise control, and misunderstanding of the potential return on investment from noise controls. The Defense Safety Oversight Council's Acquisition and Technology Task Force sponsored a project to identify common noise sources affecting multiple defense systems that were amenable to control measures that could be implemented using existing technologies at an affordable cost. A system engineering risk management process was applied to review key noise sources in DOD, identify nine of the more common sources amenable to control technologies, and describe common control measures for these processes. An affordable containment (acoustic enclosure) technology was also evaluated and described. Estimates were made of exposed populations, the range of their occupational exposures, and the potential risk and fiscal cost of hearing loss. Cost-benefit analyses were applied to evaluate the return on investment from available control measures.

System Safety Design for Safe Operation of Radars
Ronald J. Bartos, PE, CSP, Whole Life Engineering, Raytheon, Sudbury, MA, USA

Safe operation and maintenance of radars depends upon effective system safety and software safety analyses of radar designs. These analyses include identification of the hazards involved in operating and maintaining radars and the safety requirements that are necessary to mitigate these hazards. This paper familiarizes the reader with the system safety design requirements that are implemented in the controls of these systems in order to manage the potential safety risks inherent in radars. The safety features are contrasted among different types of radars. The differences in the types of safety features among these systems are highlighted, and factors for these differences are presented. The radar's mission, location, system architecture, conceptual design, and requirements allocation between hardware and software need to be understood in order to implement an effective safety program.

Tuesday 08/13/13 PM, Berkeley, Software Engineering, Chair: Mikula

Dependability Techniques Applied to Space Software - A Research Project Report
Carlos Henrique Netto Lahoz, Dr Eng, Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos (SP), Brazil; Martha Adriana Dias Abdala, MS, Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos, Brazil
This work reports some results of a research project performed at the Institute of Aeronautics and Space (IAE), Brazil, using dependability techniques applied to a space computer system. Hazard analysis techniques such as Software FTA and Software FMECA were used in an integrated manner, and more recently the System-Theoretic Process Analysis (STPA) has been studied. This research is part of the Verification and Validation (V&V) efforts to increase software dependability capability in software projects at IAE.

The feasibility of such an approach was studied on system software specification and applied to a case study based on the Brazilian Launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to inclusion of new functional and non-functional system software requirements.

The techniques are adjusted and used in combination to identify common causes of software failures, their criticality, performance problems, temporal misleading, and hazards arising mainly from dysfunctional interactions between components. The SFTA analysis produced 82 basic events and the SFMECA 34 analyses from the sequence of flight and control events. The STPA is being applied to one of the case study scenarios in order to evaluate possible additional information about how the behavioural safety constraints can be violated.

The Principles of Software Safety Assurance
Richard Hawkins, PhD, Ibrahim Habli, PhD, Tim Kelly, PhD, Department of Computer Science, University of York, York, United Kingdom
We present common principles of software safety assurance that can be observed from software safety standards and best practice. These principles are constant across domains and across projects and can be regarded as the immutable core of any software safety justification. The principles also help maintain understanding of the 'big picture' of software safety issues whilst examining and negotiating the detail of individual standards, and provide a reference model for cross-sector certification.

ProgramISSC2013


Formal Modelling in the Development of Dependable Systems
Elena Troubitsyna, PhD, IT, Åbo Akademi University, Turku, Finland
Nowadays we tend to place increasing reliance on computer-based systems and the software which they are running. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, the analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.

It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing of software to the required degree of dependability infeasible, and hence the emphasis should be put on the development process, which is aimed at producing fault-free software. Moreover, the system environment has a direct impact on its dependability, and hence a systems approach should be applied.

In the paper we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.

Tuesday 08/13/13 PM, Clarendon, Aerospace Safety, Chair: Kraemer

Systems-Based Approach to Flight Safety Management in Airlines
Hong Chi, PhD, Baoguang Xu, PhD, Mingliang Qi, PhD, Xueyan Shao, PhD, Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China
Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of SMS. Since 2006 we have worked with one of China's 3 big airlines, taking part in its construction of SMS. We find that safety risks have their own features in different airline departments, and divide safety risks into two categories: one is caused by factors such as quality of pilots and reliability of airplanes, and the other is caused by misprocessing through operational processes; for example, a misprocessing in data entry during dispatching may lead to insufficient fuel and then serious outcomes. A reasonable risk assessment can be obtained only by systematic mechanism analysis, and other analytical approaches need to be studied besides the risk matrix. Based on this, effective risk mitigation can be implemented in airlines. We develop a closed loop to support airline flight safety management named "Describing-Assessing-Diagnosing-Improving-Tracking". Specific details will be discussed in this paper.

Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch
Burak Durmaz, MSc Eng, Product Assurance Department, Space Systems Group, Turkish Aerospace Industries Inc (TAI), Ankara, Turkey
Even if the new generation aircraft have rugged designs which maximize reliability, exposure to failures during operation is still indispensable. With a pure safety approach one can reach the classical result "the safest aircraft is the one in the hangar". Vice versa, allowing dispatch without ensuring a certain level of safety can lead to catastrophic results and is totally not acceptable. MMEL has been answering this dilemma for many years. Each MMEL item is analyzed taking into account the effects of item inoperability on safe flight and landing, crew workload, functional capabilities of the systems, design margins, and the impacts due to the next critical failure. MMEL proposes dispatch criteria for any inoperative MMEL item by taking credit from a redundant unit which is capable of accomplishing the same function, the backup data provided by alternative sources or equipment, dictating acceptable limitations and/or requiring operational or maintenance procedures.

This study aims to answer questions such as why MMEL is required and how an MMEL is developed. Also, brief information about the MMEL regulations, the importance of MMEL to ensure safe dispatch with inoperative item(s), and some simple examples regarding MMEL applications are going to be provided.


Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics
Stuart Campbell Sr, MAS, CFII, ATP, Aeronautical Science, Embry Riddle Aeronautical University, Daytona Beach, FL, USA
The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilots Association 2010). The absence of a positive safety culture in general aviation, to include training organizations, affects pilot judgment and decision making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture during the learning process and training, is of importance and currently under study using the Frasca Mentor Advanced Aviation Training Device.

Tuesday 08/13/13 PM, Dartmouth, Software Safety, Chair: Schmedake

Safety and/vs Security: Towards a System Engineering Approach for Trust
Erwin Schoitsch, Dipl-Ing, Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria
Safety has a long tradition in many engineering disciplines, evolving long before computers arrived on the scene. Security in engineering disciplines has a shorter history, becoming increasingly important with the rising complexity of networked systems. In complex cyber-physical systems and systems-of-systems, both worlds, having ignored each other for a long time (independent communities, different targets, standards, techniques and measures), have now to share their concerns to achieve the real goal of users and stakeholders: trustworthy systems.

The paper will compare the different approaches of the major safety and security standards, particularly with respect to setting goals, considering techniques and measures, and qualification/certification. Holistic system aspects as covered by the notion of Dependability and Resilience as umbrella terms, and system engineering aspects taking into account dichotomic properties of complex embedded systems (commonalities and trade-offs), are looked at to try to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from concept phase, hazard and risk analysis to decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC-FP7 Integrated Project OpenCoss, in IEC/ISO standardization groups, and other work.

Anatomy of a Safety Critical Software Function
Richard Church, Raytheon Company, Tewksbury, Massachusetts, USA
This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides clear and concise determination of how a safety critical function may be defined at the system level to include hardware, software, human interactions, and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose SLSCF computing level functions and detail what constitutes a Safety Critical Computing Software Function (SCCSF), and how to identify those behavioral attributes that designate that function as safety critical. This paper provides a methodology to identify, decompose, and categorize application and operating environment SCCSFs. For the purpose of this paper, SCCSFs are categorized into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety critical software functions that control and monitor safety critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies, and fail-safe designs found in successful high consequence safety critical systems.

Software Risk: The Third Rail of Safety Analysis
Holly S Hildreth, PhD, Consultant; Charles Greg Elcock, USN-R Aviator, Consultant, San Diego, CA, USA
"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Due to our inability to assess probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called "throwing the baby out with the bath water". Meanwhile, the recent industry trend to assess software risk based solely on implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss shortcomings of this trend and describe alternative techniques that have not been openly documented but that have been used "under the radar" by software safety professionals for many years.

Wednesday 08/14/13 AM, Berkeley, Human Factors, Chair: Robins

ASL: Affective Safety Leadership
Ulrik Ramsing, Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark
Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how", demanding the CoRep to engage with all parties in a safe, professional and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged with CfL Centre for Leadership to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, of which the satisfactory completion is now a requirement for employment in DONG E&P Offshore Operation as Company Representative.

The CoRep Program satisfies its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors, and ILO-driven offshore coaching.

Exxon Valdez: Human Error Plain and Simple
Arthur D Barondes, BS (Mil Engr), MS (Aero), MBA, PhD (ABD) (Business), Analytics International Corporation (AIC), Alexandria, VA, USA
Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989, and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors (there were no mechanical or electrical failures that fateful night), the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots, and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors, onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company, as solely responsible for the disaster.


Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A Vernacchia, MS, PE, Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A Green, PhD, Active Safety Systems, General Motors, Warren, MI, USA; Robert E Llaneras, PhD, Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA
Today's electric propulsion system designs (e.g. Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, some failure modes may result in the failure effect on output torque being realized significantly faster than traditional ICE failure modes. These may present differences in how output torque responses impact potential "Driver Startle" events.

This paper compares electric propulsion systems' fault response characteristics and subsequent detection and mitigation capabilities to those of ICE systems. The effects of the electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle level hazard metrics related to Driver Startle, are presented.

Wednesday 08/14/13 AM, Clarendon, Public Safety, Chair: Fletcher

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD, Yun Luo, Shuo Tian, MS, School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
To make scientific precaution and effective control of accidents is important for the national production of China. The famous Heinrich Rule reveals that the statistical law of the severity and frequency of accidents is essential to control accidents, but the accidental source and causation as well as the essence of systematic safety factors haven't been stated deeply. With the data analysis from various accident statistics over recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. And then a proportion rule of the accident pyramid is further figured out, namely "Major Accident-Fatal Accidents-General Accidents-Hidden Dangers-Hazards" (1-52-240-4700-∞). The result accords with the traditional Heinrich Rule, which provides the theoretical basis for accident prevention and indicates the way and direction of realizing essential safety.

Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity
Ilya M Zheleznov, PhD, VNIIA, Moscow, Russia
The paper presents a review and results of analysis of different technical and economic aspects of industrial safety at the large enterprise with distributed sites combining R&D works with pilot and batch production of high-tech products and located in a megacity, Moscow.

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to the optimization, considering minimization of transportation of dangerous substances, localization of treatment facilities (waste effluents, gas purification) and storehouses of waste, localization of systems of working conditions maintenance (heating, air-conditioning, air clearing, water supply, etc.), possible harm to the population, and a number of other factors, both from technical and economic points of view, are considered.

The features connected with the arrangement of the enterprise in a megacity, including limitation of the areas for treatment facilities, a high saturation of the area by various communications, small distances to residential buildings and objects of the city infrastructure, transport problems, high impurity of the air environment, etc., are allocated.


Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr Professor G.A. Smirnov, Dr D.I. Yurkov, D.V. Syagin, T.V. Kozhina, All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia
The paper reviews the questions related to vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including ones of a terrorist orientation, as well as to emergency situations of natural and anthropogenic character.

Main provisions of the Russian Government approved complex program of safety of the population on transport are presented. Approaches to the organization of examination of physical persons, passengers, vehicles, cargoes, luggage and personal things at objects of the transport infrastructure of undergrounds of Russia are formulated. Some types of neutron and x-ray equipment designed and produced by VNIIA named after N.L. Duhov for detection of explosives, nuclear materials and drugs are presented.

Wednesday 08/14/13 AM, Dartmouth, Lifecycle Safety, Chair: Swallom

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore, Singapore
System Safety analyses assess the systems' hazards throughout all phases of the system life cycle. Quite often, details of maintenance tasks on systems were not clearly thought out and assessed. Hence, while in the midst of carrying out system maintenance tasks, hazards could arise and pose safety implications to users. Improper maintenance could also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance and sometimes total replacement of the components at regular intervals are required. Therefore, it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety critical or safety related parts is also crucial in ensuring that the systems remain safe for operation after conducting maintenance.

This paper attempts to classify the different types of maintenance and the focus of their respective hazard analyses in order to better address their potential hazards. Generally there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance and Reliability-Centered Maintenance. The authors will discuss, with examples, the hazard analysis for each of these types of maintenance.

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram, David Hartfelder, Electronic Controls and Software, General Motors Company, Milford, MI, USA
System safety engineering is the application of special technical methods and managerial processes in a systematic manner to identify, evaluate and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned about eliminating or minimizing the impact of system hazard(s) to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementing critical safety analyses, tests and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that it is able to influence the design of the system. This paper will define a system safety case and provide an overview of its development within the GM system safety engineering process as they apply to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA
Error Prevention Event Collection (EPEC) Documents have been beneficial to the ULA Organization in many ways by providing multiple methods to augment current ULA Error Prevention Processes and share Lessons Learned throughout the ULA Organization. EPEC Documents are stand-alone documents that provide ULA Personnel with categorized sets of Event information that can be used to augment Preventive Analysis, Reactive Analysis and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process. This means that they have completed the Causal Analysis, Corrective Action Board and Error Prevention Council processes. Upon Event closure, the "All Items" Database is populated with Event information and the applicable Event EPEC Categories. Then the "All Items" Database automatically sorts Event entries into "Category" Databases. There is one "Category" Database for each EPEC Category. Each "Category" Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" Database that provides users with instructional use, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications and benefits will continue to be explored as they relate to the EPEC Documents.

Wednesday 08/14/13 AM, Exeter, Human Factors II, Chair: Flint

Development of Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy, Yanyan Wang, DE, Xin Liu, Wei Bai, Xinsheng Guo, Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress has a disadvantage on flight safety. Life events are a routine item of aircraft accident investigation in many countries. A lot of pilots involved in accidents were suffering from life events. In order to acquire the ideal effect, flight safety education must be incorporated with psychology. An education program combining flight safety and psychological stress was developed by summarizing relative psychological factors of aviation risk perception. The program includes three sections, which are psychological measurement relative to safety and results feedback, education on representative risk scenes in aviation, and occupational stress management. The aviation safety locus of control scale and hazardous aviation attitude questionnaire were used to evaluate risk pattern. The results were fed back to pilots to improve self-knowledge. Representative risk scenes were based on the five hazardous attitudes theory. Fifteen cases were developed and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach the pilots stress management skills. The program can be applied to improve flight safety and mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD, Xin Liu, Wei Bai, Xinsheng Guo, Qingfeng Liu, MPsy, Xiaochao Guo, DPsy, Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
The capabilities of crew resource management (CRM) directly relate to flight safety and run through the whole process of flight tasks, but there are still no indicators and methods for the dynamic management and assessment of crew resources in China currently. In this study, a theoretical system of CRM and pilots' behavior characteristics of dynamic CRM were developed based on AC-121-FS-2011-41 crew resource management training and by analyzing the influential factors; thus eventually the dynamic assessment training indicators and methods of crew resource management were formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis of assessment on CRM during flight training, which is helpful to improve the CRM capabilities of the double drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD, Erin Collins, Hughes Associates Inc, Baltimore, MD, USA
The fire protection response in selected facilities is characterized by "manual" activities. That is, facility personnel are trained to immediately react after fire detection, not only to announce the fire event throughout the facility using the communication systems, but to also suppress the fire as quickly as possible. Contrary to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e. hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper involves an integration of an event tree analysis and HRA, which includes treatment of the following detection and suppression activities: Prompt detection and suppression, Rapid detection and suppression, and Fire brigade suppression.

Wednesday 08/14/13 PM, Berkeley, Safety Topics, Chair: Gauthier

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou, BEng, MSc, PhD, CEng, Matthew Luckcuck, Tim Kelly, PhD, Richard W Jones, PhD, Department of Computer Science, University of York, York, United Kingdom
There has been an increasing use of IT in healthcare, aiming to improve the healthcare quality as well as the safety delivered to patients. IT can contribute to improvement in meeting the performance targets of hospitals by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent in medical devices (e.g. pacemakers), for which there are organised efforts for international standards. Recently there have been attempts to systematise and standardise the safety analysis of health IT systems, with examples such as the UK National Health Service standards asking for a safety case that any IT systems are safe.


The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety and data intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these (tactics) can be used to provide assurance to the final safety case of the system.

How Complex Systems Fail - I: Decomposition of the Failure Histogram
Richard R Zito, PhD, Richard R Zito Research LLC, Tucson, AZ, USA
Peterson and Arellano (2002) have shown in a seminal paper published in Reliability Review that, in general, the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model. And the failure histograms (failure rate vs time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report will take the Peterson/Arellano analysis one step further. A unified theory of failure rates will be presented that removes the paradoxes of the simple Rayleigh model. It will be shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function law.

Wednesday 08/14/13 PM, Clarendon, Risk Assessment, Chair: Karedes

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt, Joan Pham, PhD, Sikorsky Aircraft Corporation, Stratford, Connecticut, USA
The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday 08·15·13 AM, Berkeley: Space Systems (Chair: Durmaz)

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X. Dang, BSCE (1); Myles P. Moran, BSME (2); Tyrone Jackson, BSEE (1). (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA
A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. An example: one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202_AFSPC SUP_1, AFI 91-217, and AFI 63-101. AF program offices are required to comply with AFI policies; AFIs don't generally apply to the contractor except as implemented through the contract. Often, program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that by having two sets of requirements, AFIs for program offices and tailored MIL-STD-882 for contractors, full compliance with AF Orbital Safety policy should be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"


Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G. McDougall, BS Physics, Master System Engineering (Naval Postgraduate School, NPS), System Safety Center, SMC/SE, El Segundo, CA, USA; Tyrone Jackson, BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA
Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommissioning, and disposal of systems, subsystems, end items, and services during the entire space system lifecycle to support Operational Safety, Suitability, and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements applicable to the acquisition of space systems or space systems of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems, and user equipment systems. SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP_1, and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process for evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing the tasks and activities required to execute a viable system safety program, including risk acceptance package development, hazard tracking, mishap risk disposition, and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch, CO, USA
United Launch Alliance launches Atlas V and Delta IV from the Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles, and large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire, and explosion hazards throughout their handling, from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle, and prelaunch operations, until liftoff. Range Safety regulations provide safety requirements for hardware, software, and operations to ensure safety throughout ground processing. This paper examines each stage of ground processing for space launch and the applicable safety requirements, and discusses how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after personnel are cleared, using safety-critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday 08·15·13 AM, Clarendon: Weapons Safety (Chair: Southwick)

Security Critical Software — the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S. Alborzi, PhD, Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA
Today's political landscape, the arbitrary abandonment of nuclear non-proliferation by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense of system safety. This paper explores this integration and identifies some of the security-critical software that can serve as the first line of defense for preserving the safety-critical features of our weapons systems.


Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams, BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello, BSChE, Navy NOSSA, Indian Head, MD, USA
The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance for implementing policy provided in the associated AOP-7 and AOP-39. Questions are often raised during program development and reviews as to the origin and applicability of the tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of the test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic materials community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, addresses only the Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE; Gunendran Sivapragasam, MBA, SE; Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA
A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among the characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork, with analysis that can be built upon, for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday 08·15·13 AM, Dartmouth: Hazard Identification (Chair: Oliver)

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore
We often ask ourselves why accidents or mishaps happen even when the system safety methodology and assessments are in place. Accidents happen for many possible reasons: there could be lapses in the safety integrity of the system, a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns, in that a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practice of system safety. Four areas of concern are highlighted in the paper: Interfaces; Prototype Tests & Trials; Maintenance & Disposal; and Human Error. By identifying the gaps in these four areas, the author explores and proposes mitigation measures that could close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr., Cand. scient., System Safety, SINTEF, Trondheim, Norway
Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body (for certification according to IEC 61508), a Notified Body (for certification according to the relevant EU directives), and a Manufacturer.

Experience has shown that, to deliver the product on time and cost-effectively, it is very important that the Manufacturer, the Certification Body, and the Notified Body agree about basic principles concerning the plans, contents, traceability, and quality of the documentation to be developed by the Manufacturer and used by both the Certification Body and the Notified Body as evidence.

This paper presents the CoVeR method, developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification, and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report (CER) for conformance to IEC 61508. This ensures a good start, that costs are minimized and time to market reduced, that the certification process is complete and well documented, and that updates of the certificates require less work. Certification experience to date shows that many of the problems with conventional methods are alleviated.

Design with Safety Eye
Barış Berk Erdem, MS; Pinar Aydin, MS; Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey
Deriving safety requirements in the early stages of design is one of the key factors in conducting a successful development process for any project. Well-defined, correct, consistent, and complete safety requirements improve and guide the design with minimum effort, whereas defective, inconsistent, and incorrect safety requirements may lead to unsuccessful, overweight, and over-cost designs. In this paper, ways of deriving qualified safety requirements in the early stages of design, and their advantages, are discussed via examples. Safety requirements are derived from the results of safety assessments based on the consequences of functional failures. But the quality of the safety assessments depends on the maturity of the design, and as the design matures it becomes hard to change and to implement the changes; this causes a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated, and familiar with similar projects provides great contributions. A safety perspective throughout the design team also makes it easier to derive valuable safety requirements and carry them into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is cooperation of the whole design team with a safety perspective.

Thursday 08·15·13 PM, Berkeley: Aerospace Software (Chair: Beecher)

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway, NASA Langley Research Center, Hampton, VA, USA
For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements." Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments contained in or implied by the DO-178C guidance that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore, developers and assessors must consider the limitations of execution-time evidence and their effect on the confidence that can be placed in execution-time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels, and Baconian probability. We define use cases for confidence in safety cases, prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for reuse of safety elements.

Initial Safety Analysis for Integration of Unmanned Aerial Systems into the National Airspace System
Eric Yang, PhD; Richard Y. Xie, PhD; Arash Yousefi, PhD; Metron Aviation, Inc., Dulles, VA, USA
As demand for military, civilian, and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper we adapt a previously developed safety modeling framework, the Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS; incompatibility between the sense-and-avoid systems of UAS and the Traffic Collision Avoidance Systems (TCAS) of manned aircraft; loss-link procedures in the UAS; and UAS loss of communication with air traffic control. The findings of this study provide insight into potential risks of UAS integration and may support development of a concept of operations, establishing minimum performance standards, and developing required safety nets.

Thursday 08·15·13 PM, Clarendon: Public Safety II (Chair: Laabs)

Integrating System Safety and Emergency Management
Terry L. Hardy, Great Circle Analytics, LLC, Denver, CO, USA
System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations, or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience, and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS, HSE, Marine Well Containment Company, Houston, TX, USA
Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips, and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain, and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess, and Statoil. In February 2011, MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS, and its Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach for working with member companies on hazard identification to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.


A Taxonomic Analysis of Chinese Special Equipment "Yinhuan" in Supervision
Yunxiao Fan, Dr., Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety on the worksite. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices, and automobiles. In recent years, the rapid increase in the number and types of special equipment has put BSES under increasing stress in special equipment regulation. As a government supervision organization, BSES tries to make the inspection tasks of the different supervision levels explicit and efficient and to improve safety management performance from the viewpoint of risk. This research is the first task in a project that aims to identify yinhuans (hidden dangers) in special equipment supervision through a taxonomic approach, for further ranking through risk assessment. Based on nonconformity and the four elements of the accident causation model, this research defines the yinhuans of special equipment in China and builds a yinhuan taxonomic analysis structure. Nonconformities were identified from related regulations, standards, procedures, etc., and 830 yinhuans of 8 types of special equipment were identified.

Thursday 08·15·13 PM, Dartmouth: Hazard/Risk Management II (Chair: Kniess)

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1); Patrick J. Graydon, PhD (2); Rikard Land, PhD (1). (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework that includes analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach, the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence; it can also ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA
United Launch Alliance (ULA) believes error reporting is the cornerstone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented, and shared Event data since 2007, and analysis confirms that Event severity and cost have steadily declined during this period.

In 2012, ULA experienced an elevated number of transportation-related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if the associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates the processes were "in control" during the period of this study.

Even though statistical analysis tools demonstrated ULA's processes were "in control," ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business; rather, ULA strives to eliminate all errors.
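The following is an added worked example of the P-charting technique the abstract applies; it is not ULA's code, data, or decision rule. It treats each period's Events as a proportion of the opportunities for error in that period (assumed here to be shipments handled), draws per-period control limits from the pooled rate, and flags any period whose proportion falls outside them. The single-point-beyond-3-sigma rule is the basic Shewhart signal and is an assumption; the abstract does not say which run rules ULA used. All period data below are constructed.

```python
"""Added example, not ULA's code or data: a Shewhart p-chart over error-Event
counts, the Statistical Quality Control technique the abstract applies.
Each period has n opportunities for error (assumed here to be shipments
handled) and x reported Events; the chart asks whether the period's
proportion x/n falls inside limits derived from the pooled rate.
The period data below are constructed for illustration."""
import math
from typing import List, Sequence, Tuple


def pooled_rate(n: Sequence[int], x: Sequence[int]) -> float:
    """p-bar: all Events over all opportunities, the chart's centre line."""
    return sum(x) / sum(n)


def control_limits(p_bar: float, n_i: int, k: float = 3.0) -> Tuple[float, float]:
    """(LCL, UCL) for one period. Limits widen for periods with fewer
    opportunities because the binomial standard error scales as 1/sqrt(n);
    the lower limit is clipped at zero (no negative proportions)."""
    sigma = math.sqrt(p_bar * (1.0 - p_bar) / n_i)
    return max(0.0, p_bar - k * sigma), min(1.0, p_bar + k * sigma)


def p_chart(n: Sequence[int], x: Sequence[int], k: float = 3.0) -> List[dict]:
    """One row per period with its proportion, its limits and the basic
    Shewhart signal (a single point outside the k-sigma limits)."""
    if len(n) != len(x) or not n:
        raise ValueError("need equal-length, non-empty period data")
    p_bar = pooled_rate(n, x)
    rows = []
    for i, (n_i, x_i) in enumerate(zip(n, x)):
        lcl, ucl = control_limits(p_bar, n_i, k)
        p_i = x_i / n_i
        rows.append({"period": i, "n": n_i, "x": x_i, "p": p_i,
                     "lcl": lcl, "ucl": ucl,
                     "signal": p_i > ucl or p_i < lcl})
    return rows


def out_of_control_periods(n: Sequence[int], x: Sequence[int], k: float = 3.0) -> List[int]:
    """Indices of the periods the chart flags; an empty list is 'in control'."""
    return [int(r["period"]) for r in p_chart(n, x, k) if r["signal"]]


# Constructed data: nine periods of transportation activity. Opportunity
# counts vary by period; the last period carries an unusually high Event count.
OPPORTUNITIES = [200, 180, 220, 200, 190, 210, 200, 200, 200]
EVENTS        = [4,   5,   5,   3,   6,   5,   4,   6,   14]

if __name__ == "__main__":
    for r in p_chart(OPPORTUNITIES, EVENTS):
        flag = "OUT" if r["signal"] else "ok"
        print(f"period {r['period']}: p={r['p']:.4f} "
              f"limits [{r['lcl']:.4f}, {r['ucl']:.4f}] {flag}")
    print("flagged periods:", out_of_control_periods(OPPORTUNITIES, EVENTS))
```

Two caveats a practitioner would want before reading a chart like this as evidence. First, the p-chart assumes every opportunity is known and counted; with voluntary Event disclosure, a falling proportion can mean fewer reports rather than fewer errors, so the denominator and the reporting climate need to be checked alongside the chart. Second, a cluster of Events in a short time can sit inside the limits and still be worth investigating; "in control" is a statement about common-cause variation, not a clean bill of health, which is consistent with ULA continuing to pursue its "Zero Defects" objective.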

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, PEng, MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece
Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively; current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper describes how STAMP-Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents, and incidents. The objective is to show the feasibility of establishing, in airports, system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems, and airports to assess and predict changing levels of risk.


Special Functions

Saturday: SSS Executive Council Meeting, 12:00 - 5:00 pm, Tremont Room

Sunday: SSS Executive Council Meeting, 8:00 am - 5:00 pm, Tremont Room

Monday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room

Monday: Opening Ceremonies / General Session, 1:30 - 3:30 pm, Salons A-E. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow Member Emeritus. Keynote Speaker: James P. Keller, Jr., MS, ECRI Institute

Tuesday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room

Tuesday: Sponsor/Exhibitor Luncheon, 11:30 am - 1:20 pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology

Tuesday: Sponsor & Exhibitor Reception, 6:30 - 8:30 pm, Gloucester Room

Wednesday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room

Wednesday: International Luncheon, 11:30 am - 1:20 pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK

Wednesday: Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00 pm. Be in the hotel lobby at 6:00 pm

Thursday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room

Thursday: Awards Luncheon, 11:30 am - 1:20 pm, Salons A-E

Friday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room

Friday: Best Papers Presentations, 8:00 - 11:20 am, Dartmouth Room


32nd International System Safety Conference
4-8 August 2014 · St. Louis, MO
St. Louis Union Station Marriott Hotel
"Gateway to Safety"

Local attractions:
• Gateway Arch Riverfront
• Missouri History Museum
• Museum of Transportation
• St. Louis Cardinals
• St. Louis Symphony
• St. Louis Union Station
• St. Louis Science Center
• The Contemporary Art Museum St. Louis
• Bissell Mansion Restaurant and Dinner Theater
• Missouri Botanical Gardens
• Laumeier Sculpture Park
• Anheuser-Busch Brewery
• Kemp Auto Museum
• Schlafly Bottleworks
• Fox Theater
• Purina Farms
• Meramec Caverns
• Laclede's Landing
• City Museum
• Magic House
• Grant's Farm
• St. Louis Zoo
• Delmar Loop
• Forest Park
• Harrah's
• Six Flags

About the System Safety Society
The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products, and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program, or activity at the planning phase and continues through the design, production, testing, use, and disposal phases.

The Society's Objectives:
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering, and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070
www.system-safety.org, email: systemsafety@system-safety.org

Points of Contact

Officers
Robert Schmedake, President, robertaschmedake@boeing.com
Dr. Rod Simmons, Executive Vice President, rodsimmons@me.com
Dr. Matt Johnson, Executive Secretary, mjohnson@staudertech.com
Pam Kniess, Treasurer, pamkniess@gmail.com
Gary Braman, Immediate Past President, gbraman@sikorsky.com

Directors
Gerry Einarsson, Chapter Services, einargk@rogers.com
Lynece Pfledderer, Conferences, Lynecepfledderer@lmco.com
Dr. Chuck Muniak, Education & Professional Development, cmuniak@stevens.edu
Debbie Hale, Gov. & Intersociety, Hale0324@hotmail.com
Robert Fletcher, International Development, rwfletcher@sympatico.ca
Melissa Emery, Member Services, memery@apt-research.com
Steve Mattern, Mentoring / R&D, smattern@bastiontechnologies.com
Saralyn Dwyer, Publicity & Media, sdwyer@apt-research.com


Chapters
Tennessee Valley Chapter (AL): Don Swallom, swallom@isss-tvc.org
Saguaro Chapter (AZ): Amanda Boysun, 520-794-5487, AmandaBoysun@raytheon.com
Bay Area Chapter (CA): Graham Murray, 408-756-2674, grahamtmurray@lmco.com
Central California Chapter (CA): Kathleen Brenna, KathleenBrenna1@us.af.mil
Sierra High Desert Chapter (CA): Jerry Banister, 760-377-4690, safetycitadel@earthlink.net
Southern California Chapter (CA): Francis McDougall, 310-653-1309, francismcdougall@us.af.mil
Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppe@comcast.net
Georgia Chapter: Terry Gooch, 770-494-3527, terryjgooch@gmail.com
Winners Circle Chapter (KY/IN): Marc Bever, 812-854-1351, Marcbever@navy.mil
Twin Cities Chapter (MN): Bill Blake, 763-744-5086, billblake@atk.com
New England Chapter: Alan E. Southwick, 401-842-2067, Alan_E_Southwick@raytheon.com
Northeast Chapter: Scott Beecher, scottbeecher@PW.utc.com
New Mexico Chapter (NM): William (Bill) Harwood, williamharwood@mda.mil
Houston Chapter (TX): Derek Robins, 281-335-2011, derekrobbins@mwcc-usa.com
North Texas Chapter (TX): Frank Rinaldo, 817-762-3075, frankrrinaldo@lmco.com
Washington DC Chapter: Sean Peters, seanpeters@urs.com
Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerber@baesystems.com

International Chapters
Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbecht@rgbassurance.com.au
Canada Chapter: Maury Hill, 613-220-0533, Mauryhill@rogers.com
Israel Chapter: Haim Kuper, 972-4-8315044, haimkuper@elbitsystems.com
Singapore Chapter: Ten Lin Mei, tlinmei@dso.org.sg


31st ISSC Luncheon Menu

Tuesday, August 13
New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14
Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15
Caesar Salad
Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato Pesto Butter Sauce
White Chocolate and Blood Orange Torte


Using this innovative approach of Practicing Perfection®, safe work practices will be discussed in depth using the four human error barrier/defense categories and how these work together to prevent or allow an event to occur. The participants will be introduced to the Error Elimination Tools™ handbook, which offers simple tools for minimizing the potential for error at points of team interaction and individual execution.

Wednesday 08·14·13, 1:30-3:30, Arlington: Workshop

The Evolution of the UK Defence Safety Standards
John McDermid, Professor of Software Engineering at the University of York, UK
Issue 5 of DS 00-56 is being developed and is likely to be in force before the end of the year. The UK's primary defence safety standard, DS 00-56, has been in existence since mid-1990 and has undergone a number of changes, becoming more goal oriented at Issue 4 (the current standard). When Issue 4 was produced, DS 00-55, the MoD software safety standard, was discontinued. Since the publication of DS 00-56 Issue 4 in 2007 there has been feedback on some of the requirements, including the challenges of applying the ALARP principle; defence contracting has changed, with a move towards the greater procurement of services and/or outsourcing of facilities management, and increasing use of Systems of Systems (SoS). Issue 5 of DS 00-56 is being developed to address these issues. At the same time there have been increasing concerns regarding software safety, and it has been decided to re-introduce DS 00-55 at the same time, albeit in a goal-based style consistent with DS 00-56 and also covering complex electronics. The tutorial will present an explanation of the motivation for the changes to the standards and the significant conceptual changes, and will outline the rest of the development process. Time will be allowed for discussion, e.g. the relationship between DS 00-56 and other standards, both civil and military.

Wednesday 08·14·13, 1:30-3:30, Fairfield: Workshop

Aircraft Fire & Explosion: How Safe Are the Friendly Skies?
Albert Moussa, PhD, PE
While commercial air travel is an extremely safe mode of transportation, aircraft fires and explosions can occasionally occur with catastrophic consequences. Using examples of recent accidents and full-scale testing, Dr. Albert Moussa will provide an overview of the main types of fires, such as those involving aircraft engine, fuel tank, cabin and cargo areas. He will show how major accidents lead to safety recommendations by the NTSB, stricter requirements by the FAA and improved practices by the industry. This process takes many years, leading eventually to safer skies. Examples of safety improvements include the use of a fire blocking layer in seats, improved acoustic insulation, fire detection and suppression systems in cargo bays, and fuel tank inerting. The implications of replacing aluminum with composite materials will also be discussed. The talk is an overview of a unique professional course that he teaches annually on the design of aircraft systems for protection against fire and explosion. The talk is a multi-media presentation illustrated with colorful slides and short video clips of real accidents and computer model outputs.

Dr. Albert Moussa has spent over forty years developing a fundamental understanding of fire and explosion, particularly for the aerospace/defense industry. His work has led to the development of a number of practical solutions and quantitative models and to the investigation of several major national and international aircraft fire accidents. His forewarning about the vulnerability of aircraft fuel systems before the occurrence of the TWA 800 and Concorde disasters has gained him prominence in the general media in both the US and Europe. He has consulted for the Air Force, Navy and major firms such as Boeing, GE, Northrop Grumman and Parker Hannifin, and has served on national advisory committees and on the Editorial Board of an ASME journal. He teaches a unique professional design course on how to protect aircraft systems against fire and explosion. He received his BS from Stanford University and his MS and ScD from MIT. He has published widely, including one book. He has received several honors, including the William Littlewood Memorial Lecture Award by SAE/AIAA, Engineer of the Year by the AIAA NE Section, best papers by SAE and ASEI, AIAA Distinguished Lecturer, and several ASME citations. He is the Founder and Technical Director of BlazeTech Corp., an engineering firm that specializes in technology and software development in the areas of energy, environment and safety.

Friday 08·16·13, 8:00-10:00, Clarendon: Workshop

Process Safety Culture Best Practices
Presenter: Laurence Pearlman, MA, Corven Inc. and University of Illinois at Urbana-Champaign, Naperville, IL, USA
The workshop explores how process safety is more than a technical solution and involves cultural change. To make a successful and sustainable culture change, multiple elements need to be combined that address people, rewards, learning and leadership. This workshop will explore best practices and give practical advice on how to build a process safety culture. The workshop is aimed at oil, chemical and other process-related work.

• Introduction
• Change as a Journey: Overview of Change Management
• Building a Business Case: Defining a Burning Platform
• Speaking of Process Safety: Creating a Common Language for Process Safety
• Leadership Matters: Defining the Role of Your Leadership Teams
• Effective Learning: Segmenting Your Audiences and Delivering Relevant Learning Activities
• Looking at Behaviors and Desired Outcomes: How To Define & Drive Behaviors
• The Employee Lens: Know My Barriers & Know My Role in Keeping Them Healthy
• Measurement of Culture: What Works and What Doesn't
• Wrapping it Up: Change as a System

You have a lot on the line. Our adaptive Safety Management and FAA Compliance solutions won't let you down.

Adaptive SMS: The comprehensive solution for the most efficient implementation
Extends a culture of safety beyond safety teams
Easily guides users to confidentially report useful safety events
Responsiveness shows users they made a difference

Adaptive Systems Safety Analysis: Safety oriented system design analysis

Don't miss the Sikorsky Aircraft and AST Aerospace presentation "Linear Integrated Safety Analysis (LISA)"

A Division of Atlantic Software Technologies
1-732-230-2590
salesastaerospacecom
wwwastaerospacecom

Paper Presentations

Monday 08·12·13 AM, Berkeley: Hazard Analysis (Chair: Barondes)

Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models
Lucas Wind, Dr. Gabriele Schedl, Juergen Floetzer, Safety Management Department, Frequentis AG, 1100 Vienna, Austria
Multiple failures of components due to shared causes, also known as Common Cause Failures (CCF), comprise an important class of failure types. These have to be taken into account in any serious assessment of safety critical systems deploying any redundancy concept. Whereas a qualitative assessment of CCF can be regarded as common practice, the exact numerical impact of CCF is usually less widely understood. Explicit representation of CCF is quite cumbersome and usually involves complex graphical representations within Fault Trees and RBDs. Focusing on a correct derivation of RAM data rather than on a comprehensive common cause analysis, an implicit representation of CCF is therefore often preferred, but it requires in-depth knowledge of the underlying mathematical models. This paper aims to enable safety experts to make a fast, simple but effective RAM analysis including CCF. Popular CCF models are reviewed together with their advantages and disadvantages, based on the long-term experience of a supplier in the context of a large European ATM project. The single-parameter beta-factor model is explained in detail and demonstrated to be most effective for typical ATM applications. Based on this model, results are given in terms of representative figures depicting the influence of CCF on various typical real-world availability requirements.
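The beta-factor arithmetic in an added example, not the paper's own figures or code: the standard single-parameter model splits each channel's unavailability q into an independent part (1 - β)q and a common-cause part βq that takes down every channel at once, so a 1-out-of-n system is unavailable when the common cause strikes or when all n channels fail independently. The failure rate and MTTR values are constructed; the last function inverts the model to find the largest β a given availability requirement can tolerate.

```python
"""Beta-factor common cause failure (CCF) model for 1-out-of-n redundancy.

Added example (not from the Frequentis paper). Standard single-parameter
beta-factor model: a fraction beta of each channel's unavailability q is
attributed to a shared cause that fails all redundant channels together;
the remaining (1 - beta) q fails independently. All numbers are constructed.
"""
from typing import Tuple


def steady_state_unavailability(failure_rate: float, mttr: float) -> float:
    """Unavailability of one repairable component (rate per hour, MTTR in hours)."""
    x = failure_rate * mttr
    return x / (1.0 + x)


def split_beta(q: float, beta: float) -> Tuple[float, float]:
    """Split channel unavailability q into (independent, common-cause) parts."""
    if not 0.0 <= beta <= 1.0 or not 0.0 <= q <= 1.0:
        raise ValueError("q and beta must lie in [0, 1]")
    return (1.0 - beta) * q, beta * q


def redundant_unavailability(q: float, n: int, beta: float) -> float:
    """Unavailability of a 1-out-of-n parallel system of identical channels.

    Down if the common-cause event occurs, or if it does not occur and all
    n channels have failed independently.
    """
    if n < 1:
        raise ValueError("need at least one channel")
    q_ind, q_cc = split_beta(q, beta)
    return q_cc + (1.0 - q_cc) * q_ind ** n


def max_beta_for_target(q: float, n: int, target: float, iters: int = 80) -> float:
    """Largest beta for which the 1-out-of-n system still meets `target`.

    Returns 0.0 when even fully independent channels miss the target.
    Bisection is valid because the unavailability increases monotonically
    with beta for the small q values met in practice.
    """
    if redundant_unavailability(q, n, 0.0) > target:
        return 0.0
    lo, hi = 0.0, 1.0
    for _ in range(iters):
        mid = (lo + hi) / 2.0
        if redundant_unavailability(q, n, mid) <= target:
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    # Constructed RAM data: 1.25e-4 failures/hour, 8 hour repair -> q ~ 1e-3.
    q = steady_state_unavailability(failure_rate=1.25e-4, mttr=8.0)
    for beta in (0.0, 0.01, 0.1):
        print(f"beta={beta:<5} 1oo2 unavailability={redundant_unavailability(q, 2, beta):.3e}")
    print("largest beta meeting 1e-5:", max_beta_for_target(q, 2, 1e-5))
```

With q of about 1e-3, duplicating the channel brings the independent-failure term down to 1e-6, but a beta of only 0.1 puts the system at roughly 1e-4, so the common-cause term dominates by two orders of magnitude; a requirement of 1e-5 can only be met if beta is kept below about 0.009, which is the kind of figure the abstract refers to.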

Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees
Wes Rainey, MSEE, Life Cycle Engineering, General Dynamics Electric Boat, Groton, CT, USA
Fault Trees prove to be an effective tool for identifying safety critical system hardware and software requirements during the Safety Requirements Hazard Analysis (SRHA) process. This safety analysis methodology offers significant benefits when performing the SRHA. Fault Trees effectively communicate the safety assessment of a safety hazard to other safety engineers, systems engineers, the customer and other impacted engineering disciplines in a manner that each discipline can readily understand and evaluate for completeness and correctness. Fault Trees also enhance the safety engineer's ability to assess the implications of safety mishaps and events on safety hazards, improving visibility into the relationship between related mishaps and events and allowing common events to be identified and shared between hazards. Fault Trees can then be structured to correspond to the system hardware and software requirements analysis, thus providing the ability to identify hazard-mitigating safety critical requirements, design features and procedures early in the development process for continued tracking and management. This paper describes significant benefits of Fault Tree analysis when applied to an SRHA, with an example based upon a hazard caused by significant equipment damage to a pump.

The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment
Omar T. Jaradat, PhD Student (1); Patrick J. Graydon, Postdoctoral Research Fellow (1); Iain Bate (2). (1) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden; (2) Department of Computer Science, University of York, York, United Kingdom
Typical safety standards require software engineers to show that a plan of safety activities, chosen from recommended options or alternatives, meets a set of objectives. For example, the automotive safety standard ISO 26262 recommends formally verifying software architectures to show that they comply with safety requirements. In this paper we show how an existing approach to architectural model checking could be used to conform to ISO 26262.

The Architecture-Based Verification Technique for AADL Specifications verifies some completeness and consistency properties of Architectural Analysis and Design Language (AADL) models. An engineer transforms the AADL architecture into an UPPAAL model, generates a set of UPPAAL queries and uses UPPAAL to check the queries. Using the resulting evidence we have created a partial ISO 26262 safety case for an existing system that warns drivers of heavy vehicles before low fuel causes loss of power and vehicle control.

In this paper we demonstrate how this model-checking evidence contributes to an ISO 26262 safety case. We then critically analyze the resulting argument, recommend means of achieving complete coverage of ISO 26262 objectives, and discuss the costs and benefits of architectural model checking in comparison to those of the other techniques recommended by ISO 26262.
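What "generate queries and check them" looks like in the small, as an added example that is not the authors' AADL/UPPAAL tool chain: a constructed low-fuel warning model (capacity, warning threshold and burn rates are invented) explored exhaustively by breadth-first search against the UPPAAL-style invariant A[] not (fuel == 0 and not warned). The one-step sensor lag and the nondeterministic burn rate are the constructed details that make the check non-trivial: a threshold that passes the nominal burn rate fails once the rate can vary, and the checker returns the shortest trace showing why.

```python
"""Explicit-state check of a tiny low-fuel warning model.

Added example; not the paper's AADL/UPPAAL tool chain. Model, query and all
numbers are constructed. Every reachable state of the closed system is
enumerated and the first state violating the safety property is reported
with the trace that reaches it. Property (UPPAAL-style invariant):
    A[] not (fuel == 0 and not warned)
i.e. the vehicle must never run dry before the driver has been warned.
"""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# State = (fuel, warned, reading). The controller acts on a sensor reading
# that lags the true tank level by one step, a timing detail an
# architectural model has to capture.
State = Tuple[int, bool, int]


@dataclass(frozen=True)
class FuelModel:
    capacity: int                  # fuel units at start
    threshold: int                 # warn when the sensor reading <= threshold
    burn_choices: Tuple[int, ...]  # fuel burnt per step, chosen nondeterministically

    def initial(self) -> State:
        return (self.capacity, False, self.capacity)

    def successors(self, s: State) -> List[State]:
        fuel, warned, reading = s
        if fuel == 0:
            return []                                      # engine stopped
        warned_now = warned or reading <= self.threshold   # controller step
        return [(max(0, fuel - burn), warned_now, fuel)    # plant step; sensor lags
                for burn in self.burn_choices]


def check_invariant(model: FuelModel,
                    ok: Callable[[State], bool]) -> Optional[List[State]]:
    """Breadth-first search over reachable states.

    Returns None if every reachable state satisfies `ok`, otherwise the
    shortest trace from the initial state to a violating state.
    """
    start = model.initial()
    parent: Dict[State, Optional[State]] = {start: None}
    queue = deque([start])
    while queue:
        s = queue.popleft()
        if not ok(s):
            trace: List[State] = []
            cur: Optional[State] = s
            while cur is not None:
                trace.append(cur)
                cur = parent[cur]
            return trace[::-1]
        for t in model.successors(s):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return None


def warned_before_empty(s: State) -> bool:
    fuel, warned, _ = s
    return not (fuel == 0 and not warned)


def reachable_states(model: FuelModel) -> Set[State]:
    """All states the closed system can reach (for coverage reporting)."""
    seen: Set[State] = set()
    stack = [model.initial()]
    while stack:
        s = stack.pop()
        if s not in seen:
            seen.add(s)
            stack.extend(model.successors(s))
    return seen


if __name__ == "__main__":
    # Threshold 2 looks fine at the nominal burn rate but, with the one-step
    # sensor lag, fails once the burn rate can reach 2 per step.
    nominal = FuelModel(capacity=6, threshold=2, burn_choices=(1,))
    loaded = FuelModel(capacity=6, threshold=2, burn_choices=(1, 2))
    fixed = FuelModel(capacity=6, threshold=4, burn_choices=(1, 2))
    for m in (nominal, loaded, fixed):
        cex = check_invariant(m, warned_before_empty)
        print(m, "holds" if cex is None else f"VIOLATED trace={cex}")
```

The counterexample for the loaded model is the three-step run at maximum burn: the controller never sees a reading at or below 2 until the tank is already empty. Raising the threshold to twice the maximum burn per step restores the invariant, and that relation between threshold, lag and burn rate is exactly the kind of architectural property the abstract says a safety case has to carry evidence for.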

Monday 08·12·13 AM, Clarendon: Ground Transportation (Chair: Millin)

Achieving Confidence of a Safety Critical System Product and Its Applications
Fenggang Shi, PhD, RAMS Department, Thales Canada Transportation Solutions, Toronto, ON, Canada
A safety critical system product can be developed for multiple project applications, such as a Communication Based Train Control (CBTC) product for modern railway signaling systems. It is natural that different safety critical systems in the same domain can have different characteristics due to variances of devices and operating environment. Such a product must be developed based on the generic attributes of systems in the domain and can be parameterized and tailored to a specific system with the characteristics expected by the customer. The key issues in development of such a product are defining common functions in the application domain, categorizing and generalizing devices, and designing a configurable system architecture. Thus devices and functions can be parameterized and tailored for the specific system of a project. Safety engineering for such a safety critical system product and its applications faces complexity in safety case development for demonstrating systematic hazard analyses and management. This paper discusses Thales' experience and practice of resolving the key issues in design and managing the complexity of safety engineering on its CBTC product and applications. Safety confidence of CBTC systems is achieved through four layers of safety engineering: vital computer controller platform, generic application and specific application.

Failure Logic Automata for Future Oriented Safety Assessment of Train Control Systems
Guo Zhou, PhD Student; Huibing Zhao, Professor; School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China
In the development of train control systems, safety analysis may deviate from system design. System engineers and safety engineers often carry out their ideas in entirely different ways, so that when system engineers assert their designs are complete and feasible, the safety engineers may declare that the safety requirements are not met. Conversely, when safety engineers present their manual analysis reports (FTA, FMECA, etc.), system engineers may point out inconsistencies. Intuitively there seems to be a "gap" between system engineering and safety engineering. In this paper, some comparisons among classic safety assessment methods are performed first. Then a future oriented safety assessment method is introduced to safety engineering to automatically realize safety requirements verification in the face of the soaring complexity of system design. The hierarchical and modularized methodology of failure logic modeling is illustrated for minimal cut set synthesis and dangerous failure rate calculation, which can be used to improve safety. A mathematical model is constructed to demonstrate the correctness of the method. An instance analysis of an on-board train protection system is also performed.
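A worked example serving both this paper and the Electric Boat fault-tree paper above, added here and not code from either: a small fault tree written as a gate table, its minimal cut sets synthesized by top-down expansion, single-event cut sets flagged as candidates for safety critical requirements, and the top-event probability computed two ways (rare-event bound and exact enumeration). The pump-damage tree, its per-demand probabilities and the failure rates are constructed for illustration; the pump hazard named in the Electric Boat abstract is only the inspiration.

```python
"""Fault tree -> minimal cut sets, single points of failure, top-event probability.

Added example, not code from either paper. The tree echoes the pump-damage
hazard mentioned in the Electric Boat abstract: the pump is destroyed if it
runs dry without the protection tripping, or if an overpressure event
occurs. Gate structure, probabilities and failure rates are constructed.
"""
import itertools
import math
from typing import Dict, FrozenSet, List, Set, Tuple

# A gate is ("AND" | "OR", [child names]); any name not in the gate table
# is a basic event.
Gate = Tuple[str, List[str]]
Tree = Dict[str, Gate]

PUMP_TREE: Tree = {
    "PUMP_DAMAGED": ("OR", ["DRY_RUN_UNPROTECTED", "OVERPRESSURE"]),
    "DRY_RUN_UNPROTECTED": ("AND", ["LOW_FLOW", "PROTECTION_FAILS"]),
    "PROTECTION_FAILS": ("OR", ["SENSOR_FAIL", "INTERLOCK_FAIL"]),
}

# Constructed per-demand probabilities for the basic events.
PUMP_PROBS: Dict[str, float] = {
    "LOW_FLOW": 0.05,
    "SENSOR_FAIL": 0.01,
    "INTERLOCK_FAIL": 0.002,
    "OVERPRESSURE": 1e-4,
}


def minimal_cut_sets(tree: Tree, top: str) -> Set[FrozenSet[str]]:
    """Expand gates top-down (MOCUS style), then drop non-minimal sets."""
    def expand(node: str) -> Set[FrozenSet[str]]:
        if node not in tree:
            return {frozenset([node])}
        kind, children = tree[node]
        child_sets = [expand(c) for c in children]
        if kind == "OR":
            return set().union(*child_sets)
        if kind == "AND":
            return {frozenset().union(*combo)
                    for combo in itertools.product(*child_sets)}
        raise ValueError(f"unknown gate type {kind!r} at {node}")

    raw = expand(top)
    return {cs for cs in raw if not any(other < cs for other in raw)}


def single_points_of_failure(cut_sets: Set[FrozenSet[str]]) -> Set[str]:
    """Basic events that alone cause the top event: requirement candidates."""
    return {next(iter(cs)) for cs in cut_sets if len(cs) == 1}


def rare_event_bound(cut_sets: Set[FrozenSet[str]], probs: Dict[str, float]) -> float:
    """Sum over cut sets of the product of their probabilities (upper bound)."""
    return sum(math.prod(probs[e] for e in cs) for cs in cut_sets)


def exact_top_probability(tree: Tree, top: str, probs: Dict[str, float]) -> float:
    """Exact value by enumerating every basic-event state (fine for small trees)."""
    events = sorted(probs)

    def holds(node: str, failed: Set[str]) -> bool:
        if node not in tree:
            return node in failed
        kind, children = tree[node]
        agg = all if kind == "AND" else any
        return agg(holds(c, failed) for c in children)

    total = 0.0
    for bits in itertools.product([False, True], repeat=len(events)):
        failed = {e for e, b in zip(events, bits) if b}
        weight = math.prod(probs[e] if b else 1 - probs[e] for e, b in zip(events, bits))
        if holds(top, failed):
            total += weight
    return total


def probs_from_rates(rates_per_hour: Dict[str, float], mission_hours: float) -> Dict[str, float]:
    """Constant-rate basic events over a mission time: q = 1 - exp(-lambda t)."""
    return {e: 1 - math.exp(-lam * mission_hours) for e, lam in rates_per_hour.items()}


if __name__ == "__main__":
    mcs = minimal_cut_sets(PUMP_TREE, "PUMP_DAMAGED")
    print("minimal cut sets:", [sorted(cs) for cs in mcs])
    print("single points of failure:", single_points_of_failure(mcs))
    print("rare-event bound:", rare_event_bound(mcs, PUMP_PROBS))
    print("exact:", exact_top_probability(PUMP_TREE, "PUMP_DAMAGED", PUMP_PROBS))
```

The one-event cut set OVERPRESSURE is the output an SRHA is after: a single basic event that reaches the top on its own is where a mitigating requirement or design feature has to be attached. For the train-control case the same functions apply once the basic-event probabilities are derived from failure rates over the mission time with probs_from_rates.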

Are We Ready for Driverless Cars?
David B. West, CSP, PE, CHMM, AMCOM/AMRDEC Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
For decades technological advancements have continually improved the automobile, making it easier to drive. As we integrate features like adaptive cruise control, GPS navigation, lane keeping and so on, and make them interoperable, we move ever closer to having cars that will drive themselves to the destinations we enter into their programs. Some experts have even predicted that in less than a generation it will be illegal to steer our cars ourselves. Though it may seem that serious safety challenges constrain our movement down this path, it may actually be the safety benefits offered by driverless cars that propel us in this direction. Several high-profile competitions have fostered the development of driverless car technology. Some jurisdictions are already passing legislation to pave the way for driverless cars on public roads. With driverless cars will come major changes in legal processes involving accidents. In many ways the development of driverless cars that will operate on public roadways parallels the development of unpiloted aircraft that will fly in the national airspace. Design standards for hardware and software in civil aircraft (e.g. RTCA DO-254/DO-178) may serve as models for similar qualification of driverless car hardware and software.

Tuesday 08·13·13 AM, Berkeley: Hazard/Risk Management (Chair: Parizo)

Safety is not an Option
Clifford A. Parizo, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Stratford, CT, USA; R. Brandon Daugherty, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Huntsville, AL, USA
This paper presents a method for evaluating and classifying rotorcraft safety-enhancing equipment in terms of impact on safety and various equipment implementation factors. Guidance from certifying agency policy and system safety standard practice were considered, resulting in a classification tool that can be used to determine whether equipment should be marketed and sold as either mandatory or optional. The methodology developed may have applications for other products and industries.

National Aerospace Standard 411 Update
Timothy Sheehan, CIH, CSP, PE, Raytheon Global Substances Program, Raytheon, Portsmouth, RI, USA
This paper describes the effort to review and update National Aerospace Standard 411 ("NAS 411"), commonly used within defense as a framework to conduct Hazardous Material Management Programs (HMMP) intended to reduce hazardous material risks in the government procurement of military systems. The scope of the effort includes both a review of the standard and the introduction of several key changes, including the expansion of the scope to non-military procurements and service contracts. Included in the effort is the task of developing a standardized military Hazardous Materials Target List (HMTL) that can be used as a starting point for military HMMP hazardous material (HAZMAT) target lists. The development of the common HMTL addresses the need to increase standardization of HMMP lists across defense programs that use NAS 411 and/or MIL-STD-882E Task 108 to conduct their HMMPs. There is currently no standard approach for developing these lists; as a result there are numerous different materials identified for restrictions and reporting requirements. The current situation often does not support (or reflect) the hazmat risk management goals of the DoD, the military services or the contractors.

Linear Integrated Safety Analyses (LISA)
Michael T. Grant, Aviation & Product Safety, Sikorsky Aircraft Corp., Stratford, CT, USA; Samad Muhammad, Atlantic Software Technologies Inc., New York, NY, USA
This paper describes the Linear Integrated Safety Analyses (LISA) process developed by the Sikorsky Aircraft Corporation (Sikorsky). The LISA architecture is designed to encompass all aspects of safety risk management for aircraft development programs. It is linear in that each assessment is repeated at the aircraft, system and subsystem levels in sequence, and it is integrated such that all analyses are connected and fully traceable to requirements. Sikorsky has partnered with Atlantic Software Technologies (AST) to develop a web-based LISA application. The end product will be a fully integrated system safety process that is comprehensive, repeatable and traceable.

Tuesday 08·13·13 AM, Clarendon: Workspace Safety (Chair: Kondreck)

Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen
Han Zhang, MSc Candidate; Rachel McQueen, MS, PhD; Jane Batcheller, PhD; Human Ecology, University of Alberta, Edmonton, Alberta, Canada
Burn injuries in kitchens are prevalent; as well, chefs are exposed to high heat and humidity. Limited research has been performed on safety issues related to chef's uniforms regarding thermal protective performance against common kitchen thermal hazards (i.e. flames, hot liquids, steam and hot surfaces) and thermal comfort within commercial kitchens. The purpose of this research was to characterize the thermal protective performance properties of textiles used in chef's uniforms in order to understand how protective they are against all these thermal hazards in such an environment. Selected thermal performance tests (i.e. flammability and ease of ignition, hot water and oil splash, steam testing under low pressure, and hot surface contact tests) were applied to predict the time to second-degree burn. Different fabric layer combinations (e.g. impermeable/semipermeable apron and two or more layers of cotton fabrics) were applied to determine the most effective way to wear chef's uniforms. In addition, thermal and water vapour resistance were compared among different fabric systems in terms of thermal comfort. Based on the data obtained from bench-scale tests, recommendations were made to improve the thermal protection and thermal comfort of fabrics used in chef's uniforms and the safety within commercial kitchens.

A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources
Ray Fischer (1); Kurt Yankaskas, BS (2); Chris Page (1). (1) Noise Control Engineering Inc., Billerica, MA, USA; (2) Warfighter Performance Department, Office of Naval Research, Arlington, VA, USA
Noise remains the most prevalent occupational hazard associated with defense systems and the operations critical to their sustainment. Concurrently, acquisition programs have been inconsistent in the application of control measures, and many new systems are noisier than their legacy predecessors. Common impediments to improved control include a relative lack of emphasis on risk management of noise, lack of widespread technical knowledge regarding the feasibility of noise control, and misunderstanding of the potential return on investment from noise controls. The Defense Safety Oversight Council's Acquisition and Technology Task Force sponsored a project to identify common noise sources affecting multiple defense systems that were amenable to control measures that could be implemented using existing technologies at an affordable cost. A system engineering risk management process was applied to review key noise sources in DOD, identify nine of the more common sources amenable to control technologies, and describe common control measures for these processes. An affordable containment (acoustic enclosure) technology was also evaluated and described. Estimates were made of exposed populations, the range of their occupational exposures, and the potential risk and fiscal cost of hearing loss. Cost-benefit analyses were applied to evaluate the return on investment from available control measures.

System Safety Design for Safe Operation of Radars
Ronald J. Bartos, PE, CSP, Whole Life Engineering, Raytheon, Sudbury, MA, USA
Safe operation and maintenance of radars depends upon effective system safety and software safety analyses of radar designs. These analyses include identification of the hazards involved in operating and maintaining radars and the safety requirements that are necessary to mitigate these hazards. This paper familiarizes the reader with the system safety design requirements that are implemented in the controls of these systems in order to manage the potential safety risks inherent in radars. The safety features are contrasted among different types of radars. The differences in the types of safety features among these systems are highlighted and the factors behind these differences are presented. The radar's mission, location, system architecture, conceptual design and requirements allocation between hardware and software need to be understood in order to implement an effective safety program.

Tuesday 08·13·13 PM, Berkeley: Software Engineering (Chair: Mikula)

Dependability Techniques Applied to Space Software: A Research Project Report
Carlos Henrique Netto Lahoz, Dr. Eng., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos (SP), Brazil; Martha Adriana Dias Abdala, MS, Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos, Brazil
This work reports some results of a research project performed at the Institute of Aeronautics and Space (IAE), Brazil, using dependability techniques applied to a space computer system. Hazard analysis techniques such as Software FTA and Software FMECA were used in an integrated manner, and more recently the System-Theoretic Process Analysis (STPA) has been studied. This research is part of the Verification and Validation (V&V) efforts to increase software dependability capability in software projects at IAE.

The feasibility of such an approach was assessed on a system software specification and applied to a case study based on the Brazilian Launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to the inclusion of new functional and non-functional system software requirements.

The techniques are adjusted and used in combination to identify common causes of software failures, their criticality, performance problems, temporal misbehaviour, and hazards arising mainly from dysfunctional interactions between components. The SFTA analysis produced 82 basic events and the SFMECA 34 analyses from the sequence of flight and control events. The STPA is being applied to one of the case study scenarios in order to evaluate possible additional information about how the behavioural safety constraints can be violated.

The Principles of Software Safety Assurance
Richard Hawkins, PhD; Ibrahim Habli, PhD; Tim Kelly, PhD; Department of Computer Science, University of York, York, United Kingdom
We present common principles of software safety assurance that can be observed from software safety standards and best practice. These principles are constant across domains and across projects and can be regarded as the immutable core of any software safety justification. The principles also help maintain understanding of the 'big picture' of software safety issues whilst examining and negotiating the detail of individual standards, and provide a reference model for cross-sector certification.


Formal Modelling in the Development of Dependable Systems
Elena Troubitsyna, PhD, IT, Åbo Akademi University, Turku, Finland
Nowadays we tend to place increasing reliance on computer-based systems and the software they run. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, the analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.

It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing of software to the required degree of dependability infeasible, and hence the emphasis should be put on a development process aimed at producing fault-free software. Moreover, the system environment has a direct impact on its dependability, and hence a systems approach should be applied.

In the paper we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.

Tuesday 08·13·13 PM, Clarendon: Aerospace Safety (Chair: Kraemer)

Systems-Based Approach to Flight Safety Management in Airlines
Hong Chi, PhD; Baoguang Xu, PhD; Mingliang Qi, PhD; Xueyan Shao, PhD; Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China
Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of SMS. Since 2006 we have worked with one of China's three big airlines, taking part in its construction of SMS. We find that safety risks have their own features in different airline departments, and divide safety risks into two categories: one is caused by factors such as quality of pilots and reliability of airplanes, and the other is caused by mis-processing within operational processes; for example, a mis-processing in data entry during dispatching may lead to insufficient fuel and then serious outcomes. A reasonable risk assessment can be obtained only by systematic mechanism analysis, and other analytical approaches need to be studied besides the risk matrix. Based on this, effective risk mitigation can be implemented in airlines. We develop a closed loop to support airline flight safety management named "Describing-Assessing-Diagnosing-Improving-Tracking". Specific details will be discussed in this paper.

Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch
Burak Durmaz, MSc Eng., Product Assurance Department, Space Systems Group, Turkish Aerospace Industries Inc. (TAI), Ankara, Turkey
Even if new generation aircraft have rugged designs which maximize reliability, exposure to failures during operation is still unavoidable. With a pure safety approach one can arrive at the classical result "the safest aircraft is the one in the hangar". Conversely, allowing dispatch without ensuring a certain level of safety can lead to catastrophic results and is totally unacceptable. The MMEL has been answering this dilemma for many years. Each MMEL item is analyzed taking into account the effects of item inoperability on safe flight and landing, crew workload, functional capabilities of the systems, design margins, and the impacts due to the next critical failure. The MMEL proposes dispatch criteria for any inoperative MMEL item by taking credit from a redundant unit which is capable of accomplishing the same function, from backup data provided by alternative sources or equipment, or by dictating acceptable limitations and/or requiring operational or maintenance procedures.

This study aims to answer questions such as why an MMEL is required and how an MMEL is developed. Brief information about the MMEL regulations, the importance of the MMEL in ensuring safe dispatch with inoperative item(s), and some simple examples regarding MMEL applications will also be provided.


Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics
Stuart Campbell Sr., MAS, CFII, ATP, Aeronautical Science, Embry-Riddle Aeronautical University, Daytona Beach, FL, USA
The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilots Association, 2010). The absence of a positive safety culture in general aviation, including training organizations, affects pilot judgment and decision making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture during the learning process and training, is of importance and currently under study using the Frasca Mentor Advanced Aviation Training Device.

Tuesday 08·13·13 PM, Dartmouth: Software Safety (Chair: Schmedake)

Safety andvs Security Towards a System Engineering Approach for TrustErwin Schoitsch Dipl-Ing Safety amp Security Department AIT Austrian Institute of Technology Vienna AustriaSafety has a long tradition in many engineering disciplines evolving long before computers arrived on the scene Security in engineering disciplines has a shorter history becoming increasingly important with the rising complexity of networked systems In complex cyber-physical ndash systems and systems-of-systems both worlds having ignored each other for a long time (independent communities different targets standards techniques and measures) have now to share their concerns to achieve the real goal of users and stakeholders trustworthy systems

The paper will compare the approaches of the major safety and security standards, particularly with respect to setting goals, the techniques and measures considered, and qualification/certification. Holistic system aspects, as covered by the umbrella terms dependability and resilience, and system engineering aspects that take into account the dichotomic properties of complex embedded systems (commonalities and trade-offs) are examined in order to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from the concept phase and hazard and risk analysis through decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC FP7 Integrated Project OpenCOSS, IEC/ISO standardization groups, and other work.

Anatomy of a Safety Critical Software Function
Richard Church, Raytheon Company, Tewksbury, Massachusetts, USA
This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides a clear and concise determination of how a safety critical function may be defined at the system level, to include hardware, software, human interactions and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose an SLSCF into computing-level functions, details what constitutes a Safety Critical Computing Software Function (SCCSF), and shows how to identify the behavioral attributes that designate a function as safety critical. This paper provides a methodology to identify, decompose and categorize application and operating environment SCCSFs. For the purpose of this paper, SCCSFs are categorized into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety critical software functions that control and monitor safety critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies, and fail-safe designs found in successful high-consequence safety critical systems.

Software Risk: The Third Rail of Safety Analysis
Holly S. Hildreth, PhD, Consultant; Charles Greg Elcock, USN-R Aviator, Consultant; San Diego, CA, USA
"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Due to our inability to assess the probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called "throwing the baby out with the bath water." Meanwhile, the recent industry trend to assess software risk based solely on implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss shortcomings of this trend and describe alternative techniques that have not been openly documented but that have been used "under the radar" by software safety professionals for many years.

Wednesday, 08/14/13, AM, Berkeley: Human Factors (Chair: Robins)

ASL: Affective Safety Leadership
Ulrik Ramsing, Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark
Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how," demanding that the CoRep engage with all parties in a safe, professional and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged with CfL, Centre for Leadership, to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, satisfactory completion of which is now a requirement for employment in DONG E&P Offshore Operation as Company Representative.

The CoRep Program satisfies its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors, and ILO-driven offshore coaching.

Exxon Valdez: Human Error, Plain and Simple
Arthur D. Barondes, BS (Mil Engr), MS (Aero), MBA, PhD (ABD) (Business), Analytics International Corporation (AIC), Alexandria, VA, USA
Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989, and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors (there were no mechanical or electrical failures that fateful night), the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots, and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors, onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company, as solely responsible for the disaster.


Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A. Vernacchia, MS, PE, Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A. Green, PhD, Active Safety Systems, General Motors, Warren, MI, USA; Robert E. Llaneras, PhD, Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA
Today's electric propulsion system designs (e.g., hybrid electric and battery electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, for some failure modes the failure effect on output torque may be realized significantly faster than for traditional ICE failure modes. These differences may change how output torque responses contribute to potential "Driver Startle" events.

This paper compares electric propulsion systems' fault response characteristics, and the subsequent detection and mitigation capabilities, to those of ICE systems. The effects of electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle-level hazard metrics related to Driver Startle, are presented.

Wednesday, 08/14/13, AM, Clarendon: Public Safety (Chair: Fletcher)

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD; Yun Luo; Shuo Tian, MS; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
Scientific precaution and effective control of accidents are important for national production in China. The well-known Heinrich Rule reveals the statistical law relating the severity and frequency of accidents, which is essential to accident control, but the sources and causation of accidents, as well as the essence of systematic safety factors, have not been stated in depth. Based on data analysis of various accident statistics from recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. A proportion rule of the accident pyramid is then derived, namely "Major Accidents - Fatal Accidents - General Accidents - Hidden Dangers - Hazards" (1 : 52 : 240 : 4700 : ∞). The result accords with the traditional Heinrich Rule, provides a theoretical basis for accident prevention, and indicates the way and direction for realizing essential safety.

Technical and Economic Aspects of Industrial Safety at a Large Enterprise with Distributed Sites Located in a Megacity
Ilya M. Zheleznov, PhD, VNIIA, Moscow, Russia
The paper presents a review and the results of an analysis of different technical and economic aspects of industrial safety at a large enterprise with distributed sites that combines R&D work with pilot and batch production of high-tech products and is located in a megacity, Moscow.

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to optimization are considered from both technical and economic points of view, taking into account minimization of the transportation of dangerous substances, the siting of treatment facilities (waste effluents, gas purification) and waste storehouses, the siting of working-condition maintenance systems (heating, air conditioning, air cleaning, water supply, etc.), possible harm to the population, and a number of other factors.

The features connected with locating the enterprise in a megacity are identified, including limited areas for treatment facilities, a high density of utility lines in the area, short distances to residential buildings and city infrastructure, transport problems, and high pollution of the ambient air.

ISSC 2013 Program


Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr. Professor G.A. Smirnov, Dr. D.I. Yurkov, D.V. Syagin, T.V. Kozhina, All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia
The paper reviews questions related to the vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including those of a terrorist nature, as well as to emergency situations of natural and anthropogenic character.

The main provisions of the Russian Government-approved comprehensive program for the safety of the population on transport are presented. Approaches to organizing the screening of persons (passengers), vehicles, cargo, luggage and personal belongings at transport infrastructure objects of the Russian underground (metro) systems are formulated. Some types of neutron and X-ray equipment designed and produced by VNIIA (named after N.L. Dukhov) for the detection of explosives, nuclear materials and drugs are presented.

Wednesday, 08/14/13, AM, Dartmouth: Lifecycle Safety (Chair: Swallom)

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore, Singapore
System safety analyses assess a system's hazards throughout all phases of the system life cycle. Quite often, the details of maintenance tasks on systems are not clearly thought out and assessed. Hence, while system maintenance tasks are being carried out, hazards can arise and pose safety implications for users. Improper maintenance can also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance, and sometimes total replacement of the components at regular intervals, is required. Therefore it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety critical or safety related parts is also crucial in ensuring that the systems remain safe for operation after maintenance has been conducted.

This paper attempts to classify the different types of maintenance and the focus of their respective hazard analyses, in order to better address their potential hazards. Generally there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance and Reliability-Centered Maintenance. The authors will discuss, with examples, the hazard analysis for each of these types of maintenance.

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram, David Hartfelder, Electronic Controls and Software, General Motors Company, Milford, MI, USA
System safety engineering is the application of special technical methods and managerial processes, in a systematic manner, to identify, evaluate and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned with eliminating system hazards or reducing their impact to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementary safety analyses, tests and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase and continuing through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that they are able to influence the design of the system. This paper will define a system safety case and provide an overview of its development within the GM system safety engineering process as applied to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA
Error Prevention Event Collection (EPEC) Documents have benefited the ULA organization in many ways by providing multiple methods to augment current ULA Error Prevention Processes and to share Lessons Learned throughout the ULA organization. EPEC Documents are stand-alone documents that provide ULA personnel with categorized sets of Event information that can be used to augment Preventive Analysis, Reactive Analysis and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process, meaning that they have completed the Causal Analysis, Corrective Action Board and Error Prevention Council processes. Upon Event closure, the "All Items" Database is populated with the Event information and the applicable EPEC Categories for the Event. The "All Items" Database then automatically sorts Event entries into "Category" Databases, one for each EPEC Category. Each "Category" Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" Database; it provides users with instructions for use, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications and benefits of the EPEC Documents will continue to be explored.

Wednesday, 08/14/13, AM, Exeter: Human Factors II (Chair: Flint)

Development of an Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy; Yanyan Wang, DE; Xin Liu; Wei Bai; Xinsheng Guo; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress is detrimental to flight safety. Life events are a routine item of aircraft accident investigation in many countries, and many pilots involved in accidents were suffering from life events. To achieve the desired effect, flight safety education must be integrated with psychology. An education program combining flight safety and psychological stress was developed by summarizing the psychological factors relevant to aviation risk perception. The program includes three sections: psychological measurement related to safety with feedback of results, education on representative risk scenes in aviation, and occupational stress management. The Aviation Safety Locus of Control scale and the Hazardous Aviation Attitude questionnaire were used to evaluate risk patterns, and the results were fed back to pilots to improve their self-knowledge. The representative risk scenes were based on the five hazardous attitudes theory; fifteen cases were developed and the hazardous attitude pattern in each case was analyzed. In the occupational stress management section, life events and other stressors in aircraft accidents were analyzed to teach pilots stress management skills. The program can be applied to improve the flight safety and mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD; Xin Liu; Wei Bai; Xinsheng Guo; Qingfeng Liu, MPsy; Xiaochao Guo, DPsy; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
Crew resource management (CRM) capabilities relate directly to flight safety and run through the whole process of flight tasks, but there are currently no indicators or methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and the pilot behavior characteristics of dynamic CRM were developed based on AC-121-FS-2011-41 (crew resource management training) and by analyzing the influential factors; from these, the dynamic assessment training indicators and methods of crew resource management were formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis for assessing CRM during flight training, which is helpful for improving the CRM capabilities of the double drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD; Erin Collins; Hughes Associates, Inc., Baltimore, MD, USA
The fire protection response in selected facilities is characterized by "manual" activities: facility personnel are trained to react immediately after fire detection, not only to announce the fire event throughout the facility using the communication systems but also to suppress the fire as quickly as possible. In contrast to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e., hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper integrates an event tree analysis with HRA and treats the following detection and suppression activities: prompt detection and suppression, rapid detection and suppression, and fire brigade suppression.
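As an added illustration of the event tree and HRA integration sketched in this abstract (example code written for this program page, not the authors' PRA model): the three manual activities named above are modelled as sequential barriers, each demanded only when the earlier ones have failed, and each carrying a human error probability (HEP) of the kind an HRA supplies. The fire frequency and HEP values are constructed for the example, and the code states its own assumption that each HEP is already conditional on the preceding failures.

```python
"""Event tree for manual fire detection and suppression, with HRA inputs.

Added illustration for this page, not the authors' PRA model. Each barrier
is a human action whose failure probability (HEP) an HRA would supply; the
values used below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Barrier:
    name: str
    hep: float  # human error probability: P(action fails | action demanded)


def event_tree(initiator_frequency: float, barriers: list[Barrier]) -> dict[str, float]:
    """Evaluate a linear event tree.

    Barrier k is demanded only if barriers 1..k-1 all failed. Assumption
    (stated here, not taken from the paper): each HEP is already conditional
    on the preceding failures, so sequence probabilities are plain products.
    Returns the frequency of each end state in the initiator's unit.
    """
    end_states: dict[str, float] = {}
    remaining = initiator_frequency
    for b in barriers:
        if not 0.0 <= b.hep <= 1.0:
            raise ValueError(f"HEP out of [0, 1] for {b.name!r}: {b.hep}")
        end_states[f"suppressed by {b.name}"] = remaining * (1.0 - b.hep)
        remaining *= b.hep
    end_states["unsuppressed"] = remaining
    return end_states


def unsuppressed_frequency(initiator_frequency: float, barriers: list[Barrier]) -> float:
    """Frequency of the end state in which every manual barrier failed."""
    return event_tree(initiator_frequency, barriers)["unsuppressed"]


def hep_sensitivity(initiator_frequency: float, barriers: list[Barrier],
                    name: str, factor: float) -> float:
    """Unsuppressed frequency after scaling one barrier's HEP by factor (capped at 1.0).

    Scaling a HEP shows how much credit the tree currently gives that action,
    which is where HRA-identified improvements (training, procedures, time
    available) would be targeted.
    """
    scaled = [Barrier(b.name, min(1.0, b.hep * factor)) if b.name == name else b
              for b in barriers]
    return unsuppressed_frequency(initiator_frequency, scaled)


# Constructed example values (not from the paper).
FIRE_FREQUENCY = 2.0e-2  # fires per facility-year
BARRIERS = [
    Barrier("prompt detection and suppression", 0.10),
    Barrier("rapid detection and suppression", 0.30),
    Barrier("fire brigade suppression", 0.50),
]

if __name__ == "__main__":
    for state, freq in event_tree(FIRE_FREQUENCY, BARRIERS).items():
        print(f"{state:45s} {freq:.3e} /yr")
    doubled = hep_sensitivity(FIRE_FREQUENCY, BARRIERS, "fire brigade suppression", 2.0)
    print(f"unsuppressed with brigade HEP doubled: {doubled:.3e} /yr")
```

The independence assumption is the part to challenge in a real analysis: the same crew that missed prompt suppression is likely to be slower at rapid suppression too, so an HRA normally assigns the later HEPs conditionally on the earlier failure, and the product above is then a lower bound on the unsuppressed frequency.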

Wednesday, 08/14/13, PM, Berkeley: Safety Topics (Chair: Gauthier)

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou, BEng, MSc, PhD, CEng; Matthew Luckcuck; Tim Kelly, PhD; Richard W. Jones, PhD; Department of Computer Science, University of York, York, United Kingdom
There has been increasing use of IT in healthcare, aiming to improve the quality of healthcare as well as the safety delivered to patients. IT can contribute to meeting the performance targets of hospitals by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent in medical devices (e.g., pacemakers), for which there are organised efforts towards international standards. Recently there have been attempts to systematise and standardise the safety analysis of health IT systems, with examples such as the UK National Health Service standards requiring a safety case demonstrating that any IT system is safe.


The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety in data-intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these tactics can be used to provide assurance in the final safety case of the system.

How Complex Systems Fail, I: Decomposition of the Failure Histogram
Richard R. Zito, PhD, Richard R. Zito Research LLC, Tucson, AZ, USA
Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that in general the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model, and the failure histograms (failure rate vs. time) of some data sets do not seem to fit the Rayleigh model well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report takes the Peterson/Arellano analysis one step further. A unified theory of failure rates will be presented that removes the paradoxes of the simple Rayleigh model. It will be shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function.
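The mixture idea in this abstract can be checked numerically. The following is an added example written for this page, not the author's derivation: a Rayleigh(sigma) law has density t/sigma^2 exp(-t^2/2sigma^2), its mode at t = sigma and a hazard that rises linearly as t/sigma^2; several subsystems, each with its own mode, are combined with weights taken from a density over the modes. The modes, weights and evaluation points are constructed, and the "mean-matched single Rayleigh" used for comparison is this example's own choice of reference.

```python
"""Failure histogram as a mixture of Rayleigh failure laws.

Added illustration of the abstract above; it is not the author's derivation.
Modes, weights and evaluation points below are constructed for the example.
"""
import math
from collections.abc import Callable


def rayleigh_pdf(t: float, sigma: float) -> float:
    """Failure-time density of one subsystem; peaks at t = sigma."""
    if t < 0.0:
        return 0.0
    return t / sigma**2 * math.exp(-t * t / (2.0 * sigma**2))


def rayleigh_sf(t: float, sigma: float) -> float:
    """Survival function P(T > t) of one subsystem."""
    if t < 0.0:
        return 1.0
    return math.exp(-t * t / (2.0 * sigma**2))


def rayleigh_hazard(t: float, sigma: float) -> float:
    """Hazard f(t)/S(t); linear in t for a single Rayleigh law."""
    return t / sigma**2


def mixture_from_mode_density(modes: list[float],
                              density: Callable[[float], float]) -> list[tuple[float, float]]:
    """Discretise a distribution of modes onto a grid of sigmas.

    Returns (sigma, weight) pairs with weights proportional to the mode
    density and normalised to one; a continuous mode density is approximated
    more closely by a finer grid.
    """
    raw = [density(m) for m in modes]
    total = sum(raw)
    if total <= 0.0:
        raise ValueError("mode density must be positive somewhere on the grid")
    return [(m, w / total) for m, w in zip(modes, raw)]


def mixture_pdf(t: float, components: list[tuple[float, float]]) -> float:
    return sum(w * rayleigh_pdf(t, s) for s, w in components)


def mixture_sf(t: float, components: list[tuple[float, float]]) -> float:
    return sum(w * rayleigh_sf(t, s) for s, w in components)


def mixture_hazard(t: float, components: list[tuple[float, float]]) -> float:
    """Hazard of the mixture. Unlike a single Rayleigh it is not linear: once
    the short-lived subsystems have failed, the survivors are dominated by the
    largest sigma and the hazard bends down toward t / sigma_max^2."""
    return mixture_pdf(t, components) / mixture_sf(t, components)


def mean_matched_sigma(components: list[tuple[float, float]]) -> float:
    """Sigma of the single Rayleigh with the same mean failure time as the
    mixture (the Rayleigh mean is sigma*sqrt(pi/2); the constant cancels)."""
    return sum(w * s for s, w in components)


def tail_excess(t: float, components: list[tuple[float, float]]) -> float:
    """Mixture survival divided by that of the mean-matched single Rayleigh:
    the 'tail heavier than one Rayleigh predicts' effect from the abstract."""
    return mixture_sf(t, components) / rayleigh_sf(t, mean_matched_sigma(components))


# Constructed example: three subsystems with modes 1, 2, 4 and weights 0.5, 0.3, 0.2.
COMPONENTS = [(1.0, 0.5), (2.0, 0.3), (4.0, 0.2)]

if __name__ == "__main__":
    sigma1 = mean_matched_sigma(COMPONENTS)
    for t in (1.0, 2.0, 4.0, 8.0):
        print(f"t={t:4.1f}  S_mix={mixture_sf(t, COMPONENTS):.3e}  "
              f"S_single={rayleigh_sf(t, sigma1):.3e}  "
              f"h_mix={mixture_hazard(t, COMPONENTS):.3f}  "
              f"h_single={rayleigh_hazard(t, sigma1):.3f}")
```

At t = 8 the mixture's survival is two orders of magnitude above the single Rayleigh's, and its hazard has flattened to roughly the slope of the longest-lived subsystem (1/16), which is the qualitative picture the abstract gives for field histograms. Far into the tail the survival underflows to zero and `mixture_hazard` divides by zero; work in log space if that region matters.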

Wednesday, 08/14/13, PM, Clarendon: Risk Assessment (Chair: Karedes)

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt; Joan Pham, PhD; Sikorsky Aircraft Corporation, Stratford, Connecticut, USA
The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on life data analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and their interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday, 08/15/13, AM, Berkeley: Space Systems (Chair: Durmaz)

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X. Dang, BSCE (1); Myles P. Moran, BSME (2); Tyrone Jackson, BSEE (1); (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA
A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. As an example, one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 (with AFSPC Supplement 1), AFI 91-217 and AFI 63-101. AF program offices are required to comply with AFI policy; AFIs don't generally apply to the contractor except as implemented through the contract. Often, program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that, by having two sets of requirements (AFIs for program offices and tailored MIL-STD-882 for contractors), full compliance with AF Orbital Safety policy would be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's System Safety Program Plan (SSPP). This paper answers the question "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"



Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G. McDougall, BS Physics, Naval Postgraduate School (NPS) Master of Systems Engineering, System Safety Center, SMC/SE, El Segundo, CA, USA; Tyrone Jackson, BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA
The Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommissioning and disposal of systems, subsystems, end items and services during the entire space system lifecycle, to support the Operational Safety, Suitability and Effectiveness (OSS&E) of warfighter capability needs. The tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) for new acquisitions to specify the system safety requirements applicable to the acquisition of space systems or space systems of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems, and user equipment systems. The SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP_I and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process for evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing the tasks and activities required to execute a viable system safety program, including risk acceptance package development, hazard tracking, mishap risk disposition and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch, CO, USA
United Launch Alliance launches Atlas V and Delta IV from the Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles, and large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle and prelaunch operations, until liftoff. Range Safety regulations provide safety requirements for hardware, software and operations to ensure safety throughout ground processing. This paper will examine each stage of ground processing for a space launch and the applicable safety requirements, and discuss how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems and relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after personnel are cleared, using safety critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday, 08/15/13, AM, Clarendon: Weapons Safety (Chair: Southwick)

Security Critical Software: the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S. Alborzi, PhD, Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA
Today's political landscape, the arbitrary abandonment of nuclear non-proliferation by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense of system safety. This paper intends to explore this integration and unveil some of the security critical software that can serve as the first line of defense for preserving the safety critical features of our weapons systems.


Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams, BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello, BSChE, Navy NOSSA, Indian Head, MD, USA
The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance for implementing policy provided in the associated AOP-7 and AOP-39. Questions are often raised during program development and reviews as to the origin and applicability of the tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of the test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic materials community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, will only address Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE; Gunendran Sivapragasam, MBA, SE; Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA
A Science and Technology (S&T) or Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among the characteristics unique to these projects.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down groundwork with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an SampT and QRC project

Thursday 08·15·13 AM, Dartmouth, Hazard Identification, Chair: Oliver

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore

We have often asked ourselves why accidents or mishaps happened even when the system safety methodology and assessments were in place. Accidents happen due to many possible causes. There could be lapses in the safety integrity of the system, or a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns such that a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations that were faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practices in system safety. There are 4 areas of concern highlighted in the paper: Interfaces, Prototype Tests & Trials, Maintenance & Disposal, and Human Error. By identifying the gaps in these 4 areas, the author explores and proposes mitigation measures that could possibly close the gaps and improve the overall safety coverage in developing a new system or product.

ProgramISSC2013

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr. Cand. scient., System Safety, SINTEF, Trondheim, Norway

Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body for certification according to IEC 61508, a Notified Body for certification according to relevant EU directives, and a Manufacturer.

Experience has shown that, to deliver the product in time and to be cost-effective, it is very important that the Manufacturer and the Certification and Notified Body agree about basic principles concerning the plans, contents, traceability and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Body as evidence.

This paper presents the CoVeR method that has been developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, that costs are minimized, that time to market is reduced, that the certification process is complete and well documented, and that updates of the certificates require less work. The certification experiences to date show that many of the problems with conventional methods are improved.

Design with Safety Eye
Barış Berk Erdem, MS; Pinar Aydin, MS; Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey

Deriving safety requirements in the early stages of the design is one of the most important key factors to conduct a successful development process for any project. As well-defined, correct, consistent and complete safety requirements improve and guide the design to perfect levels with minimum effort, defective, inconsistent and incorrect safety requirements may lead to unsuccessful, overweight and over-cost designs. In this paper, ways and advantages of deriving qualified safety requirements in early stages of the design will be discussed via examples. Safety requirements are derived using the results of the safety assessments based on the consequences of functional failures. But the quality of safety assessments is based on the maturity of the design, and as the design matures it is hard to change and implement the changes; this causes a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated and familiar with similar projects provides great contributions. Also, a safety perspective throughout the design team makes it easy to derive valuable safety requirements and bring these requirements into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is cooperation of the whole design team with a safety perspective.

Thursday 08·15·13 PM, Berkeley, Aerospace Software, Chair: Beecher

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway, NASA Langley Research Center, Hampton, VA, USA

For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements." Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus, the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments contained in or implied by the DO-178C guidance that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore, developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper, we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels and Baconian probability. We define use cases for confidence in safety cases, prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases, we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for reuse of safety elements.

Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System
Eric Yang, PhD; Richard Y. Xie, PhD; Arash Yousefi, PhD; Metron Aviation, Inc., Dulles, VA, USA

As demand for military, civilian and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety that is set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper, we adapt a previously developed safety modeling framework, the Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS, incompatibility of sense-and-avoid systems of UAS and Tactical Collision Avoidance Systems (TCAS) of manned aircraft, loss-link procedures in the UAS, and the UAS loss of communication with air traffic control. The findings of this study provide insight into potential risks of UAS integration and may support development of concepts of operation, establishing minimum performance standards, and developing required safety nets.

Thursday 08·15·13 PM, Clarendon, Public Safety II, Chair: Laabs

Integrating System Safety and Emergency Management
Terry L. Hardy, Great Circle Analytics, LLC, Denver, CO, USA

System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations, or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience, and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS, HSE, Marine Well Containment Company, Houston, TX, USA

Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess and Statoil. In February 2011, MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS and its Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach for working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.

WHAT ARE YOUR STRENGTHS AS AN ENGINEER?

"thinking system-wide" · "providing in-depth analysis of the latest technologies" · "solving real-life problems"

ONLINE MASTER'S DEGREES

- RELIABILITY ENGINEERING
- PROJECT MANAGEMENT
- NUCLEAR ENGINEERING
- SUSTAINABLE ENERGY
- ENERGETIC CONCEPTS
- FIRE PROTECTION ENGINEERING

LEARN MORE: wwwadvancedengineeringeduissc

A Taxonomic Analysis on Chinese Special Equipments "Yinhuan" in Supervision
Yunxiao Fan, Dr., Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety at the worksite. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices and automobiles. In recent years, the rapid increase in the numbers and types of special equipment has brought BSES increasing stress in special equipment regulation. As a government supervision organization, BSES tries to make the inspection tasks of the different supervision levels explicit and efficient, and to improve safety management performance from the viewpoint of risk. This research is the first task in a project which aims to identify yinhuans in special equipment supervision with a taxonomic approach, for further ranking of them through risk assessment. Based on nonconformity and the 4 elements in the accident causation model, this research defined yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. This research identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans of 8 types of special equipment.

Thursday 08·15·13 PM, Dartmouth, Hazard/Risk Management II, Chair: Kniess

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1); Patrick J. Graydon, PhD (2); Rikard Land, PhD (1); (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework including analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach, the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence; it can ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA

United Launch Alliance (ULA) believes error reporting is the cornerstone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012, ULA experienced an elevated number of transportation-related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if the associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates processes were "in control" during the period of this study.


Reliability Allocation, Prediction, FMECA, Fault Tree Analysis, Event Tree Analysis, Markov

Reliability Workbench

www.isograph-software.com

Isograph Software: World Leading Reliability, Availability and Maintenance Software

Reduce Labor & Spares Costs · Increase uptime and output · Seamless integration with SAP and Maximo

Availability Workbench

Even though statistical analysis tools demonstrated ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.
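The P-chart test the ULA abstract refers to, worked through as an added example (this is not code from the paper or from ULA): each subgroup is a count of opportunities and a count of error events, the centre line is the pooled proportion, and each point gets its own 3-sigma limits because subgroup sizes may differ. The monthly figures below are constructed for illustration, not ULA data; the function and variable names are this example's own.

```python
"""Attribute (p) control chart for an error-event rate.

Added example, not code from the paper or from ULA. Each subgroup is
(number of opportunities, number of error events). Subgroup sizes may
differ, so every point gets its own control limits. The monthly data
below are constructed for illustration.
"""
import math

# Constructed data: (transport moves in the month, transport-related error events)
BASELINE = [
    (50, 1), (50, 2), (50, 0), (50, 1), (50, 3), (50, 2),
    (50, 1), (50, 0), (50, 2), (50, 1), (50, 2), (50, 1),
]
# The same twelve months plus a thirteenth month with a cluster of events.
WITH_SPIKE = BASELINE + [(50, 6)]


def p_chart(subgroups, sigma_limit=3.0):
    """Centre line and per-point limits of a p chart.

    p_bar = total events / total opportunities (the centre line).
    For subgroup i with n_i opportunities:
        UCL_i = p_bar + k * sqrt(p_bar * (1 - p_bar) / n_i)
        LCL_i = max(0, p_bar - k * sqrt(p_bar * (1 - p_bar) / n_i))
    Returns a dict with p_bar and one record per subgroup.
    """
    total_n = sum(n for n, _ in subgroups)
    total_d = sum(d for _, d in subgroups)
    if total_n == 0:
        raise ValueError("no opportunities in the data")
    p_bar = total_d / total_n
    points = []
    for i, (n, d) in enumerate(subgroups):
        if n <= 0 or d < 0 or d > n:
            raise ValueError(f"bad subgroup at index {i}: {(n, d)}")
        p = d / n
        half_width = sigma_limit * math.sqrt(p_bar * (1.0 - p_bar) / n)
        ucl = p_bar + half_width
        lcl = max(0.0, p_bar - half_width)  # a proportion cannot go below zero
        points.append({
            "index": i, "n": n, "d": d, "p": p,
            "ucl": ucl, "lcl": lcl,
            "out_of_control": p > ucl or p < lcl,
        })
    return {"p_bar": p_bar, "points": points}


def out_of_control_indices(subgroups, sigma_limit=3.0):
    """Indices of subgroups whose proportion falls outside the control limits."""
    chart = p_chart(subgroups, sigma_limit)
    return [pt["index"] for pt in chart["points"] if pt["out_of_control"]]


def is_in_control(subgroups, sigma_limit=3.0):
    """True when no subgroup breaches its limits (the question ULA asked)."""
    return not out_of_control_indices(subgroups, sigma_limit)


if __name__ == "__main__":
    for name, data in (("baseline", BASELINE), ("with spike", WITH_SPIKE)):
        chart = p_chart(data)
        print(f"{name}: p_bar={chart['p_bar']:.4f}, "
              f"out-of-control points={out_of_control_indices(data)}")
        for pt in chart["points"]:
            mark = "  <-- investigate" if pt["out_of_control"] else ""
            print(f"  month {pt['index']:2d}: p={pt['p']:.3f} "
                  f"LCL={pt['lcl']:.3f} UCL={pt['ucl']:.3f}{mark}")
```

With the constructed baseline every month stays under its upper limit, so the process reads "in control"; adding the thirteenth month pushes that one point above its UCL even though it also raises the centre line, which is the signal that the cluster warrants investigation rather than being normal variation. Note that the limits here are recomputed from all the data including the suspect month; a shop that has frozen limits from an earlier baseline period would flag the spike slightly earlier.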

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, PEng, MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece

Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how the STAMP Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents and incidents. The objective is to show the feasibility of establishing, in airports, system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems and airports to assess and predict changing levels of risk.


SPECIAL FUNCTIONS

Saturday
SSS Executive Council Meeting, 12:00 - 5:00pm, Tremont Room

Sunday
SSS Executive Council Meeting, 8:00am - 5:00pm, Tremont Room

Monday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Opening Ceremonies / General Session, 1:30 - 3:30am, Salons A-E. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus
Keynote Speaker: James P. Keller, Jr., MS, ECRI Institute

Tuesday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Sponsor/Exhibitor Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology
Sponsor & Exhibitor Reception, 6:30 - 8:30pm, Gloucester Room

Wednesday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
International Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK
Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00pm. Be in the hotel lobby at 6:00pm.

Thursday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Awards Luncheon, 11:30 - 1:20pm, Salons A-E

Friday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Best Papers Presentations, 8:00 - 11:20am, Dartmouth Room


32nd International System Safety Conference, 4-8 August 2014 · St. Louis, MO
St. Louis Union Station Marriott Hotel
Gateway to Safety

Local Attractions
• Gateway Arch Riverfront
• Missouri History Museum
• Museum of Transportation
• St. Louis Cardinals
• St. Louis Symphony
• St. Louis Union Station
• St. Louis Science Center
• The Contemporary Art Museum St. Louis
• Bissell Mansion Restaurant and Dinner Theater
• Missouri Botanical Gardens
• Laumeier Sculpture Park
• Anheuser-Busch Brewery
• Kemp Auto Museum
• Schlafly Bottleworks
• Fox Theater
• Purina Farms
• Meramec Caverns
• Laclede's Landing
• City Museum
• Magic House
• Grant's Farm
• St. Louis Zoo
• Delmar Loop
• Forest Park
• Harrah's
• Six Flags


ABOUT THE SYSTEM SAFETY SOCIETY
The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program or activity at the planning phase and continues through the design, production, testing, use and disposal phases.

The Society's Objectives
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070 · www.system-safety.org · email: systemsafety@system-safety.org

POINTS OF CONTACT

Officers
Robert Schmedake, President, robertaschmedakeboeingcom
Dr. Rod Simmons, Executive Vice President, rodsimmonsmecom
Dr. Matt Johnson, Executive Secretary, mjohnsonstaudertechcom
Pam Kniess, Treasurer, pamkniessgmailcom
Gary Braman, Immediate Past President, gbramansikorskycom

Directors
Gerry Einarsson, Chapter Services, einargkrogerscom
Lynece Pfledderer, Conferences, Lynecepfleddererlmcocom
Dr. Chuck Muniak, Education & Professional Development, cmuniakstevensedu
Debbie Hale, Gov. & Intersociety, Hale0324hotmailcom
Robert Fletcher, International Development, rwfletchersympaticoca
Melissa Emery, Member Services, memeryapt-researchcom
Steve Mattern, Mentoring R&D, smatternbastiontechnologiescom
Saralyn Dwyer, Publicity & Media, sdwyerapt-researchcom


CHAPTERS
Tennessee Valley Chapter, AL: Don Swallom, swallomisss-tvcorg
Saguaro Chapter, AZ: Amanda Boysun, 520-794-5487, AmandaBoysunraytheoncom
Bay Area Chapter, CA: Graham Murray, 408-756-2674, grahamtmurraylmcocom
Central California Chapter, CA: Kathleen Brenna, KathleenBrenna1usafmil
Sierra High Desert Chapter, CA: Jerry Banister, 760-377-4690, safetycitadelearthlinknet
Southern California Chapter, CA: Francis McDougall, 310-653-1309, francismcdougallusafmil
Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppecomcastnet
Georgia Chapter: Terry Gooch, 770-494-3527, terryjgoochgmailcom
Winners Circle Chapter, KY/IN: Marc Bever, 812-854-1351, Marcbevernavymil
Twin Cities Chapter, MN: Bill Blake, 763-744-5086, billblakeatkcom
New England Chapter: Alan E. Southwick, 401-842-2067, Alan_E_Southwickraytheoncom
Northeast Chapter: Scott Beecher, scottbeecherPWutccom
New Mexico Chapter, NM: William (Bill) Harwood, williamharwoodmdamil
Houston Chapter, TX: Derek Robins, 281-335-2011, derekrobbinsmwcc-usacom
North Texas Chapter, TX: Frank Rinaldo, 817-762-3075, frankrrinaldolmcocom
Washington DC Chapter: Sean Peters, seanpetersurscom
Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerberbaesystemscom

International Chapters
Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbechtrgbassurancecomau
Canada Chapter: Maury Hill, 613-220-0533, Mauryhillrogerscom
Israel Chapter: Haim Kuper, 972-4-8315044, haimkuperelbitsystemscom
Singapore Chapter: Ten Lin Mei, tlinmeidsoorgsg


31st ISSC LUNCHEON MENU

Tuesday, August 13
New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14
Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15
Caesar Salad
Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce
White Chocolate and Blood Orange Torte


the Founder and Technical Director of BlazeTech Corp., an engineering firm that specializes in technology and software development in the area of energy, environment and safety.

Friday 08·16·13, 8:00-10:00, Clarendon, Workshop

Process Safety Culture Best Practices
Presenter: Laurence Pearlman, MA, Corven Inc. and University of Illinois at Urbana-Champaign, Naperville, IL, USA

The workshop explores how process safety is more than a technical solution and involves cultural change. To make a successful and sustainable culture change, multiple elements need to be combined that address people, rewards, learning and leadership. This workshop will explore best practices and give practical advice on how to build a process safety culture. The workshop is aimed at Oil, Chemical and other process-related work.

• Introduction
• Change as a Journey: Overview of Change Management
• Building a Business Case: Defining a Burning Platform
• Speaking of Process Safety: Creating a Common Language for Process Safety
• Leadership Matters: Defining the Role of Your Leadership Teams
• Effective Learning: Segmenting Your Audiences and Delivering Relevant Learning Activities
• Looking at Behaviors and Desired Outcomes: How To Define & Drive Behaviors
• The Employee Lens: Know My Barriers & Know My Role in Keeping Them Healthy
• Measurement of Culture: What Works and What Doesn't
• Wrapping it Up: Change as a System

You have a lot on the line. Our adaptive Safety Management and FAA Compliance solutions won't let you down.

Adaptive SMS - The comprehensive solution for the most efficient implementation
Extends a culture of safety beyond safety teams
Easily guides users to confidentially report useful safety events
Responsiveness shows users they made a difference

Adaptive Systems Safety Analysis - Safety oriented system design analysis

Don't miss the Sikorsky Aircraft and AST Aerospace presentation "Linear Integrated Safety Analysis (LISA)"

A DIVISION OF ATLANTIC SOFTWARE TECHNOLOGIES
1-732-230-2590
salesastaerospacecom
www.astaerospace.com


PAPER PRESENTATIONS
Monday 08·12·13 AM, Berkeley, Hazard Analysis, Chair: Barondes

Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models
Lucas Wind, Dr. Gabriele Schedl, Juergen Floetzer, Safety Management Department, Frequentis AG, 1100 Vienna, Austria

Multiple failures of components due to shared causes, also known as Common Cause Failures (CCF), comprise an important class of failure types. These have to be taken into account in any serious assessment of safety critical systems deploying any redundancy concept. Whereas a qualitative assessment of CCF can be regarded as common practice, the exact numerical impact of CCF is usually less widely understood. Explicit representation of CCF is quite cumbersome and usually involves complex graphical representations within Fault Trees and RBDs. Focusing on a correct derivation of RAM data rather than on a comprehensive common cause analysis, an implicit representation of CCF is therefore often preferred, but involves in-depth knowledge of the underlying mathematical models. This paper aims to enable safety experts to make a fast, simple but effective RAM analysis including CCF. Popular CCF models are reviewed together with their advantages and disadvantages, based on the long-term experience of a supplier in the context of a large European ATM project. The single-parameter beta-factor model is explained in detail and demonstrated to be most effective for typical ATM applications. Based on this model, results are given in terms of representative figures depicting the influence of CCF on various typical real-world availability requirements.
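The beta-factor model the abstract refers to, worked through as an added example (this is not code from the paper or from Frequentis): each channel's failure rate λ is split into an independent part (1-β)λ and a common-cause part βλ that takes down every redundant channel at once, and the redundant system's unavailability is the OR of "all channels failed independently" and "the common-cause event occurred". The example goes slightly beyond the abstract by handling 1-out-of-n rather than only a duplex pair. It assumes constant failure and repair rates with revealed failures repaired independently; the rates, repair time and β values are constructed for illustration and all names are this example's own.

```python
"""Beta-factor common cause failure (CCF) model for a 1-out-of-n redundant system.

Added example, not code from the paper or from Frequentis. Assumptions
(labelled): constant failure and repair rates, revealed failures repaired
independently, and a single CCF event that fails every redundant channel at
once. The numeric values used below are constructed for illustration.
"""


def steady_state_unavailability(failure_rate, mean_repair_time):
    """Steady-state unavailability of a repairable item.

    q = lambda*tau / (1 + lambda*tau), which equals lambda / (lambda + mu)
    with repair rate mu = 1/tau.
    """
    lt = failure_rate * mean_repair_time
    return lt / (1.0 + lt)


def beta_factor_split(failure_rate, beta):
    """Split a channel's total failure rate into independent and common-cause parts.

    beta is the fraction of a channel's failures assumed to be shared by all
    channels; the remaining (1 - beta) are independent.
    """
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must lie in [0, 1]")
    return (1.0 - beta) * failure_rate, beta * failure_rate


def one_out_of_n_unavailability(failure_rate, mean_repair_time, beta, n):
    """Unavailability of n identical channels where one surviving channel suffices.

    The system is down if all n channels have failed independently, or if the
    common-cause event has occurred. The two contributions are combined as an
    OR gate of two events assumed independent of each other.
    """
    if n < 1:
        raise ValueError("need at least one channel")
    lam_ind, lam_ccf = beta_factor_split(failure_rate, beta)
    q_ind = steady_state_unavailability(lam_ind, mean_repair_time) ** n
    q_ccf = steady_state_unavailability(lam_ccf, mean_repair_time)
    return 1.0 - (1.0 - q_ind) * (1.0 - q_ccf)


def ccf_penalty_factor(failure_rate, mean_repair_time, beta, n):
    """How many times worse the redundant system is once CCF is included."""
    with_ccf = one_out_of_n_unavailability(failure_rate, mean_repair_time, beta, n)
    without = one_out_of_n_unavailability(failure_rate, mean_repair_time, 0.0, n)
    return with_ccf / without


def availability_table(failure_rate, mean_repair_time, betas, n):
    """Rows of (beta, unavailability, availability) for a sensitivity sweep."""
    rows = []
    for beta in betas:
        q = one_out_of_n_unavailability(failure_rate, mean_repair_time, beta, n)
        rows.append((beta, q, 1.0 - q))
    return rows


if __name__ == "__main__":
    # Constructed values: 1e-4 failures per hour per channel, 8 h mean repair time.
    LAM, TAU = 1e-4, 8.0
    for beta, q, a in availability_table(LAM, TAU, (0.0, 0.01, 0.05, 0.10), n=2):
        print(f"beta={beta:5.2f}  Q_sys={q:.3e}  A_sys={a:.8f}")
    print(f"penalty factor at beta=0.10: {ccf_penalty_factor(LAM, TAU, 0.10, 2):.0f}x")
```

With the constructed figures, a duplex pair with β = 0 reaches an unavailability of about 6e-7, while β = 0.1 puts it near 8e-5, roughly two orders of magnitude worse, and adding a third or fourth channel no longer helps because the common-cause term βλτ is the floor. That is the practical reason an availability requirement for a redundant system cannot be met by redundancy alone unless the β value is justified and defended.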

Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees
Wes Rainey, MSEE, Life Cycle Engineering, General Dynamics Electric Boat, Groton, CT, USA

Fault Trees prove to be an effective tool for identifying safety critical system hardware and software requirements during the Safety Requirements Hazard Analysis (SRHA) process. This safety analysis methodology offers significant benefits when performing the SRHA. Fault Trees effectively communicate the safety assessment of a safety hazard to other safety engineers, systems engineers, the customer and other impacted engineering disciplines in a manner that each discipline can readily understand and evaluate for completeness and correctness. Fault Trees also enhance the safety engineer's ability to assess the implications of safety mishaps and events on safety hazards, improving visibility into the relationship between related mishaps and events and allowing for common events to be identified and shared between hazards. Fault Trees can then be structured to correspond to the system hardware and software requirements analysis, thus providing the ability to identify hazard-mitigating safety critical requirements, design features and procedures early in the development process for continued tracking and management. This paper describes significant benefits of Fault Tree analysis when applied to an SRHA, with an example based upon a hazard caused by significant equipment damage to a pump.

The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment
Omar T. Jaradat, PhD Student (1); Patrick J. Graydon, Postdoctoral Research Fellow (1); Iain Bate (2); (1) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden; (2) Department of Computer Science, University of York, York, United Kingdom

Typical safety standards require software engineers to show that a plan of safety activities (chosen from recommended options or alternatives) meets a set of objectives. For example, the automotive safety standard ISO 26262 recommends formally verifying software architectures to show that they comply with safety requirements. In this paper, we show how an existing approach to architectural model checking could be used to conform to ISO 26262.

The Architecture-Based Verification Technique for AADL Specifications verifies some completeness and consistency properties of Architectural Analysis and Design Language (AADL) models. An engineer transforms the AADL architecture into an UPPAAL model, generates a set of UPPAAL queries, and uses UPPAAL to check the queries. Using the resulting evidence, we have created a partial ISO 26262 safety case for an existing system that warns drivers of heavy vehicles before low fuel causes loss of power and vehicle control.

In this paper, we demonstrate how this model-checking evidence contributes to an ISO 26262 safety case. We then critically analyze the resulting argument, recommend means of achieving complete coverage of ISO 26262 objectives, and discuss the costs and benefits of architectural model checking in comparison to those of the other techniques recommended by ISO 26262.

Monday 08·12·13 AM, Clarendon, Ground Transportation, Chair: Millin

Achieving Confidence of a Safety Critical System Product and Its Applications
Fenggang Shi, PhD, RAMS Department, Thales Canada Transportation Solutions, Toronto, ON, Canada

A safety critical system product can be developed for multiple project applications, such as a Communication Based Train Control (CBTC) product for modern railway signaling systems. It is natural that different safety critical systems in the same domain can have different characteristics due to variances of devices and operation environment. Such a product must be developed based on the generic attributes of systems in the domain, and can be parameterized and tailored to a specific system with the characteristics expected by the customer. The key issues in the development of such a product are defining common functions in the application domain, categorizing and generalizing devices, and designing a configurable system architecture. Thus, devices and functions can be parameterized and tailored for a specific system of a project. Safety engineering for such a safety critical system product and its applications faces complexity in safety case development for demonstrating systematic hazard analyses and management. This paper discusses Thales' experience and practice of resolving the key issues in designs and managing the complexity of safety engineering on its CBTC product and applications. Safety confidence of CBTC systems is achieved through four layers of safety engineering: vital computer, controller platform, generic application and specific application.

Failure Logic Automata for Future Oriented Safety Assessment of Train Control System
Guo Zhou, PhD Student, Huibing Zhao, Professor, School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China
During the development of a train control system, safety analysis can deviate from the system design. System engineers and safety engineers often carry out their work in entirely different ways, so that when the system engineers assert that their design is complete and feasible, the safety engineers may disappointedly declare that the safety requirements are not met. Conversely, when the safety engineers present their manual analysis reports (FTA, FMECA, etc.), the system engineers may point out inconsistencies. Intuitively, there seems to be a "gap" between system engineering and safety engineering. In this paper, some comparisons among classic safety assessment methods are performed first. Then a future oriented safety assessment method is introduced to safety engineering, to automatically verify safety requirements as the complexity of system design soars. The hierarchical and modularized methodology of failure logic modeling is illustrated for minimal cut set synthesis and dangerous failure rate calculation, whose results can be used to prompt improvements to safety. A mathematical model is constructed to demonstrate the correctness of the method. An example analysis of an on-board train protection system is also performed.

Are We Ready for Driverless Cars?
David B. West, CSP, PE, CHMM, AMCOM/AMRDEC Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
For decades, technological advancements have continually improved the automobile, making it easier to drive. As we integrate features like adaptive cruise control, GPS navigation, lane keeping and so on, and make them interoperable, we move ever closer to having cars that will drive themselves to the destinations we enter into their programs. Some experts have even predicted that in less than a generation it will be illegal to steer our cars ourselves. Though it may seem that serious safety challenges constrain our movement down this path, it may actually be the safety benefits offered by driverless cars that propel us in this direction. Several high-profile competitions have fostered the development of driverless car technology. Some jurisdictions are already passing legislation to pave the way for driverless cars on public roads. With driverless cars will come major changes in legal processes involving accidents. In many ways, the development of driverless cars that will operate on public roadways parallels the development of unpiloted aircraft that will fly in the national airspace. Design standards for hardware and software in civil aircraft (e.g., RTCA DO-254/DO-178) may serve as models for similar qualification of driverless car hardware and software.

Tuesday 08·13·13 AM, Berkeley: Hazard/Risk Management. Chair: Parizo

Safety is not an Option
Clifford A. Parizo, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Stratford, CT, USA; R. Brandon Daugherty, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Huntsville, AL, USA
This paper presents a method for evaluating and classifying rotorcraft safety enhancing equipment in terms of its impact on safety and various equipment implementation factors. Guidance from certifying agency policy and system safety standard practice was considered, resulting in a classification tool that can be used to determine whether equipment should be marketed and sold as either mandatory or optional. The methodology developed may have applications for other products and industries.

National Aerospace Standard 411 Update
Timothy Sheehan, CIH, CSP, PE, Raytheon Global Substances Program, Raytheon, Portsmouth, RI, USA
This paper describes the effort to review and update National Aerospace Standard 411 ("NAS 411"), commonly used within defense as a framework to conduct Hazardous Material Management Programs (HMMP) intended to reduce hazardous material risks in the government procurement of military systems. The scope of the effort includes both a review of the standard and the introduction of several key changes, including the expansion of its scope to non-military procurements and service contracts. Included in the effort is the task of developing a standardized military Hazardous Materials Target List (HMTL) that can be used as a starting point for military HMMP hazardous material (HAZMAT) target lists. The development of the common HMTL addresses the need to increase standardization of HMMP lists across defense programs that use NAS 411 and/or MIL-STD-882E Task 108 to conduct their HMMPs. There is currently no standard approach for developing these lists; as a result, numerous different materials are identified for restrictions and reporting requirements. The current situation often does not support (or reflect) the hazmat risk management goals of the DoD, the military services or the contractors.

Linear Integrated Safety Analyses (LISA)
Michael T. Grant, Aviation & Product Safety, Sikorsky Aircraft Corp., Stratford, CT, USA; Samad Muhammad, Atlantic Software Technologies Inc., New York, NY, USA
This paper describes the Linear Integrated Safety Analyses (LISA) process developed by the Sikorsky Aircraft Corporation (Sikorsky). The LISA architecture is designed to encompass all aspects of safety risk management for aircraft development programs. It is linear in that each assessment is repeated at the aircraft, system and subsystem levels in sequence, and it is integrated such that all analyses are connected and fully traceable to requirements. Sikorsky has partnered with Atlantic Software Technologies (AST) to develop a web-based LISA application. The end product will be a fully integrated system safety process that is comprehensive, repeatable and traceable.

Tuesday 08·13·13 AM, Clarendon: Workspace Safety. Chair: Kondreck

Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen
Han Zhang, MSc Candidate, Rachel McQueen, MS, PhD, Jane Batcheller, PhD, Human Ecology, University of Alberta, Edmonton, Alberta, Canada
Burn injuries in kitchens are prevalent, and chefs are also exposed to high heat and humidity. Limited research has been performed on safety issues related to chef's uniforms regarding thermal protective performance against common kitchen thermal hazards (i.e., flames, hot liquids, steam and hot surfaces) and thermal comfort within commercial kitchens. The purpose of this research was to characterize the thermal protective performance properties of textiles used in chef's uniforms in order to understand how protective they are against all of these thermal hazards in such an environment. Selected thermal performance tests (i.e., flammability and ease of ignition, hot water and oil splash, steam testing under low pressure, and hot surface contact tests) were applied to predict the time to second-degree burn. Different fabric layer combinations (e.g., impermeable/semipermeable apron and two or more layers of cotton fabric) were applied to determine the most effective way to wear chef's uniforms. In addition, thermal and water vapour resistance were compared among different fabric systems in terms of thermal comfort. Based on the data obtained from bench scale tests, recommendations were made to improve the thermal protection and thermal comfort of fabrics used in chef's uniforms and the safety within commercial kitchens.

Program ISSC 2013

A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources
Ray Fischer (1), Kurt Yankaskas, BS (2), Chris Page (1); (1) Noise Control Engineering Inc., Billerica, MA, USA; (2) Warfighter Performance Department, Office of Naval Research, Arlington, VA, USA
Noise remains the most prevalent occupational hazard associated with defense systems and the operations critical to their sustainment. Concurrently, acquisition programs have been inconsistent in their application of control measures, and many new systems are noisier than their legacy predecessors. Common impediments to improved control include a relative lack of emphasis on risk management of noise, a lack of widespread technical knowledge regarding the feasibility of noise control, and misunderstanding of the potential return on investment from noise controls. The Defense Safety Oversight Council's Acquisition and Technology Task Force sponsored a project to identify common noise sources affecting multiple defense systems that were amenable to control measures that could be implemented using existing technologies at an affordable cost. A system engineering risk management process was applied to review key noise sources in DOD, identify nine of the more common sources amenable to control technologies, and describe common control measures for these processes. An affordable containment (acoustic enclosure) technology was also evaluated and described. Estimates were made of exposed populations, the range of their occupational exposures, and the potential risk and fiscal cost of hearing loss. Cost-benefit analyses were applied to evaluate the return on investment from available control measures.

System Safety Design for Safe Operation of Radars
Ronald J. Bartos, PE, CSP, Whole Life Engineering, Raytheon, Sudbury, MA, USA
Safe operation and maintenance of radars depends upon effective system safety and software safety analyses of radar designs. These analyses include identification of the hazards involved in operating and maintaining radars and of the safety requirements that are necessary to mitigate these hazards. This paper familiarizes the reader with the system safety design requirements that are implemented in the controls of these systems in order to manage the potential safety risks inherent in radars. The safety features are contrasted among different types of radars. The differences in the types of safety features among these systems are highlighted, and the factors behind these differences are presented. The radar's mission, location, system architecture, conceptual design and requirements allocation between hardware and software need to be understood in order to implement an effective safety program.

Tuesday 08·13·13 PM, Berkeley: Software Engineering. Chair: Mikula

Dependability Techniques Applied to Space Software - A Research Project Report
Carlos Henrique Netto Lahoz, Dr. Eng., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos (SP), Brazil; Martha Adriana Dias Abdala, MS, Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos, Brazil
This work reports some results of a research project performed at the Institute of Aeronautics and Space (IAE), Brazil, using dependability techniques applied to a space computer system. Hazard analysis techniques such as Software FTA and Software FMECA were used in an integrated manner, and more recently the System-Theoretic Process Analysis (STPA) has been studied. This research is part of the Verification and Validation (V&V) efforts to increase software dependability capability in software projects at IAE.

The feasibility of such an approach was evaluated on the system software specification and applied to a case study based on the Brazilian Launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to the inclusion of new functional and non-functional system software.

The techniques are adjusted and used in combination to identify common causes of software failures, their criticality, performance problems, timing problems and hazards arising mainly from dysfunctional interactions between components. The SFTA analysis produced 82 basic events and the SFMECA 34 analyses from the sequence of flight and control events. STPA is being applied to one of the case study scenarios in order to evaluate possible additional information about how the behavioural safety constraints can be violated.
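Both the failure-logic paper in the Monday ground transportation session (minimal cut set synthesis and dangerous failure rate calculation) and the software FTA work above rest on the same mechanics: expanding a fault tree into cut sets, minimizing them by absorption, and quantifying the top event from basic-event probabilities. The following is an added example of those mechanics, not code from either paper. The tree is a constructed toy model of an on-board train protection function; the gate structure, event names and failure rates are assumptions chosen so that one branch is absorbed and the quantification is non-trivial.

```python
"""Minimal cut sets and top-event probability for a small fault tree.

Added example, not code from either paper. The tree is a constructed toy
model of an on-board train protection function; gate structure, event names
and failure rates are assumptions chosen to show absorption and quantification.
"""
from itertools import combinations
from math import exp, prod

# A gate is ("AND" | "OR", child, child, ...); a basic event is a string.
TOP = (
    "OR",
    ("AND", "brake_cmd_lost", "backup_brake_lost"),
    ("AND",
     ("OR", "odometry_fault", "balise_misread",
      ("AND", "brake_cmd_lost", "backup_brake_lost")),   # redundant branch: absorbed below
     "supervision_down"),
    ("AND", "brake_cmd_lost", "supervision_down"),
)

# Constructed failure rates per hour and a 10-hour mission (assumed values).
RATES = {
    "brake_cmd_lost": 1e-4, "backup_brake_lost": 1e-3,
    "odometry_fault": 5e-4, "balise_misread": 2e-4, "supervision_down": 1e-4,
}
MISSION_HOURS = 10.0


def cut_sets(node):
    """Expand a gate bottom-up into its (not yet minimal) cut sets."""
    if isinstance(node, str):
        return [frozenset([node])]
    kind, *children = node
    child_sets = [cut_sets(c) for c in children]
    if kind == "OR":                                   # any child failing fails the gate
        return [cs for sets in child_sets for cs in sets]
    if kind == "AND":                                  # all children fail: cross product
        result = [frozenset()]
        for sets in child_sets:
            result = [a | b for a in result for b in sets]
        return result
    raise ValueError(f"unknown gate type {kind!r}")


def minimal_cut_sets(node):
    """Absorption: discard any cut set that strictly contains another one."""
    sets = set(cut_sets(node))
    return sorted((cs for cs in sets if not any(other < cs for other in sets)),
                  key=lambda cs: (len(cs), sorted(cs)))


def single_points_of_failure(mcs):
    """Order-1 cut sets: one basic event alone reaches the top event."""
    return [next(iter(cs)) for cs in mcs if len(cs) == 1]


def unavailability(rate_per_hour, hours):
    """Probability a non-repairable basic event has occurred by time t."""
    return 1.0 - exp(-rate_per_hour * hours)


def top_event_probability(mcs, q):
    """Exact P(top) by inclusion-exclusion over independent basic events.

    Cost grows as 2**len(mcs); acceptable for the few cut sets seen here.
    """
    total = 0.0
    for k in range(1, len(mcs) + 1):
        sign = 1.0 if k % 2 else -1.0
        for combo in combinations(mcs, k):
            events = frozenset().union(*combo)          # intersection of cut sets
            total += sign * prod(q[e] for e in events)
    return total


def rare_event_bound(mcs, q):
    """Sum of cut-set probabilities: the usual conservative upper bound."""
    return sum(prod(q[e] for e in cs) for cs in mcs)


if __name__ == "__main__":
    mcs = minimal_cut_sets(TOP)
    q = {e: unavailability(r, MISSION_HOURS) for e, r in RATES.items()}
    for cs in mcs:
        print(sorted(cs), f"P={prod(q[e] for e in cs):.3e}")
    print("single points of failure:", single_points_of_failure(mcs))
    p_top = top_event_probability(mcs, q)
    print(f"P(top) over {MISSION_HOURS:g} h = {p_top:.3e}  (bound {rare_event_bound(mcs, q):.3e})")
    # Average dangerous failure rate over the mission, approximated as P(top)/t.
    print(f"approx. dangerous failure rate = {p_top / MISSION_HOURS:.3e} /h")
```

The raw expansion yields five cut sets; absorption removes the three-event set that contains the two-event brake cut set, leaving four. The single-point-of-failure list is the check a reviewer asks for first (it is empty here), and the gap between the exact probability and the rare-event bound shows how much conservatism the bound buys.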

The Principles of Software Safety Assurance
Richard Hawkins, PhD, Ibrahim Habli, PhD, Tim Kelly, PhD, Department of Computer Science, University of York, York, United Kingdom
We present common principles of software safety assurance that can be observed from software safety standards and best practice. These principles are constant across domains and across projects and can be regarded as the immutable core of any software safety justification. The principles also help maintain understanding of the 'big picture' of software safety issues whilst examining and negotiating the detail of individual standards, and provide a reference model for cross-sector certification.


Formal Modelling in the Development of Dependable Systems
Elena Troubitsyna, PhD, IT, Åbo Akademi University, Turku, Finland
Nowadays we tend to place increasing reliance on computer-based systems and the software they run. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, the analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.

It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing software to the required degree of dependability infeasible, and hence the emphasis should be put on a development process aimed at producing fault-free software. Moreover, the system environment has a direct impact on its dependability, and hence a systems approach should be applied.

In the paper we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.

Tuesday 08·13·13 PM, Clarendon: Aerospace Safety. Chair: Kraemer

Systems-Based Approach to Flight Safety Management in Airlines
Hong Chi, PhD, Baoguang Xu, PhD, Mingliang Qi, PhD, Xueyan Shao, PhD, Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China
Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of SMS. Since 2006 we have worked with one of China's three big airlines, taking part in its construction of an SMS. We find that safety risks have their own features in different airline departments, and divide safety risks into two categories: one is caused by factors such as the quality of pilots and the reliability of airplanes, and the other is caused by mis-processing in operational processes; for example, a mis-processing in data entry during dispatching may lead to insufficient fuel and then to serious outcomes. A reasonable risk assessment can be obtained only by systematic mechanism analysis, and other analytical approaches need to be studied besides the risk matrix. Based on this, effective risk mitigation can be implemented in airlines. We develop a closed loop to support airline flight safety management, named "Describing-Assessing-Diagnosing-Improving-Tracking". Specific details will be discussed in this paper.

Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch
Burak Durmaz, MSc Eng., Product Assurance Department, Space Systems Group, Turkish Aerospace Industries Inc. (TAI), Ankara, Turkey
Even if new generation aircraft have rugged designs that maximize reliability, exposure to failures during operation is still unavoidable. A pure safety approach can lead to the classical result "the safest aircraft is the one in the hangar". Conversely, allowing dispatch without ensuring a certain level of safety can lead to catastrophic results and is totally unacceptable. The MMEL has been answering this dilemma for many years. Each MMEL item is analyzed taking into account the effects of the item's inoperability on safe flight and landing, crew workload, functional capabilities of the systems, design margins and the impact of the next critical failure. The MMEL proposes dispatch criteria for any inoperative MMEL item by taking credit from a redundant unit capable of accomplishing the same function or from backup data provided by alternative sources or equipment, by dictating acceptable limitations, and/or by requiring operational or maintenance procedures.

This study aims to answer questions such as why an MMEL is required and how an MMEL is developed. Brief information about MMEL regulations, the importance of the MMEL in ensuring safe dispatch with inoperative item(s), and some simple examples of MMEL applications will also be provided.


Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics
Stuart Campbell Sr., MAS, CFII, ATP, Aeronautical Science, Embry Riddle Aeronautical University, Daytona Beach, FL, USA
The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilots Association, 2010). The absence of a positive safety culture in general aviation, including training organizations, affects pilot judgment and decision making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture to the learning process and training, are of importance and currently under study using the Frasca Mentor Advance Aviation Training Device.

Tuesday 08·13·13 PM, Dartmouth: Software Safety. Chair: Schmedake

Safety and/vs. Security: Towards a System Engineering Approach for Trust
Erwin Schoitsch, Dipl.-Ing., Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria
Safety has a long tradition in many engineering disciplines, evolving long before computers arrived on the scene. Security in engineering disciplines has a shorter history, becoming increasingly important with the rising complexity of networked systems. In complex cyber-physical systems and systems-of-systems, both worlds, having ignored each other for a long time (independent communities, different targets, standards, techniques and measures), now have to share their concerns to achieve the real goal of users and stakeholders: trustworthy systems.

The paper will compare the different approaches of the major safety and security standards, particularly with respect to setting goals, considering techniques and measures, and qualification/certification. Holistic system aspects, as covered by the notions of Dependability and Resilience as umbrella terms, and system engineering aspects, taking into account the dichotomic properties of complex embedded systems (commonalities and trade-offs), are examined in order to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from the concept phase and hazard and risk analysis through to decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC FP7 Integrated Project OpenCoss, IEC/ISO standardization groups and other work.

Anatomy of a Safety Critical Software Function
Richard Church, Raytheon Company, Tewksbury, Massachusetts, USA
This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides a clear and concise determination of how a safety critical function may be defined at the system level, to include hardware, software, human interactions and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose SLSCF computing level functions, details what constitutes a Safety Critical Computing Software Function (SCCSF), and shows how to identify those behavioral attributes that designate that function as safety critical. This paper provides a methodology to identify, decompose and categorize application and operating environment SCCSFs. For the purpose of this paper, SCCSFs are categorized into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety critical software functions that control and monitor safety critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies and fail-safe designs found in successful high consequence safety critical systems.

Software Risk: The Third Rail of Safety Analysis
Holly S. Hildreth, PhD, Consultant; Charles Greg Elcock, USN-R Aviator, Consultant, San Diego, CA, USA
"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Due to our inability to assess the probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called "throwing the baby out with the bath water". Meanwhile, the recent industry trend to assess software risk based solely on implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss shortcomings of this trend and describe alternative techniques that have not been openly documented but that have been used "under the radar" by software safety professionals for many years.

Wednesday 08·14·13 AM, Berkeley: Human Factors. Chair: Robins

ASL – Affective Safety Leadership
Ulrik Ramsing, Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark
Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how", demanding that the CoRep engage with all parties in a safe, professional and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged with CfL, Centre for Leadership, to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, satisfactory completion of which is now a requirement for employment in DONG E&P Offshore Operation as Company Representative.

The CoRep Program satisfies its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors and ILO-driven offshore coaching.

Exxon Valdez: Human Error, Plain and Simple
Arthur D. Barondes, BS (Mil Engr), MS (Aero), MBA, PhD (ABD) (Business), Analytics International Corporation (AIC), Alexandria, VA, USA
Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989, and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors (there were no mechanical or electrical failures that fateful night), the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors, onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company, as solely responsible for the disaster.


Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A. Vernacchia, MS, PE, Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A. Green, PhD, Active Safety Systems, General Motors, Warren, MI, USA; Robert E. Llaneras, PhD, Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA
Today's electric propulsion system designs (e.g., Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, for some failure modes the failure effect on output torque may be realized significantly faster than for traditional ICE failure modes. These may present differences in how output torque responses impact potential "Driver Startle" events.

This paper compares electric propulsion systems' fault response characteristics, and the subsequent detection and mitigation capabilities, to those of ICE systems. The effects of the electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle level hazard metrics related to Driver Startle, are presented.

Wednesday 08·14·13 AM, Clarendon: Public Safety. Chair: Fletcher

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD, Yun Luo, Shuo Tian, MS, School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
Scientific precaution against and effective control of accidents are important for national production in China. The famous Heinrich Rule reveals that the statistical law of the severity and frequency of accidents is essential to controlling accidents, but the accident source and causation, as well as the essence of systematic safety factors, have not been stated in depth. Using data analysis from various accident statistics over recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. A proportion rule of the accident pyramid is then figured out, namely "Major Accident-Fatal Accidents-General Accidents-Hidden Dangers-Hazards" (1-52-240-4700-∞). The result accords with the traditional Heinrich Rule, which provides the theoretical basis for accident prevention and indicates the way and direction to realizing essential safety.

Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity
Ilya M. Zheleznov, PhD, VNIIA, Moscow, Russia
The paper presents a review and the results of an analysis of different technical and economic aspects of industrial safety at a large enterprise with distributed sites, combining R&D work with pilot and batch production of high-tech products, and located in a megacity, Moscow.

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to optimization are considered from both technical and economic points of view, taking into account minimization of the transportation of dangerous substances, the location of treatment facilities (waste effluents, gas purification) and waste storehouses, the location of systems for maintaining working conditions (heating, air-conditioning, air cleaning, water supply, etc.), possible harm to the population, and a number of other factors.

The features connected with the location of the enterprise in a megacity are identified, including limited areas for treatment facilities, high saturation of the area with various communications, small distances to residential buildings and city infrastructure, transport problems, high pollution of the air environment, etc.


Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr. Professor G.A. Smirnov, Dr. D.I. Yurkov, D.V. Syagin, T.V. Kozhina, All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia
The paper reviews questions related to the vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including those of a terrorist orientation, as well as to emergency situations of natural and anthropogenic character.

The main provisions of the complex program for the safety of the population on transport approved by the Russian Government are presented. Approaches to the organization of screening of physical persons (passengers), vehicles, cargoes, luggage and personal items at transport infrastructure objects of the undergrounds of Russia are formulated. Some types of neutron and x-ray equipment designed and produced by VNIIA named after N.L. Duhov for the detection of explosives, nuclear materials and drugs are presented.

Wednesday 08·14·13 AM, Dartmouth: Lifecycle Safety. Chair: Swallom

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore, Singapore
System safety analyses assess a system's hazards throughout all phases of the system life cycle. Quite often, details of maintenance tasks on systems are not clearly thought out and assessed. Hence, while system maintenance tasks are being carried out, hazards could arise and pose safety implications for users. Improper maintenance could also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance, and sometimes total replacement of the components at regular intervals, is required. Therefore it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance


personnel's awareness of safety critical or safety related parts is also crucial in ensuring that the systems remain safe for operation after maintenance is conducted.

This paper attempts to classify the different types of maintenance and the focuses of their respective hazard analyses in order to better address their potential hazards. Generally there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance and Reliability-Centered Maintenance. The authors will discuss, with examples, the hazard analysis for each of these types of maintenance.

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram, David Hartfelder, Electronic Controls and Software, General Motors Company, Milford, MI, USA
System safety engineering is the application of special technical methods and managerial processes in a systematic manner to identify, evaluate and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned with eliminating or minimizing the impact of system hazard(s) to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementary critical safety analyses, tests and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase and continuing through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that they are able to influence the design of the system. This paper will define a system safety case and provide an overview of its development within the GM system safety engineering process as applied to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA

Error Prevention Event Collection (EPEC) Documents have been beneficial to the ULA Organization in many ways by providing multiple methods to augment current ULA Error Prevention Processes and share Lessons Learned throughout the ULA Organization. EPEC Documents are stand-alone documents that provide ULA Personnel with categorized sets of Event information that can be used to augment Preventive Analysis, Reactive Analysis and Collective Analysis processes. Events included in the EPEC Documents have been “closed” through the ULA Error Prevention Process. This means that they have completed the Causal Analysis, Corrective Action Board and Error Prevention Council processes. Upon Event closure, the “All Items” Database is populated with Event information and the applicable Event EPEC Categories. Then the “All Items” Database automatically sorts Event entries into “Category” Databases. There is one “Category” Database for each EPEC Category. Each “Category” Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each “Category” Database that provides users with instructions for use, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications and benefits will continue to be explored as they relate to the EPEC Documents.

Wednesday 08/14/13 AM, Exeter: Human Factors II (Chair: Flint)

Development of Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy; Yanyan Wang, DE; Xin Liu; Wei Bai; Xinsheng Guo; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China

Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress has a disadvantage on flight safety. Life events are a routine item of aircraft accident investigation in many countries. A lot of pilots involved in accidents suffer from life events. In order to acquire the ideal effect, flight safety education must be incorporated with psychology. An education program combining flight safety and psychological stress was developed by summarizing relative psychological factors of aviation risk perception. The program includes three sections: psychological measurement relative to safety and results feedback; education on representative risk scenes in aviation; and occupational stress management. The Aviation Safety Locus of Control scale and the Hazardous Aviation Attitude questionnaire were used to evaluate risk pattern. The results were fed back to pilots to improve self-knowledge. Representative risk scenes were based on the five hazardous attitudes theory. Fifteen cases were developed and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach the pilots stress management skills. The program can be applied to improve the flight safety and mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD; Xin Liu; Wei Bai; Xinsheng Guo; Qingfeng Liu, MPsy; Xiaochao Guo, DPsy; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China

The capabilities of crew resource management (CRM) directly relate to flight safety and run through the whole process of flight tasks, but there are currently no indicators or methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and the pilot's behavior characteristics of dynamic CRM were developed based on AC-121-FS-2011-41 crew resource management training and by analyzing the influential factors; thus, eventually, the dynamic assessment training indicators and methods of crew resource management were formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis of assessment of CRM during flight training, which is helpful to improve the CRM capabilities of the double-drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD; Erin Collins; Hughes Associates, Inc., Baltimore, MD, USA

The fire protection response in selected facilities is characterized by “manual” activities. That is, facility personnel are trained to immediately react after fire detection, not only to announce the fire event throughout the facility using the communication systems but also to suppress the fire as quickly as possible. Contrary to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e. hardware) reliability and availability techniques, “manual” detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper involves an integration of an event tree analysis and HRA, which includes treatment of the following detection and suppression activities: prompt detection and suppression, rapid detection and suppression, and fire brigade suppression.

Wednesday 08/14/13 PM, Berkeley: Safety Topics (Chair: Gauthier)

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou, BEng, MSc, PhD, CEng; Matthew Luckcuck; Tim Kelly, PhD; Richard W. Jones, PhD; Department of Computer Science, University of York, York, United Kingdom

There has been an increasing use of IT in healthcare, aiming to improve the healthcare quality as well as the safety delivered to patients. IT can contribute to improvement in meeting the performance targets of hospitals by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent in medical devices (e.g. pacemakers), for which there are organised efforts for international standards. Recently there have been attempts to systematise and standardise the safety analysis of health IT systems, with examples such as the UK National Health Service standards asking for a safety case that any IT systems are safe.

The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety and data-intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these (tactics) can be used to provide assurance to the final safety case of the system.

How Complex Systems Fail - I: Decomposition of the Failure Histogram
Richard R. Zito, PhD, Richard R. Zito Research LLC, Tucson, AZ, USA

Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that in general the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the “tails” (large values of time) are higher than those predicted by the Rayleigh model. And the failure histograms (failure rate vs. time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report will take the Peterson/Arellano analysis one step further. A unified theory of failure rates will be presented that removes the paradoxes of the simple Rayleigh model. It will be shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function law.
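As an added illustration of the decomposition this abstract describes (this is example code added here, not code from the paper or from the ISSC program), the following Python builds a failure histogram from several Rayleigh laws with spread-out modes and compares its tail with the single Rayleigh law a practitioner would fit to the same data. The three subsystem modes and their weights are constructed, and fitting the single Rayleigh by matching the mean failure time is this example's own choice of fitting method.

```python
import math

# Added example (not from the Zito paper or the ISSC program): a toy
# "unified" failure histogram built from several Rayleigh defect-rate laws,
# one per subsystem, compared with the single-Rayleigh fit one would make
# from the same data. All numbers below are constructed for illustration.


def rayleigh_rate(t, sigma, k=1.0):
    """Rayleigh defect-discovery rate k * (t / sigma^2) * exp(-t^2 / (2 sigma^2)).

    `k` scales the total number of defects the subsystem will ever expose and
    `sigma` is the mode, i.e. the time at which the rate peaks.
    """
    if t < 0:
        return 0.0
    return k * (t / sigma ** 2) * math.exp(-t * t / (2.0 * sigma ** 2))


def rayleigh_survival(t, sigma):
    """Fraction of a subsystem's defects still undiscovered at time t."""
    return math.exp(-t * t / (2.0 * sigma ** 2))


def mixture_rate(t, components):
    """Overall failure rate of a system whose subsystems each follow a Rayleigh
    law. `components` is a list of (sigma_i, weight_i) pairs; the weights are
    each subsystem's share of the total defect count and sum to 1."""
    return sum(w * rayleigh_rate(t, s) for s, w in components)


def mixture_survival(t, components):
    """Fraction of all defects still undiscovered at time t."""
    return sum(w * rayleigh_survival(t, s) for s, w in components)


def single_rayleigh_fit(components):
    """Method-of-moments fit of ONE Rayleigh law to the mixture (assumed fitting
    method). A Rayleigh law with mode sigma has mean failure time
    sigma*sqrt(pi/2), so matching the mixture's mean gives
    sigma_hat = sum(w_i * sigma_i)."""
    return sum(w * s for s, w in components)


def tail_mass(components, multiple=3.0):
    """Fraction of defects that surface after `multiple` times the fitted mode,
    for the single-Rayleigh fit and for the true mixture. The gap between the
    two is the "tails higher than Rayleigh predicts" effect."""
    sigma_hat = single_rayleigh_fit(components)
    t_tail = multiple * sigma_hat
    return rayleigh_survival(t_tail, sigma_hat), mixture_survival(t_tail, components)


def histogram(components, bin_width, t_max, total_defects=1000.0):
    """Expected defect counts per time bin (midpoint rule): the kind of failure
    histogram the paper sets out to decompose."""
    bins = []
    t = 0.0
    while t < t_max:
        mid = t + bin_width / 2.0
        bins.append(total_defects * mixture_rate(mid, components) * bin_width)
        t += bin_width
    return bins


# Constructed system: three subsystems whose Rayleigh modes are spread out,
# each contributing a third of the defects.
SUBSYSTEMS = [(1.0, 1 / 3), (2.0, 1 / 3), (4.0, 1 / 3)]

if __name__ == "__main__":
    single, mixed = tail_mass(SUBSYSTEMS)
    print(f"defects beyond 3*sigma_hat: single-Rayleigh fit {single:.4f}, mixture {mixed:.4f}")
    for i, count in enumerate(histogram(SUBSYSTEMS, 1.0, 10.0)):
        print(f"t={i:2d}..{i + 1:2d}: {count:7.1f}")
```

With the constructed modes, roughly 1% of defects lie beyond three fitted modes under the single-Rayleigh fit, but about 7% under the mixture: the subsystem with the largest mode dominates the late bins, which is exactly where a single-Rayleigh prediction under-estimates the observed rate.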

Wednesday 08/14/13 PM, Clarendon: Risk Assessment (Chair: Karedes)

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt; Joan Pham, PhD; Sikorsky Aircraft Corporation, Stratford, Connecticut, USA

The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday 08/15/13 AM, Berkeley: Space Systems (Chair: Durmaz)

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X. Dang, BSCE (1); Myles P. Moran, BSME (2); Tyrone Jackson, BSEE (1). (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA

A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. As an example, one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 AFSPC SUP 1, 91-217 and 63-101. AF program offices are required to comply with AFI policies. AFIs don't generally apply to the contractor except as implemented through the contract. Often, program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that by having two sets of requirements, AFIs for program offices and MIL-STD-882-Tailored for contractors, full compliance with AF Orbital Safety policy should be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question “How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?”


Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G. McDougall, BS Physics, Naval Post-Graduate School (NPS) Master System Engineering, System Safety Center SMC/SE, El Segundo, CA, USA; Tyrone Jackson, BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA

Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommissioning and disposal of systems, subsystems, end items and services during the entire space system lifecycle to support Operational Safety, Suitability and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements that are applicable to the acquisition of space systems or space systems of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems and user equipment systems. SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP_I and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process for evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing tasks and activities required to execute a viable system safety program that include risk acceptance package development, hazard tracking, mishap risk disposition and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch, CO, USA

United Launch Alliance launches Atlas V and Delta IV from Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles. Large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle and prelaunch operations, till liftoff. Range Safety regulations provide safety requirements for hardware, software and operations to ensure safety throughout the ground processing. This paper will examine each stage of the ground processing for space launch and the applicable safety requirements, and discuss how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after the personnel are cleared, using safety-critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday 08/15/13 AM, Clarendon: Weapons Safety (Chair: Southwick)

Security Critical Software — the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S. Alborzi, PhD, Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA

Today's political landscape, the arbitrary abandonment of non-proliferation of nuclear weapons by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense to system safety. This paper intends to explore this integration and unveil some of the security critical software that can serve as the first line of defense for preserving the safety critical features of our weapons systems.


Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams, BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello, BSChE, Navy NOSSA, Indian Head, MD, USA

The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance provided in the associated AOP-7 and AOP-39 for implementing policy. Questions are often raised during program development and reviews as to the origin and applicability of tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, will only address Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE; Gunendran Sivapragasam, MBA SE; Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA

A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among those characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday 08/15/13 AM, Dartmouth: Hazard Identification (Chair: Oliver)

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore

We often ask ourselves why accidents or mishaps happened even when the system safety methodology and assessments were in place. Accidents happen due to many possible causes. There could be lapses in the safety integrity of the system, or a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns, where a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations that were faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practices in system safety. There are 4 areas of concern highlighted in the paper: Interfaces; Prototype Tests & Trials; Maintenance & Disposal; and Human Error. By identifying the gaps in these 4 areas, the author explores and proposes mitigation measures that could possibly close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr. Cand. scient., System Safety, SINTEF, Trondheim, Norway

Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body for certification according to IEC 61508, a Notified Body for certification according to relevant EU directives, and a Manufacturer.

Experience has shown that, to deliver the product in time and to be cost-effective, it is very important that the Manufacturer and the Certification and Notified Bodies agree about basic principles concerning the plans, contents, traceability and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Body as evidence.

This paper presents the CoVeR method that has been developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, that costs are minimized, that time to market is reduced, that the certification process is complete and well documented, and that updates of the certificates require less work. The certification experiences to date show that many of the problems with conventional methods are improved.

Design with Safety Eye
Barış Berk Erdem, MS; Pinar Aydin, MS; Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey

Deriving safety requirements in the early stages of the design is one of the most important key factors in conducting a successful development process for any project. As well-defined, correct, consistent and complete safety requirements improve and guide the design to perfect levels with minimum effort, defective, inconsistent and incorrect safety requirements may lead to unsuccessful, overweight and over-cost designs. In this paper, ways and advantages of deriving qualified safety requirements in early stages of the design will be discussed via examples. Safety requirements are derived using the results of the safety assessments based on the consequences of functional failures. But the quality of safety assessments is based on the maturity of the design, and also, as the design matures, it is hard to change and implement the changes, thus causing a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated and familiar with similar projects provides great contributions. Also, a safety perspective throughout the design team makes it easy to derive valuable safety requirements and carry these requirements into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is cooperation of the whole design team with a safety perspective.

Thursday 08/15/13 PM, Berkeley: Aerospace Software (Chair: Beecher)

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway, NASA Langley Research Center, Hampton, VA, USA

For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance “for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements”. Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments contained in or implied by the DO-178C guidance that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore, developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels and Baconian probability. We define use cases for confidence in safety cases, prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for reuse of safety elements.

Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System
Eric Yang, PhD; Richard Y. Xie, PhD; Arash Yousefi, PhD; Metron Aviation, Inc., Dulles, VA, USA

As demand for military, civilian and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety that is set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper we adapt a previously developed safety modeling framework, Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS, incompatibility of sense-and-avoid systems of UAS and Tactical Collision Avoidance Systems (TCAS) of manned aircraft, loss-link procedures in the UAS, and the UAS loss of communication with air traffic control. The findings of this study provide insight into potential risks of UAS integration and may support development of the concept of operation, establishing minimum performance standards and developing required safety nets.

Thursday 08/15/13 PM, Clarendon: Public Safety II (Chair: Laabs)

Integrating System Safety and Emergency Management
Terry L. Hardy, Great Circle Analytics LLC, Denver, CO, USA

System safety is an engineering and management discipline used to analyze hazards, evaluate risk and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to and recover from an incident that threatens life, property, operations or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS, HSE, Marine Well Containment Company, Houston, TX, USA

Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess and Statoil. In February 2011, MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS and Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach for working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.


A Taxonomic Analysis on Chinese Special Equipments “Yinhuan” in Supervision
Yunxiao Fan, Dr., Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety on the worksite. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices and automobiles. In recent years, the rapid increase in the numbers and types of special equipment has brought BSES increasing stress in special equipment regulation. As a government supervision organization, BSES tries to make the inspection tasks of the different supervision levels explicit and efficient and to improve safety management performance from the viewpoint of risk. This research is the first task in the project, which aims to identify yinhuans in special equipment supervision through a taxonomy approach, for further ranking them through risk assessment. Based on nonconformity and the 4 elements in the accident causation model, this research defined yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. This research identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans across 8 types of special equipment.

Thursday 08/15/13 PM, Dartmouth: Hazard/Risk Management II (Chair: Kniess)

Towards Automatic Verification of Safety Properties in AADL System ModelsStefan Bjoumlrnander MSc1 Patrick J Graydon PhD2 Rikard Land PhD1 (1) Maximatecc Vaumlsterarings Sweden (2) School Of Innovation Design and Engineering Maumllardalen University Vaumlsterarings SwedenIn some domains standards such as ISO 26262 or the UK Ministry of Defencersquos Defence Standard 00-56 require developers to produce a safety case As the safety case for a complex system can be rather large automated verification of all or part of it would be valuable

We have approached the issue by designing a method supported by a framework including analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL) In our approach the safety case predicates are defined in a subset of the functional language Meta Language (ML)

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence; it can ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA
United Launch Alliance (ULA) believes error reporting is the corner-stone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012 ULA experienced an elevated number of transportation related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if the associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data
• Statistical Quality Control P-Charting analysis indicates processes were "in control" during the period of this study

ProgramISSC2013


Even though statistical analysis tools demonstrated ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.
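The abstract names the P-chart as the test for "in control" but does not show the arithmetic. What follows is an added worked example, not ULA's own code, data or Event definition: a Shewhart p-chart (fraction nonconforming) computed over constructed monthly subgroups, where each subgroup carries the number of opportunities (here taken to be shipments, an assumption) and the number of Events recorded. Because subgroup sizes differ, the control limits are computed per subgroup around the pooled fraction p̄. The sample data deliberately contain one elevated period so that the out-of-control flag fires; the paper's real data, which it reports as in control, are not on the page.

```python
"""p-chart (fraction-nonconforming control chart) over constructed event data.

Added example, not ULA's own code or data: each subgroup is one reporting
period with the number of opportunities (assumed here to be shipments) and
the number of Events recorded.  Limits follow the standard Shewhart p-chart
with per-subgroup limits, since subgroup sizes differ.
"""
from dataclasses import dataclass
from math import sqrt
from typing import List, Tuple


@dataclass(frozen=True)
class Subgroup:
    period: str
    size: int        # opportunities for an Event in the period (constructed)
    defectives: int  # Events recorded in the period (constructed)


# Constructed sample: eight monthly periods, one with a spike in Events.
SAMPLE_EVENTS: List[Subgroup] = [
    Subgroup("2012-01", 40, 2),
    Subgroup("2012-02", 45, 3),
    Subgroup("2012-03", 50, 2),
    Subgroup("2012-04", 38, 1),
    Subgroup("2012-05", 42, 3),
    Subgroup("2012-06", 48, 2),
    Subgroup("2012-07", 44, 9),   # elevated number of Events
    Subgroup("2012-08", 46, 2),
]


def p_chart(subgroups: List[Subgroup], sigma_multiplier: float = 3.0) -> Tuple[float, list]:
    """Return (p_bar, rows); each row holds p_i, its limits and an out-of-control flag.

    p_bar is the pooled fraction sum(d_i) / sum(n_i).  For subgroup i the
    limits are p_bar +/- k * sqrt(p_bar * (1 - p_bar) / n_i); the lower
    limit is clipped at 0 and the upper limit at 1.
    """
    if not subgroups:
        raise ValueError("no subgroups supplied")
    for s in subgroups:
        if s.size <= 0 or not 0 <= s.defectives <= s.size:
            raise ValueError(f"bad subgroup {s.period}")
    total_n = sum(s.size for s in subgroups)
    total_d = sum(s.defectives for s in subgroups)
    p_bar = total_d / total_n
    rows = []
    for s in subgroups:
        p_i = s.defectives / s.size
        half_width = sigma_multiplier * sqrt(p_bar * (1.0 - p_bar) / s.size)
        ucl = min(1.0, p_bar + half_width)
        lcl = max(0.0, p_bar - half_width)
        rows.append({
            "period": s.period,
            "p": p_i,
            "ucl": ucl,
            "lcl": lcl,
            "out_of_control": p_i > ucl or p_i < lcl,
        })
    return p_bar, rows


def out_of_control_periods(subgroups: List[Subgroup]) -> List[str]:
    """Periods whose fraction of Events falls outside the 3-sigma limits."""
    _, rows = p_chart(subgroups)
    return [r["period"] for r in rows if r["out_of_control"]]


if __name__ == "__main__":
    p_bar, rows = p_chart(SAMPLE_EVENTS)
    print(f"p-bar = {p_bar:.4f}")
    for r in rows:
        flag = "OUT" if r["out_of_control"] else "ok"
        print(f"{r['period']}  p={r['p']:.4f}  LCL={r['lcl']:.4f}  "
              f"UCL={r['ucl']:.4f}  {flag}")
```

A single point beyond the limits is the chart's signal to investigate that period rather than proof of a broken process; with the constructed data only 2012-07 is flagged, and the other seven periods, including the low month 2012-04, sit inside their limits because the lower limit for these subgroup sizes clips to zero.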

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, PEng, MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece
Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how the STAMP Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents and incidents. The objective is to show the feasibility of establishing, in airports, system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems and airports to assess and predict changing levels of risk.


Special Functions

Saturday
SSS Executive Council Meeting, 12:00 - 5:00pm, Tremont Room

Sunday
SSS Executive Council Meeting, 8:00am - 5:00pm, Tremont Room

Monday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Opening Ceremonies / General Session, 1:30 - 3:30am, Salons A-E. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow Member Emeritus
Keynote Speaker: James P. Keller Jr., MS, ECRI Institute

Tuesday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Sponsor/Exhibitor Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology
Sponsor & Exhibitor Reception, 6:30 - 8:30pm, Gloucester Room

Wednesday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
International Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK
Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00pm. Be in the hotel lobby at 6:00pm.

Thursday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Awards Luncheon, 11:30 - 1:20pm, Salons A-E

Friday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Best Papers Presentations, 8:00 - 11:20am, Dartmouth Room


32nd International System Safety Conference, 4-8 August 2014 · St. Louis, MO
St. Louis Union Station Marriott Hotel
Gateway to Safety

Local Attractions
• Gateway Arch Riverfront
• Missouri History Museum
• Museum of Transportation
• St. Louis Cardinals
• St. Louis Symphony
• St. Louis Union Station
• St. Louis Science Center
• The Contemporary Art Museum St. Louis
• Bissell Mansion Restaurant and Dinner Theater
• Missouri Botanical Gardens
• Laumeier Sculpture Park
• Anheuser-Busch Brewery
• Kemp Auto Museum
• Schlafly Bottleworks
• Fox Theater
• Purina Farms
• Meramec Caverns
• Laclede's Landing
• City Museum
• Magic House
• Grant's Farm
• St. Louis Zoo
• Delmar Loop
• Forest Park
• Harrah's
• Six Flags


About the System Safety Society
The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program or activity at the planning phase and continues through the design, production, testing, use and disposal phases.

The Society's Objectives
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070; www.system-safety.org; email: systemsafety@system-safety.org

Points of Contact

Officers
Robert Schmedake, President, robertaschmedake@boeing.com
Dr. Rod Simmons, Executive Vice President, rodsimmons@me.com
Dr. Matt Johnson, Executive Secretary, mjohnson@staudertech.com
Pam Kniess, Treasurer, pamkniess@gmail.com
Gary Braman, Immediate Past President, gbraman@sikorsky.com

Directors
Gerry Einarsson, Chapter Services, einargk@rogers.com
Lynece Pfledderer, Conferences, Lynecepfledderer@lmco.com
Dr. Chuck Muniak, Education & Professional Development, cmuniak@stevens.edu
Debbie Hale, Gov. & Intersociety, Hale0324@hotmail.com
Robert Fletcher, International Development, rwfletcher@sympatico.ca
Melissa Emery, Member Services, memery@apt-research.com
Steve Mattern, Mentoring, R&D, smattern@bastiontechnologies.com
Saralyn Dwyer, Publicity & Media, sdwyer@apt-research.com


Chapters
Tennessee Valley Chapter, AL: Don Swallom, swallom@isss-tvc.org
Saguaro Chapter, AZ: Amanda Boysun, 520-794-5487, AmandaBoysun@raytheon.com
Bay Area Chapter, CA: Graham Murray, 408-756-2674, grahamtmurray@lmco.com
Central California Chapter, CA: Kathleen Brenna, KathleenBrenna1@us.af.mil
Sierra High Desert Chapter, CA: Jerry Banister, 760-377-4690, safetycitadel@earthlink.net
Southern California Chapter, CA: Francis McDougall, 310-653-1309, francismcdougall@us.af.mil
Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppe@comcast.net
Georgia Chapter: Terry Gooch, 770-494-3527, terryjgooch@gmail.com
Winners Circle Chapter, KY/IN: Marc Bever, 812-854-1351, Marcbever@navy.mil
Twin Cities Chapter, MN: Bill Blake, 763-744-5086, billblake@atk.com
New England Chapter: Alan E. Southwick, 401-842-2067, Alan_E_Southwick@raytheon.com
Northeast Chapter: Scott Beecher, scottbeecher@pw.utc.com
New Mexico Chapter, NM: William (Bill) Harwood, williamharwood@mda.mil
Houston Chapter, TX: Derek Robins, 281-335-2011, derekrobbins@mwcc-usa.com
North Texas Chapter, TX: Frank Rinaldo, 817-762-3075, frankrrinaldo@lmco.com
Washington DC Chapter: Sean Peters, seanpeters@urs.com
Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerber@baesystems.com

International Chapters
Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbecht@rgbassurance.com.au
Canada Chapter: Maury Hill, 613-220-0533, Mauryhill@rogers.com
Israel Chapter: Haim Kuper, 972-4-8315044, haimkuper@elbitsystems.com
Singapore Chapter: Ten Lin Mei, tlinmei@dso.org.sg


31st ISSC Luncheon Menu

Tuesday, August 13
New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14
Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15
Caesar Salad
Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce
White Chocolate and Blood Orange Torte


Paper Presentations

Monday 08·12·13 AM, Berkley: Hazard Analysis, Chair: Barondes

Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models
Lucas Wind, Dr. Gabriele Schedl, Juergen Floetzer, Safety Management Department, Frequentis AG, 1100 Vienna, Austria
Multiple failures of components due to shared causes, also known as Common Cause Failures (CCF), comprise an important class of failure types. These have to be taken into account in any serious assessment of safety critical systems deploying any redundancy concept. Whereas a qualitative assessment of CCF can be regarded as common practice, the exact numerical impact of CCF is usually less widely understood. Explicit representation of CCF is quite cumbersome and usually involves complex graphical representations within Fault Trees and RBDs. Focusing on a correct derivation of RAM data rather than on a comprehensive common cause analysis, an implicit representation of CCF is therefore often preferred, but it involves in-depth knowledge of the underlying mathematical models. This paper aims to enable safety experts to make a fast, simple but effective RAM analysis including CCF. Popular CCF models are reviewed together with their advantages and disadvantages, based on the long-term experience of a supplier in the context of a large European ATM project. The single-parameter beta-factor model is explained in detail and demonstrated to be most effective for typical ATM applications. Based on this model, results are given in terms of representative figures depicting the influence of CCF on various typical real-world availability requirements.
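The abstract says the beta-factor model is "explained in detail" in the paper, but the page gives only its name. The block below is an added worked example, not code from the paper or from Frequentis, of the usual way the single parameter β is applied: each channel's failure rate λ is split into an independent share (1 - β)λ and a common-cause share βλ, and for a 1-out-of-2 redundant pair the common-cause block is treated as a single item in series with the redundant pair. The steady-state unavailability formula λ/(λ + μ) for a repairable item, the 1oo2 architecture, and the numbers λ = 1e-4/h, MTTR = 8 h and the β values are all my assumptions for illustration; the paper's own figures are not on the page.

```python
"""Beta-factor common cause failure (CCF) model for a 1-out-of-2 redundant pair.

Added example (not from the paper or Frequentis): splits each channel's
failure rate lambda into an independent part (1 - beta) * lambda and a
common-cause part beta * lambda, then combines steady-state unavailabilities.
All parameter values below are constructed for illustration only.
"""


def steady_state_unavailability(failure_rate: float, repair_rate: float) -> float:
    """q = lambda / (lambda + mu) for a repairable item with exponential failure and repair."""
    if failure_rate < 0.0 or repair_rate <= 0.0:
        raise ValueError("failure rate must be >= 0 and repair rate > 0")
    return failure_rate / (failure_rate + repair_rate)


def one_out_of_two_unavailability(failure_rate: float, repair_rate: float, beta: float) -> dict:
    """Unavailability of a 1oo2 pair under the beta-factor model.

    Independent failures must take down both channels (product of the two
    independent unavailabilities); a common-cause failure takes both down at
    once and is modelled as one block in series with the redundant pair.
    Returns the contributions separately so their relative size can be seen.
    """
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must lie in [0, 1]")
    lam_ind = (1.0 - beta) * failure_rate   # independent share of the failure rate
    lam_ccf = beta * failure_rate           # common-cause share
    q_ind = steady_state_unavailability(lam_ind, repair_rate)
    q_pair_independent = q_ind * q_ind      # both channels failed independently
    q_ccf = steady_state_unavailability(lam_ccf, repair_rate)
    # Series combination: the system is down if either block is down.
    q_system = 1.0 - (1.0 - q_pair_independent) * (1.0 - q_ccf)
    return {
        "independent": q_pair_independent,
        "common_cause": q_ccf,
        "system": q_system,
    }


def ccf_penalty_factor(failure_rate: float, repair_rate: float, beta: float) -> float:
    """Ratio of the 1oo2 unavailability with CCF to the value obtained when CCF is ignored."""
    with_ccf = one_out_of_two_unavailability(failure_rate, repair_rate, beta)["system"]
    without = one_out_of_two_unavailability(failure_rate, repair_rate, 0.0)["system"]
    return with_ccf / without


if __name__ == "__main__":
    LAMBDA = 1e-4    # constructed: one failure per 10,000 h per channel
    MU = 1.0 / 8.0   # constructed: 8 h mean time to repair
    for beta in (0.0, 0.01, 0.05, 0.10):
        r = one_out_of_two_unavailability(LAMBDA, MU, beta)
        print(f"beta={beta:.2f}  independent={r['independent']:.3e}  "
              f"ccf={r['common_cause']:.3e}  system={r['system']:.3e}")
```

With these constructed values the common-cause term exceeds the independent double-failure term by roughly two orders of magnitude at β = 0.1, which is the abstract's point in numbers: an availability figure for a redundant system that omits CCF is not credible, and the choice of β matters far more than the redundancy arithmetic.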

Identification of Safety Critical System Hardware and Software Requirements Using Fault Trees
Wes Rainey, MSEE, Life Cycle Engineering, General Dynamics Electric Boat, Groton, CT, USA
Fault Trees prove to be an effective tool for identifying safety critical system hardware and software requirements during the Safety Requirements Hazard Analysis (SRHA) process. This safety analysis methodology offers significant benefits when performing the SRHA. Fault Trees effectively communicate the safety assessment of a safety hazard to other safety engineers, systems engineers, the customer and other impacted engineering disciplines in a manner that each discipline can readily understand and evaluate for completeness and correctness. Fault Trees also enhance the safety engineer's ability to assess the implications of safety mishaps and events on safety hazards, improving visibility into the relationship between related mishaps and events and allowing common events to be identified and shared between hazards. Fault Trees can then be structured to correspond to the system hardware and software requirements analysis, thus providing the ability to identify hazard-mitigating safety critical requirements, design features and procedures early in the development process for continued tracking and management. This paper describes the significant benefits of Fault Tree analysis when applied to an SRHA, with an example based upon a hazard caused by significant equipment damage to a pump.

The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment
Omar T. Jaradat, PhD Student (1); Patrick J. Graydon, Postdoctoral Research Fellow (1); Iain Bate (2). (1) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden; (2) Department of Computer Science, University of York, York, United Kingdom
Typical safety standards require software engineers to show that a plan of safety activities, chosen from recommended options or alternatives, meets a set of objectives. For example, the automotive safety standard ISO 26262 recommends formally verifying software architectures to show that they comply with safety requirements. In this paper we show how an existing approach to architectural model checking could be used to conform to ISO 26262.

The Architecture-Based Verification Technique for AADL Specifications verifies some completeness and consistency properties of Architectural Analysis and Design Language (AADL) models. An engineer transforms the AADL architecture into a UPPAAL model, generates a set of UPPAAL queries and uses UPPAAL to check the queries. Using the resulting evidence, we have created a partial ISO 26262 safety case for an existing system that warns drivers of heavy vehicles before low fuel causes loss of power and vehicle control.

In this paper we demonstrate how this model-checking evidence contributes to an ISO 26262 safety case. We then critically analyze the resulting argument, recommend means of achieving complete coverage of ISO 26262 objectives, and discuss the costs and benefits of architectural model checking in comparison to those of the other techniques recommended by ISO 26262.

Monday 08·12·13 AM, Clarendon: Ground Transportation, Chair: Millin

Achieving Confidence of a Safety Critical System Product and Its Applications
Fenggang Shi, PhD, RAMS Department, Thales Canada Transportation Solutions, Toronto, ON, Canada
A safety critical system product can be developed for multiple project applications, such as a Communication Based Train Control (CBTC) product for modern railway signaling systems. It is natural that different safety critical systems in the same domain can have different characteristics due to variances of devices and operation environment. Such a product must be developed based on the generic attributes of systems in the domain, and can be parameterized and tailored to a specific system with the characteristics expected by the customer. The key issues in the development of such a product are defining common functions in the application domain, categorizing and generalizing devices, and designing a configurable system architecture. Thus devices and functions can be parameterized and tailored for the specific system of a project. Safety engineering for such a safety critical system product and its applications faces complexity in safety case development for demonstrating systematic hazard analyses and management. This paper discusses Thales' experience and practice of resolving the key issues in designs and managing the complexity of safety engineering on its CBTC product and applications. Safety confidence of CBTC systems is achieved through four layers of safety engineering: vital computer controller platform, generic application and specific application.

Failure Logic Automata for Future Oriented Safety Assessment of Train Control System
Guo Zhou, PhD Student; Huibing Zhao, Professor; School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China
In the development process of a train control system, safety analysis possibly deviates from system design. System engineers and safety engineers always carry out their ideas in entirely different ways, so that when system engineers assert their designs are complete and feasible, the safety engineers may disappointedly declare that the safety requirements are not met. On the contrary, when safety engineers expose their manual analysis reports (FTA, FMECA, etc.), system engineers may pop up and point out inconsistencies. Intuitively, there seems to be a "gap" between system engineering and safety engineering. In this paper, some comparisons amongst classic safety assessment methods are performed first. Then a future oriented safety assessment method is introduced to safety engineering to automatically realize safety requirements verification with the soaring complexity of system design. The hierarchical and modularized methodology of failure logic modeling is illustrated for minimal cut set synthesis and dangerous failure rate calculation, which can be referred to in order to promote safety. A mathematical model is constructed to demonstrate the correctness of the method. An instance analysis of an on-board train protection system is also performed.

Are We Ready for Driverless Cars?
David B. West, CSP, PE, CHMM, AMCOM/AMRDEC Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
For decades, technological advancements have continually improved the automobile, making it easier to drive. As we integrate features like adaptive cruise control, GPS navigation, lane keeping and so on, and make them interoperable, we move ever closer to having cars that will drive themselves to the destinations we enter into their programs. Some experts have even predicted that in less than a generation it will be illegal to steer our cars ourselves. Though it may seem that serious safety challenges constrain our movement down this path, it may actually be the safety benefits offered by driverless cars that propel us in this direction. Several high-profile competitions have fostered the development of driverless car technology. Some jurisdictions are already passing legislation to pave the way for driverless cars on public roads. With driverless cars will come major changes in legal processes involving accidents. In many ways the development of driverless cars that will operate on public roadways parallels the development of unpiloted aircraft that will fly in the national airspace. Design standards for hardware and software in civil aircraft (e.g., RTCA DO-254/DO-178) may serve as models for similar qualification of driverless car hardware and software.

Tuesday 08·13·13 AM, Berkley: Hazard/Risk Management, Chair: Parizo

Safety is not an Option
Clifford A. Parizo, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Stratford, CT, USA; R. Brandon Daugherty, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Huntsville, AL, USA
This paper presents a method for evaluating and classifying rotorcraft safety enhancing equipment in terms of impact on safety and various equipment implementation factors. Guidance from certifying agency policy and system safety standard practice were considered, resulting in a classification tool that can be used to determine if equipment should be marketed and sold as either mandatory or optional. The methodology developed may have applications for other products and industries.

National Aerospace Standard 411 Update
Timothy Sheehan, CIH, CSP, PE, Raytheon Global Substances Program, Raytheon, Portsmouth, RI, USA
This paper describes the effort to review and update National Aerospace Standard 411 ("NAS 411"), commonly used within defense as a framework to conduct Hazardous Material Management Programs (HMMP) intended to reduce hazardous material risks in the government procurement of military systems. The scope of the effort includes both a review of the standard and the introduction of several key changes, including the expansion of the scope to non-military procurements and service contracts. Included in the effort is the task of developing a standardized military Hazardous Materials Target List (HMTL) that can be used as a starting point for military HMMP hazardous material (HAZMAT) target lists. The development of the common HMTL addresses the need to increase standardization of HMMP lists across defense programs that use NAS 411 and/or MIL-STD-882E Task 108 to conduct their HMMPs. There is no current standard approach for developing these lists; as a result there are numerous different materials identified for restrictions and reporting requirements. The current situation often does not support (or reflect) the hazmat risk management goals of the DoD, the military services or the contractors.

Linear Integrated Safety Analyses (LISA)
Michael T. Grant, Aviation & Product Safety, Sikorsky Aircraft Corp., Stratford, CT, USA; Samad Muhammad, Atlantic Software Technologies Inc., New York, NY, USA
This paper describes the Linear Integrated Safety Analyses (LISA) process developed by the Sikorsky Aircraft Corporation (Sikorsky). The LISA architecture is designed to encompass all aspects of safety risk management for aircraft development programs. It is linear in that each assessment is repeated at the aircraft, system and subsystem levels in sequence, and it is integrated such that all analyses are connected and fully traceable to requirements. Sikorsky has partnered with Atlantic Software Technologies (AST) to develop a web-based LISA application. The end product will be a fully integrated system safety process that is comprehensive, repeatable and traceable.

Tuesday 08·13·13 AM, Clarendon: Workspace Safety, Chair: Kondreck

Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chefs' Uniforms Against Thermal Hazards in the Kitchen
Han Zhang, MSc Candidate; Rachel McQueen, MS, PhD; Jane Batcheller, PhD; Human Ecology, University of Alberta, Edmonton, Alberta, Canada
Burn injuries in kitchens are prevalent; as well, chefs are exposed to high heat and humidity. Limited research has been performed on safety issues related to chefs' uniforms regarding thermal protective performance towards common kitchen thermal hazards (i.e., flames, hot liquids, steam and hot surfaces) and thermal comfort within commercial kitchens. The purpose of this research was to characterize the thermal protective performance properties of textiles used in chefs' uniforms in order to understand how protective they are against all these thermal hazards in such an environment. Selected thermal performance tests (i.e., flammability and ease of ignition, hot water and oil splash, steam testing under low pressure and hot surface contact tests) were applied to predict the time to second-degree burn. Different fabric layer combinations (e.g., impermeable/semipermeable apron and two or more layers of cotton fabrics) were applied to determine the most effective way to wear chefs' uniforms. In addition, thermal and water vapour resistance were compared among different fabric systems in terms of thermal comfort. Based on the data obtained from bench scale tests, recommendations were made to improve the thermal protection and thermal comfort of fabrics used in chefs' uniforms and the safety within commercial kitchens.

A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources
Ray Fischer (1); Kurt Yankaskas, BS (2); Chris Page (1). (1) Noise Control Engineering Inc., Billerica, MA, USA; (2) Warfighter Performance Department, Office of Naval Research, Arlington, VA, USA
Noise remains the most prevalent occupational hazard associated with defense systems and the operations critical to their sustainment. Concurrently, acquisition programs have been inconsistent in the application of control measures, and many new systems are noisier than their legacy predecessors. Common impediments to improved control include a relative lack of emphasis on risk management of noise, lack of widespread technical knowledge regarding the feasibility of noise control, and misunderstanding of the potential return on investment from noise controls. The Defense Safety Oversight Council's Acquisition and Technology Task Force sponsored a project to identify common noise sources affecting multiple defense systems that were amenable to control measures that could be implemented using existing technologies at an affordable cost. A system engineering risk management process was applied to review key noise sources in DOD, identify nine of the more common sources amenable to control technologies, and describe common control measures for these processes. An affordable containment (acoustic enclosure) technology was also evaluated and described. Estimates were made of exposed populations, the range of their occupational exposures, and the potential risk and fiscal cost of hearing loss. Cost-benefit analyses were applied to evaluate the return on investment from available control measures.

System Safety Design for Safe Operation of Radars
Ronald J. Bartos, PE, CSP, Whole Life Engineering, Raytheon, Sudbury, MA, USA
Safe operation and maintenance of radars depends upon effective system safety and software safety analyses of radar designs. These analyses include identification of the hazards involved in operating and maintaining radars and the safety requirements that are necessary to mitigate these hazards. This paper familiarizes the reader with the system safety design requirements that are implemented in the controls of these systems in order to manage the potential safety risks inherent in radars. The safety features are contrasted among different types of radars. The differences in the types of safety features among these systems are highlighted and the factors behind these differences are presented. The radar's mission, location, system architecture, conceptual design and requirements allocation between hardware and software need to be understood in order to implement an effective safety program.

Tuesday 08·13·13 PM, Berkley: Software Engineering, Chair: Mikula

Dependability Techniques Applied to Space Software - A Research Project Report
Carlos Henrique Netto Lahoz, Dr. Eng., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos (SP), Brazil; Martha Adriana Dias Abdala, M.S., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos, Brazil
This work reports some results of a research project performed at the Institute of Aeronautics and Space (IAE), Brazil, using dependability techniques applied to a space computer system. Hazard analysis techniques such as Software FTA and Software FMECA were used in an integrated manner, and more recently the System-Theoretic Process Analysis (STPA) has been studied. This research is part of the Verification and Validation (V&V) efforts to increase software dependability capability in software projects at IAE.

The feasibility of such an approach was assessed on a system software specification and applied to a case study based on the Brazilian Launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to the inclusion of new functional and non-functional system software.

The techniques are adjusted and used in combination to identify common causes of software failures, their criticality, performance problems, temporal misleading and hazards arising mainly from dysfunctional interactions between components. The SFTA analysis produced 82 basic events, and the SFMECA 34 analyses from the sequence of flight and control events. The STPA is being applied to one of the case study scenarios in order to evaluate possible additional information about how the behavioural safety constraints can be violated.

The Principles of Software Safety Assurance
Richard Hawkins, PhD; Ibrahim Habli, PhD; Tim Kelly, PhD; Department of Computer Science, University of York, York, United Kingdom
We present common principles of software safety assurance that can be observed from software safety standards and best practice. These principles are constant across domains and across projects, and can be regarded as the immutable core of any software safety justification. The principles also help maintain understanding of the 'big picture' of software safety issues whilst examining and negotiating the detail of individual standards, and provide a reference model for cross-sector certification.


Formal Modelling in the Development of Dependable Systems
Elena Troubitsyna, PhD, IT, Åbo Akademi University, Turku, Finland
Nowadays we tend to place increasing reliance on computer-based systems and the software which they are running. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, the analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.

It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing of software to the required degree of dependability infeasible, and hence the emphasis should be put on the development process, which is aimed at producing fault-free software. Moreover, the system environment has a direct impact on its dependability, and hence a systems approach should be applied.

In the paper we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.

Tuesday 08·13·13 PM, Clarendon: Aerospace Safety, Chair: Kraemer

Systems-Based Approach to Flight Safety Management in Airlines
Hong Chi, PhD; Baoguang Xu, PhD; Mingliang Qi, PhD; Xueyan Shao, PhD; Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China
Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of SMS. From 2006 we have worked with one of China's 3 big airlines, taking part in its construction of an SMS. We find that safety risks have their own features in the different departments of an airline, and divide safety risks into two categories: one is caused by factors such as the quality of pilots and the reliability of airplanes, and the other is caused by misprocessing within operational processes; for example, a misprocessing in data entry during dispatching may lead to insufficient fuel and then serious outcomes. A reasonable risk assessment can be obtained only by systematic mechanism analysis, and other analytical approaches need to be studied besides the risk matrix. Based on this, effective risk mitigation can be implemented in airlines. We develop a closed loop to support an airline's flight safety management, named "Describing-Assessing-Diagnosing-Improving-Tracking". Specific details will be discussed in this paper.

Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch
Burak Durmaz, MSc Eng., Product Assurance Department, Space Systems Group, Turkish Aerospace Industries Inc. (TAI), Ankara, Turkey
Even if the new generation aircraft have rugged designs which maximize reliability, exposure to failures during operation is still indispensable. With a pure safety approach, one can arrive at the classical result "the safest aircraft is the one in the hangar". Vice versa, allowing dispatch without ensuring a certain level of safety can lead to catastrophic results and is totally not acceptable. MMEL has been answering this dilemma for many years. Each MMEL item is analyzed taking into account the effects of item inoperability on safe flight and landing, crew workload, functional capabilities of the systems, design margins and the impacts due to the next critical failure. MMEL proposes dispatch criteria for any inoperative MMEL item by taking credit from a redundant unit which is capable of accomplishing the same function, the backup data provided by alternative sources or equipment, dictating acceptable limitations and/or requiring operational or maintenance procedures.

This study aims to answer questions such as why MMEL is required and how an MMEL is developed. Also, brief information about the MMEL regulations, the importance of MMEL to ensure safe dispatch with inoperative item(s), and some simple examples regarding MMEL applications are going to be provided.

Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics
Stuart Campbell Sr MAS CFII ATP, Aeronautical Science, Embry Riddle Aeronautical University, Daytona Beach, FL, USA

The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilot Association 2010). The absence of a positive safety culture in general aviation, to include training organizations, affects pilot judgment and decision making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture during the learning process and training, is of importance and currently under study using the Frasca Mentor Advance Aviation Training Device.

TUESDAY 08/13/13 PM | DARTMOUTH | SOFTWARE SAFETY | Chair: Schmedake

Safety and/vs Security: Towards a System Engineering Approach for Trust
Erwin Schoitsch Dipl-Ing, Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria

Safety has a long tradition in many engineering disciplines, evolving long before computers arrived on the scene. Security in engineering disciplines has a shorter history, becoming increasingly important with the rising complexity of networked systems. In complex cyber-physical systems and systems-of-systems, both worlds, having ignored each other for a long time (independent communities, different targets, standards, techniques and measures), now have to share their concerns to achieve the real goal of users and stakeholders: trustworthy systems.

The paper will compare the different approaches of the major safety and security standards, particularly with respect to setting goals, considering techniques and measures, and qualification/certification. Holistic system aspects, as covered by the notion of Dependability and Resilience as umbrella terms, and system engineering aspects taking into account dichotomic properties of complex embedded systems (commonalities and trade-offs), are looked at to try to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from the concept phase, hazard and risk analysis, to decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC-FP7 Integrated Project OpenCoss, work in IEC/ISO standardization groups, and other work.

Anatomy of a Safety Critical Software Function
Richard Church, Raytheon Company, Tewksbury, Massachusetts, USA

This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides a clear and concise determination of how a safety critical function may be defined at the system level, to include hardware, software, human interactions and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose SLSCF computing level functions and details what constitutes a Safety Critical Computing Software Function (SCCSF) and how to identify those behavioral attributes that designate that function as safety critical. This paper provides a methodology to identify, decompose and categorize application and operating environment SCCSFs. For the purpose of this paper, SCCSFs are categorized into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety critical software functions that control and monitor safety critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies, and fail-safe designs found in successful high consequence safety critical systems.

Software Risk: The Third Rail of Safety Analysis
Holly S Hildreth PhD, Consultant; Charles Greg Elcock, USN-R Aviator, Consultant; San Diego, CA, USA

"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Due to our inability to assess the probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called "throwing the baby out with the bath water". Meanwhile, the recent industry trend to assess software risk based solely on implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss shortcomings of this trend and describe alternative techniques that have not been openly documented but that have been used "under the radar" by software safety professionals for many years.

WEDNESDAY 08/14/13 AM | BERKELEY | HUMAN FACTORS | Chair: Robins

ASL - Affective Safety Leadership
Ulrik Ramsing, Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark

Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how", demanding the CoRep to engage with all parties in a safe, professional and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged with CfL Centre for Leadership to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, of which the satisfactory completion is now a requirement for employment in DONG E&P Offshore Operation as Company Representative.

The CoRep Program satisfies its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors, and ILO-driven offshore coaching.

Exxon Valdez: Human Error, Plain and Simple
Arthur D Barondes BS (Mil Engr) MS (Aero) MBA PhD (ABD) (Business), Analytics International Corporation (AIC), Alexandria, VA, USA

Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989, and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors (there were no mechanical or electrical failures that fateful night), the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots, and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors, onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company, as solely responsible for the disaster.

Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A Vernacchia MS PE, Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A Green PhD, Active Safety Systems, General Motors, Warren, MI, USA; Robert E Llaneras PhD, Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA

Today's electric propulsion system designs (e.g. Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, some failure modes may result in the failure effect on output torque being realized significantly faster than traditional ICE failure modes. These may present differences in how output torque responses impact potential "Driver Startle" events.

This paper compares electric propulsion systems' fault response characteristics and subsequent detection and mitigation capabilities to those of ICE systems. The effects of the electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle level hazard metrics related to Driver Startle, are presented.

WEDNESDAY 08/14/13 AM | CLARENDON | PUBLIC SAFETY | Chair: Fletcher

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng PhD, Yun Luo, Shuo Tian MS, School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

To make scientific precaution and effective control of accidents is important for the national production of China. The famous Heinrich Rule reveals that the statistical law of the severity and frequency of accidents is essential to control accidents, but the accidental source and causation, as well as the essence of systematic safety factors, haven't been stated deeply. With the data analysis from various accident statistics over recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. And then a proportion rule of the accident pyramid is further figured out, namely "Major Accident-Fatal Accidents-General Accidents-Hidden Dangers-Hazards" (1-52-240-4700-∞). The result accords with the traditional Heinrich Rule, which provides the theoretical basis for accident prevention and indicates the way and direction of realizing essential safety.

Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity
Ilya M Zheleznov PhD, VNIIA, Moscow, Russia

The paper presents a review and results of analysis of different technical and economic aspects of industrial safety at a large enterprise with distributed sites, combining R&D work with pilot and batch production of high-tech products, and located in a megacity, Moscow.

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to the optimization, considering minimization of transportation of dangerous substances, localization of treatment facilities (waste effluents, gas purification) and waste storehouses, localization of systems for maintaining working conditions (heating, air-conditioning, air cleaning, water supply, etc.), possible harm to the population, and a number of other factors, from both technical and economic points of view, are considered.

The features connected with the arrangement of the enterprise in a megacity, including limitation of the areas for treatment facilities, a high saturation of the area by various communications, small distances to residential buildings and objects of city infrastructure, transport problems, high impurity of the air environment, etc., are allocated.

Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr Professor GA Smirnov, Dr DI Yurkov, DV Syagin, TV Kozhina, All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia

The paper reviews the questions related to vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including those of a terrorist orientation, as well as to emergency situations of natural and anthropogenic character.

The main provisions of the complex program of safety of the population on transport, approved by the Russian Government, are presented. Approaches to the organization of examination of physical persons (passengers), vehicles, cargoes, luggage and personal things at objects of the transport infrastructure of the undergrounds of Russia are formulated. Some types of neutron and x-ray equipment for detection of explosives, nuclear materials and drugs, designed and produced by VNIIA named after N.L. Duhov, are presented.

WEDNESDAY 08/14/13 AM | DARTMOUTH | LIFECYCLE SAFETY | Chair: Swallom

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore, Singapore

System Safety analyses assess the systems' hazards throughout all phases of the system life cycle. Quite often, details of maintenance tasks on systems were not clearly thought out and assessed. Hence, while in the midst of carrying out system maintenance tasks, hazards could arise and pose safety implications to users. Improper maintenance could also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance and sometimes total replacement of the components at regular intervals are required. Therefore, it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety critical or safety related parts is also crucial in ensuring that the systems remain safe for operation after conducting maintenance.

This paper attempts to classify the different types of maintenance and the focuses of their respective hazard analyses in order to better address their potential hazards. Generally there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance and Reliability-Centered Maintenance. The authors will discuss, with examples, the hazard analysis for each of these types of maintenance.

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram, David Hartfelder, Electronic Controls and Software, General Motors Company, Milford, MI, USA

System safety engineering is the application of special technical methods and managerial processes in a systematic manner to identify, evaluate and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned with eliminating or minimizing the impact of system hazard(s) to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementary critical safety analyses, tests and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that they are able to influence the design of the system. This paper will define a system safety case and provide an overview of its development within the GM system safety engineering process as applied to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA

Error Prevention Event Collection (EPEC) Documents have been beneficial to the ULA Organization in many ways, by providing multiple methods to augment current ULA Error Prevention Processes and share Lessons Learned throughout the ULA Organization. EPEC Documents are stand-alone documents that provide ULA Personnel with categorized sets of Event information that can be used to augment Preventive Analysis, Reactive Analysis and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process. This means that they have completed the Causal Analysis, Corrective Action Board and Error Prevention Council processes. Upon Event closure, the "All Items" Database is populated with Event information and the applicable Event EPEC Categories. Then the "All Items" Database automatically sorts Event entries into "Category" Databases. There is one "Category" Database for each EPEC Category. Each "Category" Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" Database that provides users with instructions for use, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications and benefits will continue to be explored as they relate to the EPEC Documents.

WEDNESDAY 08/14/13 AM | EXETER | HUMAN FACTORS II | Chair: Flint

Development of Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu MPsy, Yanyan Wang DE, Xin Liu, Wei Bai, Xinsheng Guo, Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China

Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress is a disadvantage for flight safety. Life events are a routine item of aircraft accident investigation in many countries. A lot of pilots involved in accidents were suffering from life events. In order to acquire the ideal effect, flight safety education must be incorporated with psychology. An education program combining flight safety and psychological stress was developed by summarizing the psychological factors relative to aviation risk perception. The program includes three sections, which are psychological measurement relative to safety and results feedback, education on representative risk scenes in aviation, and occupational stress management. The aviation safety locus of control scale and the hazardous aviation attitude questionnaire were used to evaluate risk patterns. The results were fed back to pilots to improve their self-knowledge. Representative risk scenes were based on the five hazardous attitudes theory. Fifteen cases were developed and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach the pilots stress management skills. The program can be applied to improve flight safety and the mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang MD, Xin Liu, Wei Bai, Xinsheng Guo, Qingfeng Liu MPsy, Xiaochao Guo DPsy, Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China

The capabilities of crew resource management (CRM) directly relate to flight safety and run through the whole process of flight tasks, but there are currently still no indicators and methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and pilots' behavior characteristics of dynamic CRM were developed based on AC-121-FS-2011-41 crew resource management training and by analyzing the influential factors; thus eventually the dynamic assessment training indicators and methods of crew resource management were formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis of assessment of CRM during flight training, which is helpful to improve the CRM capabilities of the double drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar PE PhD, Erin Collins, Hughes Associates Inc, Baltimore, MD, USA

The fire protection response in selected facilities is characterized by "manual" activities. That is, facility personnel are trained to immediately react after fire detection, not only to announce the fire event throughout the facility using the communication systems, but also to suppress the fire as quickly as possible. Contrary to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e. hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper involves an integration of an event tree analysis and HRA, which includes treatment of the following detection and suppression activities: prompt detection and suppression, rapid detection and suppression, and fire brigade suppression.
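As an added illustration (example code written for this program listing, not code from the Joglar and Collins paper), the event-tree structure the abstract describes can be quantified in a few lines of Python. The three lines of defence are walked in the order the abstract gives them, each attempted only if the previous one failed. All human error probabilities (HEPs) and fire frequencies below are constructed sample values, and the adjustment for successive actions by the same crew uses THERP-style dependence levels, which is an assumption of this example; the abstract does not say which dependence model the authors used.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LineOfDefence:
    name: str
    hep: float              # human error probability: P(this manual action fails)
    same_crew: bool = True  # attempted by the crew whose earlier action just failed?


# Constructed sample HEPs for illustration only; a real HRA derives them from
# task analysis, available time, cues and training.
FIRE_RESPONSE = [
    LineOfDefence("prompt detection and suppression", 0.30),
    LineOfDefence("rapid detection and suppression", 0.10),
    LineOfDefence("fire brigade suppression", 0.05, same_crew=False),
]

# THERP-style conditional failure probability of an action given that the same
# crew's preceding action failed (assumption of this example, not of the paper).
DEPENDENCE = {
    "zero": lambda p: p,
    "low": lambda p: (1.0 + 19.0 * p) / 20.0,
    "moderate": lambda p: (1.0 + 6.0 * p) / 7.0,
    "high": lambda p: (1.0 + p) / 2.0,
    "complete": lambda p: 1.0,
}


def end_state_probabilities(tree, p_fire=1.0, dependence="zero"):
    """Walk the event tree: line i is attempted only if lines 0..i-1 all failed,
    so its HEP is conditioned on that prior failure when the same crew acts.
    Returns {end_state: probability}; the values sum to p_fire."""
    adjust = DEPENDENCE[dependence]
    states = {}
    remaining = p_fire  # probability mass still on the "every line failed so far" path
    for i, line in enumerate(tree):
        p_fail = adjust(line.hep) if (i > 0 and line.same_crew) else line.hep
        states["suppressed by " + line.name] = remaining * (1.0 - p_fail)
        remaining *= p_fail
    states["unsuppressed fire"] = remaining
    return states


def unsuppressed_probability(tree, p_fire=1.0, dependence="zero"):
    return end_state_probabilities(tree, p_fire, dependence)["unsuppressed fire"]


# Constructed fire scenarios: (fire frequency per year, response tree). The cable
# room starts fewer fires, but nobody is present to notice them promptly.
SCENARIOS = {
    "occupied control room": (1.0e-2, [
        LineOfDefence("prompt detection and suppression", 0.05),
        LineOfDefence("rapid detection and suppression", 0.05),
        LineOfDefence("fire brigade suppression", 0.05, same_crew=False),
    ]),
    "unattended cable spreading room": (2.0e-3, [
        LineOfDefence("prompt detection and suppression", 0.50),
        LineOfDefence("rapid detection and suppression", 0.20),
        LineOfDefence("fire brigade suppression", 0.05, same_crew=False),
    ]),
}


def rank_scenarios(scenarios=SCENARIOS, dependence="moderate"):
    """Unsuppressed-fire frequency per scenario, worst first: the screening step
    that points at where detection and suppression capability needs improving."""
    ranked = [(name, unsuppressed_probability(tree, freq, dependence))
              for name, (freq, tree) in scenarios.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for model in ("zero", "moderate"):
        print(model, "dependence:", end_state_probabilities(FIRE_RESPONSE, dependence=model))
    print(rank_scenarios())
```

Two things the numbers make visible: treating the crew's successive actions as independent multiplies three small HEPs and understates the unsuppressed-fire probability by a large factor compared with even moderate dependence, and the scenario with the lower fire frequency can still dominate the ranking once the feasibility of prompt manual detection is accounted for.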

WEDNESDAY 08/14/13 PM | BERKELEY | SAFETY TOPICS | Chair: Gauthier

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou BEng MSc PhD CEng, Matthew Luckcuck, Tim Kelly PhD, Richard W Jones PhD, Department of Computer Science, University of York, York, United Kingdom

There has been an increasing use of IT in healthcare, aiming to improve the healthcare quality as well as the safety delivered to patients. IT can contribute to improvement in meeting the performance targets of hospitals by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent in medical devices (e.g. pacemakers), for which there are organised efforts for international standards. Recently there have been attempts to systematise and standardise the safety analysis of health IT systems, with examples such as the UK National Health Service standards asking for a safety case that any IT systems are safe.

The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety and data intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these (tactics) can be used to provide assurance to the final safety case of the system.

How Complex Systems Fail - I: Decomposition of the Failure Histogram
Richard R Zito PhD, Richard R Zito Research LLC, Tucson, AZ, USA

Peterson and Arellano (2002) have shown in a seminal paper published in Reliability Review that, in general, the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model. And the failure histograms (failure rate vs time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report will take the Peterson/Arellano analysis one step further. A unified theory of failure rates will be presented that removes the paradoxes of the simple Rayleigh model. It will be shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function law.
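To make the "heavy tail" effect the abstract refers to concrete, here is an added Python example (written for this listing; it is not code or data from Zito's paper). It builds a system out of a few subsystems, each failing according to its own Rayleigh law, and compares the mixed failure histogram with the single Rayleigh law that a peak-matched fit would report. The four subsystem modes are constructed values standing in for "modes distributed according to a pdf"; the sampled failure times are simulated, not observed data.

```python
import math
import random

# Constructed subsystem modes (assumed values, not data from the paper): four
# Rayleigh laws whose peaks are spread over a wide range.
SUBSYSTEM_MODES = [2.0, 4.0, 8.0, 16.0]


def rayleigh_pdf(t, sigma):
    """Density of a Rayleigh law; sigma is its mode (peak of the failure histogram)."""
    if t < 0.0:
        return 0.0
    return (t / sigma ** 2) * math.exp(-t ** 2 / (2.0 * sigma ** 2))


def rayleigh_sf(t, sigma):
    """Survival function P(T > t): share of the failures still to come after time t."""
    if t < 0.0:
        return 1.0
    return math.exp(-t ** 2 / (2.0 * sigma ** 2))


def mixture_pdf(t, modes=SUBSYSTEM_MODES):
    """Equal-weight mixture: one Rayleigh law per subsystem."""
    return sum(rayleigh_pdf(t, s) for s in modes) / len(modes)


def mixture_sf(t, modes=SUBSYSTEM_MODES):
    return sum(rayleigh_sf(t, s) for s in modes) / len(modes)


def mixture_hazard(t, modes=SUBSYSTEM_MODES):
    """Instantaneous failure rate f(t)/S(t) of the mixture. A single Rayleigh law
    has the linear hazard t/sigma^2; the mixture flattens out well below that."""
    return mixture_pdf(t, modes) / mixture_sf(t, modes)


def mixture_mode(modes=SUBSYSTEM_MODES, t_max=60.0, steps=6000):
    """Peak of the mixed failure histogram, found by grid search. A single-Rayleigh
    fit driven by the histogram peak would adopt this value as its sigma."""
    best_t, best_f = 0.0, -1.0
    for i in range(steps + 1):
        t = t_max * i / steps
        f = mixture_pdf(t, modes)
        if f > best_f:
            best_t, best_f = t, f
    return best_t


def tail_comparison(t, modes=SUBSYSTEM_MODES):
    """Probability mass beyond t under the mixture versus under the peak-matched
    single Rayleigh law. Returns (mixture_tail, single_rayleigh_tail)."""
    sigma_fit = mixture_mode(modes)
    return mixture_sf(t, modes), rayleigh_sf(t, sigma_fit)


def sample_failure_times(n, modes=SUBSYSTEM_MODES, seed=1):
    """Simulate n failures: pick a subsystem, then draw a Rayleigh variate by
    inverting the CDF, t = sigma * sqrt(-2 ln U) with U uniform on (0, 1]."""
    rng = random.Random(seed)
    times = []
    for _ in range(n):
        sigma = rng.choice(modes)
        u = 1.0 - rng.random()  # lies in (0, 1], so log(u) is finite
        times.append(sigma * math.sqrt(-2.0 * math.log(u)))
    return times


def failure_histogram(times, bin_width=2.0, n_bins=20):
    """Counts per time bin; the last bin collects everything beyond the range."""
    counts = [0] * n_bins
    for t in times:
        counts[min(int(t // bin_width), n_bins - 1)] += 1
    return counts


if __name__ == "__main__":
    mix_tail, single_tail = tail_comparison(20.0)
    print(f"peak-matched sigma = {mixture_mode():.2f}")
    print(f"P(T > 20): mixture = {mix_tail:.4f}, single Rayleigh = {single_tail:.2e}")
    print(failure_histogram(sample_failure_times(5000)))
```

The peak of the mixed histogram sits close to the smallest subsystem mode, so a fit that matches the peak predicts essentially no failures late in life, while the mixture still carries well over a tenth of its mass past that point; that is the shape of the discrepancy the abstract describes.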

WEDNESDAY 08/14/13 PM | CLARENDON | RISK ASSESSMENT | Chair: Karedes

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt, Joan Pham PhD, Sikorsky Aircraft Corporation, Stratford, Connecticut, USA

The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

THURSDAY 08/15/13 AM | BERKELEY | SPACE SYSTEMS | Chair: Durmaz

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X Dang BSCE (1), Myles P Moran BSME (2), Tyrone Jackson BSEE (1); (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA

A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. An example: one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 AFSPCSUP1, 91-217 and 63-101. AF program offices are required to comply with AFI policies. AFIs don't generally apply to the contractor except as implemented through the contract. Often program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that by having two sets of requirements, AFIs for program offices and MIL-STD-882-Tailored for contractors, full compliance with AF Orbital Safety policy should be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"

Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G McDougall BS Physics, Naval Post-Graduate School (NPS) Master System Engineering, System Safety Center SMC/SE, El Segundo, CA, USA; Tyrone Jackson BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA

Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommission and disposal of systems, subsystems, end items and services during the entire space system lifecycle to support Operational Safety, Suitability and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements that are applicable to the acquisition of space systems or space systems of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems and user equipment systems. SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP_I and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process for evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing tasks and activities required to execute a viable system safety program that include risk acceptance package development, hazard tracking, mishap risk disposition and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch, CO, USA

United Launch Alliance launches Atlas V and Delta IV from Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles. Large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle and prelaunch operations, until liftoff. Range Safety regulations provide safety requirements for hardware, software and operations to ensure safety throughout the ground processing. This paper will examine each stage of the ground processing for space launch and the applicable safety requirements, and discuss how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after the personnel are cleared, using safety critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

THURSDAY 08/15/13 AM | CLARENDON | WEAPONS SAFETY | Chair: Southwick

Security Critical Software - the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S Alborzi PhD, Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA

Today's political landscape, the arbitrary abandonment of non-proliferation of nuclear weapons by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense of system safety. This paper intends to explore this integration and unveil some of the security critical software that can serve as the first line of defense for preserving the safety critical features of our weapons systems.

Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C Adams BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello BSChE, Navy NOSSA, Indian Head, MD, USA

The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance provided in the associated AOP-7 and AOP-39 for implementing policy. Questions are often raised during program development and reviews as to the origin and applicability of tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, will only address Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE; Gunendran Sivapragasam, MBA SE; Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA
A Science and Technology (S&T) or Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among the characteristics unique to these projects.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down groundwork that can be built upon for the same weapon system if it later becomes an acquisition program of record.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday 08·15·13 AM · Dartmouth · Hazard Identification · Chair: Oliver

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore
We often ask ourselves why accidents or mishaps happen even when a system safety methodology and assessments were in place. Accidents happen for many possible reasons: there could be lapses in the safety integrity of the system, a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknown ways in which a system is capable of functioning hazardously.

This paper discusses some of the situations faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving system safety practice. Four areas of concern are highlighted: Interfaces, Prototype Tests & Trials, Maintenance & Disposal, and Human Error. By identifying the gaps in these four areas, the author explores and proposes mitigation measures that could close them and improve the overall safety coverage when developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr., Cand. scient., System Safety, SINTEF, Trondheim, Norway
Certification of products according to IEC 61508 and European directives implies a certification process involving a Certification Body (for certification against IEC 61508), a Notified Body (for certification against the relevant EU directives) and the Manufacturer.

Experience has shown that, to deliver the product on time and cost-effectively, it is very important that the Manufacturer, the Certification Body and the Notified Body agree on basic principles concerning the plans, contents, traceability and quality of the documentation the Manufacturer develops and both bodies use as evidence.

This paper presents the CoVeR method developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, minimizes cost, reduces time to market, keeps the certification process complete and well documented, and makes updating the certificates less work. Certification experience to date shows that many of the problems of conventional methods are reduced.

Design with Safety Eye
Barış Berk Erdem, MS; Pinar Aydin, MS; Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey
Deriving safety requirements in the early stages of design is one of the most important factors in a successful development process for any project. Well-defined, correct, consistent and complete safety requirements improve and guide the design with minimum effort, whereas defective, inconsistent and incorrect safety requirements may lead to unsuccessful, overweight and over-budget designs. This paper discusses, through examples, ways of deriving qualified safety requirements in the early stages of design and the advantages of doing so. Safety requirements are derived from the results of safety assessments based on the consequences of functional failures. But the quality of a safety assessment depends on the maturity of the design, and as the design matures it becomes hard to implement changes; this creates a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated and familiar with similar projects provides great benefit. A safety perspective throughout the design team also makes it easier to derive valuable safety requirements and carry them into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is cooperation of the whole design team with a safety perspective.

Thursday 08·15·13 PM · Berkeley · Aerospace Software · Chair: Beecher

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway, NASA Langley Research Center, Hampton, VA, USA
For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means of receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process of recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements." Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, it describes the current status of research seeking to identify the specific arguments contained in or implied by the DO-178C guidance that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels and Baconian probability. We define use cases for confidence in safety cases, prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for reuse of safety elements.

Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System
Eric Yang, PhD; Richard Y. Xie, PhD; Arash Yousefi, PhD; Metron Aviation, Inc., Dulles, VA, USA
As demand for military, civilian and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of the integrated system to the target level of safety set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper we adapt a previously developed safety modeling framework, the Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS, incompatibility between the sense-and-avoid systems of UAS and the Traffic Collision Avoidance Systems (TCAS) of manned aircraft, loss-link procedures in the UAS, and UAS loss of communication with air traffic control. The findings of this study provide insight into potential risks of UAS integration and may support development of a concept of operations, establishment of minimum performance standards, and development of the required safety nets.

Thursday 08·15·13 PM · Clarendon · Public Safety II · Chair: Laabs

Integrating System Safety and Emergency Management
Terry L. Hardy, Great Circle Analytics LLC, Denver, CO, USA
System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to and recover from an incident that threatens life, property, operations or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts are integrated, and personnel with expertise in these disciplines work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Such organizations may not be taking full advantage of the skills, experience and insights that trained personnel from each discipline have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS, HSE, Marine Well Containment Company, Houston, TX, USA
Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips and Shell recognized the need to improve well containment response capabilities for a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company that would develop, maintain and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess and Statoil. In February 2011 MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper provides an overview of MWCC, its ICS, and the Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, together with an overview of the safety aspects of maintaining and deploying these systems. This includes our approach to working with member companies on hazard identification to establish a baseline and on areas for continuous improvement of our safety systems.

The current system is maintained in a state of readiness, which the paper also addresses.


A Taxonomic Analysis of Chinese Special Equipment "Yinhuan" in Supervision
Yunxiao Fan, Dr., Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety on the worksite. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices and automobiles. In recent years the rapid increase in the number and types of special equipment has put increasing pressure on BSES's regulatory work. As a government supervision organization, BSES is trying to make the inspection tasks at each supervision level explicit and efficient and to improve safety management performance from a risk-based viewpoint. This research is the first task in a project that aims to identify yinhuans (latent hazards) in special equipment supervision through a taxonomic approach, so that they can later be ranked through risk assessment. Based on nonconformity and the four elements of the accident causation model, this research defined yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. It identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans across 8 types of special equipment.

Thursday 08·15·13 PM · Dartmouth · Hazard/Risk Management II · Chair: Kniess

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1); Patrick J. Graydon, PhD (2); Rikard Land, PhD (1). (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework that includes analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence; it can ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA
United Launch Alliance (ULA) believes error reporting is the cornerstone of an effective Error Prevention program. ULA treats every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented and shared Event data since 2007, and analysis confirms that Event severity and cost have steadily declined over this period.

In 2012 ULA experienced an elevated number of transportation-related Events in a relatively short period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine whether the associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates the processes were "in control" during the period of this study.

Even though statistical analysis tools demonstrated ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business; rather, ULA strives to eliminate all errors.
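The p-chart the ULA paper applies is a standard attributes control chart: the pooled error fraction p_bar is the centre line, and each period gets limits of p_bar plus or minus 3*sqrt(p_bar*(1-p_bar)/n_i), where n_i is that period's number of opportunities. The Python below is an added example written for this page, not ULA's analysis, code or data; the monthly event counts are constructed, with a deliberate spike in period 7. It flags periods whose observed fraction falls outside the limits and carries the caveat a practitioner needs: when the expected events per period (n_i*p_bar) are well under about 5, the normal approximation behind 3-sigma limits is rough, so a flagged point is a prompt to investigate rather than proof of a special cause.

```python
from math import sqrt

# Constructed sample (not ULA data): per-period (error events, opportunities),
# e.g. shipments handled per month. Period 7 carries a deliberate spike.
SAMPLE = [(2, 120), (1, 110), (3, 130), (2, 125), (1, 115),
          (2, 118), (9, 122), (2, 128), (1, 119), (3, 124)]


def p_chart(samples, k=3.0):
    """Return (p_bar, rows). Each row holds a period's observed fraction and
    its k-sigma limits; limits vary per period because sample sizes differ."""
    total_events = sum(events for events, _ in samples)
    total_n = sum(n for _, n in samples)
    p_bar = total_events / total_n          # centre line: pooled error fraction
    rows = []
    for period, (events, n) in enumerate(samples, start=1):
        sigma = sqrt(p_bar * (1.0 - p_bar) / n)
        ucl = p_bar + k * sigma
        lcl = max(0.0, p_bar - k * sigma)   # a fraction cannot go below zero
        p = events / n
        rows.append({
            "period": period, "n": n, "p": p, "ucl": ucl, "lcl": lcl,
            "out_of_control": p > ucl or p < lcl,
            # the normal approximation is rough when expected events are few
            "approx_ok": n * p_bar >= 5.0,
        })
    return p_bar, rows


def out_of_control_periods(samples, k=3.0):
    """Periods whose observed fraction lies outside the k-sigma limits."""
    _, rows = p_chart(samples, k)
    return [r["period"] for r in rows if r["out_of_control"]]


def is_in_control(samples, k=3.0):
    """True when no period breaches its control limits."""
    return not out_of_control_periods(samples, k)


if __name__ == "__main__":
    p_bar, rows = p_chart(SAMPLE)
    print(f"centre line p_bar = {p_bar:.4f}")
    for r in rows:
        flag = "OUT" if r["out_of_control"] else "ok"
        note = "" if r["approx_ok"] else " (few expected events; limits approximate)"
        print(f"period {r['period']:2d} n={r['n']} p={r['p']:.4f} "
              f"LCL={r['lcl']:.4f} UCL={r['ucl']:.4f} {flag}{note}")
    print("in control:", is_in_control(SAMPLE))
```

With the constructed data the centre line is 26/1211 (about 0.021), period 7 (9 events in 122 opportunities, p about 0.074) exceeds its upper limit of about 0.061, and every lower limit clamps to zero; replacing the spike with a typical count leaves all periods inside the limits.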

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, PEng, MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece
Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators based on the timely capture of significant sets of data can provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper describes how STAMP-Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents and incidents. The objective is to show the feasibility of establishing, in airports, system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems and airports to assess and predict changing levels of risk.

Special Functions

Saturday: SSS Executive Council Meeting, 12:00 - 5:00pm, Tremont Room

Sunday: SSS Executive Council Meeting, 8:00am - 5:00pm, Tremont Room

Monday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Opening Ceremonies / General Session, 1:30 - 3:30pm, Salons A-E. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus
Keynote Speaker: James P. Keller Jr., MS, ECRI Institute

Tuesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Sponsor/Exhibitor Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology
Sponsor & Exhibitor Reception, 6:30 - 8:30pm, Gloucester Room

Wednesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
International Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK
Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00pm. Be in the hotel lobby at 6:00pm.

Thursday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Awards Luncheon, 11:30am - 1:20pm, Salons A-E

Friday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Best Papers Presentations, 8:00 - 11:20am, Dartmouth Room


32nd International System Safety Conference
4-8 August 2014 · St. Louis, MO
St. Louis Union Station Marriott Hotel
Gateway to Safety

Local attractions:
• Gateway Arch Riverfront
• Missouri History Museum
• Museum of Transportation
• St. Louis Cardinals
• St. Louis Symphony
• St. Louis Union Station
• St. Louis Science Center
• The Contemporary Art Museum St. Louis
• Bissell Mansion Restaurant and Dinner Theater
• Missouri Botanical Gardens
• Laumeier Sculpture Park
• Anheuser-Busch Brewery
• Kemp Auto Museum
• Schlafly Bottleworks
• Fox Theater
• Purina Farms
• Meramec Caverns
• Laclede's Landing
• City Museum
• Magic House
• Grant's Farm
• St. Louis Zoo
• Delmar Loop
• Forest Park
• Harrah's
• Six Flags

About the System Safety Society
The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program or activity at the planning phase and continues through the design, production, testing, use and disposal phases.

The Society's Objectives
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering and other professional groups

System Safety Society, Inc., PO Box 70, Unionville, VA 22567-0070
www.system-safety.org · email: systemsafety@system-safety.org

Points of Contact

Officers
Robert Schmedake, President: robertaschmedakeboeingcom
Dr. Rod Simmons, Executive Vice President: rodsimmonsmecom
Dr. Matt Johnson, Executive Secretary: mjohnsonstaudertechcom
Pam Kniess, Treasurer: pamkniessgmailcom
Gary Braman, Immediate Past President: gbramansikorskycom

Directors
Gerry Einarsson, Chapter Services: einargkrogerscom
Lynece Pfledderer, Conferences: Lynecepfleddererlmcocom
Dr. Chuck Muniak, Education & Professional Development: cmuniakstevensedu
Debbie Hale, Gov & Intersociety: Hale0324hotmailcom
Robert Fletcher, International Development: rwfletchersympaticoca
Melissa Emery, Member Services: memeryapt-researchcom
Steve Mattern, Mentoring R&D: smatternbastiontechnologiescom
Saralyn Dwyer, Publicity & Media: sdwyerapt-researchcom

chaPterSTennessee Valley Chapter AL Don Swallom swallomisss-tvcorg

Saguaro Chapter AZ Amanda Boysun 520-794-5487 AmandaBoysunraytheoncom

Bay Area Chapter CA Graham Murray 408-756-2674 grahamtmurraylmcocom

Central California Chapter CA Kathleen Brenna KathleenBrenna1usafmil

Sierra High Desert Chapter CA Jerry Banister 760-377-4690 safetycitadelearthlinknet

Southern California Chapter CA Francis McDougall 310-653-1309 francismcdougallusafmil

Colorado Chapter Terry Foppe 303-915-8353 terryfoppecomcastnet

Georgia Chapter Terry Gooch 770-494-3527 terryjgoochgmailcom

Winners Circle Chapter KYIN Marc Bever 812-854-1351 Marcbevernavymil

Twin Cities Chapter MN Bill Blake 763-744-5086 billblakeatkcom

New England Chapter Alan E Southwick 401-842-2067 Alan_E_Southwickraytheoncom

Northeast Chapter Scott Beecher scottbeecherPWutccom

New Mexico Chapter NM William (Bill) Harwood williamharwoodmdamil

Houston Chapter TX Derek Robins 281-335-2011 derekrobbinsmwcc-usacom

North Texas Chapter TX Frank Rinaldo 817-762-3075 frankrrinaldolmcocom

Washington DC Chapter Sean Peters seanpetersurscom

Virtual Chapter Doanna Weissgerber 408-289-4407 DoannaWeissgerberbaesystemscom

International ChaptersAustralia Chapter Dr Holger Becht +61 (0)7 3868 9243 holgerbechtrgbassurancecomau

Canada Chapter Maury Hill 613-220-0533 Mauryhillrogerscom

Israel Chapter Haim Kuper 972-4-8315044 haimkuperelbitsystemscom

Singapore Chapter Ten Lin Mei tlinmeidsoorgsg


31st ISSC Luncheon Menu

Tuesday, August 13
New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14
Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15
Caesar Salad
Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce
White Chocolate and Blood Orange Torte

case for an existing system that warns drivers of heavy vehicles before low fuel causes loss of power and vehicle control

In this paper we demonstrate how this model-checking evidence contributes to an ISO 26262 safety case We then critically analyze the resulting argument recommend means of achieving complete coverage of ISO 26262 objectives and discuss the costs and benefits of architectural model checking in comparison to those of the other techniques recommended by ISO 26262

Monday 08·12·13 AM · Clarendon · Ground Transportation · Chair: Millin

Achieving Confidence of a Safety Critical System Product and Its Applications
Fenggang Shi, PhD, RAMS Department, Thales Canada Transportation Solutions, Toronto, ON, Canada
A safety critical system product can be developed for multiple project applications, such as a Communication Based Train Control (CBTC) product for modern railway signalling systems. It is natural that different safety critical systems in the same domain have different characteristics due to variations in devices and operating environment. Such a product must be developed from the generic attributes of systems in the domain and be parameterized and tailored to a specific system with the characteristics the customer expects. The key issues in developing such a product are defining common functions in the application domain, categorizing and generalizing devices, and designing a configurable system architecture, so that devices and functions can be parameterized and tailored for a specific project's system. Safety engineering for such a product and its applications faces complexity in safety case development when demonstrating systematic hazard analysis and management. This paper discusses Thales's experience and practice in resolving these key design issues and managing the complexity of safety engineering on its CBTC product and applications. Safety confidence in CBTC systems is achieved through four layers of safety engineering: vital computer controller platform, generic product, generic application and specific application.

Failure Logic Automata for Future Oriented Safety Assessment of Train Control System
Guo Zhou, PhD Student; Huibing Zhao, Professor; School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China
In the development of a train control system, safety analysis can diverge from system design. System engineers and safety engineers often work in entirely different ways, so that when the system engineers assert their design is complete and feasible, the safety engineers may declare that the safety requirements are not met; conversely, when the safety engineers present their manual analysis reports (FTA, FMECA, etc.), the system engineers may point out inconsistencies. Intuitively there is a "gap" between system engineering and safety engineering. In this paper some comparisons among classic safety assessment methods are performed first. Then a future-oriented safety assessment method is introduced to safety engineering to verify safety requirements automatically as design complexity soars. A hierarchical and modular failure logic modelling methodology is illustrated for minimal cut set synthesis and dangerous failure rate calculation, which can be used to improve safety. A mathematical model is constructed to demonstrate the correctness of the method. An instance analysis of an on-board train protection system is also performed.
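Minimal cut set synthesis and the top-event probability derived from it, which the abstract above names as outputs of its failure logic model, can be shown on a small hand-built fault tree. The Python below is an added example written for this page; it is not the authors' Failure Logic Automata method or code. The gate structure, event names and basic-event probabilities are constructed for illustration, and the tree is stored as a plain dictionary of gates rather than in any particular tool's format. The expansion is the classic top-down (MOCUS-style) one: an OR gate unions its children's cut sets, an AND gate combines one cut set from each child, and supersets are dropped by absorption. The probability step assumes independent basic events and offers both the rare-event bound (sum of cut set products) and the exact inclusion-exclusion value, so the two can be compared.

```python
from itertools import combinations
from math import prod

# Constructed fault tree (not from the paper). Gates map to (type, children);
# any name that is not a gate is a basic event.
FAULT_TREE = {
    "TOP": ("OR", ["G1", "G2"]),   # constructed top event
    "G1": ("AND", ["A", "B"]),
    "G2": ("AND", ["A", "G3"]),
    "G3": ("OR", ["C", "D"]),
}
# Constructed per-demand failure probabilities of the basic events.
BASIC_EVENT_PROB = {"A": 0.01, "B": 0.10, "C": 0.05, "D": 0.02}


def minimize(cut_sets):
    """Apply the absorption law: drop any cut set that contains another."""
    minimal = []
    for s in sorted(cut_sets, key=len):          # shortest first
        if not any(m <= s for m in minimal):
            minimal.append(s)
    return set(minimal)


def minimal_cut_sets(tree, node):
    """Top-down expansion of `node` into its minimal cut sets (frozensets)."""
    if node not in tree:                          # basic event
        return {frozenset([node])}
    gate, children = tree[node]
    child_sets = [minimal_cut_sets(tree, c) for c in children]
    if gate == "OR":                              # any child cut set suffices
        combined = set().union(*child_sets)
    elif gate == "AND":                           # one cut set from every child
        combined = {frozenset()}
        for cs in child_sets:
            combined = {a | b for a in combined for b in cs}
    else:
        raise ValueError(f"unknown gate type {gate!r}")
    return minimize(combined)


def top_event_probability(mcs, probs, exact=True):
    """Top-event probability from minimal cut sets, assuming independent
    basic events. exact=False returns the rare-event upper bound."""
    mcs = list(mcs)
    if not exact:
        return sum(prod(probs[e] for e in s) for s in mcs)
    total = 0.0
    for k in range(1, len(mcs) + 1):              # inclusion-exclusion
        sign = 1.0 if k % 2 else -1.0
        for combo in combinations(mcs, k):
            union = frozenset().union(*combo)
            total += sign * prod(probs[e] for e in union)
    return total


if __name__ == "__main__":
    mcs = minimal_cut_sets(FAULT_TREE, "TOP")
    for s in sorted(mcs, key=sorted):
        print("minimal cut set:", "".join(sorted(s)))
    print("rare-event bound:", top_event_probability(mcs, BASIC_EVENT_PROB, exact=False))
    print("exact:           ", top_event_probability(mcs, BASIC_EVENT_PROB))
```

For the constructed tree the minimal cut sets are {A,B}, {A,C} and {A,D}, which makes A the single point of failure worth the most design attention. The rare-event bound is 0.0017 and the exact value is 0.001621, the same as computing P(A) times P(B or C or D) directly; the gap between the two grows as cut sets overlap more, which is why the bound should be presented as a bound.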

Are We Ready for Driverless Cars?
David B. West, CSP, PE, CHMM, AMCOM/AMRDEC Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
For decades, technological advancements have continually improved the automobile, making it easier to drive. As we integrate features like adaptive cruise control, GPS navigation, lane keeping and so on, and make them interoperable, we move ever closer to cars that will drive themselves to the destinations we enter into their programs. Some experts have even predicted that in less than a generation it will be illegal to steer our cars ourselves. Though it may seem that serious safety challenges constrain our movement down this path, it may actually be the safety benefits offered by driverless cars that propel us in this direction. Several high-profile competitions have fostered the development of driverless car technology. Some jurisdictions are already passing legislation to pave the way for driverless cars on public roads. With driverless cars will come major changes in legal processes involving accidents. In many ways the development of driverless cars for public roadways parallels the development of unpiloted aircraft for the national airspace. Design standards for hardware and software in civil aircraft (e.g., RTCA DO-254/DO-178) may serve as models for similar qualification of driverless car hardware and software.

Tuesday 08·13·13 AM · Berkeley · Hazard/Risk Management · Chair: Parizo

Safety is not an OptionClifford A Parizo BS MS Aviation amp Product Safety Sikorsky Aircraft Corporation Stratford CT USA R Brandon Daugherty BS MS Aviation amp Product Safety Sikorsky Aircraft Corporation Huntsville AL USAThis paper presents a method for evaluating and classifying rotorcraft safety enhancing equipment in terms of impact on safety and various equipment implementation factors Guidance from certifying agency policy and system safety standard practice were considered resulting in a classification tool that can be used to determine if equipment should be marketed and sold as either mandatory or optional The methodology developed may have applications for other products and industries

National Aerospace Standard 411 UpdateTimothy Sheehan CIH CSP PE Raytheon Global Substances Program Raytheon Portsmouth RI USAThis paper describes the effort to review and update National Aerospace Standard 411 (ldquoNAS 411rdquo) commonly used within defense as a framework to conduct Hazardous Material Management Programs (HMMP) intended to reduce hazardous material risks in the government procurement of military systems The scope of the effort includes both a review of the standard and the introduction of several key changes including the expansion of the scope to non-military procurements and service contracts Included in the effort is the task of developing a standardized military Hazardous Materials Target List (HMTL) that can be used as a starting point for military HMMP hazardous material (HAZMAT) target lists The development of the common HMTL addresses the need to increase standardization of HMMP lists across defense programs that use NAS 411 and or MIL-STD 882E Task 108 to conduct their HMMPs There is no current standard approach now for developing these lists as a result there are numerous different materials identified for restrictions and reporting requirements The current situation often does not support (or reflect) the hazmat risk management goals of the DoD the military services or the contractors

Linear Integrated Safety Analyses (LISA)
Michael T. Grant, Aviation & Product Safety, Sikorsky Aircraft Corp., Stratford, CT, USA; Samad Muhammad, Atlantic Software Technologies, Inc., New York, NY, USA
This paper describes the Linear Integrated Safety Analyses (LISA) process developed by the Sikorsky Aircraft Corporation (Sikorsky). The LISA architecture is designed to encompass all aspects of safety risk management for aircraft development programs. It is linear in that each assessment is repeated at the aircraft, system and subsystem levels in sequence, and it is integrated such that all analyses are connected and fully traceable to requirements. Sikorsky has partnered with Atlantic Software Technologies (AST) to develop a web-based LISA application. The end product will be a fully integrated system safety process that is comprehensive, repeatable and traceable.

Tuesday 08/13/13, AM, Clarendon: Workspace Safety (Chair: Kondreck)

Program ISSC 2013

Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen
Han Zhang, MSc Candidate; Rachel McQueen, MS, PhD; Jane Batcheller, PhD; Human Ecology, University of Alberta, Edmonton, Alberta, Canada
Burn injuries in kitchens are prevalent; as well, chefs are exposed to high heat and humidity. Limited research has been performed on safety issues related to chef's uniforms regarding thermal protective performance against common kitchen thermal hazards (i.e., flames, hot liquids, steam and hot surfaces) and thermal comfort within commercial kitchens. The purpose of this research was to characterize the thermal protective performance properties of textiles used in chef's uniforms in order to understand how protective they are against all of these thermal hazards in such an environment. Selected thermal performance tests (i.e., flammability and ease of ignition, hot water and oil splash, steam testing under low pressure, and hot surface contact tests) were applied to predict the time to second-degree burn. Different fabric layer combinations (e.g., impermeable/semipermeable apron and two or more layers of cotton fabrics) were applied to determine the most effective way to wear chef's uniforms. In addition, thermal and water vapour resistance were compared among different fabric systems in terms of thermal comfort. Based on the data obtained from bench-scale tests, recommendations were made to improve the thermal protection and thermal comfort of fabrics used in chef's uniforms and the safety within commercial kitchens.

A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources
Ray Fischer (1); Kurt Yankaskas, BS (2); Chris Page (1). (1) Noise Control Engineering Inc., Billerica, MA, USA; (2) Warfighter Performance Department, Office of Naval Research, Arlington, VA, USA
Noise remains the most prevalent occupational hazard associated with defense systems and the operations critical to their sustainment. Concurrently, acquisition programs have been inconsistent in their application of control measures, and many new systems are noisier than their legacy predecessors. Common impediments to improved control include a relative lack of emphasis on risk management of noise, a lack of widespread technical knowledge regarding the feasibility of noise control, and misunderstanding of the potential return on investment from noise controls. The Defense Safety Oversight Council's Acquisition and Technology Task Force sponsored a project to identify common noise sources affecting multiple defense systems that were amenable to control measures that could be implemented using existing technologies at an affordable cost. A system engineering risk management process was applied to review key noise sources in DOD, identify nine of the more common sources amenable to control technologies, and describe common control measures for these processes. An affordable containment (acoustic enclosure) technology was also evaluated and described. Estimates were made of exposed populations, the range of their occupational exposures, and the potential risk and fiscal cost of hearing loss. Cost-benefit analyses were applied to evaluate the return on investment from available control measures.

System Safety Design for Safe Operation of Radars
Ronald J. Bartos, PE, CSP, Whole Life Engineering, Raytheon, Sudbury, MA, USA
Safe operation and maintenance of radars depends upon effective system safety and software safety analyses of radar designs. These analyses include identification of the hazards involved in operating and maintaining radars and of the safety requirements that are necessary to mitigate these hazards. This paper familiarizes the reader with the system safety design requirements that are implemented in the controls of these systems in order to manage the potential safety risks inherent in radars. The safety features are contrasted among different types of radars; the differences in the types of safety features among these systems are highlighted, and the factors behind these differences are presented. The radar's mission, location, system architecture, conceptual design, and requirements allocation between hardware and software need to be understood in order to implement an effective safety program.

Tuesday 08/13/13, PM, Berkeley: Software Engineering (Chair: Mikula)

Dependability Techniques Applied to Space Software - A Research Project Report
Carlos Henrique Netto Lahoz, Dr. Eng., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos (SP), Brazil; Martha Adriana Dias Abdala, M.S., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos, Brazil
This work reports some results of a research project performed at the Institute of Aeronautics and Space (IAE), Brazil, applying dependability techniques to a space computer system. Hazard analysis techniques such as Software FTA and Software FMECA were used in an integrated manner, and more recently the System-Theoretic Process Analysis (STPA) has been studied. This research is part of the Verification and Validation (V&V) efforts to increase software dependability capability in software projects at IAE.

The feasibility of such an approach was evaluated on a system software specification and applied to a case study based on the Brazilian Launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to the inclusion of new functional and non-functional system software requirements.

The techniques are adjusted and used in combination to identify common causes of software failures, their criticality, performance problems, temporal misbehaviour, and hazards arising mainly from dysfunctional interactions between components. The SFTA analysis produced 82 basic events and the SFMECA 34 analyses from the sequence of flight and control events. The STPA is being applied to one of the case study scenarios in order to evaluate possible additional information about how the behavioural safety constraints can be violated.

The Principles of Software Safety Assurance
Richard Hawkins, PhD; Ibrahim Habli, PhD; Tim Kelly, PhD; Department of Computer Science, University of York, York, United Kingdom
We present common principles of software safety assurance that can be observed from software safety standards and best practice. These principles are constant across domains and across projects and can be regarded as the immutable core of any software safety justification. The principles also help maintain understanding of the 'big picture' of software safety issues whilst examining and negotiating the detail of individual standards, and provide a reference model for cross-sector certification.


Formal Modelling in the Development of Dependable Systems
Elena Troubitsyna, PhD, IT, Åbo Akademi University, Turku, Finland
Nowadays we tend to place increasing reliance on computer-based systems and the software they run. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, the analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.

It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing software to the required degree of dependability infeasible, and hence the emphasis should be put on a development process aimed at producing fault-free software. Moreover, the system environment has a direct impact on its dependability, and hence a systems approach should be applied.

In the paper we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.

Tuesday 08/13/13, PM, Clarendon: Aerospace Safety (Chair: Kraemer)

Systems-Based Approach to Flight Safety Management in Airlines
Hong Chi, PhD; Baoguang Xu, PhD; Mingliang Qi, PhD; Xueyan Shao, PhD; Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China
Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of SMS. Since 2006 we have worked with one of China's 3 big airlines, taking part in its construction of SMS. We find that safety risks have their own features in different airline departments, and we divide safety risks into two categories: one is caused by factors such as the quality of pilots and the reliability of airplanes, and the other is caused by misprocessing within operational processes; for example, a misprocessing in data entry during dispatching may lead to insufficient fuel and then to serious outcomes. A reasonable risk assessment can be obtained only by systematic mechanism analysis, and other analytical approaches need to be studied besides the risk matrix. Based on this, effective risk mitigation can be implemented in airlines. We develop a closed loop to support an airline's flight safety management, named "Describing-Assessing-Diagnosing-Improving-Tracking". Specific details will be discussed in this paper.

Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch
Burak Durmaz, MSc Eng, Product Assurance Department, Space Systems Group, Turkish Aerospace Industries Inc. (TAI), Ankara, Turkey
Even if new-generation aircraft have rugged designs that maximize reliability, exposure to failures during operation is still unavoidable. A pure safety approach can lead to the classical result that "the safest aircraft is the one in the hangar". Conversely, allowing dispatch without ensuring a certain level of safety can lead to catastrophic results and is totally unacceptable. The MMEL has been answering this dilemma for many years. Each MMEL item is analyzed taking into account the effects of item inoperability on safe flight and landing, crew workload, the functional capabilities of the systems, design margins, and the impacts of the next critical failure. The MMEL proposes dispatch criteria for any inoperative MMEL item by taking credit for a redundant unit capable of accomplishing the same function or for backup data provided by alternative sources or equipment, dictating acceptable limitations and/or requiring operational or maintenance procedures.

This study aims to answer questions such as why an MMEL is required and how an MMEL is developed. Brief information about the MMEL regulations, the importance of the MMEL in ensuring safe dispatch with inoperative item(s), and some simple examples of MMEL applications will also be provided.


Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics
Stuart Campbell Sr., MAS, CFII, ATP, Aeronautical Science, Embry Riddle Aeronautical University, Daytona Beach, FL, USA
The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilot Association, 2010). The absence of a positive safety culture in general aviation, including training organizations, affects pilot judgment and decision making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture to the learning process and training, is of importance and is currently under study using the Frasca Mentor Advance Aviation Training Device.

Tuesday 08/13/13, PM, Dartmouth: Software Safety (Chair: Schmedake)

Safety and/vs Security: Towards a System Engineering Approach for Trust
Erwin Schoitsch, Dipl.-Ing., Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria
Safety has a long tradition in many engineering disciplines, evolving long before computers arrived on the scene. Security in engineering disciplines has a shorter history, becoming increasingly important with the rising complexity of networked systems. In complex cyber-physical systems and systems-of-systems, both worlds, having ignored each other for a long time (independent communities, different targets, standards, techniques and measures), now have to share their concerns to achieve the real goal of users and stakeholders: trustworthy systems.

The paper will compare the different approaches of the major safety and security standards, particularly with respect to setting goals, considering techniques and measures, and qualification/certification. Holistic system aspects, as covered by the notions of Dependability and Resilience as umbrella terms, and system engineering aspects that take into account the dichotomic properties of complex embedded systems (commonalities and trade-offs) are examined in order to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from the concept phase and hazard and risk analysis through to decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC-FP7 Integrated Project OpenCoss, IEC/ISO standardization groups, and other work.

Anatomy of a Safety Critical Software Function
Richard Church, Raytheon Company, Tewksbury, Massachusetts, USA
This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides a clear and concise determination of how a safety critical function may be defined at the system level to include hardware, software, human interactions and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose SLSCF computing-level functions, details what constitutes a Safety Critical Computing Software Function (SCCSF), and shows how to identify those behavioral attributes that designate a function as safety critical. This paper provides a methodology to identify, decompose and categorize application and operating environment SCCSFs. For the purpose of this paper, SCCSFs are categorized into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety critical software functions that control and monitor safety critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies and fail-safe designs found in successful high-consequence safety critical systems.

Software Risk: The Third Rail of Safety Analysis
Holly S. Hildreth, PhD, Consultant; Charles Greg Elcock, USN-R Aviator, Consultant; San Diego, CA, USA
"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Due to our inability to assess the probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called "throwing the baby out with the bath water". Meanwhile, the recent industry trend to assess software risk based solely on the implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss the shortcomings of this trend and describe alternative techniques that have not been openly documented but that have been used "under the radar" by software safety professionals for many years.

Wednesday 08/14/13, AM, Berkeley: Human Factors (Chair: Robins)

ASL – Affective Safety Leadership
Ulrik Ramsing, Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark
Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how", demanding that the CoRep engage with all parties in a safe, professional and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged with CfL, Centre for Leadership, to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, the satisfactory completion of which is now a requirement for employment in DONG E&P Offshore Operation as Company Representative.

The CoRep Program satisfies its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors, and ILO-driven offshore coaching.

Exxon Valdez: Human Error, Plain and Simple
Arthur D. Barondes, BS (Mil Engr), MS (Aero), MBA, PhD (ABD) (Business), Analytics International Corporation (AIC), Alexandria, VA, USA
Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989—and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors—there were no mechanical or electrical failures that fateful night—the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots, and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors—onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company—as solely responsible for the disaster.

Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A. Vernacchia, MS, PE, Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A. Green, PhD, Active Safety Systems, General Motors, Warren, MI, USA; Robert E. Llaneras, PhD, Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA
Today's electric propulsion system designs (e.g., Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, some failure modes may result in the failure effect on output torque being realized significantly faster than in traditional ICE failure modes. These may present differences in how output torque responses impact potential "Driver Startle" events.

This paper compares electric propulsion systems' fault response characteristics, and the subsequent detection and mitigation capabilities, to those of ICE systems. The effects of the electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle-level hazard metrics related to Driver Startle, are presented.

Wednesday 08/14/13, AM, Clarendon: Public Safety (Chair: Fletcher)

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD; Yun Luo; Shuo Tian, MS; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
Scientific precaution against and effective control of accidents is important for national production in China. The famous Heinrich Rule reveals that the statistical law of the severity and frequency of accidents is essential to controlling accidents, but the accident source and causation, as well as the essence of systematic safety factors, haven't been stated in depth. Using data analysis from various accident statistics over recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. A proportion rule of the accident pyramid is then further figured out, namely "Major Accident-Fatal Accidents-General Accidents-Hidden Dangers-Hazards" (1-52-240-4700-∞). The result accords with the traditional Heinrich Rule, provides a theoretical basis for accident prevention, and indicates the way and direction for realizing essential safety.

Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity
Ilya M. Zheleznov, PhD, VNIIA, Moscow, Russia
The paper presents a review and the results of an analysis of different technical and economic aspects of industrial safety at a large enterprise with distributed sites, combining R&D work with pilot and batch production of high-tech products, and located in a megacity – Moscow.

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to optimization are considered, from both technical and economic points of view, taking into account the minimization of transportation of dangerous substances, the localization of treatment facilities (waste effluents, gas purification) and waste storehouses, the localization of systems for maintaining working conditions (heating, air-conditioning, air cleaning, water supply, etc.), possible harm to the population, and a number of other factors.

The features connected with locating the enterprise in a megacity are identified, including the limited areas available for treatment facilities, the high density of various utility lines in the area, short distances to residential buildings and objects of city infrastructure, transport problems, high impurity of the air environment, etc.


Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr. Professor G.A. Smirnov; Dr. D.I. Yurkov; D.V. Syagin; T.V. Kozhina; All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia
The paper reviews questions related to the vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including those of a terrorist orientation, as well as to emergency situations of natural and anthropogenic character.

The main provisions of the complex program for the safety of the population on transport approved by the Russian Government are presented. Approaches to organizing the examination of physical persons, passengers, vehicles, cargoes, luggage and personal belongings at transport infrastructure objects of Russian undergrounds are formulated. Some types of neutron and X-ray equipment designed and produced by VNIIA, named after N.L. Duhov, for the detection of explosives, nuclear materials and drugs are presented.

Wednesday 08/14/13, AM, Dartmouth: Lifecycle Safety (Chair: Swallom)

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore, Singapore
System Safety analyses assess the systems' hazards throughout all phases of the system life cycle. Quite often, details of maintenance tasks on systems are not clearly thought out and assessed. Hence, while system maintenance tasks are being carried out, hazards could arise and pose safety implications to users. Improper maintenance could also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance, and sometimes total replacement of the components at regular intervals, is required. Therefore it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety critical or safety related parts is also crucial in ensuring that the systems remain safe for operation after maintenance is conducted.

This paper attempts to classify the different types of maintenance and the focus of their respective hazard analyses in order to better address their potential hazards. Generally there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance and Reliability-Centered Maintenance. The authors will discuss, with examples, the hazard analysis for each of these types of maintenance.

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram; David Hartfelder; Electronic Controls and Software, General Motors Company, Milford, MI, USA
System safety engineering is the application of special technical methods and managerial processes in a systematic manner to identify, evaluate and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned with eliminating or minimizing the impact of system hazard(s) to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementary critical safety analyses, tests and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase and continuing through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that they are able to influence the design of the system. This paper will define a system safety case and provide an overview of its development within the GM system safety engineering process as applied to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA
Error Prevention Event Collection (EPEC) Documents have been beneficial to the ULA Organization in many ways, by providing multiple methods to augment current ULA Error Prevention Processes and by sharing Lessons Learned throughout the ULA Organization. EPEC Documents are stand-alone documents that provide ULA Personnel with categorized sets of Event information that can be used to augment the Preventive Analysis, Reactive Analysis and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process, meaning that they have completed the Causal Analysis, Corrective Action Board and Error Prevention Council processes. Upon Event closure, the "All Items" Database is populated with the Event information and the applicable Event EPEC Categories. The "All Items" Database then automatically sorts Event entries into "Category" Databases; there is one "Category" Database for each EPEC Category. Each "Category" Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" Database that provides users with instructions for use, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications and benefits of the EPEC Documents will continue to be explored.

Wednesday 08/14/13, AM, Exeter: Human Factors II (Chair: Flint)

Development of Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy; Yanyan Wang, DE; Xin Liu; Wei Bai; Xinsheng Guo; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress has a disadvantageous effect on flight safety. Life events are a routine item of aircraft accident investigation in many countries, and many pilots involved in accidents were suffering from life events. In order to achieve the ideal effect, flight safety education must incorporate psychology. An education program combining flight safety and psychological stress was developed by summarizing the psychological factors relevant to aviation risk perception. The program includes three sections: psychological measurement relevant to safety with feedback of results, education on representative risk scenes in aviation, and occupational stress management. The Aviation Safety Locus of Control scale and the Hazardous Aviation Attitude questionnaire were used to evaluate risk patterns, and the results were fed back to pilots to improve their self-knowledge. The representative risk scenes were based on the five hazardous attitudes theory; fifteen cases were developed and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach the pilots stress management skills. The program can be applied to improve the flight safety and mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD; Xin Liu; Wei Bai; Xinsheng Guo; Qingfeng Liu, MPsy; Xiaochao Guo, DPsy; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
The capabilities of crew resource management (CRM) directly relate to flight safety and run through the whole process of flight tasks, but there are currently no indicators and methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and the pilot's behavior characteristics of dynamic CRM were developed based on AC-121-FS-2011-41 crew resource management training and by analyzing the influential factors; from these, the dynamic assessment training indicators and methods of crew resource management were formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis for assessment of CRM during flight training, which is helpful in improving the CRM capabilities of the double drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar PE PhD, Erin Collins; Hughes Associates Inc, Baltimore, MD, USA
The fire protection response in selected facilities is characterized by "manual" activities. That is, facility personnel are trained to react immediately after fire detection, not only to announce the fire event throughout the facility using the communication systems but also to suppress the fire as quickly as possible. Contrary to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e. hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper integrates an event tree analysis with HRA, which includes treatment of the following detection and suppression activities: prompt detection and suppression, rapid detection and suppression, and fire brigade suppression.

Wednesday, 08/14/13 PM, Berkeley: Safety Topics (Chair: Gauthier)

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou BEng MSc PhD CEng, Matthew Luckcuck, Tim Kelly PhD, Richard W Jones PhD; Department of Computer Science, University of York, York, United Kingdom
There has been an increasing use of IT in healthcare, aiming to improve the quality of healthcare as well as the safety delivered to patients. IT can contribute to meeting the performance targets of hospitals by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent in medical devices (e.g. pacemakers), for which there are organised efforts for international standards. Recently there have been attempts to systematise and standardise the safety analysis of health IT systems, with examples such as the UK National Health Service standards asking for a safety case showing that any IT system is safe.

42

The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety in data-intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these tactics can be used to provide assurance for the final safety case of the system.

How Complex Systems Fail - I: Decomposition of the Failure Histogram
Richard R Zito PhD; Richard R Zito Research LLC, Tucson, AZ, USA
Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that in general the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model, and the failure histograms (failure rate vs time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report will take the Peterson/Arellano analysis one step further. A unified theory of failure rates will be presented that removes the paradoxes of the simple Rayleigh model. It will be shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function law.

Wednesday, 08/14/13 PM, Clarendon: Risk Assessment (Chair: Karedes)

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt, Joan Pham PhD; Sikorsky Aircraft Corporation, Stratford, Connecticut, USA
The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and their interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday, 08/15/13 AM, Berkeley: Space Systems (Chair: Durmaz)

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X Dang BSCE (1), Myles P Moran BSME (2), Tyrone Jackson BSEE (1); (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA
A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. As an example, one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 AFSPCSUP1, 91-217 and 63-101. AF program offices are required to comply with AFI policies; AFIs don't generally apply to the contractor except as implemented through the contract. Often, program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that by having two sets of requirements, AFIs for program offices and MIL-STD-882-Tailored for contractors, full compliance with AF Orbital Safety policy should be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"

ProgramISSC2013


Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G McDougall BS Physics, Naval Post-Graduate School (NPS) Master System Engineering, System Safety Center SMC/SE, El Segundo, CA, USA; Tyrone Jackson BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA
Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommissioning and disposal of systems, subsystems, end items and services during the entire space system lifecycle, to support Operational Safety, Suitability and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements that are applicable to the acquisition of space systems or space systems of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems and user equipment systems. SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP_I and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process for evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing the tasks and activities required to execute a viable system safety program, including risk acceptance package development, hazard tracking, mishap risk disposition and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar; System Safety, United Launch Alliance, Highlands Ranch, CO, USA
United Launch Alliance launches Atlas V and Delta IV from the Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles, and large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle and prelaunch operations, until liftoff. Range Safety regulations provide safety requirements for hardware, software and operations to ensure safety throughout ground processing. This paper will examine each stage of the ground processing for space launch and the applicable safety requirements, and discuss how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after personnel are cleared, using safety critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday, 08/15/13 AM, Clarendon: Weapons Safety (Chair: Southwick)

Security Critical Software - the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S Alborzi PhD; Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA
Today's political landscape, the arbitrary abandonment of nuclear weapons non-proliferation by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense of system safety. This paper intends to explore this integration and unveil some of the security critical software that can serve as the first line of defense for preserving the safety critical features of our weapons systems.


Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C Adams BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello BSChE, Navy NOSSA, Indian Head, MD, USA
The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance for implementing policy provided in the associated AOP-7 and AOP-39. Questions are often raised during program development and reviews as to the origin and applicability of the tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, will only address Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham MS SE, Gunendran Sivapragasam MBA SE; Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA
A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among the characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday, 08/15/13 AM, Dartmouth: Hazard Identification (Chair: Oliver)

Closing the Gaps in System Safety Coverage
Seet Ting Siow; Management Systems & Processes, ST Kinetics, Singapore, Singapore
We often ask ourselves why accidents or mishaps happened even when the system safety methodology and assessments were in place. Accidents happen due to many possible causes. There could be lapses in the safety integrity of the system, or a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns, where a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations that were faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practice of system safety. There are 4 areas of concern highlighted in the paper: Interfaces, Prototype Tests & Trials, Maintenance & Disposal, and Human Error. By identifying the gaps in these 4 areas, the author explores and proposes mitigation measures that could possibly close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust Sr Cand scient; System Safety, SINTEF, Trondheim, Norway
Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body for certification according to IEC 61508, a Notified Body for certification according to the relevant EU directives, and a Manufacturer.

Experience has shown that, to deliver the product in time and to be cost-effective, it is very important that the Manufacturer and the Certification and Notified Bodies agree on basic principles concerning the plans, contents, traceability and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Body as evidence.

This paper presents the CoVeR method, which has been developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, that costs are minimized, that time to market is reduced, that the certification process is complete and well documented, and that updating the certificates requires less work. The certification experience to date shows that many of the problems with conventional methods are improved.

Design with Safety Eye
Barış Berk Erdem MS, Pinar Aydin MS; Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey
Deriving safety requirements in the early stages of the design is one of the most important key factors for conducting a successful development process for any project. Just as well-defined, correct, consistent and complete safety requirements improve and guide the design to perfect levels with minimum effort, defective, inconsistent and incorrect safety requirements may lead to unsuccessful, overweight and over-cost designs. In this paper, the ways and advantages of deriving qualified safety requirements in the early stages of the design will be discussed via examples. Safety requirements are derived using the results of the safety assessments, based on the consequences of functional failures. But the quality of safety assessments depends on the maturity of the design, and as the design matures it is hard to change and implement the changes, which causes a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated and familiar with similar projects provides great contributions. Also, a safety perspective throughout the design team makes it easy to derive valuable safety requirements and get these requirements into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is the cooperation of the whole design team with a safety perspective.

Thursday, 08/15/13 PM, Berkeley: Aerospace Software (Chair: Beecher)

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C Michael Holloway; NASA Langley Research Center, Hampton, VA, USA
For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements". Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments, contained in or implied by the DO-178C guidance, that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J Graydon, Postdoctoral Research Fellow; School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore, developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels and Baconian probability. We define use cases for confidence in safety cases: prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for the reuse of safety elements.

Initial Safety Analysis for Integration of Unmanned Aerial Systems into the National Airspace System
Eric Yang PhD, Richard Y Xie PhD, Arash Yousefi PhD; Metron Aviation Inc, Dulles, VA, USA
As demand for military, civilian and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis are needed to evaluate the conformance of an integrated system to the target level of safety set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper we adapt a previously developed safety modeling framework, the Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS, incompatibility between the sense-and-avoid systems of UAS and the Tactical Collision Avoidance Systems (TCAS) of manned aircraft, loss-link procedures in the UAS, and UAS loss of communication with air traffic control. The findings of this study provide insight into the potential risks of UAS integration and may support development of the concept of operations, establishing minimum performance standards, and developing the required safety nets.

Thursday, 08/15/13 PM, Clarendon: Public Safety II (Chair: Laabs)

Integrating System Safety and Emergency Management
Terry L Hardy; Great Circle Analytics LLC, Denver, CO, USA
System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to and recover from an incident that threatens life, property, operations or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A Robins BS Safety, MS Systems Management, CSP, CFPS; HSE, Marine Well Containment Company, Houston, TX, USA
Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess and Statoil. In February 2011, MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS, and the Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach to working with member companies on hazard identification to establish a baseline and on areas for continuous improvement of our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.

WHAT ARE YOUR STRENGTHS AS AN ENGINEER?

"thinking system-wide" / "providing in-depth analysis of the latest technologies" / "solving real-life problems"

ONLINE MASTER'S DEGREES

- RELIABILITY ENGINEERING
- PROJECT MANAGEMENT
- NUCLEAR ENGINEERING
- SUSTAINABLE ENERGY
- ENERGETIC CONCEPTS
- FIRE PROTECTION ENGINEERING

LEARN MORE: wwwadvancedengineeringeduissc


A Taxonomic Analysis on Chinese Special Equipments "Yinhuan" in Supervision
Yunxiao Fan Dr, Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety at the worksite. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices and automobiles. In recent years, the rapid increase in the numbers and types of special equipment has put BSES under increasing pressure in special equipment regulation. As a government supervision organization, BSES tries to make the inspection tasks of the different supervision levels explicit and efficient, and to improve safety management performance from the viewpoint of risk. This research is the first task in a project which aims to identify yinhuans in special equipment supervision using a taxonomic approach, for further ranking through risk assessment. Based on nonconformity and the 4 elements of the accident causation model, this research defined the yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. This research identified nonconformities from related regulations, standards, procedures etc., and identified 830 yinhuans for 8 types of special equipment.

Thursday, 08/15/13 PM, Dartmouth: Hazard/Risk Management II (Chair: Kniess)

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander MSc (1), Patrick J Graydon PhD (2), Rikard Land PhD (1); (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework including analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach, the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence; it can ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA
United Launch Alliance (ULA) believes error reporting is the cornerstone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented and shared Event data since 2007, and analysis confirms that Event severity and cost have steadily declined during this period.

In 2012, ULA experienced an elevated number of transportation-related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine whether the associated processes were in statistical control with respect to errors.

This paper concludes:
- The Statistical Quality Control P-Charting technique can be applied to Event data.
- Statistical Quality Control P-Charting analysis indicates the processes were "in control" during the period of this study.



Isograph Software: World Leading Reliability, Availability and Maintenance Software

Reliability Workbench: Reliability Allocation, Prediction, FMECA, Fault Tree Analysis, Event Tree Analysis, Markov

Availability Workbench: Reduce Labor & Spares Costs, Increase uptime and output, Seamless integration with SAP and Maximo

www.isograph-software.com

Even though the statistical analysis tools demonstrated that ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business; rather, ULA strives to eliminate all errors.
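The p-chart test the abstract above refers to, as an added example that is not ULA's code or data: each subgroup is one reporting period, the plotted value is the fraction of opportunities that produced an error Event, and the 3-sigma limits are computed per subgroup from the pooled rate. The monthly counts are constructed for illustration.

```python
"""p-chart ("proportion defective" control chart) over error-Event counts.

Added example, not taken from the paper. Each subgroup is one period with
a number of inspected opportunities (e.g. transport moves) and the number of
those that produced an error Event. The chart asks whether any period's
event proportion falls outside the limits implied by the pooled rate.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Subgroup:
    label: str
    inspected: int   # opportunities for an error in the period (subgroup size n)
    events: int      # error Events recorded in the same period

    @property
    def proportion(self) -> float:
        return self.events / self.inspected


def centre_line(subgroups) -> float:
    """p-bar: pooled proportion of Events across all subgroups."""
    total_n = sum(s.inspected for s in subgroups)
    total_e = sum(s.events for s in subgroups)
    return total_e / total_n


def control_limits(p_bar: float, n: int, k: float = 3.0):
    """(LCL, UCL) for a subgroup of size n using the binomial sigma.

    Subgroup sizes differ, so the limits vary per period. A proportion can
    never be negative, so a negative lower limit is clamped to zero.
    """
    sigma = math.sqrt(p_bar * (1.0 - p_bar) / n)
    return max(0.0, p_bar - k * sigma), min(1.0, p_bar + k * sigma)


def evaluate(subgroups, k: float = 3.0):
    """Per subgroup: plotted proportion, its limits and an out-of-control flag."""
    p_bar = centre_line(subgroups)
    rows = []
    for s in subgroups:
        lcl, ucl = control_limits(p_bar, s.inspected, k)
        p = s.proportion
        rows.append({"label": s.label, "p": p, "lcl": lcl, "ucl": ucl,
                     "out": p > ucl or p < lcl})
    return rows


def out_of_control(subgroups, k: float = 3.0):
    """Labels of the subgroups whose proportion lies outside the limits."""
    return [r["label"] for r in evaluate(subgroups, k) if r["out"]]


def process_in_control(subgroups, k: float = 3.0) -> bool:
    return not out_of_control(subgroups, k)


# Constructed sample: twelve months of (opportunities, Events); month 9 carries
# a burst of Events like the short-period spike the abstract describes.
SAMPLE_EVENTS = [
    Subgroup("2012-01", 40, 2), Subgroup("2012-02", 38, 1),
    Subgroup("2012-03", 45, 3), Subgroup("2012-04", 42, 2),
    Subgroup("2012-05", 50, 2), Subgroup("2012-06", 44, 3),
    Subgroup("2012-07", 41, 1), Subgroup("2012-08", 39, 2),
    Subgroup("2012-09", 47, 9), Subgroup("2012-10", 43, 2),
    Subgroup("2012-11", 46, 3), Subgroup("2012-12", 45, 2),
]

if __name__ == "__main__":
    print(f"p-bar = {centre_line(SAMPLE_EVENTS):.4f}")
    for r in evaluate(SAMPLE_EVENTS):
        flag = "OUT" if r["out"] else "ok"
        print(f"{r['label']}  p={r['p']:.4f}  LCL={r['lcl']:.4f}  UCL={r['ucl']:.4f}  {flag}")
    print("in control:", process_in_control(SAMPLE_EVENTS))
```

A single point beyond the limits (here the month with 9 Events) is the classic signal that a special cause should be investigated; the run-pattern rules some p-chart users add are not implemented.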

Leading Indicators in Aviation Operations
Robert W Fletcher PMP PEng MSc, Robert Fletcher System Safety Inc, Ottawa, ON, Canada; Ioannis M Dokas PhD CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece
Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively; current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how STAMP Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents and incidents. The objective is to show the feasibility of establishing, in airports, system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems and airports to assess and predict changing levels of risk.


Special Functions

Saturday: SSS Executive Council Meeting, 12:00 - 5:00pm, Tremont Room

Sunday: SSS Executive Council Meeting, 8:00am - 5:00pm, Tremont Room

Monday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Opening Ceremonies / General Session, 1:30 - 3:30am, Salons A-E; 50th Celebration Speaker: Rex B Gordon MPH PE CSP, Fellow, Member Emeritus

Keynote Speaker: James P Keller Jr MS, ECRI Institute

Tuesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Sponsor/Exhibitor Luncheon, 11:30am - 1:20pm, Salons A-E; Speaker: Dr Nancy Leveson, Massachusetts Institute of Technology

Sponsor & Exhibitor Reception, 6:30 - 8:30pm, Gloucester Room

Wednesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

International Luncheon, 11:30am - 1:20pm, Salons A-E; Speaker: Dr John McDermid, The University of York, UK

Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00pm; be in the hotel lobby at 6:00pm

Thursday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Awards Luncheon, 11:30 - 1:20pm, Salons A-E

Friday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Best Papers Presentations, 8:00 - 11:20am, Dartmouth Room

ISSC 2013 Program


32nd International System Safety Conference, 4-8 August 2014, St. Louis, MO
St. Louis Union Station Marriott Hotel
Gateway to Safety

Local attractions: Gateway Arch Riverfront, Missouri History Museum, Museum of Transportation, St. Louis Cardinals, St. Louis Symphony, St. Louis Union Station, St. Louis Science Center, The Contemporary Art Museum St. Louis, Bissell Mansion Restaurant and Dinner Theater, Missouri Botanical Gardens, Laumeier Sculpture Park, Anheuser-Busch Brewery, Kemp Auto Museum, Schlafly Bottleworks, Fox Theater, Purina Farms, Meramec Caverns, Laclede's Landing, City Museum, Magic House, Grant's Farm, St. Louis Zoo, Delmar Loop, Forest Park, Harrah's, Six Flags


About the System Safety Society
The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program or activity at the planning phase and continues through the design, production, testing, use and disposal phases.

The Society's Objectives
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering and other professional groups

System Safety Society, Inc., PO Box 70, Unionville, VA 22567-0070
www.system-safety.org, email: systemsafety@system-safety.org

Points of Contact

Officers
Robert Schmedake, President, robertaschmedake@boeing.com
Dr. Rod Simmons, Executive Vice President, rodsimmons@me.com
Dr. Matt Johnson, Executive Secretary, mjohnson@staudertech.com
Pam Kniess, Treasurer, pamkniess@gmail.com
Gary Braman, Immediate Past President, gbraman@sikorsky.com

Directors
Gerry Einarsson, Chapter Services, einargk@rogers.com
Lynece Pfledderer, Conferences, Lynecepfledderer@lmco.com
Dr. Chuck Muniak, Education & Professional Development, cmuniak@stevens.edu
Debbie Hale, Gov & Intersociety, Hale0324@hotmail.com
Robert Fletcher, International Development, rwfletcher@sympatico.ca
Melissa Emery, Member Services, memery@apt-research.com
Steve Mattern, Mentoring R&D, smattern@bastiontechnologies.com
Saralyn Dwyer, Publicity & Media, sdwyer@apt-research.com


Chapters
Tennessee Valley Chapter (AL): Don Swallom, swallom@isss-tvc.org
Saguaro Chapter (AZ): Amanda Boysun, 520-794-5487, AmandaBoysun@raytheon.com
Bay Area Chapter (CA): Graham Murray, 408-756-2674, grahamtmurray@lmco.com
Central California Chapter (CA): Kathleen Brenna, KathleenBrenna1@us.af.mil
Sierra High Desert Chapter (CA): Jerry Banister, 760-377-4690, safetycitadel@earthlink.net
Southern California Chapter (CA): Francis McDougall, 310-653-1309, francismcdougall@us.af.mil
Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppe@comcast.net
Georgia Chapter: Terry Gooch, 770-494-3527, terryjgooch@gmail.com
Winners Circle Chapter (KY/IN): Marc Bever, 812-854-1351, Marcbever@navy.mil
Twin Cities Chapter (MN): Bill Blake, 763-744-5086, billblake@atk.com
New England Chapter: Alan E. Southwick, 401-842-2067, Alan_E_Southwick@raytheon.com
Northeast Chapter: Scott Beecher, scottbeecher@PW.utc.com
New Mexico Chapter (NM): William (Bill) Harwood, williamharwood@mda.mil
Houston Chapter (TX): Derek Robins, 281-335-2011, derekrobbins@mwcc-usa.com
North Texas Chapter (TX): Frank Rinaldo, 817-762-3075, frankrrinaldo@lmco.com
Washington DC Chapter: Sean Peters, seanpeters@urs.com
Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerber@baesystems.com

International Chapters
Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbecht@rgbassurance.com.au
Canada Chapter: Maury Hill, 613-220-0533, Mauryhill@rogers.com
Israel Chapter: Haim Kuper, 972-4-8315044, haimkuper@elbitsystems.com
Singapore Chapter: Ten Lin Mei, tlinmei@dso.org.sg


31st ISSC Luncheon Menu

Tuesday, August 13
New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14
Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15
Caesar Salad
Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce
White Chocolate and Blood Orange Torte


development of driverless car technology. Some jurisdictions are already passing legislation to pave the way for driverless cars on public roads. With driverless cars will come major changes in legal processes involving accidents. In many ways, the development of driverless cars that will operate on public roadways parallels the development of unpiloted aircraft that will fly in the national airspace. Design standards for hardware and software in civil aircraft (e.g. RTCA DO-254/DO-178) may serve as models for similar qualification of driverless car hardware and software.

Tuesday 08/13/13 AM, Berkeley: Hazard/Risk Management. Chair: Parizo

Safety is not an Option
Clifford A. Parizo, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Stratford, CT, USA; R. Brandon Daugherty, BS, MS, Aviation & Product Safety, Sikorsky Aircraft Corporation, Huntsville, AL, USA
This paper presents a method for evaluating and classifying rotorcraft safety-enhancing equipment in terms of impact on safety and various equipment implementation factors. Guidance from certifying agency policy and system safety standard practice was considered, resulting in a classification tool that can be used to determine if equipment should be marketed and sold as either mandatory or optional. The methodology developed may have applications for other products and industries.

National Aerospace Standard 411 Update
Timothy Sheehan, CIH, CSP, PE, Raytheon Global Substances Program, Raytheon, Portsmouth, RI, USA
This paper describes the effort to review and update National Aerospace Standard 411 ("NAS 411"), commonly used within defense as a framework to conduct Hazardous Material Management Programs (HMMP) intended to reduce hazardous material risks in the government procurement of military systems. The scope of the effort includes both a review of the standard and the introduction of several key changes, including the expansion of the scope to non-military procurements and service contracts. Included in the effort is the task of developing a standardized military Hazardous Materials Target List (HMTL) that can be used as a starting point for military HMMP hazardous material (HAZMAT) target lists. The development of the common HMTL addresses the need to increase standardization of HMMP lists across defense programs that use NAS 411 and/or MIL-STD-882E Task 108 to conduct their HMMPs. There is no current standard approach for developing these lists; as a result, there are numerous different materials identified for restrictions and reporting requirements. The current situation often does not support (or reflect) the hazmat risk management goals of the DoD, the military services or the contractors.

Linear Integrated Safety Analyses (LISA)
Michael T. Grant, Aviation & Product Safety, Sikorsky Aircraft Corp., Stratford, CT, USA; Samad Muhammad, Atlantic Software Technologies, Inc., New York, NY, USA
This paper describes the Linear Integrated Safety Analyses (LISA) process developed by the Sikorsky Aircraft Corporation (Sikorsky). The LISA architecture is designed to encompass all aspects of safety risk management for aircraft development programs. It is linear in that each assessment is repeated at the aircraft, system and subsystem levels in sequence, and it is integrated such that all analyses are connected and fully traceable to requirements. Sikorsky has partnered with Atlantic Software Technologies (AST) to develop a web-based LISA application. The end product will be a fully integrated system safety process that is comprehensive, repeatable and traceable.

Tuesday 08/13/13 AM, Clarendon: Workspace Safety. Chair: Kondreck

Thermal Protection and Thermal Comfort: An Evaluation of the Fabrics Used in Chef's Uniforms Against Thermal Hazards in the Kitchen
Han Zhang, MSc Candidate; Rachel McQueen, MS, PhD; Jane Batcheller, PhD; Human Ecology, University of Alberta, Edmonton, Alberta, Canada
Burn injuries in kitchens are prevalent, and chefs are exposed to high heat and humidity. Limited research has been performed on safety issues related to chef's uniforms regarding thermal protective performance against common kitchen thermal hazards (i.e. flames, hot liquids, steam and hot surfaces) and thermal comfort within commercial kitchens. The purpose of this research was to characterize the thermal protective performance properties of textiles used in chef's uniforms in order to understand how protective they are against all these thermal hazards in such an environment. Selected thermal performance tests (i.e. flammability and ease of ignition, hot water and oil splash, steam testing under low pressure, and hot surface contact tests) were applied to predict the time to second-degree burn. Different fabric layer combinations (e.g. impermeable/semipermeable apron and two or more layers of cotton fabrics) were applied to determine the most effective way to wear chef's uniforms. In addition, thermal and water vapour resistance were compared among different fabric systems in terms of thermal comfort. Based on the data obtained from bench-scale tests, recommendations were made to improve the thermal protection and thermal comfort of fabrics used in chef's uniforms and the safety within commercial kitchens.

A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources
Ray Fischer (1), Kurt Yankaskas, BS (2), Chris Page (1); (1) Noise Control Engineering, Inc., Billerica, MA, USA; (2) Warfighter Performance Department, Office of Naval Research, Arlington, VA, USA
Noise remains the most prevalent occupational hazard associated with defense systems and operations critical to their sustainment. Concurrently, acquisition programs have been inconsistent in their application of control measures, and many new systems are noisier than their legacy predecessors. Common impediments to improved control include a relative lack of emphasis on risk management of noise, a lack of widespread technical knowledge regarding the feasibility of noise control, and misunderstanding of the potential return on investment from noise controls. The Defense Safety Oversight Council's Acquisition and Technology Task Force sponsored a project to identify common noise sources affecting multiple defense systems that were amenable to control measures that could be implemented using existing technologies at an affordable cost. A system engineering risk management process was applied to review key noise sources in DOD, identify nine of the more common sources amenable to control technologies, and describe common control measures for these processes. An affordable containment (acoustic enclosure) technology was also evaluated and described. Estimates were made of exposed populations, the range of their occupational exposures, and the potential risk and fiscal cost of hearing loss. Cost-benefit analyses were applied to evaluate the return on investment from available control measures.

System Safety Design for Safe Operation of Radars
Ronald J. Bartos, PE, CSP, Whole Life Engineering, Raytheon, Sudbury, MA, USA
Safe operation and maintenance of radars depends upon effective system safety and software safety analyses of radar designs. These analyses include identification of the hazards involved in operating and maintaining radars and the safety requirements that are necessary to mitigate these hazards. This paper familiarizes the reader with the system safety design requirements that are implemented in the controls of these systems in order to manage the potential safety risks inherent in radars. The safety features are contrasted among different types of radars. The differences in the types of safety features among these systems are highlighted, and factors for these differences are presented. The radar's mission, location, system architecture, conceptual design, and requirements allocation between hardware and software need to be understood in order to implement an effective safety program.

Tuesday 08/13/13 PM, Berkeley: Software Engineering. Chair: Mikula

Dependability Techniques Applied to Space Software - A Research Project Report
Carlos Henrique Netto Lahoz, Dr. Eng., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos (SP), Brazil; Martha Adriana Dias Abdala, MS, Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos, Brazil
This work reports some results of a research project performed at the Institute of Aeronautics and Space (IAE), Brazil, using dependability techniques applied to a space computer system. Hazard analysis techniques such as Software FTA and Software FMECA were used in an integrated manner, and more recently the System-Theoretic Process Analysis (STPA) has been studied. This research is part of the Verification and Validation (V&V) efforts to increase software dependability capability in software projects at IAE.

The feasibility of such an approach was evaluated on a system software specification and applied to a case study based on the Brazilian Launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to the inclusion of new functional and non-functional system software.

The techniques are adjusted and used in combination to identify common causes of software failures, their criticality, performance problems, temporal misleading, and hazards arising mainly from dysfunctional interactions between components. The SFTA analysis produced 82 basic events and the SFMECA 34 analyses from the sequence of flight and control events. The STPA is being applied to one of the case study scenarios in order to evaluate possible additional information about how the behavioural safety constraints can be violated.

The Principles of Software Safety Assurance
Richard Hawkins, PhD, Ibrahim Habli, PhD, Tim Kelly, PhD, Department of Computer Science, University of York, York, United Kingdom
We present common principles of software safety assurance that can be observed from software safety standards and best practice. These principles are constant across domains and across projects and can be regarded as the immutable core of any software safety justification. The principles also help maintain understanding of the 'big picture' of software safety issues whilst examining and negotiating the detail of individual standards, and provide a reference model for cross-sector certification.


Formal Modelling in the Development of Dependable Systems
Elena Troubitsyna, PhD, IT, Åbo Akademi University, Turku, Finland
Nowadays we tend to place increasing reliance on computer-based systems and the software which they are running. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, the analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.

It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing of software to the required degree of dependability infeasible, and hence the emphasis should be put on the development process, which is aimed at producing fault-free software. Moreover, the system environment has a direct impact on its dependability, and hence a systems approach should be applied.

In the paper we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.

Tuesday 08/13/13 PM, Clarendon: Aerospace Safety. Chair: Kraemer

Systems-Based Approach to Flight Safety Management in Airlines
Hong Chi, PhD, Baoguang Xu, PhD, Mingliang Qi, PhD, Xueyan Shao, PhD, Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China
Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of SMS. From 2006 we have worked with one of China's 3 big airlines, taking part in its construction of SMS. We find that safety risks have their own features in different airline departments, and divide safety risks into two categories: one is caused by factors such as the quality of pilots and the reliability of airplanes, and the other is caused by misprocessing through operational processes; for example, a misprocessing in data entry during dispatching may lead to insufficient fuel and then serious outcomes. A reasonable risk assessment can be obtained only by systematic mechanism analysis, and other analytical approaches need to be studied besides the risk matrix. Based on this, effective risk mitigation can be implemented in airlines. We develop a closed loop to support an airline's flight safety management, named "Describing-Assessing-Diagnosing-Improving-Tracking". Specific details will be discussed in this paper.

Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch
Burak Durmaz, MSc Eng, Product Assurance Department, Space Systems Group, Turkish Aerospace Industries, Inc. (TAI), Ankara, Turkey
Even if new generation aircraft have rugged designs which maximize reliability, exposure to failures during operation is still indispensable. With a pure safety approach one can lead to the classical result, "the safest aircraft is the one in the hangar". Vice versa, allowing dispatch without ensuring a certain level of safety can lead to catastrophic results and is totally not acceptable. MMEL has been answering this dilemma for many years. Each MMEL item is analyzed taking into account the effects of item inoperability on safe flight and landing, crew workload, functional capabilities of the systems, design margins and the impacts due to the next critical failure. MMEL proposes dispatch criteria for any inoperative MMEL item by taking credit from a redundant unit which is capable of accomplishing the same function, backup data provided by alternative sources, or equipment dictating acceptable limitations and/or requiring operational or maintenance procedures.

This study aims to answer questions such as why MMEL is required and how an MMEL is developed. Also, brief information about the MMEL regulations, the importance of MMEL to ensure safe dispatch with inoperative item(s) and some simple examples regarding MMEL applications is going to be provided.


Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics
Stuart Campbell, Sr., MAS, CFII, ATP, Aeronautical Science, Embry-Riddle Aeronautical University, Daytona Beach, FL, USA
The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilots Association, 2010). The absence of a positive safety culture in general aviation, to include training organizations, affects pilot judgment and decision making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture during the learning process and training, is of importance and currently under study using the Frasca Mentor Advanced Aviation Training Device.

Tuesday 08/13/13 PM, Dartmouth: Software Safety. Chair: Schmedake

Safety and/vs Security: Towards a System Engineering Approach for Trust
Erwin Schoitsch, Dipl.-Ing., Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria
Safety has a long tradition in many engineering disciplines, evolving long before computers arrived on the scene. Security in engineering disciplines has a shorter history, becoming increasingly important with the rising complexity of networked systems. In complex cyber-physical systems and systems-of-systems, both worlds, having ignored each other for a long time (independent communities, different targets, standards, techniques and measures), now have to share their concerns to achieve the real goal of users and stakeholders: trustworthy systems.

The paper will compare the different approaches of the major safety and security standards, particularly with respect to setting goals, considering techniques and measures, and qualification/certification. Holistic system aspects, as covered by the notions of Dependability and Resilience as umbrella terms, and system engineering aspects taking into account dichotomic properties of complex embedded systems (commonalities and trade-offs), are looked at to try to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from the concept phase, hazard and risk analysis, to decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC-FP7 Integrated Project OpenCoss, in IEC/ISO standardization groups, and other work.

Anatomy of a Safety Critical Software Function
Richard Church, Raytheon Company, Tewksbury, Massachusetts, USA
This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides a clear and concise determination of how a safety critical function may be defined at the system level to include hardware, software, human interactions and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose SLSCF computing level functions and details what constitutes a Safety Critical Computing Software Function (SCCSF) and how to identify those behavioral attributes that designate that function as safety critical. This paper provides a methodology to identify, decompose and categorize application and operating environment SCCSFs. For the purpose of this paper, SCCSFs are categorized into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety critical software functions that control and monitor safety critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies and fail-safe designs found in successful high consequence safety critical systems.

Software Risk: The Third Rail of Safety Analysis
Holly S. Hildreth, PhD, Consultant; Charles Greg Elcock, USN-R Aviator, Consultant; San Diego, CA, USA
"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Due to our inability to assess the probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called "throwing the baby out with the bath water". Meanwhile, the recent industry trend to assess software risk based solely on implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss shortcomings of this trend and describe alternative techniques that have not been openly documented but that have been used "under the radar" by software safety professionals for many years.

Wednesday 08/14/13 AM, Berkeley: Human Factors. Chair: Robins

ASL - Affective Safety Leadership
Ulrik Ramsing, Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark
Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how", demanding that the CoRep engage with all parties in a safe, professional and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged with CfL, Centre for Leadership, to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, of which the satisfactory completion is now a requirement for employment in DONG E&P Offshore Operation as Company Representative.

The CoRep Program satisfies its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors and ILO-driven offshore coaching.

Exxon Valdez: Human Error, Plain and Simple
Arthur D. Barondes, BS (Mil Engr), MS (Aero), MBA, PhD (ABD) (Business), Analytics International Corporation (AIC), Alexandria, VA, USA
Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989—and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors—there were no mechanical or electrical failures that fateful night—the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors—onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company—as solely responsible for the disaster.


Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A. Vernacchia, MS, PE, Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A. Green, PhD, Active Safety Systems, General Motors, Warren, MI, USA; Robert E. Llaneras, PhD, Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA
Today's electric propulsion system designs (e.g. Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, some failure modes may result in the failure effect on output torque being realized significantly faster than traditional ICE failure modes. These may present differences in how output torque responses impact potential "Driver Startle" events.

This paper compares electric propulsion systems' fault response characteristics and subsequent detection and mitigation capabilities to those of ICE systems. The effects of the electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle-level hazard metrics related to Driver Startle, are presented.

Wednesday 08/14/13 AM, Clarendon: Public Safety. Chair: Fletcher

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD, Yun Luo, Shuo Tian, MS, School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
To make scientific precaution and effective control of accidents is important for the national production of China. The famous Heinrich Rule reveals that the statistical law of the severity and frequency of accidents is essential to control accidents, but the accidental source and causation, as well as the essence of systematic safety factors, haven't been stated deeply. With the data analysis from various accident statistics over recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. And then a proportion rule of the accident pyramid is further figured out, namely "Major Accident - Fatal Accidents - General Accidents - Hidden Dangers - Hazards" (1-52-240-4700-∞). The result accords with the traditional Heinrich Rule, which provides the theoretical basis for accident prevention and indicates the way and direction of realizing essential safety.

Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity
Ilya M. Zheleznov, PhD, VNIIA, Moscow, Russia
The paper presents a review and results of analysis of different technical and economic aspects of industrial safety at a large enterprise with distributed sites, combining R&D work with pilot and batch production of high-tech products, and located in a megacity, Moscow.

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to the optimization, considering minimization of transportation of dangerous substances, localization of treatment facilities (waste effluents, gas purification) and waste storehouses, localization of systems for maintaining working conditions (heating, air-conditioning, air cleaning, water supply, etc.), possible harm to the population and a number of other factors, both from technical and economic points of view, are considered.

The features connected with the location of the enterprise in a megacity, including limitation of the areas for treatment facilities, a high saturation of the area by various communications, small distances to residential buildings and objects of the city infrastructure, transport problems, high impurity of the air environment, etc., are allocated.


Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population TransportationDr Professor GA Smirnov Dr DI Yurkov DV Syagin ТV KozhinaAll-Russia Research Institute of Automatics (VNIIA) Moscow RussiaThe paper reviews the questions related to vulnerability assessment of a transport infrastructure objects and vehicles to acts of unlawful interference including a terrorist orientation ones as well as to emergency situations of natural and anthropogenic character

The main provisions of the Russian Government's approved complex program of population safety on transport are presented. Approaches to organizing the examination of physical persons, passengers, vehicles, cargoes, luggage and personal things at transport infrastructure objects of Russian undergrounds are formulated. Some types of neutron and X-ray equipment for detection of explosives, nuclear materials and drugs, designed and produced by VNIIA named after N.L. Duhov, are presented.

Wednesday 08/14/13 AM, Dartmouth: Lifecycle Safety (Chair: Swallom)

Maintenance Hazard Analysis
Phil Tan Joo Heng; Safety Assurance Centre, ST Kinetics, Singapore, Singapore

System safety analyses assess the systems' hazards throughout all phases of the system life cycle. Quite often, details of maintenance tasks on systems are not clearly thought out and assessed. Hence, while in the midst of carrying out system maintenance tasks, hazards could arise and pose safety implications to users. Improper maintenance could also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance and sometimes total replacement of the components at regular intervals are required. Therefore it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety critical or safety related parts is also crucial in ensuring that the systems remain safe for operation after conducting maintenance.

This paper attempts to classify the different types of maintenance and the focuses of their respective hazard analyses in order to better address their potential hazards. Generally there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance and Reliability-Centered Maintenance. The authors will discuss, with examples, the hazard analysis for each of these types of maintenance.

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram; David Hartfelder; Electronic Controls and Software, General Motors Company, Milford, MI, USA

System safety engineering is the application of special technical methods and managerial processes in a systematic manner to identify, evaluate and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned with eliminating or minimizing the impact of system hazard(s) to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementary critical safety analyses, tests and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that they are able to influence the design of the system. This paper will define a system safety case and provide an overview of its development within the GM system safety engineering process as applied to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA

Error Prevention Event Collection (EPEC) Documents have been beneficial to the ULA Organization in many ways, by providing multiple methods to augment current ULA Error Prevention Processes and share Lessons Learned throughout the ULA Organization. EPEC Documents are stand-alone documents that provide ULA Personnel with categorized sets of Event information that can be used to augment Preventive Analysis, Reactive Analysis and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process; this means that they have completed the Causal Analysis, Corrective Action Board and Error Prevention Council processes. Upon Event closure, the "All Items" Database is populated with Event information and the applicable Event EPEC Categories. Then the "All Items" Database automatically sorts Event entries into "Category" Databases; there is one "Category" Database for each EPEC Category. Each "Category" Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" Database that provides users with instructions for use, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications and benefits will continue to be explored as they relate to the EPEC Documents.

Wednesday 08/14/13 AM, Exeter: Human Factors II (Chair: Flint)

Development of Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy; Yanyan Wang, DE; Xin Liu; Wei Bai; Xinsheng Guo; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China

Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress has a disadvantageous effect on flight safety. Life events are a routine item of aircraft accident investigation in many countries; a lot of pilots involved in accidents were suffering from life events. In order to acquire the ideal effect, flight safety education must be incorporated with psychology. An education program combining flight safety and psychological stress was developed by summarizing the psychological factors relevant to aviation risk perception. The program includes three sections: psychological measurement relative to safety and results feedback, education on representative risk scenes in aviation, and occupational stress management. The Aviation Safety Locus of Control scale and the Hazardous Aviation Attitude questionnaire were used to evaluate risk pattern; the results were fed back to pilots to improve their self-knowledge. Representative risk scenes were based on the five hazardous attitudes theory; fifteen cases were developed and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach the pilots stress management skills. The program can be applied to improve flight safety and the mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD; Xin Liu; Wei Bai; Xinsheng Guo; Qingfeng Liu, MPsy; Xiaochao Guo, DPsy; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China

The capabilities of crew resource management (CRM) directly relate to flight safety and run through the whole process of flight tasks, but there are currently still no indicators and methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and pilots' behavior characteristics of dynamic CRM were developed based on AC-121-FS-2011-41 crew resource management training and by analyzing the influential factors; eventually the dynamic assessment training indicators and methods of crew resource management were formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis of assessment of CRM during flight training, which is helpful to improve the CRM capabilities of the double drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD; Erin Collins; Hughes Associates, Inc., Baltimore, MD, USA

The fire protection response in selected facilities is characterized by "manual" activities. That is, facility personnel are trained to immediately react after fire detection, not only to announce the fire event throughout the facility using the communication systems, but also to suppress the fire as quickly as possible. Contrary to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e., hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper involves an integration of an event tree analysis and HRA, which includes treatment of the following detection and suppression activities: prompt detection and suppression, rapid detection and suppression, and fire brigade suppression.

Wednesday 08/14/13 PM, Berkeley: Safety Topics (Chair: Gauthier)

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou, BEng, MSc, PhD, CEng; Matthew Luckcuck; Tim Kelly, PhD; Richard W. Jones, PhD; Department of Computer Science, University of York, York, United Kingdom

There has been an increasing use of IT in healthcare, aiming to improve the quality of healthcare as well as the safety delivered to patients. IT can contribute to meeting the performance targets of hospitals by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent in medical devices (e.g., pacemakers), for which there are organised efforts for international standards. Recently there have been attempts to systematise and standardise the safety analysis of health IT systems, with examples such as the UK National Health Service standards asking for a safety case that any IT systems are safe.


The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety and data-intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these tactics can be used to provide assurance to the final safety case of the system.

How Complex Systems Fail I: Decomposition of the Failure Histogram
Richard R. Zito, PhD; Richard R. Zito Research, LLC, Tucson, AZ, USA

Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that in general the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model, and the failure histograms (failure rate vs. time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report will take the Peterson/Arellano analysis one step further. A unified theory of failure rates will be presented that removes the paradoxes of the simple Rayleigh model. It will be shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function law.

Wednesday 08/14/13 PM, Clarendon: Risk Assessment (Chair: Karedes)

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt; Joan Pham, PhD; Sikorsky Aircraft Corporation, Stratford, Connecticut, USA

The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday 08/15/13 AM, Berkeley: Space Systems (Chair: Durmaz)

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X. Dang, BSCE (1); Myles P. Moran, BSME (2); Tyrone Jackson, BSEE (1); (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA

A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. An example: one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 AFSPCSUP1, 91-217 and 63-101. AF program offices are required to comply with AFI policies; AFIs don't generally apply to the contractor except as implemented through the contract. Often program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that by having two sets of requirements, AFIs for program offices and MIL-STD-882-Tailored for contractors, full compliance with AF Orbital Safety policy should be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"


Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G. McDougall, BS Physics, Naval Post-Graduate School (NPS) Master System Engineering; System Safety Center, SMC/SE, El Segundo, CA, USA; Tyrone Jackson, BSEE; System Safety, Space and Missile Systems Center, El Segundo, CA, USA

Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommissioning and disposal of systems, subsystems, end items and services during the entire space system lifecycle, to support Operational Safety, Suitability and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements that are applicable to the acquisition of space systems or space systems of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems and user equipment systems. SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP_I and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process of evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing tasks and activities required to execute a viable system safety program, including risk acceptance package development, hazard tracking, mishap risk disposition and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar; System Safety, United Launch Alliance, Highlands Ranch, CO, USA

United Launch Alliance launches Atlas V and Delta IV from Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles, and large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle and prelaunch operations, until liftoff. Range Safety regulations provide safety requirements for hardware, software and operations to ensure safety throughout the ground processing. This paper will examine each stage of the ground processing for space launch and the applicable safety requirements, and discuss how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after the personnel are cleared, using safety critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday 08/15/13 AM, Clarendon: Weapons Safety (Chair: Southwick)

Security Critical Software — the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S. Alborzi, PhD; Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA

Today's political landscape, the arbitrary abandonment of non-proliferation of nuclear weapons by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense of system safety. This paper intends to explore this integration and unveil some of the security critical software that can serve as the first line of defense for preserving the safety critical features of our weapons systems.


Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams, BME; Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello, BSChE; Navy NOSSA, Indian Head, MD, USA

The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance provided in the associated AOP-7 and AOP-39 for implementing policy. Questions are often raised during program development and reviews as to the origin and applicability of tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, will only address Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE; Gunendran Sivapragasam, MBA SE; Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA

A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among those characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday 08/15/13 AM, Dartmouth: Hazard Identification (Chair: Oliver)

Closing the Gaps in System Safety Coverage
Seet Ting Siow; Management Systems & Processes, ST Kinetics, Singapore, Singapore

We often asked ourselves why accidents or mishaps happened even when the system safety methodology and assessments were in place. Accidents happen due to many possible causes. There could be lapses in the safety integrity of the system, or a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns such that a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations that were faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practices in system safety. There are 4 areas of concern highlighted in the paper: Interfaces, Prototype Tests & Trials, Maintenance & Disposal, and Human Error. By identifying the gaps in these 4 areas, the author explores and proposes mitigation measures that could possibly close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr. Cand. scient.; System Safety, SINTEF, Trondheim, Norway

Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body for certification according to IEC 61508, a Notified Body for certification according to relevant EU directives, and a Manufacturer.

Experience has shown that, to deliver the product in time and to be cost-effective, it is very important that the Manufacturer and the Certification and Notified Bodies agree about basic principles concerning the plans, contents, traceability and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Bodies as evidence.

This paper presents the CoVeR method, which has been developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, that costs are minimized, that time to market is reduced, that the certification process is complete and well documented, and that updates of the certificates require less work. The certification experiences to date show that many of the problems with conventional methods are improved.

Design with Safety Eye
Barış Berk Erdem, MS; Pinar Aydin, MS; Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey

Deriving safety requirements in the early stages of the design is one of the most important key factors in conducting a successful development process for any project. While well-defined, correct, consistent and complete safety requirements improve and guide the design to perfect levels with minimum effort, defective, inconsistent and incorrect safety requirements may lead to unsuccessful, overweight and over-cost designs. In this paper, ways and advantages of deriving qualified safety requirements in early stages of the design will be discussed via examples. Safety requirements are derived using the results of the safety assessments, based on the consequences of functional failures. But the quality of safety assessments depends on the maturity of the design, and as the design matures it is hard to change and implement the changes, which causes a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated and familiar with similar projects provides great contributions. Also, a safety perspective throughout the design team makes it easy to derive valuable safety requirements and bring these requirements to the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is cooperation of the whole design team with a safety perspective.

Thursday 08/15/13 PM, Berkeley: Aerospace Software (Chair: Beecher)

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway; NASA Langley Research Center, Hampton, VA, USA

For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements". Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments contained in, or implied by, the DO-178C guidance that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow; School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore, developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels, and Baconian probability. We define use cases for confidence in safety cases: prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for reuse of safety elements.

Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System
Eric Yang, PhD; Richard Y. Xie, PhD; Arash Yousefi, PhD; Metron Aviation, Inc., Dulles, VA, USA

As demand for military, civilian and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety that is set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper we adapt a previously developed safety modeling framework, Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS, incompatibility of sense-and-avoid systems of UAS and Tactical Collision Avoidance Systems (TCAS) of manned aircraft, loss-link procedures in the UAS, and the UAS loss of communication with air traffic control. The findings of this study provide insight into potential risks of UAS integration and may support development of a concept of operations, establishing minimum performance standards, and developing required safety nets.

Thursday 08/15/13 PM, Clarendon: Public Safety II (Chair: Laabs)

Integrating System Safety and Emergency Management
Terry L. Hardy; Great Circle Analytics, LLC, Denver, CO, USA

System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations, or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore organizations may not be taking full advantage of the skills, experience and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A Robins, BS Safety, MS Systems Management, CSP, CFPS, HSE, Marine Well Containment Company, Houston, TX, USA
Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips, and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain, and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess, and Statoil. In February 2011 MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS, and its Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach for working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.

Advertisement: What are your strengths as an engineer? "thinking system-wide", "providing in-depth analysis of the latest technologies", "solving real-life problems". Online Master's Degrees: Reliability Engineering, Project Management, Nuclear Engineering, Sustainable Energy, Energetic Concepts, Fire Protection Engineering. Learn more: www.advancedengineering.edu/issc


A Taxonomic Analysis on Chinese Special Equipments "Yinhuan" in Supervision
Yunxiao Fan, Dr, Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety in the worksite. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices, and automobiles. In recent years the rapid increase in the numbers and types of special equipment has put BSES under increasing stress in regulating it. As a government supervision organization, BSES tries to make the inspection tasks of the different supervision levels explicit and efficient, and to improve safety management performance from the viewpoint of risk. This research is the first task in a project which aims to identify yinhuans in special equipment supervision using a taxonomic approach, for further ranking of them through risk assessment. Based on nonconformity and the 4 elements in the accident causation model, this research defined yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. This research identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans across 8 types of special equipment.

Thursday, 08/15/13, PM, Dartmouth: Hazard/Risk Management II (Chair: Kniess)

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1); Patrick J Graydon, PhD (2); Rikard Land, PhD (1). (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework including analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach, the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence; it can ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA
United Launch Alliance (ULA) believes error reporting is the corner-stone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented, and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012 ULA experienced an elevated number of transportation-related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if the associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates processes were "in control" during the period of this study.

Even though statistical analysis tools demonstrated ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.

Advertisement: Isograph Software, world leading reliability, availability and maintenance software. Reliability Workbench: reliability allocation, prediction, FMECA, fault tree analysis, event tree analysis, Markov. Availability Workbench: reduce labor & spares costs, increase uptime and output, seamless integration with SAP and Maximo. www.isograph-software.com

Leading Indicators in Aviation Operations
Robert W Fletcher, PMP, PEng, MSc, Robert Fletcher System Safety Inc, Ottawa, ON, Canada; Ioannis M Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece
Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how STAMP-Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents, and incidents. The objective is to show the feasibility of establishing in airports system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems, and airports to assess and predict changing levels of risk.

Special Functions

Saturday
SSS Executive Council Meeting, 12:00 - 5:00pm, Tremont Room

Sunday
SSS Executive Council Meeting, 8:00am - 5:00pm, Tremont Room

Monday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Opening Ceremonies / General Session, 1:30 - 3:30am, Salons A-E. 50th Celebration Speaker: Rex B Gordon, MPH, PE, CSP, Fellow, Member Emeritus. Keynote Speaker: James P Keller Jr, MS, ECRI Institute

Tuesday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Sponsor/Exhibitor Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr Nancy Leveson, Massachusetts Institute of Technology
Sponsor & Exhibitor Reception, 6:30 - 8:30pm, Gloucester Room

Wednesday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
International Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr John McDermid, The University of York, UK
Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00pm. Be in the hotel lobby at 6:00pm

Thursday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Awards Luncheon, 11:30 - 1:20pm, Salons A-E

Friday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Best Papers Presentations, 8:00 - 11:20am, Dartmouth Room

32nd International System Safety Conference, 4-8 August 2014 · St Louis, MO
St Louis Union Station Marriott Hotel
Gateway to Safety

Local attractions: Gateway Arch Riverfront · Missouri History Museum · Museum of Transportation · St Louis Cardinals · St Louis Symphony · St Louis Union Station · St Louis Science Center · The Contemporary Art Museum St Louis · Bissell Mansion Restaurant and Dinner Theater · Missouri Botanical Gardens · Laumeier Sculpture Park · Anheuser-Busch Brewery · Kemp Auto Museum · Schlafly Bottleworks · Fox Theater · Purina Farms · Meramec Caverns · Laclede's Landing · City Museum · Magic House · Grant's Farm · St Louis Zoo · Delmar Loop · Forest Park · Harrah's · Six Flags

About the System Safety Society
The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products, and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program, or activity at the planning phase and continues through the design, production, testing, use, and disposal phases.

The Society's Objectives
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering, and other professional groups

System Safety Society Inc, PO Box 70, Unionville, VA 22567-0070, www.system-safety.org, email: systemsafety@system-safety.org

Points of Contact

Officers
Robert Schmedake, President, robertaschmedake@boeing.com
Dr Rod Simmons, Executive Vice President, rodsimmons@me.com
Dr Matt Johnson, Executive Secretary, mjohnson@staudertech.com
Pam Kniess, Treasurer, pamkniess@gmail.com
Gary Braman, Immediate Past President, gbraman@sikorsky.com

Directors
Gerry Einarsson, Chapter Services, einargk@rogers.com
Lynece Pfledderer, Conferences, Lynecepfledderer@lmco.com
Dr Chuck Muniak, Education & Professional Development, cmuniak@stevens.edu
Debbie Hale, Gov & Intersociety, Hale0324@hotmail.com
Robert Fletcher, International Development, rwfletcher@sympatico.ca
Melissa Emery, Member Services, memery@apt-research.com
Steve Mattern, Mentoring R&D, smattern@bastiontechnologies.com
Saralyn Dwyer, Publicity & Media, sdwyer@apt-research.com


Chapters
Tennessee Valley Chapter, AL: Don Swallom, swallom@isss-tvc.org
Saguaro Chapter, AZ: Amanda Boysun, 520-794-5487, AmandaBoysun@raytheon.com
Bay Area Chapter, CA: Graham Murray, 408-756-2674, grahamtmurray@lmco.com
Central California Chapter, CA: Kathleen Brenna, KathleenBrenna1@us.af.mil
Sierra High Desert Chapter, CA: Jerry Banister, 760-377-4690, safetycitadel@earthlink.net
Southern California Chapter, CA: Francis McDougall, 310-653-1309, francismcdougall@us.af.mil
Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppe@comcast.net
Georgia Chapter: Terry Gooch, 770-494-3527, terryjgooch@gmail.com
Winners Circle Chapter, KY/IN: Marc Bever, 812-854-1351, Marcbever@navy.mil
Twin Cities Chapter, MN: Bill Blake, 763-744-5086, billblake@atk.com
New England Chapter: Alan E Southwick, 401-842-2067, Alan_E_Southwick@raytheon.com
Northeast Chapter: Scott Beecher, scottbeecher@pw.utc.com
New Mexico Chapter, NM: William (Bill) Harwood, williamharwood@mda.mil
Houston Chapter, TX: Derek Robins, 281-335-2011, derekrobbins@mwcc-usa.com
North Texas Chapter, TX: Frank Rinaldo, 817-762-3075, frankrrinaldo@lmco.com
Washington DC Chapter: Sean Peters, seanpeters@urs.com
Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerber@baesystems.com

International Chapters
Australia Chapter: Dr Holger Becht, +61 (0)7 3868 9243, holgerbecht@rgbassurance.com.au
Canada Chapter: Maury Hill, 613-220-0533, Mauryhill@rogers.com
Israel Chapter: Haim Kuper, 972-4-8315044, haimkuper@elbitsystems.com
Singapore Chapter: Ten Lin Mei, tlinmei@dso.org.sg


31st ISSC Luncheon Menu

Tuesday, August 13
New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14
Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark, and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache, and Berry Sauce

Thursday, August 15
Caesar Salad
Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato Pesto Butter Sauce
White Chocolate and Blood Orange Torte


research has been performed on safety issues related to chef's uniforms regarding thermal protective performance against common kitchen thermal hazards (i.e., flames, hot liquids, steam, and hot surfaces) and thermal comfort within commercial kitchens. The purpose of this research was to characterize the thermal protective performance properties of textiles used in chef's uniforms in order to understand how protective they are against all these thermal hazards in such an environment. Selected thermal performance tests (i.e., flammability and ease of ignition, hot water and oil splash and steam testing under low pressure, and hot surface contact tests) were applied to predict the time to second-degree burn. Different fabric layer combinations (e.g., impermeable/semipermeable apron and two or more layers of cotton fabrics) were applied to determine the most effective way to wear chef's uniforms. In addition, thermal and water vapour resistance were compared among different fabric systems in terms of thermal comfort. Based on the data obtained from bench scale tests, recommendations were made to improve the thermal protection and thermal comfort of fabrics used in chef's uniforms and the safety within commercial kitchens.

A Roadmap for Future Noise Control in Acquisition: Acoustical Engineering Controls and Estimated Return on Investment for DOD Selected High Noise Sources
Ray Fischer (1); Kurt Yankaskas, BS (2); Chris Page (1). (1) Noise Control Engineering Inc, Billerica, MA, USA; (2) Warfighter Performance Department, Office of Naval Research, Arlington, VA, USA
Noise remains the most prevalent occupational hazard associated with defense systems and the operations critical to their sustainment. Concurrently, acquisition programs have been inconsistent in the application of control measures, and many new systems are noisier than their legacy predecessors. Common impediments to improved control include a relative lack of emphasis on risk management of noise, a lack of widespread technical knowledge regarding the feasibility of noise control, and misunderstanding of the potential return on investment from noise controls. The Defense Safety Oversight Council's Acquisition and Technology Task Force sponsored a project to identify common noise sources affecting multiple defense systems that were amenable to control measures that could be implemented using existing technologies at an affordable cost. A system engineering risk management process was applied to review key noise sources in DOD, identify nine of the more common sources amenable to control technologies, and describe common control measures for these processes. An affordable containment (acoustic enclosure) technology was also evaluated and described. Estimates were made of exposed populations, the range of their occupational exposures, and the potential risk and fiscal cost of hearing loss. Cost-benefit analyses were applied to evaluate the return on investment from available control measures.

System Safety Design for Safe Operation of Radars
Ronald J Bartos, PE, CSP, Whole Life Engineering, Raytheon, Sudbury, MA, USA
Safe operation and maintenance of radars depends upon effective system safety and software safety analyses of radar designs. These analyses include identification of the hazards involved in operating and maintaining radars and the safety requirements that are necessary to mitigate these hazards. This paper familiarizes the reader with the system safety design requirements that are implemented in the controls of these systems in order to manage the potential safety risks inherent in radars. The safety features are contrasted among different types of radars. The differences in the types of safety features among these systems are highlighted, and factors for these differences are presented. The radar's mission, location, system architecture, conceptual design, and requirements allocation between hardware and software need to be understood in order to implement an effective safety program.

Tuesday, 08/13/13, PM, Berkeley: Software Engineering (Chair: Mikula)

Dependability Techniques Applied to Space Software - A Research Project Report
Carlos Henrique Netto Lahoz, Dr Eng, Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos (SP), Brazil; Martha Adriana Dias Abdala, MS, Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos, Brazil
This work reports some results of a research project performed at the Institute of Aeronautics and Space (IAE), Brazil, using dependability techniques applied to a space computer system. Hazard analysis techniques such as Software FTA and Software FMECA were used in an integrated manner, and more recently the System-Theoretic Process Analysis (STPA) has been studied. This research is part of the Verification and Validation (V&V) efforts to increase software dependability capability in software projects at IAE.

The feasibility of such an approach was conducted on a system software specification and applied to a case study based on the Brazilian Launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to the inclusion of new functional and non-functional system software.

The techniques are adjusted and used in combination to identify common causes of software failures, their criticality, performance problems, temporal misleading, and hazards arising mainly from dysfunctional interactions between components. The SFTA analysis produced 82 basic events and the SFMECA 34 analyses from the sequence of flight and control events. The STPA is being applied to one of the case study scenarios in order to evaluate possible additional information about how the behavioural safety constraints can be violated.

The Principles of Software Safety Assurance
Richard Hawkins, PhD; Ibrahim Habli, PhD; Tim Kelly, PhD; Department of Computer Science, University of York, York, United Kingdom
We present common principles of software safety assurance that can be observed from software safety standards and best practice. These principles are constant across domains and across projects and can be regarded as the immutable core of any software safety justification. The principles also help maintain understanding of the 'big picture' of software safety issues whilst examining and negotiating the detail of individual standards, and provide a reference model for cross-sector certification.


Formal Modelling in the Development of Dependable Systems
Elena Troubitsyna, PhD, IT, Åbo Akademi University, Turku, Finland
Nowadays we tend to place increasing reliance on computer-based systems and the software they are running. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, the analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.

It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing of software to the required degree of dependability infeasible, and hence the emphasis should be put on the development process, which is aimed at producing fault-free software. Moreover, the system environment has a direct impact on its dependability, and hence a systems approach should be applied.

In the paper we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.

Tuesday, 08/13/13, PM, Clarendon: Aerospace Safety (Chair: Kraemer)

Systems-Based Approach to Flight Safety Management in Airlines
Hong Chi, PhD; Baoguang Xu, PhD; Mingliang Qi, PhD; Xueyan Shao, PhD; Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China
Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of SMS. From 2006 we have worked with one of China's 3 big airlines, taking part in its construction of an SMS. We find that safety risks have their own features in different airline departments, and we divide safety risks into two categories: one is caused by factors such as the quality of pilots and the reliability of airplanes, and the other is caused by misprocessing in operational processes; for example, a misprocessing in data entry during dispatching may lead to insufficient fuel and then to serious outcomes. A reasonable risk assessment can be obtained only by systematic mechanism analysis, and other analytical approaches need to be studied besides the risk matrix. Based on this, effective risk mitigation can be implemented in airlines. We develop a closed loop to support an airline's flight safety management, named "Describing-Assessing-Diagnosing-Improving-Tracking". Specific details will be discussed in this paper.

Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch
Burak Durmaz, MSc Eng, Product Assurance Department, Space Systems Group, Turkish Aerospace Industries Inc (TAI), Ankara, Turkey
Even if the new generation of aircraft have rugged designs which maximize reliability, exposure to failures during operation is still unavoidable. With a pure safety approach one can arrive at the classical result "the safest aircraft is the one in the hangar". Vice versa, allowing dispatch without ensuring a certain level of safety can lead to catastrophic results and is totally unacceptable. The MMEL has been answering this dilemma for many years. Each MMEL item is analyzed taking into account the effects of item inoperability on safe flight and landing, crew workload, functional capabilities of the systems, design margins, and the impacts of the next critical failure. The MMEL proposes dispatch criteria for any inoperative MMEL item by taking credit from a redundant unit which is capable of accomplishing the same function, from backup data provided by alternative sources or equipment, or by dictating acceptable limitations and/or requiring operational or maintenance procedures.

This study aims to answer questions such as why an MMEL is required and how an MMEL is developed. Also, brief information about the MMEL regulations, the importance of the MMEL in ensuring safe dispatch with inoperative item(s), and some simple examples regarding MMEL applications are going to be provided.


Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics
Stuart Campbell Sr, MAS, CFII, ATP, Aeronautical Science, Embry Riddle Aeronautical University, Daytona Beach, FL, USA
The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilot Association, 2010). The absence of a positive safety culture in general aviation, including training organizations, affects pilot judgment and decision making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture during the learning process and training, is of importance and currently under study using the Frasca Mentor Advanced Aviation Training Device.

Tuesday, 08/13/13, PM, Dartmouth: Software Safety (Chair: Schmedake)

Safety and/vs Security: Towards a System Engineering Approach for Trust
Erwin Schoitsch, Dipl-Ing, Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria
Safety has a long tradition in many engineering disciplines, evolving long before computers arrived on the scene. Security in engineering disciplines has a shorter history, becoming increasingly important with the rising complexity of networked systems. In complex cyber-physical systems and systems-of-systems, both worlds, having ignored each other for a long time (independent communities, different targets, standards, techniques, and measures), now have to share their concerns to achieve the real goal of users and stakeholders: trustworthy systems.

The paper will compare the different approaches of the major safety and security standards, particularly with respect to setting goals, considering techniques and measures, and qualification/certification. Holistic system aspects, as covered by the notions of Dependability and Resilience as umbrella terms, and system engineering aspects taking into account dichotomic properties of complex embedded systems (commonalities and trade-offs) are looked at to try to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from the concept phase and hazard and risk analysis to decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC-FP7 Integrated Project OpenCoss, IEC/ISO standardization groups, and other work.

Anatomy of a Safety Critical Software Function
Richard Church, Raytheon Company, Tewksbury, Massachusetts, USA
This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides a clear and concise determination of how a safety critical function may be defined at the system level to include hardware, software, human interactions, and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose SLSCF computing level functions and details what constitutes a Safety Critical Computing Software Function (SCCSF) and how to identify those behavioral attributes that designate that function as safety critical. This paper provides a methodology to identify, decompose, and categorize application and operating environment SCCSFs. For the purpose of this paper, SCCSFs are categorized into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety critical software functions that control and monitor safety critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies, and fail-safe designs found in successful high consequence safety critical systems.

Software Risk: The Third Rail of Safety Analysis
Holly S Hildreth, PhD, Consultant; Charles Greg Elcock, USN-R Aviator, Consultant; San Diego, CA, USA
"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Due to our inability to assess probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called "throwing the baby out with the bath water". Meanwhile, the recent industry trend to assess software risk based solely on implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss shortcomings of this trend and describe alternative techniques that have not been openly documented but that have been used "under the radar" by software safety professionals for many years.

Wednesday, 08/14/13, AM, Berkeley: Human Factors (Chair: Robins)

ASL – Affective Safety Leadership
Ulrik Ramsing, Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark
Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how", demanding that the CoRep engage with all parties in a safe, professional, and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged with CfL Centre for Leadership to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, the satisfactory completion of which is now a requirement for employment in DONG E&P Offshore Operation as Company Representative.

The CoRep Program satisfies its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors, and ILO-driven offshore coaching.

Exxon Valdez: Human Error, Plain and Simple
Arthur D Barondes, BS (Mil Engr), MS (Aero), MBA, PhD (ABD) (Business), Analytics International Corporation (AIC), Alexandria, VA, USA
Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989, and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors (there were no mechanical or electrical failures that fateful night), the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots, and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors, onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company, as solely responsible for the disaster.


Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A. Vernacchia, MS, PE, Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A. Green, PhD, Active Safety Systems, General Motors, Warren, MI, USA; Robert E. Llaneras, PhD, Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA

Today's electric propulsion system designs (e.g., Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, some failure modes may result in the failure effect on output torque being realized significantly faster than with traditional ICE failure modes. These may present differences in how output torque responses impact potential "Driver Startle" events.

This paper compares electric propulsion systems' fault response characteristics, and the subsequent detection and mitigation capabilities, to those of ICE systems. The effects of the electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle-level hazard metrics related to Driver Startle, are presented.

Wednesday 08/14/13 AM, Clarendon: Public Safety, Chair: Fletcher

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD; Yun Luo; Shuo Tian, MS; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

Scientific precaution and effective control of accidents are important for national production in China. The famous Heinrich Rule reveals that the statistical law of the severity and frequency of accidents is essential to controlling accidents, but the accident source and causation, as well as the essence of systematic safety factors, have not been stated deeply. Through data analysis of various accident statistics over recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. A proportion rule of the accident pyramid is then further figured out, namely "Major Accidents - Fatal Accidents - General Accidents - Hidden Dangers - Hazards" (1 - 52 - 240 - 4700 - ∞). The result accords with the traditional Heinrich Rule, provides a theoretical basis for accident prevention, and indicates the way and direction toward realizing essential safety.

Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity
Ilya M. Zheleznov, PhD, VNIIA, Moscow, Russia

The paper presents a review and the results of an analysis of different technical and economic aspects of industrial safety at a large enterprise with distributed sites, combining R&D work with pilot and batch production of high-tech products, and located in a megacity, Moscow.

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to optimization are considered from both technical and economic points of view, taking into account minimization of the transportation of dangerous substances, localization of treatment facilities (waste effluents, gas purification) and waste storehouses, localization of systems for maintaining working conditions (heating, air conditioning, air cleaning, water supply, etc.), possible harm to the population, and a number of other factors.

The features connected with the location of the enterprise in a megacity are identified, including the limited areas available for treatment facilities, the high density of utility lines (communications) in the area, short distances to residential buildings and city infrastructure objects, transport problems, high pollution of the air environment, etc.

Program ISSC 2013


Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr. Professor G. A. Smirnov, Dr. D. I. Yurkov, D. V. Syagin, T. V. Kozhina, All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia

The paper reviews questions related to the vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including those of a terrorist orientation, as well as to emergency situations of natural and anthropogenic character.

The main provisions of the complex program for the safety of the population on transport, approved by the Russian Government, are presented. Approaches to organizing the screening of physical persons (passengers), vehicles, cargoes, luggage and personal belongings at transport infrastructure objects of Russian undergrounds are formulated. Some types of neutron and x-ray equipment for the detection of explosives, nuclear materials and drugs, designed and produced by VNIIA named after N. L. Duhov, are presented.

Wednesday 08/14/13 AM, Dartmouth: Lifecycle Safety, Chair: Swallom

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore, Singapore

System safety analyses assess the system's hazards throughout all phases of the system life cycle. Quite often, details of maintenance tasks on systems are not clearly thought out and assessed. Hence, while system maintenance tasks are being carried out, hazards could arise and pose safety implications for users. Improper maintenance could also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance, and sometimes total replacement of the components at regular intervals, are required. Therefore it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety-critical or safety-related parts is also crucial in ensuring that the systems remain safe for operation after maintenance is conducted.

This paper attempts to classify the different types of maintenance and the focus of their respective hazard analyses in order to better address their potential hazards. Generally there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance and Reliability-Centered Maintenance. The authors discuss, with examples, the hazard analysis for each of these types of maintenance.

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram, David Hartfelder, Electronic Controls and Software, General Motors Company, Milford, MI, USA

System safety engineering is the application of special technical methods and managerial processes, in a systematic manner, to identify, evaluate and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned with eliminating or minimizing the impact of system hazard(s) to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementary critical safety analyses, tests and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase and continuing through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that they are able to influence the design of the system. This paper defines a system safety case and provides an overview of its development within the GM system safety engineering process as applied to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA

Error Prevention Event Collection (EPEC) Documents have benefited the ULA organization in many ways, by providing multiple methods to augment current ULA Error Prevention Processes and by sharing Lessons Learned throughout the ULA organization. EPEC Documents are stand-alone documents that provide ULA personnel with categorized sets of Event information that can be used to augment the Preventive Analysis, Reactive Analysis and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process, meaning that they have completed the Causal Analysis, Corrective Action Board and Error Prevention Council processes. Upon Event closure, the "All Items" Database is populated with the Event information and the applicable Event EPEC Categories. The "All Items" Database then automatically sorts Event entries into "Category" Databases; there is one "Category" Database for each EPEC Category. Each "Category" Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" Database that provides users with instructions for use, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications and benefits related to the EPEC Documents will continue to be explored.

Wednesday 08/14/13 AM, Exeter: Human Factors II, Chair: Flint

Development of Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy; Yanyan Wang, DE; Xin Liu; Wei Bai; Xinsheng Guo; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China

Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress has a disadvantageous effect on flight safety. Life events are a routine item of aircraft accident investigation in many countries, and many pilots involved in accidents were suffering from life events. To achieve the desired effect, flight safety education must be integrated with psychology. An education program combining flight safety and psychological stress was developed by summarizing the psychological factors relevant to aviation risk perception. The program includes three sections: psychological measurement relevant to safety with feedback of the results, education on representative risk scenes in aviation, and occupational stress management. The Aviation Safety Locus of Control scale and the Hazardous Aviation Attitude questionnaire were used to evaluate risk patterns. The results were fed back to pilots to improve their self-knowledge. Representative risk scenes were based on the five hazardous attitudes theory; fifteen cases were developed and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach pilots stress management skills. The program can be applied to improve flight safety and the mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD; Xin Liu; Wei Bai; Xinsheng Guo; Qingfeng Liu, MPsy; Xiaochao Guo, DPsy; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China

The capabilities of crew resource management (CRM) directly relate to flight safety and run through the whole process of flight tasks, but there are currently no indicators and methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and the pilot's behavior characteristics in dynamic CRM were developed based on AC-121-FS-2011-41 (crew resource management training) and by analyzing the influential factors; from these, the dynamic assessment and training indicators and methods for crew resource management were formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis for assessment of CRM during flight training, which is helpful for improving the CRM capabilities of the double drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD; Erin Collins; Hughes Associates, Inc., Baltimore, MD, USA

The fire protection response in selected facilities is characterized by "manual" activities. That is, facility personnel are trained to react immediately after fire detection, not only to announce the fire event throughout the facility using the communication systems, but also to suppress the fire as quickly as possible. Contrary to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e., hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper integrates an event tree analysis with HRA, which includes treatment of the following detection and suppression activities: prompt detection and suppression, rapid detection and suppression, and fire brigade suppression.

Wednesday 08/14/13 PM, Berkeley: Safety Topics, Chair: Gauthier

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou, BEng, MSc, PhD, CEng; Matthew Luckcuck; Tim Kelly, PhD; Richard W. Jones, PhD; Department of Computer Science, University of York, York, United Kingdom

There has been increasing use of IT in healthcare, aiming to improve the quality of healthcare as well as the safety delivered to patients. IT can contribute to improving hospitals' performance against their targets by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent in medical devices (e.g., pacemakers), for which there are organised efforts toward international standards. Recently there have been attempts to systematise and standardise the safety analysis of health IT systems, with examples such as the UK National Health Service standards asking for a safety case demonstrating that any IT systems are safe.


The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety and data-intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these tactics can be used to provide assurance to the final safety case of the system.

How Complex Systems Fail - I: Decomposition of the Failure Histogram
Richard R. Zito, PhD, Richard R. Zito Research LLC, Tucson, AZ, USA

Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that in general the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model, and the failure histograms (failure rate vs. time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report takes the Peterson/Arellano analysis one step further. A unified theory of failure rates is presented that removes the paradoxes of the simple Rayleigh model. It is shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function law.
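As an added illustration of the thesis in this abstract (example code, not from the paper), the Python below builds a composite of four Rayleigh failure laws whose modes are spread over a range, and compares its failure histogram and tail mass with the single Rayleigh an analyst would fit using the same average mode; the component weights and mode values are constructed.

```python
"""Composite of several Rayleigh failure-rate laws (one per subsystem) versus
the single Rayleigh fit with the same average mode.

Rayleigh law with mode sigma:   f(t) = (t / sigma^2) exp(-t^2 / (2 sigma^2))
Survival (not yet failed by t):  S(t) = exp(-t^2 / (2 sigma^2))
Composite survival: S_mix(t) = sum_i w_i S_i(t), which decays like its slowest
component, so the composite tail is heavier than the single-Rayleigh fit.
"""
import math


def rayleigh_pdf(t, sigma):
    """Rayleigh density; the peak of the failure histogram is at t = sigma."""
    return (t / (sigma * sigma)) * math.exp(-t * t / (2.0 * sigma * sigma))


def rayleigh_survival(t, sigma):
    """Probability that a Rayleigh-distributed failure time exceeds t."""
    return math.exp(-t * t / (2.0 * sigma * sigma))


def mixture_pdf(t, components):
    """Composite density; components is a list of (weight, mode) pairs."""
    return sum(w * rayleigh_pdf(t, s) for w, s in components)


def mixture_survival(t, components):
    """Composite survival function of the subsystem mixture."""
    return sum(w * rayleigh_survival(t, s) for w, s in components)


def mean_mode(components):
    """Weighted average mode, i.e. the single Rayleigh an analyst would fit."""
    return sum(w * s for w, s in components)


def failure_histogram(survival, t_max, n_bins):
    """Expected fraction of failures per equal-width bin on [0, t_max],
    computed as S(t_k) - S(t_k+1) so that the bins sum to 1 - S(t_max)."""
    dt = t_max / n_bins
    return [survival(k * dt) - survival((k + 1) * dt) for k in range(n_bins)]


def tail_excess(t, components):
    """Ratio of composite tail mass to single-Rayleigh tail mass at time t.
    Values well above 1 are the tail discrepancy the Rayleigh fit misses."""
    return mixture_survival(t, components) / rayleigh_survival(t, mean_mode(components))


def tail_crossover_time(components, t_max, n_bins):
    """Time after which every remaining histogram bin of the composite exceeds
    the single-Rayleigh fit, i.e. where the fitted model under-predicts."""
    dt = t_max / n_bins
    mix = failure_histogram(lambda t: mixture_survival(t, components), t_max, n_bins)
    fit = failure_histogram(lambda t: rayleigh_survival(t, mean_mode(components)), t_max, n_bins)
    last_under = max(k for k in range(n_bins) if fit[k] >= mix[k])
    return (last_under + 1) * dt


# Constructed subsystem set: (weight, mode) in arbitrary time units.  The
# spread of mode values stands in for the paper's mode-value distribution.
COMPONENTS = [(0.4, 4.0), (0.3, 6.0), (0.2, 9.0), (0.1, 14.0)]

if __name__ == "__main__":
    t_max, n_bins = 40.0, 400
    print("fitted single Rayleigh mode:", mean_mode(COMPONENTS))
    print("composite exceeds the fit from t =",
          round(tail_crossover_time(COMPONENTS, t_max, n_bins), 1))
    for t in (10.0, 20.0, 30.0):
        print(f"t={t:4.0f}  composite/fit tail mass = {tail_excess(t, COMPONENTS):8.1f}")
```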

Wednesday 08/14/13 PM, Clarendon: Risk Assessment, Chair: Karedes

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt; Joan Pham, PhD; Sikorsky Aircraft Corporation, Stratford, Connecticut, USA

The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and their interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday 08/15/13 AM, Berkeley: Space Systems, Chair: Durmaz

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X. Dang, BSCE (1); Myles P. Moran, BSME (2); Tyrone Jackson, BSEE (1); (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA

A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. As an example, one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 AFSPCSUP1, 91-217 and 63-101. AF program offices are required to comply with AFI policies; AFIs don't generally apply to the contractor except as implemented through the contract. Often program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that, by having two sets of requirements (AFIs for program offices and tailored MIL-STD-882 for contractors), full compliance with AF Orbital Safety policy should be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"


Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G. McDougall, BS Physics, Naval Post-Graduate School (NPS) Master System Engineering, System Safety Center SMC/SE, El Segundo, CA, USA; Tyrone Jackson, BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA

Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommissioning and disposal of systems, subsystems, end items and services during the entire space system lifecycle, to support Operational Safety, Suitability and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements applicable to the acquisition of space systems or space systems of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems and user equipment systems. The SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP_I and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process for evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing the tasks and activities required to execute a viable system safety program, which include risk acceptance package development, hazard tracking, mishap risk disposition and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch, CO, USA

United Launch Alliance launches Atlas V and Delta IV from the Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles, and large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle and prelaunch operations, until liftoff. Range Safety regulations provide safety requirements for hardware, software and operations to ensure safety throughout ground processing. This paper examines each stage of ground processing for a space launch and the applicable safety requirements, and discusses how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after personnel are cleared, using safety-critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday 08/15/13 AM, Clarendon: Weapons Safety, Chair: Southwick

Security Critical Software: the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S. Alborzi, PhD, Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA

Today's political landscape, the arbitrary abandonment of nuclear non-proliferation by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense of system safety. This paper explores this integration and unveils some of the security-critical software that can serve as the first line of defense for preserving the safety-critical features of our weapons systems.


Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams, BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello, BSChE, Navy NOSSA, Indian Head, MD, USA

The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance provided in the associated AOP-7 and AOP-39 for implementing policy. Questions are often raised during program development and reviews as to the origin and applicability of the tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, addresses only Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE; Gunendran Sivapragasam, MBA SE; Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA

A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among the characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday 08/15/13 AM, Dartmouth: Hazard Identification, Chair: Oliver

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore

We often ask ourselves why accidents or mishaps happen even when the system safety methodology and assessments are in place. Accidents happen due to many possible causes: there could be lapses in the safety integrity of the system, a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns whereby a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practice of system safety. Four areas of concern are highlighted in the paper: Interfaces, Prototype Tests & Trials, Maintenance & Disposal, and Human Error. By identifying the gaps in these four areas, the author explores and proposes mitigation measures that could close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr. Cand. scient., System Safety, SINTEF, Trondheim, Norway

Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body (for certification according to IEC 61508), a Notified Body (for certification according to the relevant EU directives), and a Manufacturer.

Experience has shown that, to deliver the product on time and cost-effectively, it is very important that the Manufacturer and the Certification and Notified Bodies agree on basic principles concerning the plans, contents, traceability and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Bodies as evidence.

This paper presents the CoVeR method, developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, that costs are minimized, that time to market is reduced, that the certification process is complete and well documented, and that updating the certificates requires less work. The certification experience to date shows that many of the problems with conventional methods are alleviated.

Design with Safety Eye
Barış Berk Erdem, MS; Pinar Aydin, MS; Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey

Deriving safety requirements in the early stages of design is one of the most important key factors in conducting a successful development process for any project. Whereas well-defined, correct, consistent and complete safety requirements improve and guide the design to perfection with minimum effort, defective, inconsistent and incorrect safety requirements may lead to unsuccessful, overweight and over-cost designs. In this paper, ways of deriving qualified safety requirements in the early stages of design, and their advantages, are discussed via examples. Safety requirements are derived using the results of safety assessments based on the consequences of functional failures. But the quality of safety assessments depends on the maturity of the design, and as the design matures it becomes hard to change it and implement the changes; this causes a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated and familiar with similar projects provides great contributions. Also, a safety perspective throughout the design team makes it easy to derive valuable safety requirements and build these requirements into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is cooperation of the whole design team with a safety perspective.

Thursday 08/15/13 PM, Berkeley: Aerospace Software, Chair: Beecher

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway, NASA Langley Research Center, Hampton, VA, USA

For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements." Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments contained in or implied by the DO-178C guidance that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels and Baconian probability. We define use cases for confidence in safety cases, prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for reuse of safety elements.

Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System
Eric Yang, PhD; Richard Y. Xie, PhD; Arash Yousefi, PhD; Metron Aviation, Inc., Dulles, VA, USA

As demand for military, civilian and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety that is set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper, we adapt a previously developed safety modeling framework, Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS, incompatibility of sense-and-avoid systems of UAS and Tactical Collision Avoidance Systems (TCAS) of manned aircraft, loss-link procedures in the UAS, and UAS loss of communication with air traffic control. The findings of this study provide insight into potential risks of UAS integration and may support development of a concept of operations, establishment of minimum performance standards, and development of required safety nets.

Thursday, 08/15/13, PM, Clarendon: Public Safety II (Chair: Laabs)

Integrating System Safety and Emergency Management
Terry L. Hardy, Great Circle Analytics, LLC, Denver, CO, USA

System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations, or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS, HSE, Marine Well Containment Company, Houston, TX, USA

Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess and Statoil. In February 2011, MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS, and the Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach for working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.

WHAT ARE YOUR STRENGTHS AS AN ENGINEER?

"thinking system-wide" / "providing in-depth analysis of the latest technologies" / "solving real-life problems"

ONLINE MASTER'S DEGREES
- RELIABILITY ENGINEERING
- PROJECT MANAGEMENT
- NUCLEAR ENGINEERING
- SUSTAINABLE ENERGY
- ENERGETIC CONCEPTS
- FIRE PROTECTION ENGINEERING

LEARN MORE: wwwadvancedengineeringeduissc


A Taxonomic Analysis on Chinese Special Equipments "Yinhuan" in Supervision
Yunxiao Fan, Dr., Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety at the worksite. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices and automobiles. In recent years, the rapid increase in the number and types of special equipment has placed increasing stress on BSES in regulating it. As the government supervision organization, BSES tries to make the inspection tasks of the different supervision levels explicit and efficient and to improve safety management performance from the viewpoint of risk. This research is the first task in a project which aims to identify yinhuans in special equipment supervision through a taxonomic approach, for further ranking through risk assessment. Based on nonconformity and the four elements of the accident causation model, this research defined yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. This research identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans across 8 types of special equipment.

Thursday, 08/15/13, PM, Dartmouth: Hazard/Risk Management II (Chair: Kniess)

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1); Patrick J. Graydon, PhD (2); Rikard Land, PhD (1); (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework including analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach, the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence; it can ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA

United Launch Alliance (ULA) believes error reporting is the corner-stone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012, ULA experienced an elevated number of transportation-related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates processes were "in control" during the period of this study.


Isograph Software: World Leading Reliability, Availability and Maintenance Software

Reliability Workbench: Reliability Allocation, Prediction, FMECA, Fault Tree Analysis, Event Tree Analysis, Markov

Availability Workbench: Reduce Labor & Spares Costs; Increase uptime and output; Seamless integration with SAP and Maximo

www.isograph-software.com

Even though statistical analysis tools demonstrated ULA's processes were "in control," ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, PEng, MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece

Since September 11, 2001, system safety and security has been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how the STAMP Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents and incidents. The objective is to show the feasibility of establishing in airports system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems and airports to assess and predict changing levels of risk.


SPECIAL FUNCTIONS

Saturday
SSS Executive Council Meeting, 12:00 - 5:00 pm, Tremont Room

Sunday
SSS Executive Council Meeting, 8:00 am - 5:00 pm, Tremont Room

Monday
Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
Opening Ceremonies / General Session, 1:30 - 3:30 am, Salons A-E. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus
Keynote Speaker: James P. Keller, Jr., MS, ECRI Institute

Tuesday
Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
Sponsor/Exhibitor Luncheon, 11:30 am - 1:20 pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology
Sponsor & Exhibitor Reception, 6:30 - 8:30 pm, Gloucester Room

Wednesday
Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
International Luncheon, 11:30 am - 1:20 pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK
Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00 pm. Be in the hotel lobby at 6:00 pm.

Thursday
Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
Awards Luncheon, 11:30 - 1:20 pm, Salons A-E

Friday
Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
Best Papers Presentations, 8:00 - 11:20 am, Dartmouth Room


32nd International System Safety Conference, 4-8 August 2014 · St. Louis, MO
St. Louis Union Station Marriott Hotel
Gateway to Safety

Local attractions: Gateway Arch Riverfront • Missouri History Museum • Museum of Transportation • St. Louis Cardinals • St. Louis Symphony • St. Louis Union Station • St. Louis Science Center • The Contemporary Art Museum St. Louis • Bissell Mansion Restaurant and Dinner Theater • Missouri Botanical Gardens • Laumeier Sculpture Park • Anheuser-Busch Brewery • Kemp Auto Museum • Schlafly Bottleworks • Fox Theater • Purina Farms • Meramec Caverns • Laclede's Landing • City Museum • Magic House • Grant's Farm • St. Louis Zoo • Delmar Loop • Forrest Park • Harrah's • Six Flags


ABOUT THE SYSTEM SAFETY SOCIETY

The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program or activity at the planning phase and continues through the design, production, testing, use and disposal phases.

The Society's Objectives:
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070
www.system-safety.org, email: systemsafety@system-safety.org

POINTS OF CONTACT

Officers:
Robert Schmedake, President, robertaschmedakeboeingcom
Dr. Rod Simmons, Executive Vice President, rodsimmonsmecom
Dr. Matt Johnson, Executive Secretary, mjohnsonstaudertechcom
Pam Kniess, Treasurer, pamkniessgmailcom
Gary Braman, Immediate Past President, gbramansikorskycom

Directors:
Gerry Einarsson, Chapter Services, einargkrogerscom
Lynece Pfledderer, Conferences, Lynecepfleddererlmcocom
Dr. Chuck Muniak, Education & Professional Development, cmuniakstevensedu
Debbie Hale, Gov. & Intersociety, Hale0324hotmailcom
Robert Fletcher, International Development, rwfletchersympaticoca
Melissa Emery, Member Services, memeryapt-researchcom
Steve Mattern, Mentoring, R&D, smatternbastiontechnologiescom
Saralyn Dwyer, Publicity & Media, sdwyerapt-researchcom


CHAPTERS

Tennessee Valley Chapter (AL): Don Swallom, swallomisss-tvcorg
Saguaro Chapter (AZ): Amanda Boysun, 520-794-5487, AmandaBoysunraytheoncom
Bay Area Chapter (CA): Graham Murray, 408-756-2674, grahamtmurraylmcocom
Central California Chapter (CA): Kathleen Brenna, KathleenBrenna1usafmil
Sierra High Desert Chapter (CA): Jerry Banister, 760-377-4690, safetycitadelearthlinknet
Southern California Chapter (CA): Francis McDougall, 310-653-1309, francismcdougallusafmil
Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppecomcastnet
Georgia Chapter: Terry Gooch, 770-494-3527, terryjgoochgmailcom
Winners Circle Chapter (KY/IN): Marc Bever, 812-854-1351, Marcbevernavymil
Twin Cities Chapter (MN): Bill Blake, 763-744-5086, billblakeatkcom
New England Chapter: Alan E. Southwick, 401-842-2067, Alan_E_Southwickraytheoncom
Northeast Chapter: Scott Beecher, scottbeecherPWutccom
New Mexico Chapter (NM): William (Bill) Harwood, williamharwoodmdamil
Houston Chapter (TX): Derek Robins, 281-335-2011, derekrobbinsmwcc-usacom
North Texas Chapter (TX): Frank Rinaldo, 817-762-3075, frankrrinaldolmcocom
Washington DC Chapter: Sean Peters, seanpetersurscom
Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerberbaesystemscom

International Chapters:
Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbechtrgbassurancecomau
Canada Chapter: Maury Hill, 613-220-0533, Mauryhillrogerscom
Israel Chapter: Haim Kuper, 972-4-8315044, haimkuperelbitsystemscom
Singapore Chapter: Ten Lin Mei, tlinmeidsoorgsg


31ST ISSC LUNCHEON MENU

Tuesday, August 13
New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14
Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15
Caesar Salad
Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce
White Chocolate and Blood Orange Torte


technologies at an affordable cost. A system engineering risk management process was applied to review key noise sources in DOD, identify nine of the more common sources amenable to control technologies, and describe common control measures for these processes. An affordable containment (acoustic enclosure) technology was also evaluated and described. Estimates were made of exposed populations, the range of their occupational exposures, and the potential risk and fiscal cost of hearing loss. Cost-benefit analyses were applied to evaluate the return on investment from available control measures.

System Safety Design for Safe Operation of Radars
Ronald J. Bartos, PE, CSP, Whole Life Engineering, Raytheon, Sudbury, MA, USA

Safe operation and maintenance of radars depends upon effective system safety and software safety analyses of radar designs. These analyses include identification of the hazards involved in operating and maintaining radars and the safety requirements that are necessary to mitigate these hazards. This paper familiarizes the reader with the system safety design requirements that are implemented in the controls of these systems in order to manage the potential safety risks inherent in radars. The safety features are contrasted among different types of radars. The differences in the types of safety features among these systems are highlighted, and factors for these differences are presented. The radar's mission, location, system architecture, conceptual design, and requirements allocation between hardware and software need to be understood in order to implement an effective safety program.

Tuesday, 08/13/13, PM, Berkley: Software Engineering (Chair: Mikula)

Dependability Techniques Applied to Space Software - A Research Project Report
Carlos Henrique Netto Lahoz, Dr. Eng., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos (SP), Brazil; Martha Adriana Dias Abdala, M.S., Electronic Division, Institute of Aeronautics and Space (IAE), São José dos Campos, Brazil

This work reports some results of a research project performed at the Institute of Aeronautics and Space (IAE), Brazil, using dependability techniques applied to a space computer system. Hazard analysis techniques such as Software FTA and Software FMECA were used in an integrated manner, and more recently the System-Theoretic Process Analysis (STPA) has been studied. This research is part of the Verification and Validation (V&V) efforts to increase software dependability capability in software projects at IAE.

The feasibility of such an approach was assessed on a system software specification and applied to a case study based on the Brazilian Launcher (VLS). The main goal is to identify possible failure causes and obtain compensating provisions that lead to the inclusion of new functional and non-functional system software requirements.

The techniques are adjusted and used in combination to identify common causes of software failures, their criticality, performance problems, temporal misleading, and hazards arising mainly from dysfunctional interactions between components. The SFTA analysis produced 82 basic events and the SFMECA 34 analyses from the sequence of flight and control events. The STPA is being applied to one of the case study scenarios in order to evaluate possible additional information about how the behavioural safety constraints can be violated.

The Principles of Software Safety Assurance
Richard Hawkins, PhD; Ibrahim Habli, PhD; Tim Kelly, PhD; Department of Computer Science, University of York, York, United Kingdom

We present common principles of software safety assurance that can be observed from software safety standards and best practice. These principles are constant across domains and across projects, and can be regarded as the immutable core of any software safety justification. The principles also help maintain understanding of the 'big picture' of software safety issues whilst examining and negotiating the detail of individual standards, and provide a reference model for cross-sector certification.


Formal Modelling in the Development of Dependable Systems
Elena Troubitsyna, PhD, IT, Åbo Akademi University, Turku, Finland

Nowadays we tend to place increasing reliance on computer-based systems and the software they are running. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, the analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.

It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing of software to the required degree of dependability infeasible, and hence the emphasis should be put on a development process which is aimed at producing fault-free software. Moreover, the system environment has a direct impact on its dependability, and hence a systems approach should be applied.

In the paper, we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.

Tuesday, 08/13/13, PM, Clarendon: Aerospace Safety (Chair: Kraemer)

Systems-Based Approach to Flight Safety Management in Airlines
Hong Chi, PhD; Baoguang Xu, PhD; Mingliang Qi, PhD; Xueyan Shao, PhD; Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China

Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of SMS. Since 2006 we have worked with one of China's 3 big airlines, taking part in its construction of SMS. We find that safety risks have their own features in different airline departments, and divide safety risks into two categories: one is caused by factors such as quality of pilots and reliability of airplanes, and the other is caused by misprocessing within operational processes; for example, a misprocessing in data entry during dispatching may lead to insufficient fuel and then serious outcomes. A reasonable risk assessment can be obtained only by systematic mechanism analysis, and other analytical approaches need to be studied besides the risk matrix. Based on this, effective risk mitigation can be implemented in airlines. We develop a closed loop to support the airline's flight safety management, named "Describing-Assessing-Diagnosing-Improving-Tracking." Specific details will be discussed in this paper.

Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch
Burak Durmaz, MSc Eng., Product Assurance Department, Space Systems Group, Turkish Aerospace Industries, Inc. (TAI), Ankara, Turkey

Even if new-generation aircraft have rugged designs which maximize reliability, exposure to failures during operation is still inevitable. A pure safety approach can lead to the classical result: "the safest aircraft is the one in the hangar." Conversely, allowing dispatch without ensuring a certain level of safety can lead to catastrophic results and is totally unacceptable. The MMEL has been answering this dilemma for many years. Each MMEL item is analyzed taking into account the effects of item inoperability on safe flight and landing, crew workload, functional capabilities of the systems, design margins, and the impacts due to the next critical failure. The MMEL proposes dispatch criteria for any inoperative MMEL item by taking credit from a redundant unit which is capable of accomplishing the same function, from backup data provided by alternative sources or equipment, by dictating acceptable limitations, and/or by requiring operational or maintenance procedures.

This study aims to answer questions such as why an MMEL is required and how an MMEL is developed. Brief information about the MMEL regulations, the importance of the MMEL in ensuring safe dispatch with inoperative item(s), and some simple examples regarding MMEL applications will also be provided.


Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics
Stuart Campbell, Sr., MAS, CFII, ATP, Aeronautical Science, Embry Riddle Aeronautical University, Daytona Beach, FL, USA

The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilot Association, 2010). The absence of a positive safety culture in general aviation, to include training organizations, affects pilot judgment and decision making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture during the learning process and training, is of importance and currently under study using the Frasca Mentor Advance Aviation Training Device.

Tuesday, 08/13/13, PM, Dartmouth: Software Safety (Chair: Schmedake)

Safety and/vs. Security: Towards a System Engineering Approach for Trust
Erwin Schoitsch, Dipl.-Ing., Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria

Safety has a long tradition in many engineering disciplines, evolving long before computers arrived on the scene. Security in engineering disciplines has a shorter history, becoming increasingly important with the rising complexity of networked systems. In complex cyber-physical systems and systems-of-systems, both worlds, having ignored each other for a long time (independent communities, different targets, standards, techniques and measures), now have to share their concerns to achieve the real goal of users and stakeholders: trustworthy systems.

The paper will compare the different approaches of the major safety and security standards, particularly with respect to setting goals, considering techniques and measures, and qualification/certification. Holistic system aspects, as covered by the notion of Dependability and Resilience as umbrella terms, and system engineering aspects taking into account dichotomic properties of complex embedded systems (commonalities and trade-offs) are looked at to try to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from concept phase, hazard and risk analysis to decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC-FP7 Integrated Project OpenCoss, IEC/ISO standardization groups, and other work.

Anatomy of a Safety Critical Software Function
Richard Church, Raytheon Company, Tewksbury, Massachusetts, USA

This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides a clear and concise determination of how a safety critical function may be defined at the system level to include hardware, software, human interactions and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose SLSCF computing level functions and details what constitutes a Safety Critical Computing Software Function (SCCSF) and how to identify those behavioral attributes that designate that function as safety critical. This paper provides a methodology to identify, decompose and categorize application and operating environment SCCSFs. For the purpose of this paper, SCCSFs are categorized into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety critical software functions that control and monitor safety critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies, and fail-safe designs found in successful high-consequence safety critical systems.

Software Risk: The Third Rail of Safety Analysis
Holly S. Hildreth, PhD, Consultant; Charles Greg Elcock, USN-R Aviator, Consultant; San Diego, CA, USA

"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Due to our inability to assess probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called "throwing the baby out with the bath water." Meanwhile, the recent industry trend to assess software risk based solely on implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss shortcomings of this trend and describe alternative techniques that have not been openly documented but that have been used "under the radar" by software safety professionals for many years.

Wednesday, 08/14/13, AM, Berkley: Human Factors (Chair: Robins)

ASL - Affective Safety Leadership
Ulrik Ramsing, Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark

Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how," demanding that the CoRep engage with all parties in a safe, professional and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged with CfL, Centre for Leadership, to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, of which satisfactory completion is now a requirement for employment in DONG E&P Offshore Operation as Company Representative.

The CoRep Program satisfies its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors, and ILO-driven offshore coaching.

Exxon Valdez: Human Error, Plain and Simple
Arthur D. Barondes, BS (Mil. Engr.), MS (Aero), MBA, PhD (ABD) (Business), Analytics International Corporation (AIC), Alexandria, VA, USA

Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989, and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors (there were no mechanical or electrical failures that fateful night), the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots, and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors, onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company, as solely responsible for the disaster.


Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A. Vernacchia, MS, PE, Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A. Green, PhD, Active Safety Systems, General Motors, Warren, MI, USA; Robert E. Llaneras, PhD, Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA
Today's electric propulsion system designs (e.g., Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, some failure modes may result in the failure effect on output torque being realized significantly faster than with traditional ICE failure modes. These may present differences in how output torque responses affect potential "Driver Startle" events.

This paper compares electric propulsion systems' fault response characteristics, and the subsequent detection and mitigation capabilities, to those of ICE systems. The effects of the electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle-level hazard metrics related to Driver Startle, are presented.

Wednesday, 08/14/13, AM, Clarendon: Public Safety (Chair: Fletcher)

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD; Yun Luo; Shuo Tian, MS; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
Scientific precaution and effective control of accidents are important for national production in China. The well-known Heinrich Rule reveals the statistical law of the severity and frequency of accidents, which is essential to controlling accidents, but the source and causation of accidents, as well as the essence of systematic safety factors, have not been stated in depth. Using data analysis of various accident statistics from recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. A proportion rule of the accident pyramid is then derived, namely "Major Accident : Fatal Accidents : General Accidents : Hidden Dangers : Hazards" (1 : 52 : 240 : 4700 : ∞). The result accords with the traditional Heinrich Rule, provides a theoretical basis for accident prevention, and indicates the way and direction for realizing essential safety.

Technical and Economic Aspects of Industrial Safety at a Large Enterprise with Distributed Sites Located in a Megacity
Ilya M. Zheleznov, PhD, VNIIA, Moscow, Russia
This paper presents a review and the results of an analysis of different technical and economic aspects of industrial safety at a large enterprise with distributed sites, combining R&D work with pilot and batch production of high-tech products, located in a megacity: Moscow.

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to optimization are considered from both technical and economic points of view, taking into account minimization of the transport of dangerous substances; location of treatment facilities (waste effluents, gas purification) and waste storehouses; location of the systems that maintain working conditions (heating, air conditioning, air cleaning, water supply, etc.); possible harm to the population; and a number of other factors.

The features connected with locating the enterprise in a megacity are identified, including limited areas for treatment facilities, a high density of utility lines in the area, short distances to residential buildings and city infrastructure, transport problems, high air pollution, etc.

ISSC 2013 Program


Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr. Professor G. A. Smirnov, Dr. D. I. Yurkov, D. V. Syagin, T. V. Kozhina, All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia
The paper reviews questions related to the vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including those of a terrorist nature, as well as to emergency situations of natural and anthropogenic character.

The main provisions of the complex program for safety of the population on transport, approved by the Russian Government, are presented. Approaches to organizing the screening of individuals (passengers), vehicles, cargoes, luggage, and personal belongings at transport infrastructure objects of Russian underground (metro) systems are formulated. Some types of neutron and X-ray equipment for detecting explosives, nuclear materials, and drugs, designed and produced by VNIIA named after N. L. Duhov, are presented.

Wednesday, 08/14/13, AM, Dartmouth: Lifecycle Safety (Chair: Swallom)

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore, Singapore
System safety analyses assess a system's hazards throughout all phases of the system life cycle. Quite often, details of maintenance tasks on systems are not clearly thought out and assessed. Hence, while system maintenance tasks are being carried out, hazards could arise and pose safety implications for users. Improper maintenance could also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance, and sometimes total replacement of the components at regular intervals, are required. Therefore it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety-critical or safety-related parts is also crucial in ensuring that the systems remain safe for operation after maintenance has been conducted.

This paper attempts to classify the different types of maintenance and the focus of their respective hazard analyses, in order to better address their potential hazards. Generally, there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance, and Reliability-Centered Maintenance. The author discusses, with examples, the hazard analysis for each of these types of maintenance.

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram, David Hartfelder, Electronic Controls and Software, General Motors Company, Milford, MI, USA
System safety engineering is the application of special technical methods and managerial processes, in a systematic manner, to identify, evaluate, and control potential hazards throughout the system life cycle of a product. It is concerned with eliminating system hazard(s) or reducing their impact to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementary safety-critical analyses, tests, and assessment activities are conducted iteratively throughout the development of the system, beginning at the concept phase and continuing through deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that they are able to influence the design of the system. This paper defines a system safety case and provides an overview of its development within the GM system safety engineering process as applied to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA
Error Prevention Event Collection (EPEC) Documents have benefited the ULA organization in many ways, by providing multiple methods to augment current ULA Error Prevention Processes and to share Lessons Learned throughout the organization. EPEC Documents are stand-alone documents that provide ULA personnel with categorized sets of Event information that can be used to augment the Preventive Analysis, Reactive Analysis, and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process, meaning that they have completed the Causal Analysis, Corrective Action Board, and Error Prevention Council processes. Upon Event closure, the "All Items" Database is populated with the Event information and the applicable EPEC Categories. The "All Items" Database then automatically sorts Event entries into "Category" Databases, one for each EPEC Category. Each "Category" Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" Database, providing users with instructions for use, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications, and benefits of the EPEC Documents will continue to be explored.

Wednesday, 08/14/13, AM, Exeter: Human Factors II (Chair: Flint)

Development of an Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy; Yanyan Wang, DE; Xin Liu; Wei Bai; Xinsheng Guo; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress is detrimental to flight safety. Life events are a routine item of aircraft accident investigation in many countries, and many pilots involved in accidents have suffered from life events. To achieve the desired effect, flight safety education must incorporate psychology. An education program combining flight safety and psychological stress was developed by summarizing the psychological factors relevant to aviation risk perception. The program includes three sections: psychological measurement relevant to safety with feedback of the results, education on representative risk scenarios in aviation, and occupational stress management. An aviation safety locus-of-control scale and a hazardous aviation attitude questionnaire were used to evaluate risk patterns, and the results were fed back to the pilots to improve their self-knowledge. The representative risk scenarios were based on the five hazardous attitudes theory; fifteen cases were developed, and the hazardous attitude pattern in each case was analyzed. In the occupational stress management section, life events and other stressors in aircraft accidents were analyzed to teach pilots stress management skills. The program can be applied to improve the flight safety and mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD; Xin Liu; Wei Bai; Xinsheng Guo; Qingfeng Liu, MPsy; Xiaochao Guo, DPsy; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
Crew resource management (CRM) capabilities relate directly to flight safety and run through the whole process of flight tasks, but there are currently no indicators or methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and the behavioral characteristics of pilots in dynamic CRM were developed, based on the AC-121-FS-2011-41 crew resource management training guidance and an analysis of the influencing factors; from these, the dynamic assessment training indicators and methods for crew resource management were formed. The reliability and effectiveness of the indicators and methods were validated through LOFT training in a simulator. The results can be used as a basis for assessing CRM during flight training, which helps improve the CRM capabilities of the two-pilot crew system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD; Erin Collins; Hughes Associates, Inc., Baltimore, MD, USA
The fire protection response in selected facilities is characterized by "manual" activities: facility personnel are trained to react immediately after fire detection, not only to announce the fire event throughout the facility using the communication systems but also to suppress the fire as quickly as possible. In contrast to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e., hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper integrates an event tree analysis with HRA and includes treatment of the following detection and suppression activities: prompt detection and suppression, rapid detection and suppression, and fire brigade suppression.
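As an added illustration, not code or data from the paper above, the following Python sketch shows how an event tree over the three manual stages the abstract names (prompt, rapid, fire brigade) can be combined with human error probabilities (HEPs) from an HRA. The tree structure, the initiating-event frequency, the HEP values and the dependence levels are assumptions chosen for the example; the conditional-HEP formulas are the THERP dependence adjustments (Swain and Guttmann, NUREG/CR-1278), which raise a later action's HEP when the same crew has just failed the preceding one.

```python
"""Event tree + HRA for manual fire detection and suppression.

Added example, not code from the paper. The stage order follows the abstract
(prompt, rapid, fire brigade); every numeric value below is an assumption.
"""
from dataclasses import dataclass

# THERP dependence adjustments (Swain & Guttmann, NUREG/CR-1278): the HEP of an
# action, conditional on failure of the preceding action by the same crew,
# is raised according to the assessed level of dependence.
DEPENDENCE = {
    "zero":     lambda hep: hep,
    "low":      lambda hep: (1.0 + 19.0 * hep) / 20.0,
    "moderate": lambda hep: (1.0 + 6.0 * hep) / 7.0,
    "high":     lambda hep: (1.0 + hep) / 2.0,
    "complete": lambda hep: 1.0,
}


@dataclass(frozen=True)
class ManualAction:
    name: str
    hep: float          # nominal human error probability (assumed value)
    dependence: str     # dependence on failure of the preceding stage


# Assumed event-tree stages; each is only reached if all earlier stages failed.
FIRE_RESPONSE = (
    ManualAction("prompt_detection_and_suppression", hep=0.05, dependence="zero"),
    ManualAction("rapid_detection_and_suppression",  hep=0.10, dependence="moderate"),
    ManualAction("fire_brigade_suppression",         hep=0.02, dependence="low"),
)


def evaluate_event_tree(fire_frequency, actions=FIRE_RESPONSE, apply_dependence=True):
    """Walk the tree left to right and return {end_state: frequency}.

    fire_frequency is the initiating-event frequency (e.g. fires per year);
    the returned end-state frequencies sum back to it.
    """
    end_states = {}
    reached = fire_frequency      # frequency with which this branch point is reached
    for i, action in enumerate(actions):
        hep = action.hep
        if apply_dependence and i > 0:
            hep = DEPENDENCE[action.dependence](hep)
        end_states["suppressed_by_" + action.name] = reached * (1.0 - hep)
        reached *= hep            # this stage failed: move on to the next one
    end_states["fire_not_suppressed"] = reached
    return end_states


def unsuppressed_fire_frequency(fire_frequency=1e-2, apply_dependence=True):
    """Frequency of the worst end state (all manual stages fail)."""
    tree = evaluate_event_tree(fire_frequency, apply_dependence=apply_dependence)
    return tree["fire_not_suppressed"]


if __name__ == "__main__":
    for dep in (False, True):
        print(f"dependence adjustment {'on' if dep else 'off'}:")
        for state, freq in evaluate_event_tree(1e-2, apply_dependence=dep).items():
            print(f"  {state:<44} {freq:.3e}")
```

With these assumed inputs, ignoring dependence gives an unsuppressed-fire frequency of 1e-6 per year, while the THERP adjustments raise it to about 7.9e-6; a factor of that size is what typically decides whether a scenario is flagged as needing improved detection or suppression capability.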

Wednesday, 08/14/13, PM, Berkeley: Safety Topics (Chair: Gauthier)

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou, BEng, MSc, PhD, CEng; Matthew Luckcuck; Tim Kelly, PhD; Richard W. Jones, PhD; Department of Computer Science, University of York, York, United Kingdom
There has been increasing use of IT in healthcare, aiming to improve the quality of healthcare as well as the safety delivered to patients. IT can contribute to meeting the performance targets of hospitals by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent for medical devices (e.g., pacemakers), for which there are organised efforts towards international standards. Recently there have been attempts to systematise and standardise the safety analysis of health IT systems, for example the UK National Health Service standards that require a safety case demonstrating that any IT system is safe.


The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety in data-intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these tactics can be used to provide assurance in the final safety case of the system.

How Complex Systems Fail, I: Decomposition of the Failure Histogram
Richard R. Zito, PhD, Richard R. Zito Research LLC, Tucson, AZ, USA
Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that in general the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model, and the failure histograms (failure rate vs. time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report takes the Peterson/Arellano analysis one step further. A unified theory of failure rates is presented that removes the paradoxes of the simple Rayleigh model. It is shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function.
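The following Python block is an added example, not code or data from the paper, that makes the abstract's central claim concrete: a system whose failures are the sum of several subsystems, each following a Rayleigh law with its own mode, has a failure histogram whose tail is much heavier than a single Rayleigh fitted to the same mean would predict. The three subsystem modes and weights are assumptions chosen for the illustration; the Rayleigh density, its mean (sigma times sqrt(pi/2)) and the inverse-CDF sampler are standard results.

```python
"""Mixture of per-subsystem Rayleigh failure-rate laws.

Added example, not from the paper. Subsystem modes and weights are assumed.
Demonstrates that the tail of a system's failure histogram is heavier than
any single Rayleigh fit would predict.
"""
import math
import random


def rayleigh_pdf(t, sigma):
    """Rayleigh density with mode sigma: f(t) = (t / sigma^2) exp(-t^2 / (2 sigma^2))."""
    if t < 0:
        return 0.0
    return (t / sigma ** 2) * math.exp(-t ** 2 / (2.0 * sigma ** 2))


# Assumed subsystems: (mode, weight). A weight is the fraction of all system
# failures attributable to that subsystem; the weights must sum to 1.
SUBSYSTEMS = ((1.0, 0.5), (2.0, 0.3), (5.0, 0.2))


def mixture_pdf(t, subsystems=SUBSYSTEMS):
    """Failure-time density of the whole system: weighted sum of subsystem Rayleighs."""
    return sum(w * rayleigh_pdf(t, s) for s, w in subsystems)


def equivalent_single_sigma(subsystems=SUBSYSTEMS):
    """Mode of the single Rayleigh that has the same mean as the mixture.

    The mean of Rayleigh(sigma) is sigma*sqrt(pi/2), so matching means gives
    sigma0 = sum(w_i * sigma_i); the sqrt(pi/2) factor cancels.
    """
    return sum(w * s for s, w in subsystems)


def tail_ratio(t, subsystems=SUBSYSTEMS):
    """Mixture density divided by the mean-matched single Rayleigh density at time t.

    For t beyond the largest subsystem mode this ratio grows without bound:
    the single-Rayleigh 'paradox' of under-predicted tails.
    """
    return mixture_pdf(t, subsystems) / rayleigh_pdf(t, equivalent_single_sigma(subsystems))


def integrate(pdf, upper, step=0.001):
    """Trapezoidal integral of pdf over [0, upper]; used to check normalisation."""
    n = int(upper / step)
    total = 0.5 * (pdf(0.0) + pdf(upper))
    for k in range(1, n):
        total += pdf(k * step)
    return total * step


def sample_failure_time(rng, subsystems=SUBSYSTEMS):
    """Draw one failure time: pick a subsystem by weight, then invert its Rayleigh CDF."""
    u = rng.random()
    acc = 0.0
    sigma = subsystems[-1][0]
    for sigma, w in subsystems:
        acc += w
        if u <= acc:
            break
    return sigma * math.sqrt(-2.0 * math.log(1.0 - rng.random()))


def failure_histogram(n, bin_width, seed=1, subsystems=SUBSYSTEMS):
    """Simulated failure histogram: {bin_index: count}, i.e. what a data set looks like."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(n):
        b = int(sample_failure_time(rng, subsystems) // bin_width)
        counts[b] = counts.get(b, 0) + 1
    return counts


if __name__ == "__main__":
    s0 = equivalent_single_sigma()
    print(f"mean-matched single Rayleigh mode: {s0:.2f}")
    for t in (1.0, 3.0, 6.0, 10.0):
        print(f"t={t:5.1f}  mixture={mixture_pdf(t):.3e}  "
              f"single={rayleigh_pdf(t, s0):.3e}  ratio={tail_ratio(t):.1f}")
    hist = failure_histogram(10000, 1.0)
    print("simulated counts per unit-time bin:", [hist.get(b, 0) for b in range(12)])
```

Near the bulk of the data (t around 1) the mixture and the single fit differ by less than a factor of two, which is why a Rayleigh fit looks acceptable on a histogram; at t = 10 the mixture density is several hundred times larger, the excess the abstract attributes to the subsystem with the largest mode.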

Wednesday, 08/14/13, PM, Clarendon: Risk Assessment (Chair: Karedes)

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt; Joan Pham, PhD; Sikorsky Aircraft Corporation, Stratford, Connecticut, USA
The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and their interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.
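Life data analysis in aviation usually means fitting a Weibull distribution to the failure ages of a component; the Python block below is an added example, not the paper's method or case study, showing the basic QRA steps that follow from such a fit: the conditional probability that each aircraft's unit fails within the next inspection interval given its current age, the expected number of failures across the fleet, the expected number of hazardous events, and the comparison against a target rate. The Weibull shape and scale, the fleet ages, the look-ahead interval, the conditional hazard probability and the target rate are all assumptions chosen for illustration.

```python
"""Fleet-level quantitative risk assessment from Weibull life data.

Added example, not code from the paper. The Weibull parameters, fleet ages,
look-ahead interval, conditional hazard probability and target rate are
assumptions, not values from any real fleet.
"""
import math


def weibull_reliability(t, beta, eta):
    """Probability that a unit survives to age t: R(t) = exp(-(t/eta)^beta)."""
    return math.exp(-((t / eta) ** beta))


def conditional_failure_probability(age, interval, beta, eta):
    """P(fail in (age, age+interval] | survived to age) = 1 - R(age+interval)/R(age).

    For beta > 1 (wear-out) this grows with age; for beta == 1 it is
    independent of age (exponential, memoryless), which is why a constant
    failure rate cannot represent an ageing fleet.
    """
    return 1.0 - weibull_reliability(age + interval, beta, eta) / weibull_reliability(age, beta, eta)


def fleet_risk(ages, interval, beta, eta, p_hazard_given_failure):
    """Step through the QRA for one failure mode over the next `interval` hours.

    ages: current age (flight hours) of the unit installed on each aircraft.
    Returns (expected_failures, expected_hazardous_events, rate_per_flight_hour).
    """
    expected_failures = sum(conditional_failure_probability(a, interval, beta, eta) for a in ages)
    expected_hazardous = expected_failures * p_hazard_given_failure
    exposure_hours = len(ages) * interval      # fleet flight hours accumulated in the interval
    return expected_failures, expected_hazardous, expected_hazardous / exposure_hours


# Assumed inputs (illustrative only):
BETA, ETA = 2.5, 5000.0            # Weibull shape (wear-out) and characteristic life, hours
FLEET_AGES = [500.0, 1200.0, 2100.0, 3000.0, 3800.0]
INTERVAL = 500.0                   # look-ahead window, flight hours per aircraft
P_HAZARD = 0.1                     # P(hazardous outcome | component failure)
TARGET_RATE = 1e-7                 # acceptable hazardous-event rate per flight hour


def risk_exceeds_target(ages=FLEET_AGES, interval=INTERVAL, beta=BETA, eta=ETA,
                        p_hazard=P_HAZARD, target=TARGET_RATE):
    """Decision step of the QRA: does the predicted rate breach the target?"""
    _, _, rate = fleet_risk(ages, interval, beta, eta, p_hazard)
    return rate > target


if __name__ == "__main__":
    for age in FLEET_AGES:
        p = conditional_failure_probability(age, INTERVAL, BETA, ETA)
        print(f"age {age:6.0f} h: P(fail in next {INTERVAL:.0f} h) = {p:.4f}")
    failures, hazardous, rate = fleet_risk(FLEET_AGES, INTERVAL, BETA, ETA, P_HAZARD)
    print(f"expected failures {failures:.3f}, hazardous events {hazardous:.4f}, "
          f"rate {rate:.2e}/FH vs target {TARGET_RATE:.0e}/FH, "
          f"exceeds target: {risk_exceeds_target()}")
```

The conditional form matters: using the unconditional Weibull probability for each unit would count failures that, given the unit has already survived to its current age, cannot happen, and would misstate the fleet risk for exactly the oldest units that drive it.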

Thursday, 08/15/13, AM, Berkeley: Space Systems (Chair: Durmaz)

Using the System Safety Management Plan to Effectively Implement Air Force Orbital Safety Policy
Lan X. Dang, BSCE (1); Myles P. Moran, BSME (2); Tyrone Jackson, BSEE (1); (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA
A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. For example, one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 (with AFSPC Supplement 1), AFI 91-217, and AFI 63-101. AF program offices are required to comply with AFI policies; AFIs do not generally apply to the contractor except as implemented through the contract. Often, program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that, with two sets of requirements (AFIs for program offices and tailored MIL-STD-882 for contractors), full compliance with AF Orbital Safety policy would be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question: "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"



Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G. McDougall, BS Physics, Naval Postgraduate School (NPS) Master of System Engineering, System Safety Center, SMC/SE, El Segundo, CA, USA; Tyrone Jackson, BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA
The Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommissioning, and disposal of systems, subsystems, end items, and services during the entire space system life cycle, to support the Operational Safety, Suitability, and Effectiveness (OSS&E) of warfighter capability needs. The tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) for new acquisitions to specify the system safety requirements applicable to the acquisition of space systems or space systems of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems, and user equipment systems. The SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP_I, and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process for evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing the tasks and activities required to execute a viable system safety program, including risk acceptance package development, hazard tracking, mishap risk disposition, and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch, CO, USA
United Launch Alliance launches Atlas V and Delta IV from the Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles, and large quantities of them are stored on the launch site. Cryogenic propellants present leak, fire, and explosion hazards throughout their handling, from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle, and prelaunch operations, until liftoff. Range Safety regulations provide safety requirements for hardware, software, and operations to ensure safety throughout ground processing. This paper examines each stage of the ground processing for a space launch and the applicable safety requirements, and discusses how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, using safety-critical software, after personnel are cleared. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday, 08/15/13, AM, Clarendon: Weapons Safety (Chair: Southwick)

Security Critical Software: the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S. Alborzi, PhD, Strategic Systems Programs, Fleet Ballistic Missiles, Washington Navy Yard, VA, USA
Today's political landscape, the arbitrary abandonment of nuclear non-proliferation by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense of system safety. This paper explores this integration and unveils some of the security-critical software that can serve as the first line of defense for preserving the safety-critical features of our weapons systems.


Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams, BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello, BSChE, Navy NOSSA, Indian Head, MD, USA
The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance for implementing policy provided in the associated AOP-7 and AOP-39. Questions are often raised during program development and reviews as to the origin and applicability of the tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many detailing early European explosive history. We define the term Qualification as originally used and attempt to put in perspective the purpose of the test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic materials community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, addresses only the Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE; Gunendran Sivapragasam, MBA, SE; Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA
A Science and Technology (S&T) or Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among the characteristics unique to these projects.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay the groundwork, with analysis that can be built upon, for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday, 08/15/13, AM, Dartmouth: Hazard Identification (Chair: Oliver)

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore
We often ask ourselves why accidents or mishaps happen even when the system safety methodology and assessments are in place. Accidents happen for many possible reasons: there could be lapses in the safety integrity of the system, or a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns whereby a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practice of system safety. Four areas of concern are highlighted in the paper: Interfaces; Prototype Tests & Trials; Maintenance & Disposal; and Human Error. By identifying the gaps in these four areas, the author explores and proposes mitigation measures that could close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr. Cand. Scient., System Safety, SINTEF, Trondheim, Norway
Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body (for certification according to IEC 61508), a Notified Body (for certification according to the relevant EU directives), and a Manufacturer.

Experience has shown that, to deliver the product on time and cost-effectively, it is very important that the Manufacturer and the Certification and Notified Bodies agree on basic principles concerning the plans, contents, traceability, and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Bodies as evidence.

This paper presents the CoVeR method, developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report (CER) for conformance to IEC 61508. This ensures a good start, that costs are minimized and time to market reduced, that the certification process is complete and well documented, and that updating the certificates requires less work. Certification experience to date shows that many of the problems with conventional methods are alleviated.

Design with Safety Eye
Barış Berk Erdem, MS; Pinar Aydin, MS; Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey
Deriving safety requirements in the early stages of design is one of the key factors in conducting a successful development process for any project. Just as well-defined, correct, consistent, and complete safety requirements improve and guide the design to a high level with minimum effort, defective, inconsistent, and incorrect safety requirements may lead to unsuccessful, overweight, and over-cost designs. In this paper, ways of deriving qualified safety requirements in the early stages of design, and the advantages of doing so, are discussed through examples. Safety requirements are derived from the results of safety assessments based on the consequences of functional failures. But the quality of safety assessments depends on the maturity of the design, and as the design matures it becomes hard to change and to implement changes; this causes a dilemma. In the early stages of design, working with safety specialists who are more experienced, better educated, and familiar with similar projects provides a great contribution. A safety perspective throughout the design team also makes it easier to derive valuable safety requirements and build them into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is cooperation of the whole design team with a safety perspective.

Thursday, 08/15/13, PM, Berkeley: Aerospace Software (Chair: Beecher)

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway, NASA Langley Research Center, Hampton, VA, USA
For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements". Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose; thus, the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments, contained in or implied by the DO-178C guidance, that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt; therefore, developers and assessors must consider the limitations of execution-time evidence and their effect on the confidence that can be placed in execution-time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels, and Baconian probability. We define use cases for confidence in safety cases, prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for reuse of safety elements.

Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System
Eric Yang, PhD; Richard Y. Xie, PhD; Arash Yousefi, PhD; Metron Aviation, Inc., Dulles, VA, USA
As demand for military, civilian and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety that is set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper, we adapt a previously developed safety modeling framework, Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS; incompatibility of sense-and-avoid systems of UAS and Tactical Collision Avoidance Systems (TCAS) of manned aircraft; loss-link procedures in the UAS; and the UAS loss of communication with air traffic control. The findings of this study provide insight into potential risks of UAS integration and may support development of the concept of operation, establishing minimum performance standards, and developing required safety nets.

Thursday 08/15/13 PM, Clarendon: Public Safety II (Chair: Laabs)

Integrating System Safety and Emergency Management
Terry L. Hardy, Great Circle Analytics, LLC, Denver, CO, USA
System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations, or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience, and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Program ISSC 2013

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS; HSE, Marine Well Containment Company, Houston, TX, USA
Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess and Statoil. In February 2011, MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS and Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach for working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.

Advertisement: WHAT ARE YOUR STRENGTHS AS AN ENGINEER?
"thinking system-wide" / "providing in-depth analysis of the latest technologies" / "solving real-life problems"
ONLINE MASTER'S DEGREES: Reliability Engineering, Project Management, Nuclear Engineering, Sustainable Energy, Energetic Concepts, Fire Protection Engineering
LEARN MORE: www.advancedengineering.edu/issc

A Taxonomic Analysis on Chinese Special Equipments "Yinhuan" in Supervision
Yunxiao Fan, Dr., Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety at worksites. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices and automobiles. In recent years, the rapid increase in the numbers and types of special equipment has put increasing stress on BSES's regulation of special equipment. As a government supervision organization, BSES tries to make the inspection tasks of the different supervision levels explicit and efficient and to improve safety management performance from the viewpoint of risk. This research is the first task in a project which aims to identify yinhuans in special equipment supervision using a taxonomic approach, for further ranking them through risk assessment. Based on nonconformity and the 4 elements in the accident causation model, this research defined yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. This research identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans for 8 types of special equipment.

Thursday 08/15/13 PM, Dartmouth: Hazard/Risk Management II (Chair: Kniess)

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1); Patrick J. Graydon, PhD (2); Rikard Land, PhD (1). (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework including analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach, the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence; it can ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA
United Launch Alliance (ULA) believes error reporting is the corner-stone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as Events) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012, ULA experienced an elevated number of transportation related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates processes were "in control" during the period of this study.

Advertisement: Isograph Software, World Leading Reliability, Availability and Maintenance Software. www.isograph-software.com
Reliability Workbench: Reliability Allocation, Prediction, FMECA, Fault Tree Analysis, Event Tree Analysis, Markov.
Availability Workbench: Reduce Labor & Spares Costs, Increase uptime and output, Seamless integration with SAP and Maximo.

Even though statistical analysis tools demonstrated ULA's processes were "in control," ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.
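As an added worked example (not code from the ULA paper or from this program), the P-chart the abstract refers to, run over constructed monthly subgroups of units handled and Events recorded. The month counts, the variable names and the 12-month window are assumptions made for the illustration; the limits are the standard p̄ ± 3·sqrt(p̄(1−p̄)/n), which vary with subgroup size. It also shows the distinction the abstract draws: a chart can read "in control" while the Event rate is still nonzero, which is why an "in control" verdict does not retire a Zero Defects goal.

```python
"""P-chart (fraction nonconforming) with 3-sigma control limits.

Added example for the ULA paper above; this is not ULA's code, and the
monthly figures below are constructed, not ULA's Event data.
"""
from math import sqrt

# Constructed subgroups: (units handled in the month, Events recorded).
# A stable year, used to see what an in-control chart looks like.
BASELINE_MONTHS = [
    (120, 3), (115, 2), (130, 4), (125, 3), (110, 2), (140, 5),
    (118, 3), (122, 2), (135, 4), (128, 3), (124, 7), (132, 3),
]
# Same year, but month 11 carries the kind of cluster that prompted
# the "are these processes out of control?" question.
SPIKE_MONTHS = BASELINE_MONTHS[:10] + [(124, 12)] + BASELINE_MONTHS[11:]


def p_chart(subgroups):
    """Compute the chart: returns (p_bar, rows), each row being
    (n, events, p, lcl, ucl, out_of_control) for one subgroup.

    p_bar is the pooled fraction nonconforming over all subgroups; the
    limits are p_bar +/- 3*sqrt(p_bar*(1-p_bar)/n), so they widen for
    small subgroups. The lower limit is floored at 0 because a fraction
    cannot be negative.
    """
    total_n = sum(n for n, _ in subgroups)
    total_events = sum(d for _, d in subgroups)
    p_bar = total_events / total_n
    rows = []
    for n, d in subgroups:
        sigma = sqrt(p_bar * (1.0 - p_bar) / n)
        lcl = max(0.0, p_bar - 3.0 * sigma)
        ucl = min(1.0, p_bar + 3.0 * sigma)
        p = d / n
        rows.append((n, d, p, lcl, ucl, not (lcl <= p <= ucl)))
    return p_bar, rows


def out_of_control_months(subgroups):
    """0-based indices of subgroups whose fraction falls outside its limits."""
    _, rows = p_chart(subgroups)
    return [i for i, row in enumerate(rows) if row[-1]]


def in_control(subgroups):
    """True when no subgroup breaches its 3-sigma limits. This is the
    P-chart verdict; it says nothing about whether the rate itself is
    acceptable, which is what a Zero Defects objective addresses."""
    return not out_of_control_months(subgroups)


if __name__ == "__main__":
    for label, data in (("baseline", BASELINE_MONTHS), ("spike", SPIKE_MONTHS)):
        p_bar, rows = p_chart(data)
        print(f"{label}: p_bar={p_bar:.4f}, in control={in_control(data)}")
        for i, (n, d, p, lcl, ucl, ooc) in enumerate(rows):
            flag = "  <-- out of control" if ooc else ""
            print(f"  month {i + 1:2d}: n={n:3d} events={d:2d} p={p:.4f} "
                  f"limits=[{lcl:.4f}, {ucl:.4f}]{flag}")
```

Note that the limits are recomputed from the pooled rate of the window being judged, so a single severe month both raises p̄ and widens every limit slightly; with a small number of subgroups this can mask a second, milder excursion. A practitioner who wants the baseline fixed would compute p̄ from an earlier reference period and judge new months against those frozen limits.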

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, PEng, MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece
Since September 11, 2001, system safety and security has been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how the STAMP Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents and incidents. The objective is to show the feasibility of establishing in airports system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems and airports to assess and predict changing levels of risk.

Special Functions

Saturday: SSS Executive Council Meeting, 12:00 - 5:00 pm, Tremont Room
Sunday: SSS Executive Council Meeting, 8:00 am - 5:00 pm, Tremont Room
Monday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
Monday: Opening Ceremonies / General Session, 1:30 - 3:30 am, Salons A-E. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow Member Emeritus. Keynote Speaker: James P. Keller, Jr., MS, ECRI Institute
Tuesday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
Tuesday: Sponsor/Exhibitor Luncheon, 11:30 am - 1:20 pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology
Tuesday: Sponsor & Exhibitor Reception, 6:30 - 8:30 pm, Gloucester Room
Wednesday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
Wednesday: International Luncheon, 11:30 am - 1:20 pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK
Wednesday: Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00 pm. Be in the hotel lobby at 6:00 pm.
Thursday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
Thursday: Awards Luncheon, 11:30 am - 1:20 pm, Salons A-E
Friday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
Friday: Best Papers Presentations, 8:00 - 11:20 am, Dartmouth Room

32nd International System Safety Conference, 4-8 August 2014, St. Louis, MO
St. Louis Union Station Marriott Hotel
Gateway to Safety

Local attractions: Gateway Arch Riverfront, Missouri History Museum, Museum of Transportation, St. Louis Cardinals, St. Louis Symphony, St. Louis Union Station, St. Louis Science Center, The Contemporary Art Museum St. Louis, Bissell Mansion Restaurant and Dinner Theater, Missouri Botanical Gardens, Laumeier Sculpture Park, Anheuser-Busch Brewery, Kemp Auto Museum, Schlafly Bottleworks, Fox Theater, Purina Farms, Meramec Caverns, Laclede's Landing, City Museum, Magic House, Grant's Farm, St. Louis Zoo, Delmar Loop, Forest Park, Harrah's, Six Flags.

About the System Safety Society
The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program or activity at the planning phase and continues through the design, production, testing, use and disposal phases.

The Society's Objectives
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070
www.system-safety.org, email: systemsafetysystem-safetyorg

Points of Contact

Officers
Robert Schmedake, President, robertaschmedakeboeingcom
Dr. Rod Simmons, Executive Vice President, rodsimmonsmecom
Dr. Matt Johnson, Executive Secretary, mjohnsonstaudertechcom
Pam Kniess, Treasurer, pamkniessgmailcom
Gary Braman, Immediate Past President, gbramansikorskycom

Directors
Gerry Einarsson, Chapter Services, einargkrogerscom
Lynece Pfledderer, Conferences, Lynecepfleddererlmcocom
Dr. Chuck Muniak, Education & Professional Development, cmuniakstevensedu
Debbie Hale, Gov & Intersociety, Hale0324hotmailcom
Robert Fletcher, International Development, rwfletchersympaticoca
Melissa Emery, Member Services, memeryapt-researchcom
Steve Mattern, Mentoring R&D, smatternbastiontechnologiescom
Saralyn Dwyer, Publicity & Media, sdwyerapt-researchcom

Chapters
Tennessee Valley Chapter (AL): Don Swallom, swallomisss-tvcorg
Saguaro Chapter (AZ): Amanda Boysun, 520-794-5487, AmandaBoysunraytheoncom
Bay Area Chapter (CA): Graham Murray, 408-756-2674, grahamtmurraylmcocom
Central California Chapter (CA): Kathleen Brenna, KathleenBrenna1usafmil
Sierra High Desert Chapter (CA): Jerry Banister, 760-377-4690, safetycitadelearthlinknet
Southern California Chapter (CA): Francis McDougall, 310-653-1309, francismcdougallusafmil
Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppecomcastnet
Georgia Chapter: Terry Gooch, 770-494-3527, terryjgoochgmailcom
Winners Circle Chapter (KY/IN): Marc Bever, 812-854-1351, Marcbevernavymil
Twin Cities Chapter (MN): Bill Blake, 763-744-5086, billblakeatkcom
New England Chapter: Alan E. Southwick, 401-842-2067, Alan_E_Southwickraytheoncom
Northeast Chapter: Scott Beecher, scottbeecherPWutccom
New Mexico Chapter (NM): William (Bill) Harwood, williamharwoodmdamil
Houston Chapter (TX): Derek Robins, 281-335-2011, derekrobbinsmwcc-usacom
North Texas Chapter (TX): Frank Rinaldo, 817-762-3075, frankrrinaldolmcocom
Washington DC Chapter: Sean Peters, seanpetersurscom
Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerberbaesystemscom

International Chapters
Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbechtrgbassurancecomau
Canada Chapter: Maury Hill, 613-220-0533, Mauryhillrogerscom
Israel Chapter: Haim Kuper, 972-4-8315044, haimkuperelbitsystemscom
Singapore Chapter: Ten Lin Mei, tlinmeidsoorgsg


31st ISSC Luncheon Menu

Tuesday, August 13
New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pate de Fruit

Wednesday, August 14
Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15
Caesar Salad
Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce
White Chocolate and Blood Orange Torte

Formal Modelling in the Development of Dependable Systems
Elena Troubitsyna, PhD, IT, Åbo Akademi University, Turku, Finland
Nowadays we tend to place increasing reliance on computer-based systems and the software which they are running. The degree of reliance that we can justifiably place on a system is expressed by the notion of dependability. However, the analysis of recent software-caused accidents has shown that the current development process is inadequate for achieving a high degree of dependability. While a number of existing methods and tools address certain aspects of dependable systems development, there is still a lack of powerful dependability-explicit techniques for developing software for complex systems.

It is widely recognized that complexity poses a major threat to dependability. Complexity makes testing of software to the required degree of dependability infeasible, and hence the emphasis should be put on the development process, which is aimed at producing fault-free software. Moreover, the system environment has a direct impact on its dependability, and hence a systems approach should be applied.

In the paper we discuss advances in creating a formal dependability-explicit development process, demonstrate an approach to integrating formal development with safety analysis, and discuss the role of formal models in building safety cases.

Tuesday 08/13/13 PM, Clarendon: Aerospace Safety (Chair: Kraemer)

Systems-Based Approach to Flight Safety Management in Airlines
Hong Chi, PhD; Baoguang Xu, PhD; Mingliang Qi, PhD; Xueyan Shao, PhD; Institute of Policy and Management, Chinese Academy of Sciences, Beijing, China
Safety risk management is one key component of ICAO's safety management system (SMS). The Eleventh Five-Year Plan of China Civil Aviation also requires the establishment of SMS. From 2006 we have worked with one of China's 3 big airlines, taking part in its construction of SMS. We find that safety risks have their own features in different airline departments, and divide safety risks into two categories: one is caused by factors such as quality of pilots and reliability of airplanes, and the other is caused by misprocessing through operational processes; for example, a misprocessing in data entry during dispatching may lead to insufficient fuel and then serious outcomes. A reasonable risk assessment can be obtained only by systematic mechanism analysis, and other analytical approaches need to be studied besides the risk matrix. Based on this, effective risk mitigation can be implemented in airlines. We develop a closed loop to support airline flight safety management, named "Describing-Assessing-Diagnosing-Improving-Tracking". Specific details will be discussed in this paper.

Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch
Burak Durmaz, MSc Eng, Product Assurance Department, Space Systems Group, Turkish Aerospace Industries, Inc. (TAI), Ankara, Turkey
Even if the new generation aircraft have rugged designs which maximize reliability, exposure to failures during operation is still indispensable. With a pure safety approach, one can arrive at the classical result "the safest aircraft is the one in the hangar." Vice versa, allowing dispatch without ensuring a certain level of safety can lead to catastrophic results and is totally not acceptable. MMEL has been answering this dilemma for many years. Each MMEL item is analyzed taking into account the effects of item inoperability on safe flight and landing, crew workload, functional capabilities of the systems, design margins and the impacts due to the next critical failure. MMEL proposes dispatch criteria for any inoperative MMEL item by taking credit from a redundant unit which is capable of accomplishing the same function, the backup data provided by alternative sources or equipment, dictating acceptable limitations and/or requiring operational or maintenance procedures.

This study aims to answer questions such as why MMEL is required and how an MMEL is developed. Also, brief information about the MMEL regulations, the importance of MMEL to ensure safe dispatch with inoperative item(s) and some simple examples regarding MMEL applications are going to be provided.

Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics
Stuart Campbell, Sr., MAS, CFII, ATP, Aeronautical Science, Embry Riddle Aeronautical University, Daytona Beach, FL, USA
The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilot Association, 2010). The absence of a positive safety culture in general aviation, to include training organizations, affects pilot judgment and decision making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture during the learning process and training, is of importance and currently under study using the Frasca Mentor Advance Aviation Training Device.

Tuesday 08/13/13 PM, Dartmouth: Software Safety (Chair: Schmedake)

Safety and/vs Security: Towards a System Engineering Approach for Trust
Erwin Schoitsch, Dipl.-Ing., Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria
Safety has a long tradition in many engineering disciplines, evolving long before computers arrived on the scene. Security in engineering disciplines has a shorter history, becoming increasingly important with the rising complexity of networked systems. In complex cyber-physical systems and systems-of-systems, both worlds, having ignored each other for a long time (independent communities, different targets, standards, techniques and measures), now have to share their concerns to achieve the real goal of users and stakeholders: trustworthy systems.

The paper will compare the different approaches of the major safety and security standards, particularly with respect to setting goals, considering techniques and measures, and qualification/certification. Holistic system aspects, as covered by the notion of Dependability and Resilience as umbrella terms, and system engineering aspects, taking into account dichotomic properties of complex embedded systems (commonalities and trade-offs), are looked at to try to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from concept phase, hazard and risk analysis to decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC-FP7 Integrated Project OpenCoss, in IEC/ISO standardization groups, and other work.

Anatomy of a Safety Critical Software Function
Richard Church, Raytheon Company, Tewksbury, Massachusetts, USA
This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides a clear and concise determination of how a safety critical function may be defined at the system level to include hardware, software, human interactions and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose SLSCF computing level functions and details what constitutes a Safety Critical Computing Software Function (SCCSF) and how to identify those behavioral attributes that designate that function as safety critical. This paper provides a methodology to identify, decompose and categorize application and operating environment SCCSFs. For the purpose of this paper, SCCSFs are categorized into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety critical software functions that control and monitor safety critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies and fail-safe designs found in successful high consequence safety critical systems.

Software Risk: The Third Rail of Safety Analysis
Holly S. Hildreth, PhD, Consultant; Charles Greg Elcock, USN-R Aviator, Consultant; San Diego, CA, USA
"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Due to our inability to assess probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called "throwing the baby out with the bath water." Meanwhile, the recent industry trend to assess software risk based solely on implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss shortcomings of this trend and describe alternative techniques that have not been openly documented but that have been used "under the radar" by software safety professionals for many years.

Wednesday 08/14/13 AM, Berkeley: Human Factors (Chair: Robins)

ASL - Affective Safety Leadership
Ulrik Ramsing, Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark
Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how," demanding that the CoRep engage with all parties in a safe, professional and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged with CfL, Centre for Leadership, to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, of which the satisfactory completion is now a requirement for employment in DONG E&P Offshore Operation as Company Representative.

The CoRep Program satisfies its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors and ILO-driven offshore coaching.

Exxon Valdez: Human Error, Plain and Simple
Arthur D. Barondes, BS (Mil Engr), MS (Aero), MBA, PhD (ABD) (Business), Analytics International Corporation (AIC), Alexandria, VA, USA
Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989, and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors (there were no mechanical or electrical failures that fateful night), the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots, and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors, onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company, as solely responsible for the disaster.

Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A. Vernacchia, MS, PE, Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A. Green, PhD, Active Safety Systems, General Motors, Warren, MI, USA; Robert E. Llaneras, PhD, Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA
Today's electric propulsion system designs (e.g., Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, some failure modes may result in the failure effect on output torque being realized significantly faster than traditional ICE failure modes. These may present differences in how output torque responses impact potential "Driver Startle" events.

This paper compares electric propulsion systems' fault response characteristics, and subsequent detection and mitigation capabilities, to those of ICE systems. The effects of the electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle level hazard metrics related to Driver Startle, are presented.

Wednesday 08/14/13 AM, Clarendon: Public Safety (Chair: Fletcher)

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD; Yun Luo; Shuo Tian, MS; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
To make scientific precaution and effective control of accidents is important for the national production of China. The famous Heinrich Rule reveals that the statistical law of the severity and frequency of accidents is essential to control accidents, but the accidental source and causation, as well as the essence of systematic safety factors, haven't been stated deeply. With the data analysis from various accident statistics over recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. And then a proportion rule of the accident pyramid is further figured out, namely "Major Accident - Fatal Accidents - General Accidents - Hidden Dangers - Hazards" (1 - 52 - 240 - 4700 - ∞). The result accords with the traditional Heinrich Rule, which provides the theoretical basis for accident prevention and indicates the way and direction of realizing essential safety.

Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a MegacityIlya M Zheleznov PhD VNIIA Moscow RussiaPaper presents review and results of analysis of different technical and economic aspects of industrial safety at the large enterprise with distributed sites combining RampD works with pilot and batch production of high-tech products and located in a megacity ndash Moscow

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to optimization are considered from both technical and economic points of view, including minimization of the transport of dangerous substances, localization of treatment facilities (waste effluents, gas purification) and waste storehouses, localization of working-condition maintenance systems (heating, air conditioning, air cleaning, water supply, etc.), possible harm to the population, and a number of other factors.

The features connected with locating the enterprise in a megacity are identified, including limited area for treatment facilities, high saturation of the area with various utilities, small distances to residential buildings and city infrastructure, transport problems, high pollution of the air environment, etc.

Program ISSC 2013


Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr. Professor G. A. Smirnov, Dr. D. I. Yurkov, D. V. Syagin, T. V. Kozhina; All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia
The paper reviews questions related to the vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including those with a terrorist orientation, as well as to emergency situations of natural and anthropogenic character.

The main provisions of the Russian Government-approved complex program for the safety of the population on transport are presented. Approaches to organizing the examination of physical persons, passengers, vehicles, cargoes, luggage, and personal belongings at transport infrastructure objects of the undergrounds of Russia are formulated. Some types of neutron and X-ray equipment designed and produced by VNIIA (named after N. L. Duhov) for the detection of explosives, nuclear materials, and drugs are presented.

Wednesday, 08/14/13, AM, Dartmouth: Lifecycle Safety (Chair: Swallom)

Maintenance Hazard Analysis
Phil Tan Joo Heng; Safety Assurance Centre, ST Kinetics, Singapore, Singapore
System safety analyses assess systems' hazards throughout all phases of the system life cycle. Quite often, details of maintenance tasks on systems are not clearly thought out and assessed. Hence, while in the midst of carrying out system maintenance tasks, hazards could arise and pose safety implications to users. Improper maintenance could also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance, and sometimes total replacement of the components at regular intervals, is required. Therefore, it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety-critical or safety-related parts is also crucial in ensuring that the systems remain safe for operation after maintenance is conducted.

This paper attempts to classify the different types of maintenance and the focus of their respective hazard analyses in order to better address their potential hazards. Generally, there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance, and Reliability-Centered Maintenance. The authors discuss, with examples, the hazard analysis for each of these types of maintenance.

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram, David Hartfelder; Electronic Controls and Software, General Motors Company, Milford, MI, USA
System safety engineering is the application of special technical methods and managerial processes in a systematic manner to identify, evaluate, and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned with eliminating or minimizing the impact of system hazard(s) to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementary safety-critical analyses, tests, and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase and continuing through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that they are able to influence the design of the system. This paper will define a system safety case and provide an overview of its development within the GM system safety engineering process as it applies to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention; James E. Allison, System Safety; Joseph Russell, Launch Vehicle & Error Prevention; United Launch Alliance, Centennial, CO, USA
Error Prevention Event Collection (EPEC) Documents have benefited the ULA organization in many ways by providing multiple methods to augment current ULA Error Prevention Processes and to share Lessons Learned throughout the ULA organization. EPEC Documents are stand-alone documents that provide ULA personnel with categorized sets of Event information that can be used to augment the Preventive Analysis, Reactive Analysis, and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process, meaning that they have completed the Causal Analysis, Corrective Action Board, and Error Prevention Council processes. Upon Event closure, the "All Items" Database is populated with the Event information and the applicable EPEC Categories. The "All Items" Database then automatically sorts Event entries into "Category" Databases, one for each EPEC Category. Each "Category" Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" Database that provides users with instructions for use, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications, and benefits of the EPEC Documents will continue to be explored.

Wednesday, 08/14/13, AM, Exeter: Human Factors II (Chair: Flint)

Development of an Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy; Yanyan Wang, DE; Xin Liu; Wei Bai; Xinsheng Guo; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress is a disadvantage to flight safety. Life events are a routine item of aircraft accident investigation in many countries, and many pilots involved in accidents were suffering from life events. In order to achieve the ideal effect, flight safety education must be incorporated with psychology. An education program combining flight safety and psychological stress was developed by summarizing the psychological factors relevant to aviation risk perception. The program includes three sections: psychological measurement relative to safety with results feedback, education on representative risk scenes in aviation, and occupational stress management. The Aviation Safety Locus of Control scale and the Hazardous Aviation Attitude questionnaire were used to evaluate risk pattern, and the results were fed back to the pilots to improve self-knowledge. Representative risk scenes were based on the five hazardous attitudes theory; fifteen cases were developed, and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach the pilots stress management skills. The program can be applied to improve flight safety and the mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD; Xin Liu; Wei Bai; Xinsheng Guo; Qingfeng Liu, MPsy; Xiaochao Guo, DPsy; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
Crew resource management (CRM) capabilities directly relate to flight safety and run through the whole process of flight tasks, but there are currently no indicators and methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and pilots' behavior characteristics of dynamic CRM were developed based on AC-121-FS-2011-41 (crew resource management training) and by analyzing the influential factors; from these, the dynamic assessment training indicators and methods of crew resource management were formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis for assessment of CRM during flight training, which is helpful in improving the CRM capabilities of the double drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD; Erin Collins; Hughes Associates, Inc., Baltimore, MD, USA
The fire protection response in selected facilities is characterized by "manual" activities: facility personnel are trained to react immediately after fire detection, not only to announce the fire event throughout the facility using the communication systems but also to suppress the fire as quickly as possible. Contrary to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e., hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper integrates event tree analysis and HRA, and treats the following detection and suppression activities: prompt detection and suppression, rapid detection and suppression, and fire brigade suppression.

Wednesday, 08/14/13, PM, Berkeley: Safety Topics (Chair: Gauthier)

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou, BEng, MSc, PhD, CEng; Matthew Luckcuck; Tim Kelly, PhD; Richard W. Jones, PhD; Department of Computer Science, University of York, York, United Kingdom
There has been increasing use of IT in healthcare, aiming to improve the quality of healthcare as well as the safety delivered to patients. IT can contribute to meeting the performance targets of hospitals by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent in medical devices (e.g., pacemakers), for which there are organized efforts for international standards. Recently there have been attempts to systematize and standardize the safety analysis of health IT systems, with examples such as the UK National Health Service standards asking for a safety case that any IT system is safe.


The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety and data-intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these tactics can be used to provide assurance in the final safety case of the system.

How Complex Systems Fail, I: Decomposition of the Failure Histogram
Richard R. Zito, PhD; Richard R. Zito Research LLC, Tucson, AZ, USA
Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that in general the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model, and the failure histograms (failure rate vs. time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report will take the Peterson/Arellano analysis one step further. A unified theory of failure rates will be presented that removes the paradoxes of the simple Rayleigh model. It will be shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function law.
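The following Python snippet is an added illustration of the superposition idea in the abstract above; it is not code from the paper or from the conference program. It overlays one Rayleigh failure-rate law per assumed subsystem, with the subsystem modes spread according to a distribution, and compares the tail of the overlay with a single Rayleigh law whose mode is the mean of the subsystem modes (the one-component fit a naive analysis would apply to the same histogram). The four subsystem modes, the equal weights, and the uniform spread used by `draw_modes` are constructed assumptions, not data from the paper.

```python
import math
import random


def rayleigh_pdf(t, sigma):
    """Rayleigh density f(t) = (t / sigma^2) * exp(-t^2 / (2 sigma^2)).

    The mode (peak of the failure histogram) sits at t = sigma.
    """
    if t < 0.0:
        return 0.0
    return (t / sigma ** 2) * math.exp(-(t ** 2) / (2.0 * sigma ** 2))


def mixture_pdf(t, modes, weights=None):
    """Superposition of one Rayleigh law per subsystem.

    `modes` holds each subsystem's Rayleigh mode; `weights` (equal shares by
    default) is the fraction of all failures each subsystem contributes.
    """
    if weights is None:
        weights = [1.0 / len(modes)] * len(modes)
    return sum(w * rayleigh_pdf(t, m) for w, m in zip(weights, modes))


def draw_modes(n, low, high, seed=1):
    """Draw subsystem modes from a distribution of modes.

    A uniform spread on [low, high] is a constructed assumption; the abstract
    only states that the modes follow some probability density law.
    """
    rng = random.Random(seed)
    return [rng.uniform(low, high) for _ in range(n)]


def tail_ratio(t, modes, weights=None):
    """Mixture density divided by a single Rayleigh density at time t.

    The single law uses the mean of the subsystem modes as its mode. A ratio
    well above 1 at large t is the "heavy tail" the one-component Rayleigh
    model fails to predict.
    """
    mean_mode = sum(modes) / len(modes)
    return mixture_pdf(t, modes, weights) / rayleigh_pdf(t, mean_mode)


def integrate(pdf, upper, steps=4000):
    """Trapezoidal integral of pdf over [0, upper]; used to check normalisation."""
    h = upper / steps
    total = 0.5 * (pdf(0.0) + pdf(upper))
    for i in range(1, steps):
        total += pdf(i * h)
    return total * h


if __name__ == "__main__":
    # Constructed example: four subsystems whose modes span 0.5 to 2.0 time units.
    modes = [0.5, 1.0, 1.5, 2.0]
    for t in (1.0, 3.0, 5.0):
        print(f"t={t:.1f}  mixture/single = {tail_ratio(t, modes):.2f}")
    print("mixture integrates to",
          round(integrate(lambda t: mixture_pdf(t, modes), 20.0), 4))
    print("random modes:", [round(m, 3) for m in draw_modes(4, 0.5, 2.0)])
```

Near the mean mode the two curves are comparable, but by t = 5 the overlay is more than ten times the single Rayleigh, because the subsystem with the largest mode still has a noticeable failure rate where the single fit has already decayed; that is the qualitative effect the abstract describes, and the same code can be pointed at real histogram bins by replacing the constructed modes.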

Wednesday, 08/14/13, PM, Clarendon: Risk Assessment (Chair: Karedes)

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt, Joan Pham, PhD; Sikorsky Aircraft Corporation, Stratford, Connecticut, USA
The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday, 08/15/13, AM, Berkeley: Space Systems (Chair: Durmaz)

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X. Dang, BSCE (1); Myles P. Moran, BSME (2); Tyrone Jackson, BSEE (1). (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA
A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. An example: one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 (AFSPC Supplement 1), AFI 91-217, and AFI 63-101. AF program offices are required to comply with AFI policies. AFIs don't generally apply to the contractor except as implemented through the contract; often, program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that by having two sets of requirements, AFIs for program offices and tailored MIL-STD-882 for contractors, full compliance with AF Orbital Safety policy should be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"


Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G. McDougall, BS Physics, Master of System Engineering (Naval Post-Graduate School, NPS); System Safety Center, SMC/SE, El Segundo, CA, USA. Tyrone Jackson, BSEE; System Safety, Space and Missile Systems Center, El Segundo, CA, USA
Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommissioning, and disposal of systems, subsystems, end items, and services during the entire space system life cycle, to support Operational Safety, Suitability, and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements applicable to the acquisition of space systems or space systems of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems, and user equipment systems. SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP_I, and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process for evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing the tasks and activities required to execute a viable system safety program, which include risk acceptance package development, hazard tracking, mishap risk disposition, and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar; System Safety, United Launch Alliance, Highlands Ranch, CO, USA
United Launch Alliance launches Atlas V and Delta IV from the Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles, and large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire, and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle, and prelaunch operations until liftoff. Range Safety regulations provide safety requirements for hardware, software, and operations to ensure safety throughout ground processing. This paper will examine each stage of ground processing for space launch and the applicable safety requirements, and discuss how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after personnel are cleared, using safety-critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday, 08/15/13, AM, Clarendon: Weapons Safety (Chair: Southwick)

Security Critical Software: the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S. Alborzi, PhD; Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA
Today's political landscape, the arbitrary abandonment of nuclear non-proliferation by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense of system safety. This paper intends to explore this integration and unveil some of the security-critical software that can serve as the first line of defense for preserving the safety-critical features of our weapons systems.


Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams, BME; Booz Allen Hamilton, Arlington, VA, USA. Ken Tomasello, BSChE; Navy NOSSA, Indian Head, MD, USA
The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance provided in the associated AOP-7 and AOP-39 for implementing policy. Questions are often raised during program development and reviews as to the origin and applicability of the tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, addresses only Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE; Gunendran Sivapragasam, MBA SE; Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA
A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among the characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday, 08/15/13, AM, Dartmouth: Hazard Identification (Chair: Oliver)

Closing the Gaps in System Safety Coverage
Seet Ting Siow; Management Systems & Processes, ST Kinetics, Singapore, Singapore
We often ask ourselves why accidents or mishaps happen even when the system safety methodology and assessments are in place. Accidents happen due to many possible causes. There could be lapses in the safety integrity of the system, a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns such that a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practice of system safety. Four areas of concern are highlighted in the paper: Interfaces, Prototype Tests & Trials, Maintenance & Disposal, and Human Error. By identifying the gaps in these four areas, the author explores and proposes mitigation measures that could close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr., Cand. scient.; System Safety, SINTEF, Trondheim, Norway
Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body for certification according to IEC 61508, a Notified Body for certification according to the relevant EU directives, and a Manufacturer.

Experience has shown that, to deliver the product on time and cost-effectively, it is very important that the Manufacturer and the Certification and Notified Bodies agree on basic principles concerning the plans, contents, traceability, and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Bodies as evidence.

This paper presents the CoVeR method, developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, that costs are minimized, that time to market is reduced, that the certification process is complete and well documented, and that updates of the certificates require less work. The certification experiences to date show that many of the problems with conventional methods are improved.

Design with Safety Eye
Barış Berk Erdem, MS; Pinar Aydin, MS; Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey
Deriving safety requirements in the early stages of the design is one of the most important key factors in conducting a successful development process for any project. While well-defined, correct, consistent, and complete safety requirements improve and guide the design to perfect levels with minimum effort, defective, inconsistent, and incorrect safety requirements may lead to unsuccessful, overweight, and over-cost designs. In this paper, ways and advantages of deriving qualified safety requirements in the early stages of the design will be discussed via examples. Safety requirements are derived using the results of the safety assessments, based on the consequences of functional failures. But the quality of safety assessments depends on the maturity of the design, and as the design matures it is hard to change and implement the changes; this causes a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated, and familiar with similar projects provides great contributions. Also, a safety perspective throughout the design team makes it easy to derive valuable safety requirements and bring these requirements into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is cooperation of the whole design team with a safety perspective.

Thursday, 08/15/13, PM, Berkeley: Aerospace Software (Chair: Beecher)

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway; NASA Langley Research Center, Hampton, VA, USA
For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means of receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements." Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose; thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments contained in or implied by the DO-178C guidance that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow; School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore, developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels, and Baconian probability. We define use cases for confidence in safety cases, prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for reuse of safety elements.

Initial Safety Analysis for Integration of Unmanned Aerial Systems into the National Airspace System
Eric Yang, PhD; Richard Y. Xie, PhD; Arash Yousefi, PhD; Metron Aviation, Inc., Dulles, VA, USA
As demand for military, civilian, and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper we adapt a previously developed safety modeling framework, the Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and to evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS, incompatibility between the sense-and-avoid systems of UAS and the Tactical Collision Avoidance Systems (TCAS) of manned aircraft, loss-link procedures in the UAS, and UAS loss of communication with air traffic control. The findings of this study provide insight into potential risks of UAS integration and may support development of concepts of operation, establishing minimum performance standards, and developing required safety nets.

Thursday, 08/15/13, PM, Clarendon: Public Safety II (Chair: Laabs)

Integrating System Safety and Emergency Management
Terry L. Hardy, Great Circle Analytics, LLC, Denver, CO, USA
System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations, or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience, and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Program ISSC 2013

47

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS, HSE, Marine Well Containment Company, Houston, TX, USA
Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips, and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain, and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess, and Statoil. In February 2011, MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS, and the Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach for working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.


A Taxonomic Analysis on Chinese Special Equipments "Yinhuan" in Supervision
Yunxiao Fan, Dr., Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety at worksites. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices, and automobiles. In recent years, the rapid increase in the number and types of special equipment has put BSES under increasing pressure in regulating it. As a government supervision organization, BSES tries to make the inspection tasks at each supervision level explicit and efficient and to improve safety management performance from a risk-based viewpoint. This research is the first task in a project that aims to identify yinhuans in special equipment supervision using a taxonomic approach, so that they can later be ranked through risk assessment. Based on nonconformity and the four elements of the accident causation model, this research defined yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. The research identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans across 8 types of special equipment.

Thursday, 08/15/13, PM, Dartmouth: Hazard/Risk Management II (Chair: Kniess)

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1); Patrick J. Graydon, PhD (2); Rikard Land, PhD (1). (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework including analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach, the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence; it can also ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA
United Launch Alliance (ULA) believes error reporting is the cornerstone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented, and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012, ULA experienced an elevated number of transportation-related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if the associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates processes were "in control" during the period of this study.


Even though statistical analysis tools demonstrated ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.
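The p-chart the abstract applies, written out as an added example for this program listing (illustrative code, not the ULA authors' analysis). The month labels, per-month task counts ("opportunities") and Event counts are constructed sample data; the chart flags any period whose Event proportion falls outside the three-sigma limits around the pooled proportion, with limits recomputed for each period's own task count.

```python
"""p-chart (attribute control chart) over error Event proportions.

Added example for this page, not the ULA authors' code. A p-chart tracks the
fraction of tasks in each period that produced an error Event and flags a
period as out of statistical control when its fraction lies outside
    p_bar +/- 3 * sqrt(p_bar * (1 - p_bar) / n),
where p_bar is the pooled proportion over the study window and n is the
number of tasks (opportunities) in that period.
"""
from dataclasses import dataclass
from math import sqrt
from typing import List, Tuple


@dataclass(frozen=True)
class Period:
    label: str
    opportunities: int  # tasks performed in the period (constructed sample)
    events: int         # error Events recorded among those tasks


@dataclass(frozen=True)
class ChartPoint:
    label: str
    p: float            # observed Event proportion for the period
    lcl: float          # lower control limit for this period's n
    ucl: float          # upper control limit for this period's n
    out_of_control: bool


def pooled_proportion(periods: List[Period]) -> float:
    """p_bar: total Events divided by total opportunities across all periods."""
    total_opps = sum(x.opportunities for x in periods)
    if total_opps <= 0:
        raise ValueError("no opportunities in the study window")
    return sum(x.events for x in periods) / total_opps


def control_limits(p_bar: float, n: int) -> Tuple[float, float]:
    """Three-sigma limits for a period with n opportunities, clipped to [0, 1].

    Clipping matters for low-rate processes: a negative lower limit is
    meaningless for a proportion, so it collapses to 0.0.
    """
    if n <= 0:
        raise ValueError("n must be positive")
    half_width = 3.0 * sqrt(p_bar * (1.0 - p_bar) / n)
    return max(0.0, p_bar - half_width), min(1.0, p_bar + half_width)


def p_chart(periods: List[Period]) -> List[ChartPoint]:
    """Compute one chart point per period against the pooled centre line."""
    p_bar = pooled_proportion(periods)
    points = []
    for x in periods:
        lcl, ucl = control_limits(p_bar, x.opportunities)
        p = x.events / x.opportunities
        points.append(ChartPoint(x.label, p, lcl, ucl, not (lcl <= p <= ucl)))
    return points


def out_of_control_periods(points: List[ChartPoint]) -> List[str]:
    return [pt.label for pt in points if pt.out_of_control]


def process_in_control(points: List[ChartPoint]) -> bool:
    return not any(pt.out_of_control for pt in points)


def render(points: List[ChartPoint]) -> str:
    """Plain-text table of the chart, one row per period."""
    rows = ["period   p      LCL    UCL    status"]
    for pt in points:
        status = "OUT" if pt.out_of_control else "ok"
        rows.append(f"{pt.label:<6} {pt.p:6.3f} {pt.lcl:6.3f} {pt.ucl:6.3f}  {status}")
    return "\n".join(rows)


# Constructed sample: twelve months of a transportation process with varying
# task counts. Baseline year pools to exactly 120 / 2400 = 0.05.
_MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
           "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
_TASKS = [180, 220, 200, 210, 190, 200, 230, 170, 200, 210, 190, 200]
_EVENTS = [9, 11, 8, 12, 10, 9, 11, 10, 8, 12, 9, 11]

BASELINE_PERIODS = [Period(m, n, e) for m, n, e in zip(_MONTHS, _TASKS, _EVENTS)]

# Same year, but with a burst of Events in October (24 instead of 12).
_SPIKE_EVENTS = _EVENTS[:9] + [24] + _EVENTS[10:]
SPIKE_PERIODS = [Period(m, n, e) for m, n, e in zip(_MONTHS, _TASKS, _SPIKE_EVENTS)]

if __name__ == "__main__":
    for name, data in (("baseline", BASELINE_PERIODS), ("spike", SPIKE_PERIODS)):
        pts = p_chart(data)
        print(f"--- {name}: in control = {process_in_control(pts)}")
        print(render(pts))
```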

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, P.Eng., MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece
Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how STAMP-Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents, and incidents. The objective is to show the feasibility of establishing, in airports, system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems, and airports to assess and predict changing levels of risk.


Special Functions

Saturday: SSS Executive Council Meeting, 12:00 - 5:00pm, Tremont Room

Sunday: SSS Executive Council Meeting, 8:00am - 5:00pm, Tremont Room

Monday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Opening Ceremonies / General Session, 1:30 - 3:30am, Salons A-E. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus

Keynote Speaker: James P. Keller, Jr., MS, ECRI Institute

Tuesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Sponsor/Exhibitor Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology

Sponsor & Exhibitor Reception, 6:30 - 8:30pm, Gloucester Room

Wednesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

International Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK

Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00pm. Be in the hotel lobby at 6:00pm

Thursday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Awards Luncheon, 11:30 - 1:20pm, Salons A-E

Friday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Best Papers Presentations, 8:00 - 11:20am, Dartmouth Room


32nd International System Safety Conference, 4-8 August 2014, St. Louis, MO

St. Louis Union Station Marriott Hotel

Gateway to Safety

Local attractions: Gateway Arch Riverfront; Missouri History Museum; Museum of Transportation; St. Louis Cardinals; St. Louis Symphony; St. Louis Union Station; St. Louis Science Center; The Contemporary Art Museum St. Louis; Bissell Mansion Restaurant and Dinner Theater; Missouri Botanical Gardens; Laumeier Sculpture Park; Anheuser-Busch Brewery; Kemp Auto Museum; Schlafly Bottleworks; Fox Theater; Purina Farms; Meramec Caverns; Laclede's Landing; City Museum; Magic House; Grant's Farm; St. Louis Zoo; Delmar Loop; Forest Park; Harrah's; Six Flags


About the System Safety Society
The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products, and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program, or activity at the planning phase and continues through the design, production, testing, use, and disposal phases.

The Society's Objectives
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering, and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070, www.system-safety.org, email: systemsafety@system-safety.org

Points of Contact

Officers
• Robert Schmedake, President, robertaschmedake@boeing.com
• Dr. Rod Simmons, Executive Vice President, rodsimmons@me.com
• Dr. Matt Johnson, Executive Secretary, mjohnson@staudertech.com
• Pam Kniess, Treasurer, pamkniess@gmail.com
• Gary Braman, Immediate Past President, gbraman@sikorsky.com

Directors
• Gerry Einarsson, Chapter Services, einargk@rogers.com
• Lynece Pfledderer, Conferences, Lynecepfledderer@lmco.com
• Dr. Chuck Muniak, Education & Professional Development, cmuniak@stevens.edu
• Debbie Hale, Gov. & Intersociety, Hale0324@hotmail.com
• Robert Fletcher, International Development, rwfletcher@sympatico.ca
• Melissa Emery, Member Services, memery@apt-research.com
• Steve Mattern, Mentoring, R&D, smattern@bastiontechnologies.com
• Saralyn Dwyer, Publicity & Media, sdwyer@apt-research.com


Chapters
• Tennessee Valley Chapter (AL): Don Swallom, swallom@isss-tvc.org
• Saguaro Chapter (AZ): Amanda Boysun, 520-794-5487, AmandaBoysun@raytheon.com
• Bay Area Chapter (CA): Graham Murray, 408-756-2674, grahamtmurray@lmco.com
• Central California Chapter (CA): Kathleen Brenna, KathleenBrenna1@us.af.mil
• Sierra High Desert Chapter (CA): Jerry Banister, 760-377-4690, safetycitadel@earthlink.net
• Southern California Chapter (CA): Francis McDougall, 310-653-1309, francismcdougall@us.af.mil
• Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppe@comcast.net
• Georgia Chapter: Terry Gooch, 770-494-3527, terryjgooch@gmail.com
• Winners Circle Chapter (KY/IN): Marc Bever, 812-854-1351, Marcbever@navy.mil
• Twin Cities Chapter (MN): Bill Blake, 763-744-5086, billblake@atk.com
• New England Chapter: Alan E. Southwick, 401-842-2067, Alan_E_Southwick@raytheon.com
• Northeast Chapter: Scott Beecher, scottbeecher@PW.utc.com
• New Mexico Chapter (NM): William (Bill) Harwood, williamharwood@mda.mil
• Houston Chapter (TX): Derek Robins, 281-335-2011, derekrobbins@mwcc-usa.com
• North Texas Chapter (TX): Frank Rinaldo, 817-762-3075, frankrrinaldo@lmco.com
• Washington DC Chapter: Sean Peters, seanpeters@urs.com
• Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerber@baesystems.com

International Chapters
• Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbecht@rgbassurance.com.au
• Canada Chapter: Maury Hill, 613-220-0533, Mauryhill@rogers.com
• Israel Chapter: Haim Kuper, 972-4-8315044, haimkuper@elbitsystems.com
• Singapore Chapter: Ten Lin Mei, tlinmei@dso.org.sg


31st ISSC Luncheon Menu

Tuesday, August 13

New England Clam Chowder

Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction

Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14

Asian Inspired Salad

Teriyaki Chicken, Coconut Rice, Seared Bok Choy

Triple Chocolate Tower: White, Dark, and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache, and Berry Sauce

Thursday, August 15

Caesar Salad

Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato Pesto Butter Sauce

White Chocolate and Blood Orange Torte


Safety Culture: An Examination of the Relationship Between a Safety Management System and Pilot Judgment Using Simulation in Aeronautics
Stuart Campbell, Sr., MAS, CFII, ATP, Aeronautical Science, Embry-Riddle Aeronautical University, Daytona Beach, FL, USA
The need to reduce aircraft accidents and incidents is paramount in general aviation, specifically those attributed to aeronautical decision-making and poor judgment. Accident statistics confirm aeronautical decision-making and poor judgment as a significant contributor to general aviation accidents and incidents (Aircraft Owners and Pilots Association, 2010). The absence of a positive safety culture in general aviation, including training organizations, affects pilot judgment and decision making. The learning process and education through actual and simulated flight training, and the relationship of a positive safety culture to the learning process and training, is of importance and currently under study using the Frasca Mentor Advanced Aviation Training Device.

Tuesday, 08/13/13, PM, Dartmouth: Software Safety (Chair: Schmedake)

Safety and/vs. Security: Towards a System Engineering Approach for Trust
Erwin Schoitsch, Dipl.-Ing., Safety & Security Department, AIT Austrian Institute of Technology, Vienna, Austria
Safety has a long tradition in many engineering disciplines, evolving long before computers arrived on the scene. Security in engineering disciplines has a shorter history, becoming increasingly important with the rising complexity of networked systems. In complex cyber-physical systems and systems-of-systems, both worlds, having ignored each other for a long time (independent communities, different targets, standards, techniques, and measures), now have to share their concerns to achieve the real goal of users and stakeholders: trustworthy systems.

The paper will compare the different approaches of the major safety and security standards, particularly with respect to setting goals, considering techniques and measures, and qualification/certification. Holistic system aspects, as covered by the notions of Dependability and Resilience as umbrella terms, and system engineering aspects, taking into account the dichotomic properties of complex embedded systems (commonalities and trade-offs), are examined in order to propose a unified approach (life-cycle process) for trustworthy systems composed of trustworthy components of different criticality, from the concept phase and hazard and risk analysis to decommissioning. The paper refers to work in the European ARTEMIS (Advanced Research and Technology for Embedded Intelligence and Systems) research project SafeCer, the EC-FP7 Integrated Project OpenCoss, IEC/ISO standardization groups, and other work.

Anatomy of a Safety Critical Software Function
Richard Church, Raytheon Company, Tewksbury, Massachusetts, USA
This paper expounds upon the basic definition of a Safety Critical Function as defined in MIL-STD-882E and provides a clear and concise determination of how a safety critical function may be defined at the system level to include hardware, software, human interactions, and the operating environment working in concert to comprise a System Level Safety Critical Function (SLSCF). Furthermore, this paper explains how to decompose SLSCF computing-level functions and details what constitutes a Safety Critical Computing Software Function (SCCSF) and how to identify those behavioral attributes that designate that function as safety critical. This paper provides a methodology to identify, decompose, and categorize application and operating environment SCCSFs. For the purpose of this paper, SCCSFs are categorized into two distinct categories: 1) Safety Critical Application Functions (SCAF) and 2) Safety Critical Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety critical software functions that control and monitor safety critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies, and fail-safe designs found in successful high-consequence safety critical systems.

Software Risk: The Third Rail of Safety Analysis
Holly S. Hildreth, PhD, Consultant; Charles Greg Elcock, USN-R Aviator, Consultant; San Diego, CA, USA
"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Due to our inability to assess probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called "throwing the baby out with the bath water". Meanwhile, the recent industry trend to assess software risk based solely on implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss shortcomings of this trend and describe alternative techniques that have not been openly documented but that have been used "under the radar" by software safety professionals for many years.

Wednesday, 08/14/13, AM, Berkeley: Human Factors (Chair: Robins)

ASL: Affective Safety Leadership
Ulrik Ramsing, Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark
Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how", demanding that the CoRep engage with all parties in a safe, professional, and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged with CfL Centre for Leadership to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, the satisfactory completion of which is now a requirement for employment in DONG E&P Offshore Operation as Company Representative.

The CoRep Program satisfies its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors, and ILO-driven offshore coaching.

Exxon Valdez: Human Error, Plain and Simple
Arthur D. Barondes, BS (Mil. Engr.), MS (Aero.), MBA, PhD (ABD) (Business), Analytics International Corporation (AIC), Alexandria, VA, USA
Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989, and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors (there were no mechanical or electrical failures that fateful night), the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots, and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors, onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company, as solely responsible for the disaster.


Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A. Vernacchia, MS, PE, Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A. Green, PhD, Active Safety Systems, General Motors, Warren, MI, USA; Robert E. Llaneras, PhD, Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA
Today's electric propulsion system designs (e.g., Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, some failure modes may result in the failure effect on output torque being realized significantly faster than in traditional ICE failure modes. These may present differences in how output torque responses impact potential "Driver Startle" events.

This paper compares electric propulsion systems' fault response characteristics, and the subsequent detection and mitigation capabilities, to those of ICE systems. The effects of the electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle-level hazard metrics related to Driver Startle, are presented.

Wednesday, 08/14/13, AM, Clarendon: Public Safety (Chair: Fletcher)

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD; Yun Luo; Shuo Tian, MS; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
Scientific precaution and effective control of accidents are important for national production in China. The famous Heinrich Rule reveals that the statistical law of the severity and frequency of accidents is essential to controlling accidents, but the sources and causation of accidents, as well as the essence of systematic safety factors, haven't been stated deeply. Using data analysis of various accident statistics over recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. A proportion rule of the accident pyramid is then derived, namely "Major Accident - Fatal Accidents - General Accidents - Hidden Dangers - Hazards" (1 - 52 - 240 - 4700 - ∞). The result accords with the traditional Heinrich Rule, provides a theoretical basis for accident prevention, and indicates the way and direction toward realizing essential safety.

Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity
Ilya M. Zheleznov, PhD, VNIIA, Moscow, Russia
The paper presents a review and the results of an analysis of different technical and economic aspects of industrial safety at a large enterprise with distributed sites, combining R&D work with pilot and batch production of high-tech products, located in a megacity, Moscow.

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented

Various approaches to optimization are considered from both technical and economic points of view, taking into account minimization of transport of dangerous substances; the siting of treatment facilities (waste effluents, gas purification) and waste storehouses; the siting of systems that maintain working conditions (heating, air-conditioning, air cleaning, water supply, etc.); possible harm to the population; and a number of other factors.

The features connected with siting the enterprise in a megacity are identified, including limited areas for treatment facilities, a high density of utility lines (communications) in the area, short distances to residential buildings and city infrastructure, transport problems, high air pollution, etc.


Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr., Professor G.A. Smirnov; Dr. D.I. Yurkov; D.V. Syagin; T.V. Kozhina; All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia
The paper reviews questions related to the vulnerability assessment of transport infrastructure facilities and vehicles to acts of unlawful interference, including those of a terrorist nature, as well as to emergencies of natural and anthropogenic origin.

The main provisions of the Russian Government-approved comprehensive program for the safety of the population on transport are presented. Approaches to the organization of screening of physical persons (passengers), vehicles, cargoes, luggage, and personal belongings at transport infrastructure facilities of Russia's metro systems are formulated. Some types of neutron and x-ray equipment for the detection of explosives, nuclear materials, and drugs, designed and produced by VNIIA named after N.L. Duhov, are presented.

Wednesday, 08/14/13, AM, Dartmouth: Lifecycle Safety (Chair: Swallom)

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore, Singapore
System Safety analyses assess the systems' hazards throughout all phases of the system life cycle. Quite often, details of maintenance tasks on systems were not clearly thought out and assessed. Hence, while in the midst of carrying out system maintenance tasks, hazards could arise and pose safety implications to users. Improper maintenance could also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance and sometimes total replacement of the components at regular intervals are required. Therefore, it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety critical or safety related parts is also crucial in ensuring that the systems remain safe for operation after conducting maintenance.

This paper attempts to classify the different types of maintenance and the focus of their respective hazard analyses in order to better address their potential hazards. Generally, there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance, and Reliability-Centered Maintenance. The authors will discuss, with examples, the hazard analysis for each of these types of maintenance.

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram, David Hartfelder, Electronic Controls and Software, General Motors Company, Milford, MI, USA
System safety engineering is the application of special technical methods and managerial processes in a systematic manner to identify, evaluate, and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned with eliminating or minimizing the impact of system hazard(s) to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementary, critical safety analyses, tests, and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase and continuing through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that they are able to influence the design of the system. This paper will define a system safety case and provide an overview of its development within the GM system safety engineering process as applied to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA
Error Prevention Event Collection (EPEC) Documents have been beneficial to the ULA Organization in many ways by providing multiple methods to augment current ULA Error Prevention Processes and share Lessons Learned throughout the ULA Organization. EPEC Documents are stand-alone documents that provide ULA Personnel with categorized sets of Event information that can be used to augment Preventive Analysis, Reactive Analysis, and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process. This means that they have completed the Causal Analysis, Corrective Action Board, and Error Prevention Council processes. Upon Event closure, the "All Items" Database is populated with Event information and the applicable Event EPEC Categories. Then the "All Items" Database automatically sorts Event entries into "Category" Databases. There is one "Category" Database for each EPEC Category. Each "Category" Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" Database that provides users with instructions for use, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications, and benefits will continue to be explored as they relate to the EPEC Documents.

Wednesday 08/14/13 AM, Exeter: Human Factors II. Chair: Flint

Development of Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu MPsy, Yanyan Wang DE, Xin Liu, Wei Bai, Xinsheng Guo, Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China

Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress is a disadvantage to flight safety. Life events are a routine item of aircraft accident investigation in many countries, and many pilots involved in accidents were suffering from life events. In order to achieve the ideal effect, flight safety education must be integrated with psychology. An education program combining flight safety and psychological stress was developed by summarizing the psychological factors relevant to aviation risk perception. The program includes three sections: psychological measurement relevant to safety, with feedback of results; education on representative risk scenes in aviation; and occupational stress management. The Aviation Safety Locus of Control scale and the Hazardous Aviation Attitude questionnaire were used to evaluate risk patterns. The results were fed back to the pilots to improve their self-knowledge. The representative risk scenes were based on the five hazardous attitudes theory; fifteen cases were developed, and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach the pilots stress management skills. The program can be applied to improve the flight safety and mental health of pilots.

Program ISSC 2013

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang MD, Xin Liu, Wei Bai, Xinsheng Guo, Qingfeng Liu MPsy, Xiaochao Guo DPsy, Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China

The capabilities of crew resource management (CRM) relate directly to flight safety and run through the whole process of flight tasks, but there are currently no indicators and methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and the pilot's behavior characteristics of dynamic CRM were developed based on AC-121-FS-2011-41 crew resource management training and by analyzing the influential factors; from these, the dynamic assessment training indicators and methods of crew resource management were formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis of assessment of CRM during flight training, which is helpful in improving the CRM capabilities of the double drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar PE PhD, Erin Collins, Hughes Associates Inc, Baltimore, MD, USA

The fire protection response in selected facilities is characterized by "manual" activities. That is, facility personnel are trained to react immediately after fire detection, not only to announce the fire event throughout the facility using the communication systems but also to suppress the fire as quickly as possible. Contrary to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e. hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper involves an integration of an event tree analysis and HRA, which includes treatment of the following detection and suppression activities: prompt detection and suppression, rapid detection and suppression, and fire brigade suppression.

Wednesday 08/14/13 PM, Berkeley: Safety Topics. Chair: Gauthier

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou BEng MSc PhD CEng, Matthew Luckcuck, Tim Kelly PhD, Richard W. Jones PhD, Department of Computer Science, University of York, York, United Kingdom

There has been an increasing use of IT in healthcare, aiming to improve the quality of healthcare as well as the safety delivered to patients. IT can contribute to meeting the performance targets of hospitals by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent in medical devices (e.g. pacemakers), for which there are organised efforts for international standards. Recently, there have been attempts to systematise and standardise the safety analysis of health IT systems, with examples such as the UK National Health Service standards asking for a safety case showing that any IT systems are safe.

The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety and data-intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these tactics can be used to provide assurance to the final safety case of the system.

How Complex Systems Fail-I: Decomposition of the Failure Histogram
Richard R. Zito PhD, Richard R. Zito Research LLC, Tucson, AZ, USA

Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that in general the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model, and the failure histograms (failure rate vs. time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report will take the Peterson/Arellano analysis one step further. A unified theory of failure rates will be presented that removes the paradoxes of the simple Rayleigh model. It will be shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function law.

Wednesday 08/14/13 PM, Clarendon: Risk Assessment. Chair: Karedes

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt, Joan Pham PhD, Sikorsky Aircraft Corporation, Stratford, Connecticut, USA

The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday 08/15/13 AM, Berkeley: Space Systems. Chair: Durmaz

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X. Dang BSCE (1), Myles P. Moran BSME (2), Tyrone Jackson BSEE (1); (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA

A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. As an example, one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 AFSPCSUP1, 91-217, and 63-101. AF program offices are required to comply with AFI policies; AFIs don't generally apply to the contractor except as implemented through the contract. Often, program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that by having two sets of requirements, AFIs for program offices and MIL-STD-882-Tailored for contractors, full compliance with AF Orbital Safety policy should be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"


Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G. McDougall BS Physics, Naval Post-Graduate School (NPS) Master System Engineering, System Safety Center SMCSE, El Segundo, CA, USA; Tyrone Jackson BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA

Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommissioning, and disposal of systems, subsystems, end items, and services during the entire space system lifecycle, to support Operational Safety, Suitability, and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements that are applicable to the acquisition of space systems or space systems of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems, and user equipment systems. SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP_I, and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process for evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing the tasks and activities required to execute a viable system safety program, which include risk acceptance package development, hazard tracking, mishap risk disposition, and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch, CO, USA

United Launch Alliance launches Atlas V and Delta IV from the Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles, and large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire, and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle, and prelaunch operations, until liftoff. Range Safety regulations provide safety requirements for hardware, software, and operations to ensure safety throughout ground processing. This paper will examine each stage of the ground processing for space launch and the applicable safety requirements, and discuss how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after the personnel are cleared, using safety-critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday 08/15/13 AM, Clarendon: Weapons Safety. Chair: Southwick

Security Critical Software — the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S. Alborzi PhD, Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA

Today's political landscape, the arbitrary abandonment of non-proliferation of nuclear weapons by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense of system safety. This paper intends to explore this integration and unveil some of the security critical software that can serve as the first line of defense for preserving the safety critical features of our weapons systems.


Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello BSChE, Navy NOSSA, Indian Head, MD, USA

The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance for implementing policy provided in the associated AOP-7 and AOP-39. Questions are often raised during program development and reviews as to the origin and applicability of the tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, will only address Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham MS SE, Gunendran Sivapragasam MBA SE, Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA

A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among those characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday 08/15/13 AM, Dartmouth: Hazard Identification. Chair: Oliver

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore

We often ask ourselves why accidents or mishaps happened even when the system safety methodology and assessments were in place. Accidents happen due to many possible causes. There could be lapses in the safety integrity of the system, or a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns whereby a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations that were faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practices in system safety. There are 4 areas of concern highlighted in the paper: Interfaces, Prototype Tests & Trials, Maintenance & Disposal, and Human Error. By identifying the gaps in these 4 areas, the author explores and proposes mitigation measures that could possibly close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust Sr. Cand. scient., System Safety, SINTEF, Trondheim, Norway

Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body for certification according to IEC 61508, a Notified Body for certification according to relevant EU directives, and a Manufacturer.

Experience has shown that, to deliver the product on time and to be cost-effective, it is very important that the Manufacturer and the Certification and Notified Bodies agree about basic principles concerning the plans, contents, traceability, and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Body as evidence.

This paper presents the CoVeR method, which has been developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification, and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, that costs are minimized, that time to market is reduced, that the certification process is complete and well documented, and that updates of the certificates require less work. The certification experiences to date show that many of the problems with conventional methods are reduced.

Design with Safety Eye
Barış Berk Erdem MS, Pinar Aydin MS, Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey

Deriving safety requirements in the early stages of the design is one of the most important key factors in conducting a successful development process for any project. While well-defined, correct, consistent, and complete safety requirements improve and guide the design to perfect levels with minimum effort, defective, inconsistent, and incorrect safety requirements may lead to unsuccessful, overweight, and over-cost designs. In this paper, the ways and advantages of deriving qualified safety requirements in the early stages of the design will be discussed via examples. Safety requirements are derived using the results of the safety assessments, based on the consequences of functional failures. But the quality of the safety assessments depends on the maturity of the design, and as the design matures it is hard to change and implement the changes, which causes a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated, and familiar with similar projects provides great contributions. Also, a safety perspective throughout the design team makes it easy to derive valuable safety requirements and bring these requirements into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is the cooperation of the whole design team with a safety perspective.

Thursday 08/15/13 PM, Berkeley: Aerospace Software. Chair: Beecher

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway, NASA Langley Research Center, Hampton, VA, USA

For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements". Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments, contained in or implied by the DO-178C guidance, that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore, developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels, and Baconian probability. We define use cases for confidence in safety cases, prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases, we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for reuse of safety elements.

Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System
Eric Yang PhD, Richard Y. Xie PhD, Arash Yousefi PhD, Metron Aviation Inc, Dulles, VA, USA

As demand for military, civilian, and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety that is set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper, we adapt a previously developed safety modeling framework, the Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS, incompatibility of sense-and-avoid systems of UAS and Tactical Collision Avoidance Systems (TCAS) of manned aircraft, loss-link procedures in the UAS, and UAS loss of communication with air traffic control. The findings of this study provide insight into potential risks of UAS integration and may support development of concepts of operation, establishing minimum performance standards, and developing required safety nets.

Thursday 08/15/13 PM, Clarendon: Public Safety II. Chair: Laabs

Integrating System Safety and Emergency Management
Terry L. Hardy, Great Circle Analytics LLC, Denver, CO, USA

System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations, or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience, and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A. Robins BS Safety, MS Systems Management, CSP, CFPS, HSE, Marine Well Containment Company, Houston, TX, USA

Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips, and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain, and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess, and Statoil. In February 2011, MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS, and its Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach for working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.


A Taxonomic Analysis on Chinese Special Equipments "Yinhuan" in Supervision
Yunxiao Fan Dr, Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety at the worksite. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices, and automobiles. In recent years, the rapid increase in the numbers and types of special equipment has brought BSES increasing stress in special equipment regulation. As a government supervision organization, BSES tries to make the inspection tasks of the different supervision levels explicit and efficient, and to improve safety management performance from the viewpoint of risk. This research is the first task in a project which aims to identify yinhuans in special equipment supervision through a taxonomy approach, for further ranking them through risk assessment. Based on nonconformity and the 4 elements in the accident causation model, this research defined the yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. This research identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans for 8 types of special equipment.

Thursday 08/15/13 PM, Dartmouth: Hazard/Risk Management II. Chair: Kniess

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander MSc (1), Patrick J. Graydon PhD (2), Rikard Land PhD (1); (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework that includes analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach, the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence; it can also ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA

United Launch Alliance (ULA) believes error reporting is the cornerstone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented, and shared Event data since 2007, and analysis confirms that Event severity and cost have steadily declined during this period.

In 2012, ULA experienced an elevated number of transportation-related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if the associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates processes were "in control" during the period of this study.


Even though statistical analysis tools demonstrated ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.
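
As an added illustration of the P-Charting technique named in this abstract (this is example code written for this program page, not the paper's or ULA's own analysis), the following Python builds a P-chart over per-period counts: the centre line is the pooled Event proportion, each period gets its own three-sigma limits because sample sizes differ, and a period is flagged when its proportion leaves those limits. The `Period` and `PChartPoint` types, the helper names and the monthly figures are all constructed for the example.

```python
"""P-chart (attribute control chart) for error-event rates per period.

Added example for the P-Charting idea in the ULA abstract above; this is not
code from the ISSC program or from ULA. The monthly figures in SAMPLE_* are
constructed for illustration.
"""
from dataclasses import dataclass
from math import sqrt
from typing import List, Tuple


@dataclass(frozen=True)
class Period:
    label: str      # e.g. month name
    inspected: int  # n_i: opportunities for error (e.g. transport moves)
    events: int     # d_i: error Events recorded in that period


@dataclass(frozen=True)
class PChartPoint:
    label: str
    p: float        # observed proportion d_i / n_i
    ucl: float      # upper control limit for this period's sample size
    lcl: float      # lower control limit (floored at 0)
    out_of_control: bool


def p_chart(periods: List[Period], k: float = 3.0) -> Tuple[float, List[PChartPoint]]:
    """Compute the centre line p-bar and k-sigma limits for every period.

    p-bar is the pooled proportion sum(d_i)/sum(n_i). Because sample sizes
    differ, each period gets its own limits: p-bar +/- k*sqrt(p-bar(1-p-bar)/n_i).
    """
    if not periods:
        raise ValueError("need at least one period")
    for pr in periods:
        if pr.inspected <= 0 or pr.events < 0 or pr.events > pr.inspected:
            raise ValueError(f"bad counts for period {pr.label!r}")
    total_n = sum(pr.inspected for pr in periods)
    total_d = sum(pr.events for pr in periods)
    p_bar = total_d / total_n

    points: List[PChartPoint] = []
    for pr in periods:
        p_i = pr.events / pr.inspected
        sigma_i = sqrt(p_bar * (1.0 - p_bar) / pr.inspected)
        ucl = p_bar + k * sigma_i
        lcl = max(0.0, p_bar - k * sigma_i)
        # A point below a positive LCL is also a signal: with voluntary
        # reporting it can mean under-reporting rather than a real improvement.
        flagged = p_i > ucl or (lcl > 0.0 and p_i < lcl)
        points.append(PChartPoint(pr.label, p_i, ucl, lcl, flagged))
    return p_bar, points


def out_of_control_periods(periods: List[Period], k: float = 3.0) -> List[str]:
    """Labels of the periods whose proportion falls outside the control limits."""
    _, points = p_chart(periods, k)
    return [pt.label for pt in points if pt.out_of_control]


# Constructed data: eight months of transport moves and recorded Events.
SAMPLE_IN_CONTROL = [
    Period("Jan", 240, 5), Period("Feb", 260, 4), Period("Mar", 250, 6),
    Period("Apr", 230, 3), Period("May", 270, 6), Period("Jun", 250, 5),
    Period("Jul", 240, 4), Period("Aug", 260, 6),
]
# Same series, but with a cluster of Events in May.
SAMPLE_WITH_SPIKE = [
    Period(pr.label, pr.inspected, 16 if pr.label == "May" else pr.events)
    for pr in SAMPLE_IN_CONTROL
]


if __name__ == "__main__":
    for name, data in (("in control", SAMPLE_IN_CONTROL), ("spike", SAMPLE_WITH_SPIKE)):
        p_bar, pts = p_chart(data)
        print(f"{name}: p-bar={p_bar:.4f}")
        for pt in pts:
            mark = " <-- out of control" if pt.out_of_control else ""
            print(f"  {pt.label}: p={pt.p:.4f} LCL={pt.lcl:.4f} UCL={pt.ucl:.4f}{mark}")
```

Running the block prints both series: the in-control series yields no flagged month, while the series with the May cluster flags May only. A low point below a positive lower limit is flagged as well, since with voluntary disclosure an unusually low rate can mean under-reporting rather than improvement.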

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, PEng, MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece
Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how STAMP-Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents and incidents. The objective is to show the feasibility of establishing, in airports, system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems and airports to assess and predict changing levels of risk.


Special Functions

Saturday: SSS Executive Council Meeting, 12:00 - 5:00pm, Tremont Room

Sunday: SSS Executive Council Meeting, 8:00am - 5:00pm, Tremont Room

Monday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Opening Ceremonies / General Session, 1:30 - 3:30am, Salons A-E. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus

Keynote Speaker: James P. Keller Jr., MS, ECRI Institute

Tuesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Sponsor/Exhibitor Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology

Sponsor & Exhibitor Reception, 6:30 - 8:30pm, Gloucester Room

Wednesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

International Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK

Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00pm. Be in the hotel lobby at 6:00pm.

Thursday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Awards Luncheon, 11:30 - 1:20pm, Salons A-E

Friday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Best Papers Presentations, 8:00 - 11:20am, Dartmouth Room


32nd International System Safety Conference, 4-8 August 2014 · St. Louis, MO

St. Louis Union Station Marriott Hotel

Gateway to Safety

Local attractions:
• Gateway Arch Riverfront
• Missouri History Museum
• Museum of Transportation
• St. Louis Cardinals
• St. Louis Symphony
• St. Louis Union Station
• St. Louis Science Center
• The Contemporary Art Museum St. Louis
• Bissell Mansion Restaurant and Dinner Theater
• Missouri Botanical Gardens
• Laumeier Sculpture Park
• Anheuser-Busch Brewery
• Kemp Auto Museum
• Schlafly Bottleworks
• Fox Theater
• Purina Farms
• Meramec Caverns
• Laclede's Landing
• City Museum
• Magic House
• Grant's Farm
• St. Louis Zoo
• Delmar Loop
• Forest Park
• Harrah's
• Six Flags


About the System Safety Society
The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program or activity at the planning phase and continues through the design, production, testing, use and disposal phases.

The Society's Objectives
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070. www.system-safety.org, email: systemsafety@system-safety.org

Points of Contact

Officers
Robert Schmedake, President: robertaschmedakeboeingcom
Dr. Rod Simmons, Executive Vice President: rodsimmonsmecom
Dr. Matt Johnson, Executive Secretary: mjohnsonstaudertechcom
Pam Kniess, Treasurer: pamkniessgmailcom
Gary Braman, Immediate Past President: gbramansikorskycom

Directors
Gerry Einarsson, Chapter Services: einargkrogerscom
Lynece Pfledderer, Conferences: Lynecepfleddererlmcocom
Dr. Chuck Muniak, Education & Professional Development: cmuniakstevensedu
Debbie Hale, Gov & Intersociety: Hale0324hotmailcom
Robert Fletcher, International Development: rwfletchersympaticoca
Melissa Emery, Member Services: memeryapt-researchcom
Steve Mattern, Mentoring R&D: smatternbastiontechnologiescom
Saralyn Dwyer, Publicity & Media: sdwyerapt-researchcom


Chapters

Tennessee Valley Chapter, AL: Don Swallom, swallomisss-tvcorg

Saguaro Chapter, AZ: Amanda Boysun, 520-794-5487, AmandaBoysunraytheoncom

Bay Area Chapter, CA: Graham Murray, 408-756-2674, grahamtmurraylmcocom

Central California Chapter, CA: Kathleen Brenna, KathleenBrenna1usafmil

Sierra High Desert Chapter, CA: Jerry Banister, 760-377-4690, safetycitadelearthlinknet

Southern California Chapter, CA: Francis McDougall, 310-653-1309, francismcdougallusafmil

Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppecomcastnet

Georgia Chapter: Terry Gooch, 770-494-3527, terryjgoochgmailcom

Winners Circle Chapter, KY/IN: Marc Bever, 812-854-1351, Marcbevernavymil

Twin Cities Chapter, MN: Bill Blake, 763-744-5086, billblakeatkcom

New England Chapter: Alan E. Southwick, 401-842-2067, Alan_E_Southwickraytheoncom

Northeast Chapter: Scott Beecher, scottbeecherPWutccom

New Mexico Chapter, NM: William (Bill) Harwood, williamharwoodmdamil

Houston Chapter, TX: Derek Robins, 281-335-2011, derekrobbinsmwcc-usacom

North Texas Chapter, TX: Frank Rinaldo, 817-762-3075, frankrrinaldolmcocom

Washington DC Chapter: Sean Peters, seanpetersurscom

Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerberbaesystemscom

International Chapters

Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbechtrgbassurancecomau

Canada Chapter: Maury Hill, 613-220-0533, Mauryhillrogerscom

Israel Chapter: Haim Kuper, 972-4-8315044, haimkuperelbitsystemscom

Singapore Chapter: Ten Lin Mei, tlinmeidsoorgsg


31st ISSC Luncheon Menu

Tuesday, August 13

New England Clam Chowder

Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction

Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14

Asian Inspired Salad

Teriyaki Chicken, Coconut Rice, Seared Bok Choy

Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15

Caesar Salad

Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato Pesto Butter Sauce

White Chocolate and Blood Orange Torte


Infrastructure Functions (SCIF). Once the basic concepts of this paper are understood, the reader will possess the ability to decompose and categorize safety-critical software functions that control and monitor safety-critical operations and mitigate recognized hazards. Furthermore, the reader will gain an understanding of safety architectures, common design patterns for software safety functions, defensive coding strategies, and fail-safe designs found in successful high-consequence safety-critical systems.

Software Risk: The Third Rail of Safety Analysis
Holly S. Hildreth, PhD, Consultant; Charles Greg Elcock, USN-R Aviator, Consultant, San Diego, CA, USA
"Probability" is a word that cannot be spoken out loud in software safety circles; even the weaker word "likelihood" can bring down the wrath of fellow analysts. Due to our inability to assess probability of failure for software, there is a perceived inability to assess software risk in any fashion similar to that used for hardware. That's called "throwing the baby out with the bath water." Meanwhile, the recent industry trend to assess software risk based solely on implementation of a best-practice software development process is discouraging, if not frightening. The authors discuss shortcomings of this trend and describe alternative techniques that have not been openly documented but that have been used "under the radar" by software safety professionals for many years.

Wednesday 08/14/13 AM, Berkeley: Human Factors (Chair: Robins)

ASL – Affective Safety Leadership
Ulrik Ramsing, Strategic Initiatives, CfL - Danish Centre for Leadership, Aarhus, Denmark
Years of internal post-fatality reviews and regional research have led DONG Energy Exploration & Production (DONG E&P), one of the leading energy groups in Northern Europe, to a new set of updated Ground Rules for the essential role of the Offshore Company Representative (CoRep).

The resulting focus in the increasingly complex drilling business must be "what, not how", demanding that the CoRep engage with all parties in a safe, professional and meaningful way. This requires more than being right; it requires the greater level of interpersonal attention only found in ASL, Affective Safety Leadership.

Having updated the Ground Rules, DONG E&P engaged with CfL, Centre for Leadership, to design and develop a new way to implement and strengthen the corresponding behaviors. The result is the multifaceted and comprehensive DONG CoRep Program, the satisfactory completion of which is now a requirement for employment in DONG E&P Offshore Operation as Company Representative.

The CoRep Program satisfies its objectives through case-based training and a unique set of mutually supportive technologies, from playing cards to iPads, on-site simulations with business actors, and ILO-driven offshore coaching.

Exxon Valdez: Human Error, Plain and Simple
Arthur D. Barondes, BS (Mil Engr), MS (Aero), MBA, PhD (ABD) (Business), Analytics International Corporation (AIC), Alexandria, VA, USA
Much has been made of the Exxon Valdez going aground on Bligh Reef in Prince William Sound in 1989, and rightfully so. The effects of the disaster continue to this day. The reasons why the Exxon Valdez went aground are very straightforward, although not widely well understood. As can be expected, various interests seized upon the catastrophe to support their causes or improve their lots. Whereas it is now clear that the ship went aground purely as a consequence of human errors (there were no mechanical or electrical failures that fateful night), the event has been used to justify changes that, while desirable, would not have prevented the Exxon Valdez from going aground or the subsequent oil spill. Those changes include, inter alia, a variety of improved navigational aids, expanded Coast Guard monitoring capabilities, increased requirements for harbor pilots, and required crew rest. In looking back, one might be led to believe that the ship went aground in a sea of red herrings. This paper reviews what really happened on that night and presents incontrovertible evidence that supports human errors, onboard the Exxon Valdez and thousands of miles away at the Exxon Shipping Company, as solely responsible for the disaster.


Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A. Vernacchia, MS, PE, Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A. Green, PhD, Active Safety Systems, General Motors, Warren, MI, USA; Robert E. Llaneras, PhD, Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA
Today's electric propulsion system designs (e.g. Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, some failure modes may result in the failure effect on output torque being realized significantly faster than with traditional ICE failure modes. These may present differences in how output torque responses impact potential "Driver Startle" events.

This paper compares electric propulsion systems' fault response characteristics, and the subsequent detection and mitigation capabilities, to those of ICE systems. The effects of the electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle-level hazard metrics related to Driver Startle, are presented.

Wednesday 08/14/13 AM, Clarendon: Public Safety (Chair: Fletcher)

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD; Yun Luo; Shuo Tian, MS; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
Scientific precaution and effective control of accidents are important for national production in China. The famous Heinrich Rule reveals that the statistical law of the severity and frequency of accidents is essential to controlling accidents, but the accident source and causation, as well as the essence of systematic safety factors, haven't been stated deeply. With data analysis from various accident statistics over recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. A proportion rule of the accident pyramid is then figured out, namely "Major Accidents - Fatal Accidents - General Accidents - Hidden Dangers - Hazards" (1 - 52 - 240 - 4700 - ∞). The result accords with the traditional Heinrich Rule, provides the theoretical basis for accident prevention, and indicates the way and direction of realizing essential safety.

Technical and Economic Aspects of Industrial Safety at a Large Enterprise with Distributed Sites Located in a Megacity
Ilya M. Zheleznov, PhD, VNIIA, Moscow, Russia
This paper presents a review and the results of an analysis of different technical and economic aspects of industrial safety at a large enterprise with distributed sites, combining R&D work with pilot and batch production of high-tech products, located in a megacity: Moscow.

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to optimization are considered, from both technical and economic points of view, taking into account: minimization of the transportation of dangerous substances; the location of treatment facilities (waste effluents, gas purification) and waste storehouses; the location of systems that maintain working conditions (heating, air-conditioning, air cleaning, water supply, etc.); possible harm to the population; and a number of other factors.

The features connected with locating the enterprise in a megacity are identified, including the limited areas available for treatment facilities, a high saturation of the area by various communications (utility networks), small distances to residential buildings and city infrastructure, transport problems, high air pollution, etc.


Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr. Professor G.A. Smirnov, Dr. D.I. Yurkov, D.V. Syagin, T.V. Kozhina, All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia
The paper reviews questions related to the vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including those of a terrorist orientation, as well as to emergencies of natural and anthropogenic character.

The main provisions of the Russian Government-approved complex program for the safety of the population on transport are presented. Approaches to organizing the screening of persons (passengers), vehicles, cargoes, luggage and personal belongings at transport infrastructure objects of Russian underground systems are formulated. Some types of neutron and X-ray equipment designed and produced by VNIIA (named after N.L. Dukhov) for the detection of explosives, nuclear materials and drugs are presented.

Wednesday 08/14/13 AM, Dartmouth: Lifecycle Safety (Chair: Swallom)

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore, Singapore
System safety analyses assess the system's hazards throughout all phases of the system life cycle. Quite often, the details of maintenance tasks on systems are not clearly thought out and assessed. Hence, while in the midst of carrying out system maintenance tasks, hazards could arise and pose safety implications to users. Improper maintenance could also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance, and sometimes total replacement of the components at regular intervals, is required. Therefore, it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety-critical or safety-related parts is also crucial in ensuring that the systems remain safe for operation after conducting maintenance.

This paper attempts to classify the different types of maintenance and the focuses of their respective hazard analyses, in order to better address their potential hazards. Generally, there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance, and Reliability-Centered Maintenance. The authors will discuss, with examples, the hazard analysis for each of these types of maintenance.

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram, David Hartfelder, Electronic Controls and Software, General Motors Company, Milford, MI, USA
System safety engineering is the application of special technical methods and managerial processes, in a systematic manner, to identify, evaluate and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned with eliminating or minimizing the impact of system hazard(s) to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementary critical safety analyses, tests and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase and continuing through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that they are able to influence the design of the system. This paper will define a system safety case and provide an overview of its development within the GM system safety engineering process as it applies to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA
Error Prevention Event Collection (EPEC) Documents have been beneficial to the ULA organization in many ways, by providing multiple methods to augment current ULA Error Prevention Processes and to share Lessons Learned throughout the ULA organization. EPEC Documents are stand-alone documents that provide ULA personnel with categorized sets of Event information that can be used to augment the Preventive Analysis, Reactive Analysis and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process; this means that they have completed the Causal Analysis, Corrective Action Board and Error Prevention Council processes. Upon Event closure, the "All Items" Database is populated with the Event information and the applicable Event EPEC Categories. The "All Items" Database then automatically sorts Event entries into "Category" Databases; there is one "Category" Database for each EPEC Category. Each "Category" Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" Database that provides users with instructions for use, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications and benefits of the EPEC Documents will continue to be explored.

Wednesday 08/14/13 AM, Exeter: Human Factors II (Chair: Flint)

Development of an Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy; Yanyan Wang, DE; Xin Liu; Wei Bai; Xinsheng Guo; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress has a disadvantageous effect on flight safety. Life events are a routine item of aircraft accident investigation in many countries, and many pilots involved in accidents were suffering from life events. In order to achieve the ideal effect, flight safety education must be integrated with psychology. An education program combining flight safety and psychological stress was developed by summarizing the psychological factors relevant to aviation risk perception. The program includes three sections: psychological measurement relevant to safety, with results feedback; education on representative risk scenes in the aviation occupation; and stress management. The Aviation Safety Locus of Control scale and the Hazardous Aviation Attitude questionnaire were used to evaluate risk patterns, and the results were fed back to pilots to improve their self-knowledge. The representative risk scenes were based on the five hazardous attitudes theory; fifteen cases were developed, and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach the pilots stress management skills. The program can be applied to improve the flight safety and mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD; Xin Liu; Wei Bai; Xinsheng Guo; Qingfeng Liu, MPsy; Xiaochao Guo, DPsy; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
The capabilities of crew resource management (CRM) directly relate to flight safety and run through the whole process of flight tasks, but there are currently still no indicators or methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and the pilot's behavior characteristics of dynamic CRM were developed based on AC-121-FS-2011-41 (crew resource management training) and by analyzing the influential factors; from these, the dynamic assessment training indicators and methods of crew resource management were formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis for the assessment of CRM during flight training, which is helpful for improving the CRM capabilities of the double drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD; Erin Collins; Hughes Associates, Inc., Baltimore, MD, USA
The fire protection response in selected facilities is characterized by "manual" activities. That is, facility personnel are trained to react immediately after fire detection, not only to announce the fire event throughout the facility using the communication systems, but also to suppress the fire as quickly as possible. Contrary to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e. hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper integrates an event tree analysis with HRA, which includes treatment of the following detection and suppression activities: prompt detection and suppression, rapid detection and suppression, and fire brigade suppression.

Wednesday 08/14/13 PM, Berkeley: Safety Topics (Chair: Gauthier)

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou, BEng, MSc, PhD, CEng; Matthew Luckcuck; Tim Kelly, PhD; Richard W. Jones, PhD; Department of Computer Science, University of York, York, United Kingdom
There has been increasing use of IT in healthcare, aiming to improve the quality of healthcare as well as the safety delivered to patients. IT can contribute to meeting the performance targets of hospitals by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent in medical devices (e.g. pacemakers), for which there are organised efforts for international standards. Recently, there have been attempts to systematise and standardise the safety analysis of health IT systems, with examples such as the UK National Health Service standards asking for a safety case that any IT systems are safe.


The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety and data-intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these tactics can be used to provide assurance in the final safety case of the system.

How Complex Systems Fail - I: Decomposition of the Failure Histogram
Richard R. Zito, PhD, Richard R. Zito Research LLC, Tucson, AZ, USA
Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that in general the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model, and the failure histograms (failure rate vs. time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report will take the Peterson/Arellano analysis one step further. A unified theory of failure rates will be presented that removes the paradoxes of the simple Rayleigh model. It will be shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function law.
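
To make the decomposition described in this abstract concrete, here is an added Python example (written for this program page, not code from the paper or from the ISSC) that builds a system failure curve as a weighted sum of per-subsystem Rayleigh laws and compares its tail with the single Rayleigh law that has the same mean time to failure. The function names, the three subsystem modes and the equal weights are constructed for the example.

```python
"""Composite failure-rate curves built from several Rayleigh laws.

Added example for the decomposition idea in the Zito abstract above; it is
not code from the ISSC program or from that paper. The subsystem modes and
weights below are constructed values.
"""
from math import exp, pi, sqrt
from typing import Sequence


def rayleigh_pdf(t: float, sigma: float) -> float:
    """Rayleigh curve f(t) = (t/sigma^2) exp(-t^2 / 2 sigma^2); its peak (mode) is at t = sigma."""
    if sigma <= 0:
        raise ValueError("sigma must be positive")
    if t < 0:
        return 0.0
    return (t / (sigma * sigma)) * exp(-(t * t) / (2.0 * sigma * sigma))


def rayleigh_survival(t: float, sigma: float) -> float:
    """Fraction of a Rayleigh population's failures that occur after time t (1 - CDF)."""
    if sigma <= 0:
        raise ValueError("sigma must be positive")
    if t < 0:
        return 1.0
    return exp(-(t * t) / (2.0 * sigma * sigma))


def _check_mixture(weights: Sequence[float], sigmas: Sequence[float]) -> None:
    if len(weights) != len(sigmas) or not weights:
        raise ValueError("weights and sigmas must be non-empty and the same length")
    if abs(sum(weights) - 1.0) > 1e-9 or any(w < 0 for w in weights):
        raise ValueError("weights must be non-negative and sum to 1")


def mixture_pdf(t: float, weights: Sequence[float], sigmas: Sequence[float]) -> float:
    """System failure-rate curve: a weighted sum of one Rayleigh law per subsystem."""
    _check_mixture(weights, sigmas)
    return sum(w * rayleigh_pdf(t, s) for w, s in zip(weights, sigmas))


def mixture_survival(t: float, weights: Sequence[float], sigmas: Sequence[float]) -> float:
    """Fraction of the whole system's failures that occur after time t."""
    _check_mixture(weights, sigmas)
    return sum(w * rayleigh_survival(t, s) for w, s in zip(weights, sigmas))


def mean_matched_sigma(weights: Sequence[float], sigmas: Sequence[float]) -> float:
    """sigma of the single Rayleigh law with the same mean time to failure as the mixture.

    A Rayleigh law has mean sigma*sqrt(pi/2), so matching the mean amounts to
    taking the weighted average of the subsystem sigmas.
    """
    _check_mixture(weights, sigmas)
    return sum(w * s for w, s in zip(weights, sigmas))


def mixture_mean(weights: Sequence[float], sigmas: Sequence[float]) -> float:
    """Mean time to failure of the composite curve."""
    return mean_matched_sigma(weights, sigmas) * sqrt(pi / 2.0)


def tail_ratio(t: float, weights: Sequence[float], sigmas: Sequence[float]) -> float:
    """Failure mass beyond time t in the mixture, relative to the mean-matched single Rayleigh.

    Values well above 1 reproduce the effect in the abstract: a histogram that is
    really a sum of Rayleigh curves with spread-out modes has a heavier tail than
    any single Rayleigh fitted to the same mean.
    """
    single = rayleigh_survival(t, mean_matched_sigma(weights, sigmas))
    return mixture_survival(t, weights, sigmas) / single


# Constructed system: three subsystems whose Rayleigh modes sit at t = 1, 2 and 4
# (arbitrary time units), each contributing a third of the failures.
SUBSYSTEM_WEIGHTS: Sequence[float] = (1 / 3, 1 / 3, 1 / 3)
SUBSYSTEM_MODES: Sequence[float] = (1.0, 2.0, 4.0)


if __name__ == "__main__":
    sig = mean_matched_sigma(SUBSYSTEM_WEIGHTS, SUBSYSTEM_MODES)
    print(f"mean-matched single Rayleigh sigma = {sig:.4f}")
    for t in (1.0, 2.0, 4.0, 8.0):
        print(f"t={t:4.1f} mixture f={mixture_pdf(t, SUBSYSTEM_WEIGHTS, SUBSYSTEM_MODES):.5f} "
              f"single f={rayleigh_pdf(t, sig):.5f} "
              f"tail ratio={tail_ratio(t, SUBSYSTEM_WEIGHTS, SUBSYSTEM_MODES):.2f}")
```

With the constructed modes, the mean-matched single Rayleigh has sigma 7/3, and at t = 8 the composite curve still carries roughly sixteen times the failure mass that the single law predicts, which is the heavy-tail discrepancy the abstract attributes to mixing subsystems with different modes.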

Wednesday 08/14/13 PM, Clarendon: Risk Assessment (Chair: Karedes)

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt; Joan Pham, PhD; Sikorsky Aircraft Corporation, Stratford, Connecticut, USA
The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday 08/15/13 AM, Berkeley: Space Systems (Chair: Durmaz)

Using the System Safety Management Plan to Effectively Implement Air Force Orbital Safety Policy
Lan X. Dang, BSCE (1); Myles P. Moran, BSME (2); Tyrone Jackson, BSEE (1). (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA
A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. An example: one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 AFSPCSUP1, 91-217 and 63-101. AF program offices are required to comply with AFI policies; AFIs don't generally apply to the contractor except as implemented through the contract. Often, program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that by having two sets of requirements, AFIs for program offices and MIL-STD-882-Tailored for contractors, full compliance with AF Orbital Safety policy should be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"


Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G. McDougall, BS Physics, Naval Post-Graduate School (NPS) Master System Engineering, System Safety Center, SMC/SE, El Segundo, CA, USA; Tyrone Jackson, BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA
Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommissioning and disposal of systems, subsystems, end items and services during the entire space system lifecycle, to support Operational Safety, Suitability and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements that are applicable to the acquisition of space systems or space systems of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems, and user equipment systems. SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP_I, and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process for evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing the tasks and activities required to execute a viable system safety program, including risk acceptance package development, hazard tracking, mishap risk disposition, and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch, CO, USA

United Launch Alliance launches Atlas V and Delta IV from Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles. Large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle and prelaunch operations, till liftoff. Range Safety regulations provide safety requirements for hardware, software and operations to ensure safety throughout the ground processing. This paper will examine each stage of the ground processing for space launch and the applicable safety requirements, and discuss how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after the personnel are cleared, using safety critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday 08/15/13 AM | Clarendon | Weapons Safety | Chair: Southwick

Security Critical Software — the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S. Alborzi, PhD, Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA

Today's political landscape, the arbitrary abandonment of non-proliferation of nuclear weapons by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense to system safety. This paper intends to explore this integration and unveil some of the security critical software that can serve as the first line of defense for preserving the safety critical features of our weapons systems.


Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams, BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello, BSChE, Navy NOSSA, Indian Head, MD, USA

The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance provided in the associated AOP-7 and AOP-39 for implementing policy. Questions are often raised during program development and reviews as to the origin and applicability of tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, will only address Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE; Gunendran Sivapragasam, MBA SE; Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA

A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among those characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday 08/15/13 AM | Dartmouth | Hazard Identification | Chair: Oliver

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore

We often asked ourselves why accidents or mishaps happened even when the system safety methodology and assessments were in place. Accidents happen due to many possible causes. There could be lapses in the safety integrity of the system, or a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns, in that a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations that were faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practices in system safety. There are 4 areas of concern highlighted in the paper: Interfaces, Prototype Tests & Trials, Maintenance & Disposal, and Human Error. By identifying the gaps in these 4 areas, the author explores and proposes mitigation measures that could possibly close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr., Cand. Scient., System Safety, SINTEF, Trondheim, Norway

Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body (for certification according to IEC 61508), a Notified Body (for certification according to relevant EU directives) and a Manufacturer.

Experience has shown that, to deliver the product in time and to be cost-effective, it is very important that the Manufacturer and the Certification and Notified Bodies agree about basic principles concerning the plans, contents, traceability and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Bodies as evidence.

This paper presents the CoVeR method, which has been developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, that costs are minimized, that time to market is reduced, that the certification process is complete and well documented, and that updates of the certificates require less work. The certification experiences to date show that many of the problems with conventional methods are improved.

Design with Safety Eye
Barış Berk Erdem, MS; Pinar Aydin, MS; Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey

Deriving safety requirements in the early stages of the design is one of the most important key factors to conduct a successful development process for any project. While well-defined, correct, consistent and complete safety requirements improve and guide the design to perfect levels with minimum effort, defective, inconsistent and incorrect safety requirements may lead to unsuccessful, overweight and over-cost designs. In this paper, ways and advantages of deriving qualified safety requirements in early stages of the design will be discussed via examples. Safety requirements are derived using the results of the safety assessments, based on the consequences of functional failures. But the quality of safety assessments is based on the maturity of the design, and as the design matures it is hard to change and implement the changes, which causes a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated and familiar with similar projects provides great contributions. Also, a safety perspective throughout the design team makes it easy to derive valuable safety requirements and bring these requirements into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is the cooperation of the whole design team with a safety perspective.

Thursday 08/15/13 PM | Berkeley | Aerospace Software | Chair: Beecher

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway, NASA Langley Research Center, Hampton, VA, USA

For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements". Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments, contained in or implied by the DO-178C guidance, that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore, developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper, we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels and Baconian probability. We define use cases for confidence in safety cases, prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for reuse of safety elements.

Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System
Eric Yang, PhD; Richard Y. Xie, PhD; Arash Yousefi, PhD; Metron Aviation, Inc., Dulles, VA, USA

As demand for military, civilian and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety that is set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper, we adapt a previously developed safety modeling framework, Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with: incompatibility of sense-and-avoid systems between different types of UAS; incompatibility of sense-and-avoid systems of UAS and Tactical Collision Avoidance Systems (TCAS) of manned aircraft; loss-link procedures in the UAS; and the UAS loss of communication with air traffic control. The findings of this study provide insight into potential risks of UAS integration and may support development of the concept of operation, establishing minimum performance standards, and developing required safety nets.

Thursday 08/15/13 PM | Clarendon | Public Safety II | Chair: Laabs

Integrating System Safety and Emergency Management
Terry L. Hardy, Great Circle Analytics, LLC, Denver, CO, USA

System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations, or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience, and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS, HSE, Marine Well Containment Company, Houston, TX, USA

Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess and Statoil. In February 2011, MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS and Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach for working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.


A Taxonomic Analysis on Chinese Special Equipments "Yinhuan" in Supervision
Yunxiao Fan, Dr., Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety in the worksite. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices and automobiles. In recent years, the rapid increase in the numbers and types of special equipment has brought BSES increasing stress on special equipment regulation. As a government supervision organization, BSES tries to make the inspection tasks of the different supervision levels explicit and efficient, and to improve safety management performance from the viewpoint of risk. This research is the first task in a project which aims to identify yinhuans in special equipment supervision through a taxonomy approach, for further ranking them through risk assessment. Based on nonconformity and the 4 elements in the accident causation model, this research defined yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. This research identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans of 8 types of special equipment.

Thursday 08/15/13 PM | Dartmouth | Hazard/Risk Management II | Chair: Kniess

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1); Patrick J. Graydon, PhD (2); Rikard Land, PhD (1). (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework including analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach, the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence, it can ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA

United Launch Alliance (ULA) believes error reporting is the cornerstone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012, ULA experienced an elevated number of transportation related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates processes were "in control" during the period of this study.


Even though statistical analysis tools demonstrated ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, PEng, MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece

Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how STAMP Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents and incidents. The objective is to show the feasibility of establishing in airports system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems and airports to assess and predict changing levels of risk.


Special Functions

Saturday: SSS Executive Council Meeting, 12:00 - 5:00pm, Tremont Room

Sunday: SSS Executive Council Meeting, 8:00am - 5:00pm, Tremont Room

Monday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Opening Ceremonies / General Session, 1:30 - 3:30am, Salons A-E. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus. Keynote Speaker: James P. Keller, Jr., MS, ECRI Institute

Tuesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Sponsor/Exhibitor Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology
Sponsor & Exhibitor Reception, 6:30 - 8:30pm, Gloucester Room

Wednesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
International Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK
Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00pm. Be in the hotel lobby at 6:00pm

Thursday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Awards Luncheon, 11:30 - 1:20pm, Salons A-E

Friday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Best Papers Presentations, 8:00 - 11:20am, Dartmouth Room


32nd International System Safety Conference, 4-8 August 2014 · St. Louis, MO
St. Louis Union Station Marriott Hotel
"Gateway to Safety"

Local attractions:
• Gateway Arch Riverfront
• Missouri History Museum
• Museum of Transportation
• St. Louis Cardinals
• St. Louis Symphony
• St. Louis Union Station
• St. Louis Science Center
• The Contemporary Art Museum St. Louis
• Bissell Mansion Restaurant and Dinner Theater
• Missouri Botanical Gardens
• Laumeier Sculpture Park
• Anheuser-Busch Brewery
• Kemp Auto Museum
• Schlafly Bottleworks
• Fox Theater
• Purina Farms
• Meramec Caverns
• Laclede's Landing
• City Museum
• Magic House
• Grant's Farm
• St. Louis Zoo
• Delmar Loop
• Forest Park
• Harrah's
• Six Flags


About the System Safety Society

The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program or activity at the planning phase and continues through the design, production, testing, use and disposal phases.

The Society's Objectives:
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070. www.system-safety.org. Email: systemsafety@system-safety.org

Points of Contact

Officers:
Robert Schmedake, President, robertaschmedakeboeingcom
Dr. Rod Simmons, Executive Vice President, rodsimmonsmecom
Dr. Matt Johnson, Executive Secretary, mjohnsonstaudertechcom
Pam Kniess, Treasurer, pamkniessgmailcom
Gary Braman, Immediate Past President, gbramansikorskycom

Directors:
Gerry Einarsson, Chapter Services, einargkrogerscom
Lynece Pfledderer, Conferences, Lynecepfleddererlmcocom
Dr. Chuck Muniak, Education & Professional Development, cmuniakstevensedu
Debbie Hale, Gov. & Intersociety, Hale0324hotmailcom
Robert Fletcher, International Development, rwfletchersympaticoca
Melissa Emery, Member Services, memeryapt-researchcom
Steve Mattern, Mentoring R&D, smatternbastiontechnologiescom
Saralyn Dwyer, Publicity & Media, sdwyerapt-researchcom


Chapters

Tennessee Valley Chapter AL Don Swallom swallomisss-tvcorg

Saguaro Chapter AZ Amanda Boysun 520-794-5487 AmandaBoysunraytheoncom

Bay Area Chapter CA Graham Murray 408-756-2674 grahamtmurraylmcocom

Central California Chapter CA Kathleen Brenna KathleenBrenna1usafmil

Sierra High Desert Chapter CA Jerry Banister 760-377-4690 safetycitadelearthlinknet

Southern California Chapter CA Francis McDougall 310-653-1309 francismcdougallusafmil

Colorado Chapter Terry Foppe 303-915-8353 terryfoppecomcastnet

Georgia Chapter Terry Gooch 770-494-3527 terryjgoochgmailcom

Winners Circle Chapter KYIN Marc Bever 812-854-1351 Marcbevernavymil

Twin Cities Chapter MN Bill Blake 763-744-5086 billblakeatkcom

New England Chapter Alan E Southwick 401-842-2067 Alan_E_Southwickraytheoncom

Northeast Chapter Scott Beecher scottbeecherPWutccom

New Mexico Chapter NM William (Bill) Harwood williamharwoodmdamil

Houston Chapter TX Derek Robins 281-335-2011 derekrobbinsmwcc-usacom

North Texas Chapter TX Frank Rinaldo 817-762-3075 frankrrinaldolmcocom

Washington DC Chapter Sean Peters seanpetersurscom

Virtual Chapter Doanna Weissgerber 408-289-4407 DoannaWeissgerberbaesystemscom

International Chapters

Australia Chapter Dr Holger Becht +61 (0)7 3868 9243 holgerbechtrgbassurancecomau

Canada Chapter Maury Hill 613-220-0533 Mauryhillrogerscom

Israel Chapter Haim Kuper 972-4-8315044 haimkuperelbitsystemscom

Singapore Chapter Ten Lin Mei tlinmeidsoorgsg


31st ISSC Luncheon Menu

Tuesday, August 13
New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pate de Fruit

Wednesday, August 14
Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15
Caesar Salad
Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce
White Chocolate and Blood Orange Torte


Analysis of Potential Driver Startle in the Safety Assessment of Advanced Propulsion Systems
Mark A. Vernacchia, MS, PE, Vehicle Electrification, GM Hybrid & Electric Vehicle Propulsion Systems, Milford, MI, USA; Charles A. Green, PhD, Active Safety Systems, General Motors, Warren, MI, USA; Robert E. Llaneras, PhD, Human Factors, Virginia Tech Transportation Institute, Blacksburg, VA, USA

Today's electric propulsion system designs (e.g., Hybrid Electric and Battery Electric systems) have faster output torque response times and different failure modes than internal combustion engines (ICEs). As a result, some failure modes may result in the failure effect on output torque being realized significantly faster than with traditional ICE failure modes. These may present differences in how output torque responses impact potential "Driver Startle" events.

This paper compares electric propulsion systems' fault response characteristics, and subsequent detection and mitigation capabilities, to those of ICE systems. The effects of the electric propulsion system output torque response characteristics are discussed as they relate to potential Driver Startle.

Finally, the initial results of an acceleration study, which may lead to the development of vehicle level hazard metrics related to Driver Startle, are presented.

Wednesday 08/14/13 AM | Clarendon | Public Safety | Chair: Fletcher

The Study on the Accident Causation Rule of Macroscopic Accidents in China
Zhu Zeng, PhD; Yun Luo; Shuo Tian, MS; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

Scientific precaution and effective control of accidents are important for the national production of China. The famous Heinrich Rule reveals that the statistical law of the severity and frequency of accidents is essential to control accidents, but the accident source and causation, as well as the essence of systematic safety factors, haven't been stated deeply. With data analysis from various accident statistics over recent years in China, two essential factors, hidden danger and hazard, are introduced into the Heinrich Rule. A proportion rule of the accident pyramid is then further figured out, namely "Major Accident-Fatal Accidents-General Accidents-Hidden Dangers-Hazards" (1-52-240-4700-∞). The result accords with the traditional Heinrich Rule, which provides the theoretical basis for accident prevention and indicates the way and direction of realizing essential safety.

Technical and Economic Aspects of Industrial Safety at the Large Enterprise with Distributed Sites Located in a Megacity
Ilya M. Zheleznov, PhD, VNIIA, Moscow, Russia

The paper presents a review and results of analysis of different technical and economic aspects of industrial safety at a large enterprise with distributed sites, combining R&D work with pilot and batch production of high-tech products, and located in a megacity, Moscow.

The basic documents regulating industrial safety in the Russian Federation and in Moscow are presented.

Various approaches to optimization are considered, both from technical and economic points of view, taking into account minimization of transportation of dangerous substances; localization of treatment facilities (waste effluents, gas purification) and waste storehouses; localization of the systems maintaining working conditions (heating, air-conditioning, air cleaning, water supply, etc.); possible harm to the population; and a number of other factors.

The features connected with the location of the enterprise in a megacity are identified, including limitation of the areas for treatment facilities, a high saturation of the area by various communications, small distances to residential buildings and objects of the city infrastructure, transport problems, high pollution of the air environment, etc.

ProgramISSC2013


Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr. Professor G.A. Smirnov, Dr. D.I. Yurkov, D.V. Syagin, T.V. Kozhina; All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia
The paper reviews questions related to the vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including those of a terrorist orientation, as well as to emergency situations of natural and anthropogenic character.

The main provisions of the Russian Government-approved comprehensive program for the safety of the population on transport are presented. Approaches to organizing the screening of individuals (passengers), vehicles, cargo, luggage and personal items at the transport infrastructure objects of Russian undergrounds are formulated. Some types of neutron and X-ray equipment, designed and produced by VNIIA (named after N.L. Duhov) for the detection of explosives, nuclear materials and drugs, are presented.

Wednesday, 08/14/13, AM, Dartmouth: Lifecycle Safety (Chair: Swallom)

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore
System safety analyses assess a system's hazards throughout all phases of its life cycle. Quite often, the details of maintenance tasks on systems are not clearly thought out and assessed. Hence, while system maintenance tasks are being carried out, hazards can arise and pose safety implications for users. Improper maintenance can also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance, and sometimes total replacement of the components at regular intervals, is required. Therefore it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety-critical or safety-related parts is also crucial in ensuring that the systems remain safe for operation after maintenance has been conducted.

This paper attempts to classify the different types of maintenance and the focus of their respective hazard analyses, in order to better address their potential hazards. Generally there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance and Reliability-Centered Maintenance. The authors discuss, with examples, the hazard analysis for each of these types of maintenance.

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram, David Hartfelder; Electronic Controls and Software, General Motors Company, Milford, MI, USA
System safety engineering is the application of special technical methods and managerial processes, in a systematic manner, to identify, evaluate and control potential hazards throughout the life cycle of a product. It is concerned with eliminating system hazards or reducing their impact to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementary safety analyses, tests and assessment activities are conducted iteratively throughout development, beginning at the concept phase and continuing through deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process, and the safety assessments are timed so that they can influence the design of the system. This paper defines a system safety case and provides an overview of its development within the GM system safety engineering process, as applied to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA
Error Prevention Event Collection (EPEC) Documents have benefited the ULA organization in many ways, by providing multiple methods to augment current ULA Error Prevention Processes and by sharing Lessons Learned throughout the organization. EPEC Documents are stand-alone documents that provide ULA personnel with categorized sets of Event information that can be used to augment the Preventive Analysis, Reactive Analysis and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process, meaning that they have completed the Causal Analysis, Corrective Action Board and Error Prevention Council processes. Upon Event closure, the "All Items" Database is populated with the Event information and the applicable EPEC Categories; the "All Items" Database then automatically sorts Event entries into "Category" Databases, one for each EPEC Category. Each "Category" Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" Database; it gives users instructions for use, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications and benefits of the EPEC Documents will continue to be explored.

Wednesday, 08/14/13, AM, Exeter: Human Factors II (Chair: Flint)

Development of an Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy; Yanyan Wang, DE; Xin Liu; Wei Bai; Xinsheng Guo; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress is detrimental to flight safety. Life events are a routine item of aircraft accident investigation in many countries, and many pilots involved in accidents were suffering from life events. To achieve the desired effect, flight safety education must incorporate psychology. An education program combining flight safety and psychological stress was developed by summarizing the psychological factors relevant to aviation risk perception. The program includes three sections: psychological measurement relevant to safety, with feedback of the results; education on representative risk scenes in aviation; and occupational stress management. The Aviation Safety Locus of Control scale and the Hazardous Aviation Attitude questionnaire were used to evaluate risk pattern, and the results were fed back to the pilots to improve their self-knowledge. The representative risk scenes were based on the five hazardous attitudes theory; fifteen cases were developed and the hazardous attitude pattern in each case was analyzed. In the occupational stress management section, life events and other stressors in aircraft accidents were analyzed in order to teach pilots stress management skills. The program can be applied to improve the flight safety and mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD; Xin Liu; Wei Bai; Xinsheng Guo; Qingfeng Liu, MPsy; Xiaochao Guo, DPsy; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
Crew resource management (CRM) capabilities relate directly to flight safety and run through the whole process of flight tasks, but there are currently no indicators or methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and the pilot behavior characteristics of dynamic CRM were developed on the basis of the AC-121-FS-2011-41 crew resource management training guidance and an analysis of the influencing factors; from these, dynamic assessment training indicators and methods for crew resource management were formed. The reliability and effectiveness of the indicators and methods were validated through LOFT training in a simulator. The results can be used as the basis for assessing CRM during flight training, which helps to improve the CRM capabilities of the double drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD; Erin Collins; Hughes Associates, Inc., Baltimore, MD, USA
The fire protection response in selected facilities is characterized by "manual" activities: facility personnel are trained to react immediately after fire detection, not only to announce the fire event throughout the facility using the communication systems, but also to suppress the fire as quickly as possible. In contrast to fixed/automatic fire detection and suppression systems, which can be characterized with component (i.e., hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions, and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper integrates event tree analysis with HRA and treats the following detection and suppression activities: prompt detection and suppression, rapid detection and suppression, and fire brigade suppression.
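The event tree plus HRA integration that the abstract describes can be made concrete with a small quantification. The block below is an illustration added here, not code from the paper or from Hughes Associates. It assumes three sequential recovery actions named as in the abstract, each with an assumed base human error probability (HEP), a feasibility check of time available against time required (an infeasible action gets no credit), and optional performance-shaping-factor multipliers; the fire frequency and every numeric value are constructed.

```python
"""Event-tree quantification of manual fire detection and suppression with a
simple HRA treatment. Added illustration; the action names follow the
abstract, every number is a constructed assumption."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class HumanAction:
    name: str
    base_hep: float                 # nominal human error probability
    time_available_min: float       # window before the fire defeats the action
    time_required_min: float        # cue-to-completion time for the crew
    psf_multipliers: Tuple[float, ...] = ()  # e.g. stress, training (assumed)

    def hep(self) -> float:
        """Feasibility first: an action that cannot finish inside the
        available window gets no credit (HEP = 1.0). Otherwise the base
        HEP is scaled by the PSF multipliers and capped at 1.0."""
        if self.time_required_min >= self.time_available_min:
            return 1.0
        p = self.base_hep
        for m in self.psf_multipliers:
            p *= m
        return min(p, 1.0)


def quantify(fire_frequency: float, actions: List[HumanAction]) -> Dict[str, float]:
    """Walk the event tree top to bottom. The first successful action ends
    the sequence; the frequency reaching the next branch is the frequency
    that failed all earlier ones. Returns per-sequence frequency keyed by
    the successful action, plus 'unsuppressed' for the all-fail path."""
    results: Dict[str, float] = {}
    remaining = fire_frequency
    for action in actions:
        fail = action.hep()
        results[action.name] = remaining * (1.0 - fail)
        remaining *= fail
    results["unsuppressed"] = remaining
    return results


# Constructed scenario: one fire area, 0.01 fires per year (assumed).
FIRE_FREQUENCY = 0.01
SCENARIO = [
    HumanAction("prompt detection and suppression", base_hep=0.1,
                time_available_min=5, time_required_min=3,
                psf_multipliers=(2.0,)),       # high stress doubles the HEP
    HumanAction("rapid detection and suppression", base_hep=0.05,
                time_available_min=15, time_required_min=10),
    HumanAction("fire brigade suppression", base_hep=0.02,
                time_available_min=20, time_required_min=25),  # infeasible
]


def run_scenario() -> Dict[str, float]:
    return quantify(FIRE_FREQUENCY, SCENARIO)


if __name__ == "__main__":
    for sequence, freq in run_scenario().items():
        print(f"{sequence:40s} {freq:.2e} /yr")
```

The brigade branch shows the feasibility check at work: a required time longer than the available window drives its HEP to 1.0, so the whole residual frequency lands in the unsuppressed end state no matter how reliable the brigade is nominally. That is the kind of scenario the abstract says HRA is meant to surface.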

Wednesday, 08/14/13, PM, Berkeley: Safety Topics (Chair: Gauthier)

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou, BEng, MSc, PhD, CEng; Matthew Luckcuck; Tim Kelly, PhD; Richard W. Jones, PhD; Department of Computer Science, University of York, York, United Kingdom
There has been increasing use of IT in healthcare, aiming to improve both the quality and the safety of the care delivered to patients. IT can help hospitals meet their performance targets by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems; this has long been apparent for medical devices (e.g., pacemakers), for which there are organised efforts toward international standards. Recently there have been attempts to systematise and standardise the safety analysis of health IT systems, for example the UK National Health Service standards that ask for a safety case demonstrating that an IT system is safe.

The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. It further examines safety in data-intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these tactics can be used to provide assurance in the final safety case of the system.

How Complex Systems Fail, I: Decomposition of the Failure Histogram
Richard R. Zito, PhD, Richard R. Zito Research LLC, Tucson, AZ, USA
Peterson and Arellano (2002) showed, in a seminal paper published in Reliability Review, that the defect rate (failure rate) of software modules generally varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model, and the failure histograms (failure rate vs. time) of some data sets do not fit the Rayleigh model well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report takes the Peterson/Arellano analysis one step further. A unified theory of failure rates is presented that removes the paradoxes of the simple Rayleigh model. It is shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions are themselves distributed according to a probability density function.
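The heavier-than-Rayleigh tail the abstract refers to falls straight out of a mixture of Rayleigh laws, and the block below, added here as an illustration rather than the paper's own analysis, shows it numerically. It assumes a Rayleigh defect-rate density with mode sigma per subsystem, compares the mixture's survival function against the single Rayleigh law with the same mean, and, for the "modes distributed according to a PDF" case, draws subsystem modes from a lognormal; the three-subsystem numbers and the lognormal choice are assumptions.

```python
"""Rayleigh failure-rate model and a mixture of Rayleigh laws whose modes are
themselves drawn from a distribution. Added illustration of the idea in the
abstract; the numbers and the lognormal for the modes are assumptions."""
import math
import random
from typing import List, Tuple


def rayleigh_pdf(t: float, sigma: float) -> float:
    """Defect-rate density f(t) = (t / sigma^2) exp(-t^2 / 2 sigma^2); sigma is the mode."""
    return (t / sigma ** 2) * math.exp(-t * t / (2.0 * sigma * sigma))


def rayleigh_sf(t: float, sigma: float) -> float:
    """Survival function P(T > t): fraction of defects still to be found after t."""
    return math.exp(-t * t / (2.0 * sigma * sigma))


def rayleigh_mean(sigma: float) -> float:
    return sigma * math.sqrt(math.pi / 2.0)


def mixture_sf(t: float, modes: List[float], weights: List[float]) -> float:
    """Survival function of the mixture: sum over subsystems of w_i * S_i(t)."""
    return sum(w * rayleigh_sf(t, s) for s, w in zip(modes, weights))


def mixture_mean(modes: List[float], weights: List[float]) -> float:
    return sum(w * rayleigh_mean(s) for s, w in zip(modes, weights))


def matched_single_sigma(modes: List[float], weights: List[float]) -> float:
    """Mode of the single Rayleigh law that has the same mean as the mixture."""
    return mixture_mean(modes, weights) / math.sqrt(math.pi / 2.0)


def tail_ratio(t: float, modes: List[float], weights: List[float]) -> float:
    """Mixture tail mass divided by the matched single-Rayleigh tail mass.
    Values above 1 are the heavier tail the simple Rayleigh fit misses:
    far out in time the largest-mode subsystem dominates the sum."""
    return mixture_sf(t, modes, weights) / rayleigh_sf(t, matched_single_sigma(modes, weights))


def sample_modes(n: int, mu: float, s: float, seed: int = 7) -> Tuple[List[float], List[float]]:
    """Draw n subsystem modes from a lognormal (assumed PDF) with equal weights."""
    rng = random.Random(seed)
    modes = [rng.lognormvariate(mu, s) for _ in range(n)]
    return modes, [1.0 / n] * n


# Constructed three-subsystem example: modes in time units, weights = share of defects.
MODES = [2.0, 4.0, 8.0]
WEIGHTS = [0.5, 0.3, 0.2]

if __name__ == "__main__":
    sig = matched_single_sigma(MODES, WEIGHTS)
    for t in (2.0, 6.0, 12.0):
        print(t, rayleigh_sf(t, sig), mixture_sf(t, MODES, WEIGHTS), tail_ratio(t, MODES, WEIGHTS))
    m, w = sample_modes(50, math.log(4.0), 0.6)
    print("50 sampled subsystems, tail ratio at t=12:", tail_ratio(12.0, m, w))
```

With the constructed modes the matched single law has sigma 3.8, and at t = 12 the mixture keeps roughly ten times more tail mass than it predicts; fitting one Rayleigh to a histogram built from several subsystems therefore underestimates late failures, which is the paradox the abstract sets out to remove.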

Wednesday, 08/14/13, PM, Clarendon: Risk Assessment (Chair: Karedes)

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt; Joan Pham, PhD; Sikorsky Aircraft Corporation, Stratford, Connecticut, USA
The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and their interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.
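As an added illustration of the Life Data Analysis step behind a QRA, and not the Sikorsky procedure from the paper, the block below takes the Weibull parameters that such an analysis would fit to a fleet's failure data and computes the expected number of failures across the fleet over a coming interval, conditioned on each unit's survival to date. The Weibull parameters, unit ages, horizon and risk target are all assumed values.

```python
"""Fleet-level quantitative risk from a Weibull life model. Added example;
the parameters are assumed, not fitted from any real data set."""
import math
from typing import Dict, List


def weibull_reliability(t: float, beta: float, eta: float) -> float:
    """R(t) = exp(-(t / eta)^beta); beta is the shape, eta the characteristic life."""
    return math.exp(-((t / eta) ** beta))


def conditional_failure_prob(age: float, horizon: float, beta: float, eta: float) -> float:
    """P(fail within horizon | survived to age) = 1 - R(age + h) / R(age).
    A fleet risk estimate needs this conditional form: an unconditional
    failure probability would ignore the survival already observed."""
    return 1.0 - weibull_reliability(age + horizon, beta, eta) / weibull_reliability(age, beta, eta)


def expected_fleet_failures(ages: List[float], horizon: float, beta: float, eta: float) -> float:
    """Each unit is a Bernoulli trial, so the expected failure count over the
    horizon is the sum of the per-unit conditional probabilities."""
    return sum(conditional_failure_prob(a, horizon, beta, eta) for a in ages)


def assess(ages: List[float], horizon: float, beta: float, eta: float,
           target: float) -> Dict[str, object]:
    """Compare the expected count with a risk target and point at the unit
    that contributes most, which is where a corrective action would start."""
    contributions = [conditional_failure_prob(a, horizon, beta, eta) for a in ages]
    expected = sum(contributions)
    worst = max(range(len(ages)), key=contributions.__getitem__)
    return {"expected_failures": expected,
            "exceeds_target": expected > target,
            "highest_risk_unit_index": worst}


# Constructed fleet: three units with different accumulated hours (assumed).
AGES_HOURS = [2000.0, 5000.0, 8000.0]
BETA, ETA = 3.0, 10000.0        # wear-out shape and characteristic life (assumed)
HORIZON_HOURS = 1000.0
TARGET_EXPECTED = 0.1           # assumed acceptable expected failures per interval

if __name__ == "__main__":
    print(assess(AGES_HOURS, HORIZON_HOURS, BETA, ETA, TARGET_EXPECTED))
```

Because the assumed shape is greater than one (wear-out), the conditional probability rises with age, so the oldest unit dominates the total; with a shape below one the same code would point at the youngest units instead, which is why the fitted shape, not just the characteristic life, has to be carried into the risk step.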

Thursday, 08/15/13, AM, Berkeley: Space Systems (Chair: Durmaz)

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X. Dang, BSCE (1); Myles P. Moran, BSME (2); Tyrone Jackson, BSEE (1). (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA
A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. As an example, one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 (AFSPC Sup 1), AFI 91-217 and AFI 63-101. AF program offices are required to comply with AFI policy; AFIs do not generally apply to the contractor except as implemented through the contract. Often, program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that, with two sets of requirements (AFIs for program offices and tailored MIL-STD-882 for contractors), full compliance with AF Orbital Safety policy would be achieved every time; however, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"


Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G. McDougall, BS Physics, Naval Post-Graduate School (NPS) Master of System Engineering, System Safety Center, SMC/SE, El Segundo, CA, USA; Tyrone Jackson, BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA
The Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing the development, acquisition, fielding, sustainment, decommissioning and disposal of systems, subsystems, end items and services during the entire space system lifecycle, to support the Operational Safety, Suitability and Effectiveness (OSS&E) of warfighter capability needs. The tailored MIL-STD-882E will be cited in the SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements applicable to the acquisition of space systems or space systems of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems and user equipment systems. The SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP_I and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process for evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing the tasks and activities required to execute a viable system safety program, including risk acceptance package development, hazard tracking, mishap risk disposition and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch, CO, USA
United Launch Alliance launches Atlas V and Delta IV from the Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles, and large quantities of them are stored on the launch site. Cryogenic propellants present leak, fire and explosion hazards throughout their handling, from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle and prelaunch operations, until liftoff. Range Safety regulations provide safety requirements for hardware, software and operations to ensure safety throughout ground processing. This paper examines each stage of ground processing for a space launch and the applicable safety requirements, and discusses how the requirements are applied. Examples include DOT requirements for trailers, ASME code requirements for storage tanks, the location of the storage tanks, testing and periodic recertification of cryogenic systems and relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, using safety-critical software, after personnel have been cleared from the area. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday, 08/15/13, AM, Clarendon: Weapons Safety (Chair: Southwick)

Security Critical Software: the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S. Alborzi, PhD, Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA
Today's political landscape, the arbitrary abandonment of nuclear non-proliferation by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to protect our critical assets. In this endeavor, software security becomes the frontline defense of system safety. This paper explores this integration and describes some of the security-critical software that can serve as the first line of defense for preserving the safety-critical features of our weapon systems.


Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams, BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello, BSChE, Navy NOSSA, Indian Head, MD, USA
The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before the explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance for implementing the policy provided in the associated AOP-7 and AOP-39. Questions are often raised during program development and reviews as to the origin and applicability of the tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many detailing early European explosives history. We define the term Qualification as originally used and attempt to put in perspective the purpose of the test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic materials community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, addresses only the Qualification requirements for pyrotechnics; it explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE; Gunendran Sivapragasam, MBA, SE; Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA
A Science and Technology (S&T) or Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among the characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork, with analysis that can be built upon, for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday, 08/15/13, AM, Dartmouth: Hazard Identification (Chair: Oliver)

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore
We often ask ourselves why accidents or mishaps happen even when system safety methodology and assessments are in place. Accidents happen for many possible reasons: there could be lapses in the safety integrity of the system, a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns, in that a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist, and explores ways to minimize these gaps, thus improving system safety practice. Four areas of concern are highlighted in the paper: Interfaces; Prototype Tests & Trials; Maintenance & Disposal; and Human Error. By identifying the gaps in these four areas, the author explores and proposes mitigation measures that could close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr., Cand. scient., System Safety, SINTEF, Trondheim, Norway
Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body (for certification according to IEC 61508), a Notified Body (for certification according to the relevant EU directives) and a Manufacturer.

Experience has shown that, to deliver the product on time and cost-effectively, it is very important that the Manufacturer, the Certification Body and the Notified Body agree on basic principles concerning the plans, contents, traceability and quality of the documentation that the Manufacturer develops and that both bodies use as evidence.

This paper presents the CoVeR method, developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report (CER) for conformance to IEC 61508. This ensures a good start, minimizes costs, reduces time to market, makes the certification process complete and well documented, and reduces the work required to update the certificates. Certification experience to date shows that many of the problems with conventional methods are alleviated.

Design with Safety Eye
Barış Berk Erdem, MS; Pinar Aydin, MS; Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey
Deriving safety requirements in the early stages of design is one of the most important key factors for a successful development process in any project. Well-defined, correct, consistent and complete safety requirements improve and guide the design toward perfect levels with minimum effort, whereas defective, inconsistent and incorrect safety requirements may lead to unsuccessful, overweight and over-cost designs. In this paper, ways of deriving qualified safety requirements in the early stages of design, and the advantages of doing so, are discussed via examples. Safety requirements are derived from the results of safety assessments based on the consequences of functional failures. But the quality of the safety assessments depends on the maturity of the design, and as the design matures it becomes hard to change and to implement the changes; this causes a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated and familiar with similar projects provides great contributions. A safety perspective throughout the design team also makes it easy to derive valuable safety requirements and to bring them into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is the cooperation of the whole design team with a safety perspective.

Thursday, 08/15/13, PM, Berkeley: Aerospace Software (Chair: Beecher)

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway, NASA Langley Research Center, Hampton, VA, USA
For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means of receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process of recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements". Within the text of the guidance, little or no rationale is given for how a particular objective, or collection of objectives, contributes to achieving this purpose; thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of research seeking to identify the specific arguments, contained in or implied by the DO-178C guidance, that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt; therefore developers and assessors must consider the limitations of execution-time evidence and their effect on the confidence that can be placed in execution-time figures, timing analysis results and claims to have met timing-related software safety requirements. In this paper we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels and Baconian probability. We define use cases for confidence in safety cases, prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework, and we assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited to all uses. We conclude by discussing implications for future standards and for the reuse of safety elements.

Initial Safety Analysis for Integration of Unmanned Aerial Systems into the National Airspace System
Eric Yang, PhD; Richard Y. Xie, PhD; Arash Yousefi, PhD; Metron Aviation, Inc., Dulles, VA, USA
As demand for military, civilian and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis are needed to evaluate the conformance of the integrated system to the target level of safety set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper we adapt a previously developed safety modeling framework, the Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and to evaluate the risks of different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with: incompatibility of sense-and-avoid systems between different types of UAS; incompatibility between the sense-and-avoid systems of UAS and the Traffic Collision Avoidance Systems (TCAS) of manned aircraft; lost-link procedures in the UAS; and loss of UAS communication with air traffic control. The findings of this study provide insight into the potential risks of UAS integration and may support the development of a concept of operations, the establishment of minimum performance standards, and the development of the required safety nets.

Thursday, 08/15/13, PM, Clarendon: Public Safety II (Chair: Laabs)

Integrating System Safety and Emergency Management
Terry L. Hardy, Great Circle Analytics LLC, Denver, CO, USA

System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations, or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience, and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Program ISSC 2013

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS, HSE, Marine Well Containment Company, Houston, TX, USA

Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips, and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain, and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess, and Statoil. In February 2011 MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS, and the Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach for working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.

WHAT ARE YOUR STRENGTHS AS AN ENGINEER?

"thinking system-wide" "providing in-depth analysis of the latest technologies" "solving real-life problems"

ONLINE MASTER'S DEGREES

- RELIABILITY ENGINEERING
- PROJECT MANAGEMENT
- NUCLEAR ENGINEERING
- SUSTAINABLE ENERGY
- ENERGETIC CONCEPTS
- FIRE PROTECTION ENGINEERING

LEARN MORE: www.advancedengineering.edu/issc


A Taxonomic Analysis on Chinese Special Equipment "Yinhuan" in Supervision
Yunxiao Fan, Dr., Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety at worksites. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices, and automobiles. In recent years the rapid increase in the number and types of special equipment has put BSES under increasing stress in regulating it. As a government supervision organization, BSES tries to make the inspection tasks of the different supervision levels explicit and efficient and to improve safety management performance from the viewpoint of risk. This research is the first task in a project which aims to identify yinhuans in special equipment supervision with a taxonomic approach, for further ranking of them through risk assessment. Based on nonconformity and the 4 elements in the accident causation model, this research defined yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. The research identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans across 8 types of special equipment.

Thursday 08/15/13 PM, Dartmouth: Hazard/Risk Management II, Chair: Kniess

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1), Patrick J. Graydon, PhD (2), Rikard Land, PhD (1); (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework including analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence; it can also ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA

United Launch Alliance (ULA) believes error reporting is the corner-stone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented, and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012 ULA experienced an elevated number of transportation-related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if the associated processes were in statistical control with respect to errors.
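The p-chart the abstract describes, as an added, self-contained Python example (this is not ULA's code and the monthly counts are constructed for illustration). Each period has a number of opportunities (assumed here to be transport moves) and a number of reported Events; the centre line is the pooled proportion, and because the sample sizes differ each period gets its own three-sigma limits. Any period whose proportion falls outside its limits is the "out of control" signal the paper asked about.

```python
"""Attribute (p) control chart over per-period error-event counts.

Added illustration with constructed data; not ULA's code or Event data.
Each period i has n_i opportunities (assumed: transport moves) and x_i
reported events, so p_i = x_i / n_i. The centre line is the pooled proportion
p_bar = sum(x) / sum(n). Because n_i varies, each period gets its own limits:
    UCL_i = p_bar + k * sqrt(p_bar * (1 - p_bar) / n_i)
    LCL_i = max(0, p_bar - k * sqrt(p_bar * (1 - p_bar) / n_i))
with k = 3 for the usual three-sigma chart. A period whose p_i lies outside
its limits is an out-of-control signal that deserves a causal analysis.
"""
from dataclasses import dataclass
from math import sqrt
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Period:
    label: str
    opportunities: int   # n_i: how many times the process ran in the period
    events: int          # x_i: reported error events in that period


@dataclass(frozen=True)
class ChartPoint:
    label: str
    p: float
    lcl: float
    ucl: float
    out_of_control: bool


def p_chart(periods: Sequence[Period], k: float = 3.0) -> Tuple[float, List[ChartPoint]]:
    """Return (p_bar, per-period points carrying their own limits and a flag)."""
    if not periods:
        raise ValueError("need at least one period")
    for per in periods:
        if per.opportunities <= 0 or not 0 <= per.events <= per.opportunities:
            raise ValueError(f"bad counts in period {per.label!r}")
    total_n = sum(per.opportunities for per in periods)
    total_x = sum(per.events for per in periods)
    p_bar = total_x / total_n                      # centre line
    points: List[ChartPoint] = []
    for per in periods:
        sigma = sqrt(p_bar * (1.0 - p_bar) / per.opportunities)
        ucl = min(1.0, p_bar + k * sigma)
        lcl = max(0.0, p_bar - k * sigma)          # a proportion cannot go below 0
        p = per.events / per.opportunities
        points.append(ChartPoint(per.label, p, lcl, ucl, p > ucl or p < lcl))
    return p_bar, points


def out_of_control_periods(periods: Sequence[Period], k: float = 3.0) -> List[str]:
    """Labels of the periods that breach their control limits, in order."""
    _, points = p_chart(periods, k)
    return [pt.label for pt in points if pt.out_of_control]


def in_control(periods: Sequence[Period], k: float = 3.0) -> bool:
    """True when no period breaches its limits (stable, not necessarily acceptable)."""
    return not out_of_control_periods(periods, k)


# Constructed monthly series: roughly 200 moves a month, a handful of events each.
SAMPLE = [
    Period("Jan", 200, 3), Period("Feb", 210, 5), Period("Mar", 190, 2),
    Period("Apr", 220, 4), Period("May", 200, 6), Period("Jun", 205, 3),
    Period("Jul", 215, 4), Period("Aug", 200, 5), Period("Sep", 195, 3),
    Period("Oct", 210, 4), Period("Nov", 200, 2), Period("Dec", 205, 4),
]

if __name__ == "__main__":
    p_bar, points = p_chart(SAMPLE)
    print(f"centre line p_bar = {p_bar:.4f}")
    for pt in points:
        flag = "  <-- out of control" if pt.out_of_control else ""
        print(f"{pt.label}: p={pt.p:.4f}  limits=[{pt.lcl:.4f}, {pt.ucl:.4f}]{flag}")
    # A month with a burst of events stands out against the recomputed centre line.
    print(out_of_control_periods(SAMPLE + [Period("Spike", 200, 12)]))
```

Two caveats a practitioner should keep in mind when reading a chart like this: with event rates this low the lower limit clamps to zero, so the chart can flag a deterioration but never an improvement, and the three-sigma limits rest on a normal approximation to the binomial that is rough when n times p_bar is small (a common rule of thumb asks for at least 5; the constructed series sits below that). And "in control" only says the variation is consistent with a stable process; it says nothing about whether the underlying rate is acceptable, which is exactly the distinction the paper draws with its "Zero Defects" objective.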

This paper concludes:
- The Statistical Quality Control P-Charting technique can be applied to Event data
- Statistical Quality Control P-Charting analysis indicates processes were "in control" during the period of this study

Even though statistical analysis tools demonstrated ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.

Isograph Software: World Leading Reliability, Availability and Maintenance Software
Reliability Workbench: Reliability Allocation, Prediction, FMECA, Fault Tree Analysis, Event Tree Analysis, Markov
Availability Workbench: Reduce Labor & Spares Costs, Increase uptime and output, Seamless integration with SAP and Maximo
www.isograph-software.com

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, PEng, MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece

Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how STAMP-Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents, and incidents. The objective is to show the feasibility of establishing, in airports, system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems, and airports to assess and predict changing levels of risk.


SPECIAL FUNCTIONS

Saturday
SSS Executive Council Meeting, 12:00 - 5:00 pm, Tremont Room

Sunday
SSS Executive Council Meeting, 8:00 am - 5:00 pm, Tremont Room

Monday
Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
Opening Ceremonies / General Session, 1:30 - 3:30 am, Salons A-E. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus. Keynote Speaker: James P. Keller, Jr., MS, ECRI Institute

Tuesday
Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
Sponsor/Exhibitor Luncheon, 11:30 am - 1:20 pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology
Sponsor & Exhibitor Reception, 6:30 - 8:30 pm, Gloucester Room

Wednesday
Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
International Luncheon, 11:30 am - 1:20 pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK
Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00 pm. Be in the hotel lobby at 6:00 pm.

Thursday
Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
Awards Luncheon, 11:30 - 1:20 pm, Salons A-E

Friday
Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
Best Papers Presentations, 8:00 - 11:20 am, Dartmouth Room

32nd INTERNATIONAL SYSTEM SAFETY CONFERENCE, 4-8 AUGUST 2014, ST. LOUIS, MO
St. Louis Union Station Marriott Hotel
Gateway to Safety

Local attractions:
- Gateway Arch Riverfront
- Missouri History Museum
- Museum of Transportation
- St. Louis Cardinals
- St. Louis Symphony
- St. Louis Union Station
- St. Louis Science Center
- The Contemporary Art Museum St. Louis
- Bissell Mansion Restaurant and Dinner Theater
- Missouri Botanical Gardens
- Laumeier Sculpture Park
- Anheuser-Busch Brewery
- Kemp Auto Museum
- Schlafly Bottleworks
- Fox Theater
- Purina Farms
- Meramec Caverns
- Laclede's Landing
- City Museum
- Magic House
- Grant's Farm
- St. Louis Zoo
- Delmar Loop
- Forest Park
- Harrah's
- Six Flags

ABOUT THE SYSTEM SAFETY SOCIETY
The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products, and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program, or activity at the planning phase and continues through the design, production, testing, use, and disposal phases.

The Society's Objectives
- To advance the art and science of system safety
- To promote a meaningful management and technological understanding of system safety
- To disseminate advances in knowledge to all interested groups and individuals
- To further the development of the professionals engaged in system safety
- To improve public understanding of the system safety discipline
- To improve the communication of system safety principles to all levels of management, engineering, and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070
www.system-safety.org, email: systemsafety@system-safety.org

POINTS OF CONTACT

Officers
Robert Schmedake, President, robertaschmedake@boeing.com
Dr. Rod Simmons, Executive Vice President, rodsimmons@me.com
Dr. Matt Johnson, Executive Secretary, mjohnson@staudertech.com
Pam Kniess, Treasurer, pamkniess@gmail.com
Gary Braman, Immediate Past President, gbraman@sikorsky.com

Directors
Gerry Einarsson, Chapter Services, einargk@rogers.com
Lynece Pfledderer, Conferences, Lynecepfledderer@lmco.com
Dr. Chuck Muniak, Education & Professional Development, cmuniak@stevens.edu
Debbie Hale, Gov & Intersociety, Hale0324@hotmail.com
Robert Fletcher, International Development, rwfletcher@sympatico.ca
Melissa Emery, Member Services, memery@apt-research.com
Steve Mattern, Mentoring R&D, smattern@bastiontechnologies.com
Saralyn Dwyer, Publicity & Media, sdwyer@apt-research.com


CHAPTERS
Tennessee Valley Chapter, AL: Don Swallom, swallom@isss-tvc.org
Saguaro Chapter, AZ: Amanda Boysun, 520-794-5487, AmandaBoysun@raytheon.com
Bay Area Chapter, CA: Graham Murray, 408-756-2674, grahamtmurray@lmco.com
Central California Chapter, CA: Kathleen Brenna, KathleenBrenna1@us.af.mil
Sierra High Desert Chapter, CA: Jerry Banister, 760-377-4690, safetycitadel@earthlink.net
Southern California Chapter, CA: Francis McDougall, 310-653-1309, francismcdougall@us.af.mil
Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppe@comcast.net
Georgia Chapter: Terry Gooch, 770-494-3527, terryjgooch@gmail.com
Winners Circle Chapter, KY/IN: Marc Bever, 812-854-1351, Marcbever@navy.mil
Twin Cities Chapter, MN: Bill Blake, 763-744-5086, billblake@atk.com
New England Chapter: Alan E. Southwick, 401-842-2067, Alan_E_Southwick@raytheon.com
Northeast Chapter: Scott Beecher, scottbeecher@PW.utc.com
New Mexico Chapter, NM: William (Bill) Harwood, williamharwood@mda.mil
Houston Chapter, TX: Derek Robins, 281-335-2011, derekrobbins@mwcc-usa.com
North Texas Chapter, TX: Frank Rinaldo, 817-762-3075, frankrrinaldo@lmco.com
Washington DC Chapter: Sean Peters, seanpeters@urs.com
Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerber@baesystems.com

International Chapters
Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbecht@rgbassurance.com.au
Canada Chapter: Maury Hill, 613-220-0533, Mauryhill@rogers.com
Israel Chapter: Haim Kuper, 972-4-8315044, haimkuper@elbitsystems.com
Singapore Chapter: Ten Lin Mei, tlinmei@dso.org.sg


31st ISSC LUNCHEON MENU

Tuesday, August 13
New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14
Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15
Caesar Salad
Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato Pesto Butter Sauce
White Chocolate and Blood Orange Torte


Instrumentation for Detection of Hazardous Materials under the Russian National Measures to Ensure Safety of Population Transportation
Dr. Professor G.A. Smirnov, Dr. D.I. Yurkov, D.V. Syagin, T.V. Kozhina, All-Russia Research Institute of Automatics (VNIIA), Moscow, Russia

The paper reviews questions related to the vulnerability assessment of transport infrastructure objects and vehicles to acts of unlawful interference, including those of a terrorist orientation, as well as to emergency situations of natural and anthropogenic character.

The main provisions of the complex program of safety of the population on transport approved by the Russian Government are presented. Approaches to the organization of examination of physical persons (passengers), vehicles, cargoes, luggage, and personal things at objects of the transport infrastructure of the undergrounds of Russia are formulated. Some types of neutron and x-ray equipment designed and produced by VNIIA (named after N.L. Duhov) for the detection of explosives, nuclear materials, and drugs are presented.

Wednesday 08/14/13 AM, Dartmouth: Lifecycle Safety, Chair: Swallom

Maintenance Hazard Analysis
Phil Tan Joo Heng, Safety Assurance Centre, ST Kinetics, Singapore, Singapore

System Safety analyses assess the systems' hazards throughout all phases of the system life cycle. Quite often, details of maintenance tasks on systems were not clearly thought out and assessed. Hence, while in the midst of carrying out system maintenance tasks, hazards could arise and pose safety implications to users. Improper maintenance could also result in maintained systems giving rise to hazardous events when they are put back into operation.

As most components experience wear and tear after a certain period of usage, proper maintenance and sometimes total replacement of the components at regular intervals are required. Therefore, it is important to incorporate the maintenance aspect of the system in its hazard analysis. Maintenance personnel's awareness of safety critical or safety related parts is also crucial in ensuring that the systems remain safe for operation after conducting maintenance.

This paper attempts to classify the different types of maintenance and the focuses of their respective hazard analyses in order to better address their potential hazards. Generally there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance, and Reliability-Centered Maintenance. The authors will discuss, with examples, the hazard analysis for each of these types of maintenance.

ALD Software: 30 Years of System Safety Leadership
Safety Service for Mission & Product Assurance; Safety Software for Highly Integrated Systems; Safety Training for Professionals
RAM Commander: Ultimate Tool for Safety Assessment. FavoWeb: World Standard in FRACAS. D-LCC: Dynamic Cost Control
Customers include AIRBUS, ALSTOM, BAE, BOEING, CATERPILLAR, DEUTSCHE BAHN, EADS, FAA, FINMECCANICA, IAI, SELEX Galileo, LOCKHEED MARTIN, NASA, NORTHROP GRUMMAN, SCAC, SAAB, THALES ALENIA SPACE, VIBRO-METER, US NAVY
Contact us today for a free web demo or evaluation. USA Office: 5721 W. Slauson Ave., Suite 140, Culver City, CA 90230. Tel 1-310-338-0990, Fax 1-310-338-0999. www.aldservice.com

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram, David Hartfelder, Electronic Controls and Software, General Motors Company, Milford, MI, USA

System safety engineering is the application of special technical methods and managerial processes in a systematic manner to identify, evaluate, and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned with eliminating or minimizing the impact of system hazard(s) to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementary critical safety analyses, tests, and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase and continuing through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that they are able to influence the design of the system. This paper will define a system safety case and provide an overview of its development within the GM system safety engineering process as it applies to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA

Error Prevention Event Collection (EPEC) Documents have been beneficial to the ULA Organization in many ways, by providing multiple methods to augment current ULA Error Prevention Processes and share Lessons Learned throughout the ULA Organization. EPEC Documents are stand-alone documents that provide ULA Personnel with categorized sets of Event information that can be used to augment Preventive Analysis, Reactive Analysis, and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process. This means that they have completed the Causal Analysis, Corrective Action Board, and Error Prevention Council processes. Upon Event closure, the "All Items" Database is populated with Event information and the applicable Event EPEC Categories. Then the "All Items" Database automatically sorts Event entries into "Category" Databases. There is one "Category" Database for each EPEC Category. Each "Category" Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" Database that provides users with instructions for use, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications, and benefits will continue to be explored as they relate to the EPEC Documents.

Wednesday 08/14/13 AM, Exeter: Human Factors II, Chair: Flint

Development of Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy, Yanyan Wang, DE, Xin Liu, Wei Bai, Xinsheng Guo, Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China

Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress has a disadvantageous effect on flight safety. Life events are a routine item of aircraft accident investigation in many countries, and many pilots involved in accidents were suffering from life events. In order to achieve the ideal effect, flight safety education must be combined with psychology. An education program combining flight safety and psychological stress was developed by summarizing the psychological factors relevant to aviation risk perception. The program includes three sections: psychological measurement relative to safety with results feedback; education on representative risk scenes in aviation; and occupational stress management. The Aviation Safety Locus of Control Scale and the Hazardous Aviation Attitude Questionnaire were used to evaluate risk pattern. The results were fed back to pilots to improve their self-knowledge. The representative risk scenes were based on the five hazardous attitudes theory; fifteen cases were developed, and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach the pilots stress management skills. The program can be applied to improve flight safety and the mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD, Xin Liu, Wei Bai, Xinsheng Guo, Qingfeng Liu, MPsy, Xiaochao Guo, DPsy, Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China

The capabilities of crew resource management (CRM) relate directly to flight safety and run through the whole process of flight tasks, but there are currently no indicators and methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and the pilot's behavior characteristics of dynamic CRM were developed based on AC-121-FS-2011-41 crew resource management training and by analyzing the influential factors; eventually the dynamic assessment training indicators and methods of crew resource management were formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis of assessment of CRM during flight training, which is helpful to improve the CRM capabilities of the double-drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD, Erin Collins, Hughes Associates, Inc., Baltimore, MD, USA

The fire protection response in selected facilities is characterized by "manual" activities. That is, facility personnel are trained to immediately react after fire detection, not only to announce the fire event throughout the facility using the communication systems but also to suppress the fire as quickly as possible. Contrary to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e., hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper involves an integration of an event tree analysis and HRA, which includes treatment of the following detection and suppression activities: prompt detection and suppression, rapid detection and suppression, and fire brigade suppression.

Wednesday 08/14/13 PM, Berkeley: Safety Topics, Chair: Gauthier

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou, BEng, MSc, PhD, CEng, Matthew Luckcuck, Tim Kelly, PhD, Richard W. Jones, PhD, Department of Computer Science, University of York, York, United Kingdom

There has been an increasing use of IT in healthcare, aiming to improve the quality of healthcare as well as the safety delivered to patients. IT can contribute to improvement in meeting the performance targets of hospitals by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent in medical devices (e.g., pacemakers), for which there are organised efforts for international standards. Recently there have been attempts to systematise and standardise the safety analysis of health IT systems, with examples such as the UK National Health Service standards asking for a safety case showing that any IT system is safe.

The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety and data-intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these (tactics) can be used to provide assurance in the final safety case of the system.

How Complex Systems Fail, I: Decomposition of the Failure Histogram
Richard R. Zito, PhD, Richard R. Zito Research LLC, Tucson, AZ, USA

Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that in general the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model, and the failure histograms (failure rate vs. time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report will take the Peterson/Arellano analysis one step further. A unified theory of failure rates will be presented that removes the paradoxes of the simple Rayleigh model. It will be shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function law.
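The mechanism the abstract sketches, as an added, self-contained Python illustration (not the paper's own model, code or data): a system whose subsystems each fail according to a Rayleigh law with a different mode. The paper spreads the modes over a probability density; here a handful of constructed discrete modes with equal weights stands in for that density. The moment-matched single-Rayleigh fit has s_fit² = Σ w_i s_i², and the functions compare the tail mass that fit predicts with the tail mass the mixture actually carries, which is where the "heavier than Rayleigh" tails in the abstract come from.

```python
"""Rayleigh failure-rate mixture versus a single Rayleigh fit.

Added illustration with constructed parameters; not the paper's own model.
A Rayleigh law with mode s has density f(t) = (t / s^2) exp(-t^2 / (2 s^2)),
survival S(t) = exp(-t^2 / (2 s^2)) and second moment E[t^2] = 2 s^2.
If subsystem i contributes a fraction w_i of all failures and follows its own
Rayleigh law with mode s_i, the system-level failure histogram is the mixture
f(t) = sum_i w_i f_i(t). Fitting one Rayleigh to the pooled data by matching
the second moment gives s_fit^2 = sum_i w_i s_i^2; beyond a few multiples of
s_fit the mixture keeps more probability mass than that single law predicts.
"""
from math import exp, sqrt
from typing import Sequence, Tuple


def _validate(modes: Sequence[float], weights: Sequence[float]) -> None:
    if len(modes) != len(weights) or not modes:
        raise ValueError("modes and weights must be non-empty and of equal length")
    if any(s <= 0 for s in modes) or any(w < 0 for w in weights):
        raise ValueError("modes must be positive and weights non-negative")
    if abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")


def rayleigh_density(t: float, mode: float) -> float:
    """Failure density f(t) of a single Rayleigh law with the given mode."""
    return (t / (mode * mode)) * exp(-(t * t) / (2.0 * mode * mode))


def rayleigh_survival(t: float, mode: float) -> float:
    """P(T > t) for a single Rayleigh law with the given mode."""
    return exp(-(t * t) / (2.0 * mode * mode))


def mixture_density(t: float, modes: Sequence[float], weights: Sequence[float]) -> float:
    """System failure histogram: weighted sum of the subsystem Rayleigh laws."""
    _validate(modes, weights)
    return sum(w * rayleigh_density(t, s) for s, w in zip(modes, weights))


def mixture_survival(t: float, modes: Sequence[float], weights: Sequence[float]) -> float:
    """P(T > t) under the mixture."""
    _validate(modes, weights)
    return sum(w * rayleigh_survival(t, s) for s, w in zip(modes, weights))


def fit_single_rayleigh(modes: Sequence[float], weights: Sequence[float]) -> float:
    """Mode of the single Rayleigh law whose second moment matches the mixture."""
    _validate(modes, weights)
    return sqrt(sum(w * s * s for s, w in zip(modes, weights)))


def tail_comparison(modes: Sequence[float], weights: Sequence[float],
                    multiple: float = 3.0) -> Tuple[float, float]:
    """Tail mass beyond t = multiple * s_fit: (single-fit prediction, mixture actual)."""
    s_fit = fit_single_rayleigh(modes, weights)
    t = multiple * s_fit
    return rayleigh_survival(t, s_fit), mixture_survival(t, modes, weights)


# Constructed example: four subsystems, equal failure shares, spread-out modes.
MODES = (1.0, 1.5, 2.0, 3.0)
WEIGHTS = (0.25, 0.25, 0.25, 0.25)

if __name__ == "__main__":
    s_fit = fit_single_rayleigh(MODES, WEIGHTS)
    print(f"single Rayleigh fit: mode = {s_fit:.4f}")
    print("   t   mixture f(t)   single f(t)")
    for i in range(13):
        t = 0.5 * i
        print(f"{t:4.1f}   {mixture_density(t, MODES, WEIGHTS):11.5f}   "
              f"{rayleigh_density(t, s_fit):11.5f}")
    single, mix = tail_comparison(MODES, WEIGHTS)
    print(f"tail beyond 3*s_fit: single law predicts {single:.4f}, mixture carries {mix:.4f}")
```

The table the script prints is the point: the two curves agree near the centre but the mixture column pulls ahead as t grows, because the largest-mode subsystem dominates the tail while the single fit averages it away. With the constructed modes the mass beyond three fitted modes is about three times what the single Rayleigh predicts.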

Wednesday 08/14/13 PM, Clarendon: Risk Assessment, Chair: Karedes

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt, Joan Pham, PhD, Sikorsky Aircraft Corporation, Stratford, Connecticut, USA

The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday 08/15/13 AM, Berkeley: Space Systems, Chair: Durmaz

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X. Dang, BSCE (1), Myles P. Moran, BSME (2), Tyrone Jackson, BSEE (1); (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA

A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. An example: one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 AFSPC SUP 1, 91-217, and 63-101. AF program offices are required to comply with AFI policies. AFIs don't generally apply to the contractor except as implemented through the contract. Often, program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that by having two sets of requirements, AFIs for program offices and MIL-STD-882-Tailored for contractors, full compliance with AF Orbital Safety policy should be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"


Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G. McDougall, BS Physics, Naval Post-Graduate School (NPS) Master System Engineering, System Safety Center, SMC/SE, El Segundo, CA, USA; Tyrone Jackson, BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA

Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommission, and disposal of systems, subsystems, end items, and services during the entire space system lifecycle, to support Operational Safety, Suitability and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements that are applicable to the acquisition of space systems or space systems of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems, and user equipment systems. SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP_I, and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process of evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing the tasks and activities required to execute a viable system safety program, including risk acceptance package development, hazard tracking, mishap risk disposition, and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch, CO, USA

United Launch Alliance launches Atlas V and Delta IV from Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles. Large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire, and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle, and prelaunch operations until liftoff. Range Safety regulations provide safety requirements for hardware, software, and operations to ensure safety throughout the ground processing. This paper will examine each stage of the ground processing for space launch and the applicable safety requirements, and discuss how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after the personnel are cleared, using safety critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday 08/15/13 AM, Clarendon: Weapons Safety (Chair: Southwick)

Security Critical Software — the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S. Alborzi, PhD, Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA

Today's political landscape, the arbitrary abandonment of non-proliferation of nuclear weapons by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense to system safety. This paper intends to explore this integration and unveil some of the security critical software that can serve as the first line of defense for preserving the safety critical features of our weapons systems.

Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams, BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello, BSChE, Navy NOSSA, Indian Head, MD, USA

The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance provided in the associated AOP-7 and AOP-39 for implementing policy. Questions are often raised during program development and reviews as to the origin and applicability of tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, will only address Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE; Gunendran Sivapragasam, MBA SE; Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA

A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among those characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday 08/15/13 AM, Dartmouth: Hazard Identification (Chair: Oliver)

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore

We often asked ourselves why accidents or mishaps happened even when the system safety methodology and assessments were in place. Accidents happened due to many possible causes. There could be lapses in the safety integrity of the system, or a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns whereby a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations that were faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practices in system safety. There are 4 areas of concern highlighted in the paper: Interfaces, Prototype Tests & Trials, Maintenance & Disposal, and Human Error. By identifying the gaps in these 4 areas, the author explores and proposes mitigation measures that could possibly close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr. Cand. scient., System Safety, SINTEF, Trondheim, Norway

Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body for certification according to IEC 61508, a Notified Body for certification according to relevant EU directives, and a Manufacturer.

Experience has shown that, to deliver the product in time and to be cost-effective, it is very important that the Manufacturer and the Certification and Notified Body agree about basic principles concerning the plans, contents, traceability, and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Body as evidence.

This paper presents the CoVeR method that has been developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification, and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, that costs are minimized, that time to market is reduced, that the certification process is complete and well documented, and that updates of the certificates require less work. The certification experiences to date show that many of the problems with conventional methods are mitigated.

Design with Safety Eye
Barış Berk Erdem, MS; Pinar Aydin, MS; Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey

Deriving safety requirements in the early stages of the design is one of the most important key factors in conducting a successful development process for any project. While well-defined, correct, consistent, and complete safety requirements improve and guide the design to perfect levels with minimum effort, defective, inconsistent, and incorrect safety requirements may lead to unsuccessful, overweight, and over-cost designs. In this paper, ways and advantages of deriving qualified safety requirements in the early stages of the design will be discussed via examples. Safety requirements are derived using the results of the safety assessments, based on the consequences of functional failures. But the quality of safety assessments depends on the maturity of the design, and as the design matures it becomes hard to change and implement the changes, thus causing a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated, and familiar with similar projects provides great contributions. Also, a safety perspective throughout the design team makes it easy to derive valuable safety requirements and build these requirements into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is cooperation of the whole design team with a safety perspective.

Thursday 08/15/13 PM, Berkeley: Aerospace Software (Chair: Beecher)

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway, NASA Langley Research Center, Hampton, VA, USA

For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements." Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments contained in, or implied by, the DO-178C guidance that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore, developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper, we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels, and Baconian probability. We define use cases for confidence in safety cases, prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for reuse of safety elements.

Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System
Eric Yang, PhD; Richard Y. Xie, PhD; Arash Yousefi, PhD; Metron Aviation, Inc., Dulles, VA, USA

As demand for military, civilian, and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety that is set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper, we adapt a previously developed safety modeling framework, Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS, incompatibility of sense-and-avoid systems of UAS and Tactical Collision Avoidance Systems (TCAS) of manned aircraft, loss-link procedures in the UAS, and the UAS loss of communication with air traffic control. The findings of this study provide insight into potential risks of UAS integration and may support development of concepts of operation, establishment of minimum performance standards, and development of required safety nets.

Thursday 08/15/13 PM, Clarendon: Public Safety II (Chair: Laabs)

Integrating System Safety and Emergency Management
Terry L. Hardy, Great Circle Analytics, LLC, Denver, CO, USA

System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations, or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience, and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS, HSE, Marine Well Containment Company, Houston, TX, USA

Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips, and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain, and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess, and Statoil. In February 2011, MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS, and the Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach for working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.

A Taxonomic Analysis on Chinese Special Equipments "Yinhuan" in Supervision
Yunxiao Fan, Dr., Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety on worksites. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices, and automobiles. In recent years, the rapid increase in the numbers and types of special equipment has put increasing stress on BSES in regulating special equipment. As a government supervision organization, BSES tries to make explicit the inspection tasks of the different supervision levels efficiently and to improve safety management performance from the viewpoint of risk. This research is the first task in a project which aims to identify yinhuans in special equipment supervision through a taxonomic approach, for further ranking of them through risk assessment. Based on nonconformity and the 4 elements in the accident causation model, this research defined yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. This research identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans of 8 types of special equipment.

Thursday 08/15/13 PM, Dartmouth: Hazard/Risk Management II (Chair: Kniess)

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1); Patrick J. Graydon, PhD (2); Rikard Land, PhD (1). (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework including analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach, the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence, it can ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA

United Launch Alliance (ULA) believes error reporting is the cornerstone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented, and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012, ULA experienced an elevated number of transportation related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates processes were "in control" during the period of this study.

Even though statistical analysis tools demonstrated ULA's processes were "in control," ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, PEng, MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece

Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how the STAMP Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents, and incidents. The objective is to show the feasibility of establishing, in airports, system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems, and airports to assess and predict changing levels of risk.

Special Functions

Saturday: SSS Executive Council Meeting, 12:00 - 5:00 pm, Tremont Room

Sunday: SSS Executive Council Meeting, 8:00 am - 5:00 pm, Tremont Room

Monday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
Opening Ceremonies / General Session, 1:30 - 3:30 am, Salons A-E. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus. Keynote Speaker: James P. Keller Jr., MS, ECRI Institute

Tuesday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
Sponsor/Exhibitor Luncheon, 11:30 am - 1:20 pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology
Sponsor & Exhibitor Reception, 6:30 - 8:30 pm, Gloucester Room

Wednesday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
International Luncheon, 11:30 am - 1:20 pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK
Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00 pm. Be in the hotel lobby at 6:00 pm.

Thursday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
Awards Luncheon, 11:30 - 1:20 pm, Salons A-E

Friday: Speakers' Breakfast, 6:30 - 8:00 am, Simmons Room
Best Papers Presentations, 8:00 - 11:20 am, Dartmouth Room

32nd International System Safety Conference, 4-8 August 2014 · St. Louis, MO
St. Louis Union Station Marriott Hotel
Gateway to Safety

Local attractions:
• Gateway Arch Riverfront
• Missouri History Museum
• Museum of Transportation
• St. Louis Cardinals
• St. Louis Symphony
• St. Louis Union Station
• St. Louis Science Center
• The Contemporary Art Museum St. Louis
• Bissell Mansion Restaurant and Dinner Theater
• Missouri Botanical Gardens
• Laumeier Sculpture Park
• Anheuser-Busch Brewery
• Kemp Auto Museum
• Schlafly Bottleworks
• Fox Theater
• Purina Farms
• Meramec Caverns
• Laclede's Landing
• City Museum
• Magic House
• Grant's Farm
• St. Louis Zoo
• Delmar Loop
• Forest Park
• Harrah's
• Six Flags

About the System Safety Society
The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products, and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program, or activity at the planning phase and continues through the design, production, testing, use, and disposal phases.

The Society's Objectives
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering, and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070. www.system-safety.org, email: systemsafety@system-safety.org

Points of Contact

Officers
Robert Schmedake, President: robertaschmedake@boeing.com
Dr. Rod Simmons, Executive Vice President: rodsimmons@me.com
Dr. Matt Johnson, Executive Secretary: mjohnson@staudertech.com
Pam Kniess, Treasurer: pamkniess@gmail.com
Gary Braman, Immediate Past President: gbraman@sikorsky.com

Directors
Gerry Einarsson, Chapter Services: einargk@rogers.com
Lynece Pfledderer, Conferences: Lynecepfledderer@lmco.com
Dr. Chuck Muniak, Education & Professional Development: cmuniak@stevens.edu
Debbie Hale, Gov & Intersociety: Hale0324@hotmail.com
Robert Fletcher, International Development: rwfletcher@sympatico.ca
Melissa Emery, Member Services: memery@apt-research.com
Steve Mattern, Mentoring R&D: smattern@bastiontechnologies.com
Saralyn Dwyer, Publicity & Media: sdwyer@apt-research.com

Chapters
Tennessee Valley Chapter (AL): Don Swallom, swallom@isss-tvc.org
Saguaro Chapter (AZ): Amanda Boysun, 520-794-5487, AmandaBoysun@raytheon.com
Bay Area Chapter (CA): Graham Murray, 408-756-2674, grahamtmurray@lmco.com
Central California Chapter (CA): Kathleen Brenna, KathleenBrenna1@us.af.mil
Sierra High Desert Chapter (CA): Jerry Banister, 760-377-4690, safetycitadel@earthlink.net
Southern California Chapter (CA): Francis McDougall, 310-653-1309, francismcdougall@us.af.mil
Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppe@comcast.net
Georgia Chapter: Terry Gooch, 770-494-3527, terryjgooch@gmail.com
Winners Circle Chapter (KY/IN): Marc Bever, 812-854-1351, Marcbever@navy.mil
Twin Cities Chapter (MN): Bill Blake, 763-744-5086, billblake@atk.com
New England Chapter: Alan E. Southwick, 401-842-2067, Alan_E_Southwick@raytheon.com
Northeast Chapter: Scott Beecher, scottbeecher@pw.utc.com
New Mexico Chapter (NM): William (Bill) Harwood, williamharwood@mda.mil
Houston Chapter (TX): Derek Robins, 281-335-2011, derekrobbins@mwcc-usa.com
North Texas Chapter (TX): Frank Rinaldo, 817-762-3075, frankrrinaldo@lmco.com
Washington DC Chapter: Sean Peters, seanpeters@urs.com
Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerber@baesystems.com

International Chapters
Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbecht@rgbassurance.com.au
Canada Chapter: Maury Hill, 613-220-0533, Mauryhill@rogers.com
Israel Chapter: Haim Kuper, 972-4-8315044, haimkuper@elbitsystems.com
Singapore Chapter: Ten Lin Mei, tlinmei@dso.org.sg

31st ISSC Luncheon Menu

Tuesday, August 13
New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14
Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark, and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache, and Berry Sauce

Thursday, August 15
Caesar Salad
Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce
White Chocolate and Blood Orange Torte

personnel's awareness of safety critical or safety related parts is also crucial in ensuring that the systems remain safe for operation after conducting maintenance.

This paper attempts to classify the different types of maintenance and focuses on their respective hazard analyses in order to better address their potential hazards. Generally, there are three types of maintenance hazard analysis: Preventive Maintenance, Corrective Maintenance, and Reliability-Centered Maintenance. The authors will discuss, with examples, the hazard analysis for each of these types of maintenance.

Development of a System Safety Case for Automotive Electric/Electronic Systems
Padma Sundaram; David Hartfelder; Electronic Controls and Software, General Motors Company, Milford, MI, USA

System safety engineering is the application of special technical methods and managerial processes in a systematic manner to identify, evaluate, and control potential hazards throughout the system life cycle of a product. System safety engineering is concerned with eliminating or minimizing the impact of system hazard(s) to an acceptable level. The goal of system safety is to address both random and systematic issues that can potentially lead to safety concerns. The system safety engineering process should be integrated with the development process of the system. Within such a process, several complementing critical safety analyses, tests, and assessment activities are iteratively conducted throughout the development of the system, beginning at the concept phase through the deployment of the product. The system safety case is progressively developed and independently assessed throughout the system development process. The timing of the safety assessments in the system development process is such that it is able to influence the design of the system. This paper will define a system safety case and provide an overview of its development within the GM system safety engineering process as it applies to automotive embedded motion control systems.

Utilizing Error Prevention Event Collection Documents to Augment Error Prevention Processes
Shawn Laabs, Mission Integration & Error Prevention, United Launch Alliance, Centennial, CO, USA; James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Joseph Russell, Launch Vehicle & Error Prevention, United Launch Alliance, Centennial, CO, USA

Error Prevention Event Collection (EPEC) Documents have been beneficial to the ULA Organization in many ways, by providing multiple methods to augment current ULA Error Prevention Processes and share Lessons Learned throughout the ULA Organization. EPEC Documents are stand-alone documents that provide ULA Personnel with categorized sets of Event information that can be used to augment Preventive Analysis, Reactive Analysis, and Collective Analysis processes. Events included in the EPEC Documents have been "closed" through the ULA Error Prevention Process. This means that they have completed the Causal Analysis, Corrective Action Board, and Error Prevention Council processes. Upon Event closure, the "All Items" Database is populated with Event information and the applicable Event EPEC Categories. Then the "All Items" Database automatically sorts Event entries into "Category" Databases. There is one "Category" Database for each EPEC Category. Each "Category" Database provides the Error Prevention Team with a unique link (URL). Finally, an EPEC Document is created for each "Category" Database that provides users with instructional use, a link (URL) to the associated Event information, and additional Error Prevention Tools. Additional improvements, applications, and benefits will continue to be explored as they relate to the EPEC Documents.

Wednesday 08/14/13 AM, Exeter: Human Factors II (Chair: Flint)

Development of Education Program Integrating Flight Safety and Psychological Stress
Qingfeng Liu, MPsy; Yanyan Wang, DE; Xin Liu; Wei Bai; Xinsheng Guo; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
Flight safety is an important occupational stressor in aviation. According to mishap chain theory, occupational stress has a disadvantageous effect on flight safety. Life events are a routine item of aircraft accident investigation in many countries, and many pilots involved in accidents were suffering from life events. In order to acquire the ideal effect, flight safety education must be incorporated with psychology. An education program combining flight safety and psychological stress was developed by summarizing the psychological factors relevant to aviation risk perception. The program includes three sections: psychological measurement relative to safety and results feedback; education on representative risk scenes in aviation; and occupational stress management. The Aviation Safety Locus of Control scale and the Hazardous Aviation Attitude questionnaire were used to evaluate risk pattern. The results were fed back to pilots to improve their self-knowledge. Representative risk scenes were based on the five hazardous attitudes theory; fifteen cases were developed and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach the pilots stress management skills. The program can be applied to improve the flight safety and mental health of pilots.

Program ISSC 2013

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD; Xin Liu; Wei Bai; Xinsheng Guo; Qingfeng Liu, MPsy; Xiaochao Guo, DPsy; Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China
The capabilities of crew resource management (CRM) relate directly to flight safety and run through the whole process of flight tasks, but there are currently no indicators and methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and the pilot's behavior characteristics of dynamic CRM were developed based on AC-121-FS-2011-41 (crew resource management training) and by analyzing the influential factors; from these, the dynamic assessment training indicators and methods of crew resource management were formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis of assessment of CRM during flight training, which is helpful to improve the CRM capabilities of the double drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD; Erin Collins; Hughes Associates, Inc., Baltimore, MD, USA
The fire protection response in selected facilities is characterized by "manual" activities. That is, facility personnel are trained to react immediately after fire detection, not only to announce the fire event throughout the facility using the communication systems, but also to suppress the fire as quickly as possible. Contrary to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e., hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper involves an integration of event tree analysis and HRA, which includes treatment of the following detection and suppression activities: prompt detection and suppression, rapid detection and suppression, and fire brigade suppression.

Wednesday 08/14/13 PM, Berkeley: Safety Topics (Chair: Gauthier)

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou, BEng, MSc, PhD, CEng; Matthew Luckcuck; Tim Kelly, PhD; Richard W. Jones, PhD; Department of Computer Science, University of York, York, United Kingdom
There has been an increasing use of IT in healthcare, aiming to improve the quality of healthcare, as well as the safety, delivered to patients. IT can contribute to improvement in meeting the performance targets of hospitals by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent in medical devices (e.g. pacemakers), for which there are organised efforts for international standards. Recently there have been attempts to systematise and standardise the safety analysis of health IT systems, with examples such as the UK National Health Service standards asking for a safety case that any IT systems are safe.

The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety and data intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these (tactics) can be used to provide assurance to the final safety case of the system.

How Complex Systems Fail-I: Decomposition of the Failure Histogram
Richard R. Zito, PhD, Richard R. Zito Research LLC, Tucson, AZ, USA
Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that in general the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model, and the failure histograms (failure rate vs. time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report will take the Peterson/Arellano analysis one step further. A unified theory of failure rates will be presented that removes the paradoxes of the simple Rayleigh model. It will be shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function law.

Wednesday 08/14/13 PM, Clarendon: Risk Assessment (Chair: Karedes)

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt; Joan Pham, PhD; Sikorsky Aircraft Corporation, Stratford, Connecticut, USA
The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday 08/15/13 AM, Berkeley: Space Systems (Chair: Durmaz)

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X. Dang, BSCE (1); Myles P. Moran, BSME (2); Tyrone Jackson, BSEE (1). (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA
A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. An example: one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 AFSPCSUP1, 91-217 and 63-101. AF program offices are required to comply with AFI policies; AFIs don't generally apply to the contractor except as implemented through the contract. Often, program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that by having two sets of requirements, AFIs for program offices and MIL-STD-882-Tailored for contractors, full compliance with AF Orbital Safety policy should be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"

Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G. McDougall, BS Physics, Naval Post-Graduate School (NPS) Master System Engineering, System Safety Center SMC SE, El Segundo, CA, USA; Tyrone Jackson, BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA
Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommission and disposal of systems, subsystems, end items and services during the entire space system lifecycle, to support Operational Safety, Suitability and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements that are applicable to the acquisition of space systems or space systems of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems and user equipment systems. SMC-tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP_I and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process of evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing tasks and activities required to execute a viable system safety program, which include risk acceptance package development, hazard tracking, mishap risk disposition and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch, CO, USA
United Launch Alliance launches Atlas V and Delta IV from Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles, and large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle and prelaunch operations, until liftoff. Range Safety regulations provide safety requirements for hardware, software and operations to ensure safety throughout the ground processing. This paper will examine each stage of the ground processing for space launch and the applicable safety requirements, and discuss how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after the personnel are cleared, using safety critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday 08/15/13 AM, Clarendon: Weapons Safety (Chair: Southwick)

Security Critical Software — the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S. Alborzi, PhD, Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA
Today's political landscape, the arbitrary abandonment of non-proliferation of nuclear weapons by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense of system safety. This paper intends to explore this integration and unveil some of the security critical software that can serve as the first line of defense for preserving the safety critical features of our weapons systems.


Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams, BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello, BSChE, Navy NOSSA, Indian Head, MD, USA
The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance provided in the associated AOP-7 and AOP-39 for implementing policy. Questions are often raised during program development and reviews as to the origin and applicability of tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, will only address Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE; Gunendran Sivapragasam, MBA, SE; Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA
A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among those characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday 08/15/13 AM, Dartmouth: Hazard Identification (Chair: Oliver)

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore
We have often asked ourselves why accidents or mishaps happened even when the system safety methodology and assessments were in place. Accidents happen due to many possible causes. There could be lapses in the safety integrity of the system, or a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns whereby a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations that were faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practices in system safety. There are four areas of concern highlighted in the paper: Interfaces, Prototype Tests & Trials, Maintenance & Disposal, and Human Error. By identifying the gaps in these four areas, the author explores and proposes mitigation measures that could possibly close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr., Cand. scient., System Safety, SINTEF, Trondheim, Norway
Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body (for certification according to IEC 61508), a Notified Body (for certification according to relevant EU directives) and a Manufacturer.

Experience has shown that, to deliver the product in time and to be cost-effective, it is very important that the Manufacturer and the Certification and Notified Body agree about basic principles concerning the plans, contents, traceability and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Body as evidence.

This paper presents the CoVeR method that has been developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, that costs are minimized, that time to market is reduced, that the certification process is complete and well documented, and that updating of the certificates requires less work. The certification experiences to date show that many of the problems with conventional methods are improved upon.

Design with Safety Eye
Barış Berk Erdem, MS; Pinar Aydin, MS; Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey
Deriving safety requirements in the early stages of the design is one of the most important key factors in conducting a successful development process for any project. While well-defined, correct, consistent and complete safety requirements improve and guide the design to perfect levels with minimum effort, defective, inconsistent and incorrect safety requirements may lead to unsuccessful, overweight and over-cost designs. In this paper, ways and advantages of deriving qualified safety requirements in the early stages of the design will be discussed via examples. Safety requirements are derived using the results of the safety assessments, based on the consequences of functional failures. But the quality of safety assessments is based on the maturity of the design, and as the design matures it is hard to change and implement the changes; this causes a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated and familiar with similar projects provides great contributions. Also, a safety perspective throughout the design team makes it easy to derive valuable safety requirements and bring these requirements into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is cooperation of the whole design team with a safety perspective.

Thursday 08/15/13 PM, Berkeley: Aerospace Software (Chair: Beecher)

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway, NASA Langley Research Center, Hampton, VA, USA
For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements". Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus, the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments, contained in or implied by the DO-178C guidance, that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore, developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper, we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels and Baconian probability. We define use cases for confidence in safety cases, prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for reuse of safety elements.

Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System
Eric Yang, PhD; Richard Y. Xie, PhD; Arash Yousefi, PhD; Metron Aviation, Inc., Dulles, VA, USA
As demand for military, civilian and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety that is set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper, we adapt a previously developed safety modeling framework, Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS, incompatibility of sense-and-avoid systems of UAS and Tactical Collision Avoidance Systems (TCAS) of manned aircraft, loss-link procedures in the UAS, and the UAS loss of communication with air traffic control. The findings of this study provide insight into potential risks of UAS integration and may support development of a concept of operations, establishing minimum performance standards, and developing required safety nets.

Thursday 08/15/13 PM, Clarendon: Public Safety II (Chair: Laabs)

Integrating System Safety and Emergency Management
Terry L. Hardy, Great Circle Analytics LLC, Denver, CO, USA
System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to and recover from an incident that threatens life, property, operations or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS; HSE, Marine Well Containment Company, Houston, TX, USA
Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess and Statoil. In February 2011, MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS and its Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach for working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.

A Taxonomic Analysis on Chinese Special Equipments "Yinhuan" in Supervision
Yunxiao Fan, Dr., Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety in the worksite. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices and automobiles. In recent years, the rapid increase in the numbers and types of special equipment has brought BSES increasing stress on special equipment regulation. As the government supervision organization, BSES tries to make the inspection tasks of the different supervision levels explicit and efficient, and to improve safety management performance from the viewpoint of risk. This research is the first task in a project which aims to identify yinhuans in special equipment supervision using a taxonomy approach, for further ranking of them through risk assessment. Based on nonconformity and the 4 elements in the accident causation model, this research defined the yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. This research identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans across 8 types of special equipment.

Thursday 08/15/13 PM, Dartmouth: Hazard/Risk Management II (Chair: Kniess)

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1); Patrick J. Graydon, PhD (2); Rikard Land, PhD (1). (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework including analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach, the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence; it can ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA
United Launch Alliance (ULA) believes error reporting is the corner-stone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012, ULA experienced an elevated number of transportation related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates processes were "in control" during the period of this study.

ProgramISSC2013



Even though statistical analysis tools demonstrated ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, PEng, MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece

Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how STAMP-Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents and incidents. The objective is to show the feasibility of establishing in airports system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems and airports to assess and predict changing levels of risk.


Special Functions

Saturday
SSS Executive Council Meeting, 12:00 - 5:00pm, Tremont Room

Sunday
SSS Executive Council Meeting, 8:00am - 5:00pm, Tremont Room

Monday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Opening Ceremonies / General Session, 1:30 - 3:30am, Salons A-E. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow Member Emeritus
Keynote Speaker: James P. Keller Jr., MS, ECRI Institute

Tuesday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Sponsor/Exhibitor Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology
Sponsor & Exhibitor Reception, 6:30 - 8:30pm, Gloucester Room

Wednesday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
International Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK
Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00pm. Be in the hotel lobby at 6:00pm.

Thursday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Awards Luncheon, 11:30 - 1:20pm, Salons A-E

Friday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Best Papers Presentations, 8:00 - 11:20am, Dartmouth Room


32nd International System Safety Conference, 4-8 August 2014 · St. Louis, MO
St. Louis Union Station Marriott Hotel
St. Louis, Missouri · August 4-8, 2014 · Gateway to Safety

Local Attractions
• Gateway Arch Riverfront
• Missouri History Museum
• Museum of Transportation
• St. Louis Cardinals
• St. Louis Symphony
• St. Louis Union Station
• St. Louis Science Center
• The Contemporary Art Museum St. Louis
• Bissell Mansion Restaurant and Dinner Theater
• Missouri Botanical Gardens
• Laumeier Sculpture Park
• Anheuser-Busch Brewery
• Kemp Auto Museum
• Schlafly Bottleworks
• Fox Theater
• Purina Farms
• Meramec Caverns
• Laclede's Landing
• City Museum
• Magic House
• Grant's Farm
• St. Louis Zoo
• Delmar Loop
• Forest Park
• Harrah's
• Six Flags


About the System Safety Society
The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program or activity at the planning phase and continues through the design, production, testing, use and disposal phases.

The Society's Objectives
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070. www.system-safety.org, email: systemsafety@system-safety.org

Points of Contact

Officers
Robert Schmedake, President: robertaschmedakeboeingcom
Dr. Rod Simmons, Executive Vice President: rodsimmonsmecom
Dr. Matt Johnson, Executive Secretary: mjohnsonstaudertechcom
Pam Kniess, Treasurer: pamkniessgmailcom
Gary Braman, Immediate Past President: gbramansikorskycom

Directors
Gerry Einarsson, Chapter Services: einargkrogerscom
Lynece Pfledderer, Conferences: Lynecepfleddererlmcocom
Dr. Chuck Muniak, Education & Professional Development: cmuniakstevensedu
Debbie Hale, Gov & Intersociety: Hale0324hotmailcom
Robert Fletcher, International Development: rwfletchersympaticoca
Melissa Emery, Member Services: memeryapt-researchcom
Steve Mattern, Mentoring R&D: smatternbastiontechnologiescom
Saralyn Dwyer, Publicity & Media: sdwyerapt-researchcom


Chapters
Tennessee Valley Chapter (AL): Don Swallom, swallomisss-tvcorg
Saguaro Chapter (AZ): Amanda Boysun, 520-794-5487, AmandaBoysunraytheoncom
Bay Area Chapter (CA): Graham Murray, 408-756-2674, grahamtmurraylmcocom
Central California Chapter (CA): Kathleen Brenna, KathleenBrenna1usafmil
Sierra High Desert Chapter (CA): Jerry Banister, 760-377-4690, safetycitadelearthlinknet
Southern California Chapter (CA): Francis McDougall, 310-653-1309, francismcdougallusafmil
Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppecomcastnet
Georgia Chapter: Terry Gooch, 770-494-3527, terryjgoochgmailcom
Winners Circle Chapter (KY/IN): Marc Bever, 812-854-1351, Marcbevernavymil
Twin Cities Chapter (MN): Bill Blake, 763-744-5086, billblakeatkcom
New England Chapter: Alan E. Southwick, 401-842-2067, Alan_E_Southwickraytheoncom
Northeast Chapter: Scott Beecher, scottbeecherPWutccom
New Mexico Chapter (NM): William (Bill) Harwood, williamharwoodmdamil
Houston Chapter (TX): Derek Robins, 281-335-2011, derekrobbinsmwcc-usacom
North Texas Chapter (TX): Frank Rinaldo, 817-762-3075, frankrrinaldolmcocom
Washington DC Chapter: Sean Peters, seanpetersurscom
Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerberbaesystemscom

International Chapters
Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbechtrgbassurancecomau
Canada Chapter: Maury Hill, 613-220-0533, Mauryhillrogerscom
Israel Chapter: Haim Kuper, 972-4-8315044, haimkuperelbitsystemscom
Singapore Chapter: Ten Lin Mei, tlinmeidsoorgsg


31st ISSC Luncheon Menu

Tuesday, August 13
New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14
Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15
Caesar Salad
Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato Pesto Butter Sauce
White Chocolate and Blood Orange Torte


combining flight safety and psychological stress was developed by summarizing relevant psychological factors of aviation risk perception. The program includes three sections: psychological measurement relative to safety and results feedback, education on representative risk scenes in aviation, and occupational stress management. The Aviation Safety Locus of Control Scale and the Hazardous Aviation Attitude Questionnaire were used to evaluate risk patterns. The results were fed back to pilots to improve their self-knowledge. The representative risk scenes were based on the five hazardous attitudes theory. Fifteen cases were developed, and the hazardous attitude pattern in each case was analyzed. In the occupational stress management program, life events and other stressors in aircraft accidents were analyzed to teach the pilots stress management skills. The program can be applied to improve the flight safety and mental health of pilots.

Research on Evaluation Index and Method of CRM Dynamic Training
Yanyan Wang, MD; Xin Liu; Wei Bai; Xinsheng Guo; Qingfeng Liu, MPsy; Xiaochao Guo, DPsy. Department of Aviation Psychology and Ergonomics, Beijing Institute of Aviation Medicine, Beijing, China

The capabilities of crew resource management (CRM) relate directly to flight safety and run through the whole process of flight tasks, but there are currently no indicators and methods for the dynamic management and assessment of crew resources in China. In this study, a theoretical system of CRM and the pilot's behavior characteristics of dynamic CRM were developed based on AC-121-FS-2011-41 crew resource management training and by analyzing the influential factors; thus the dynamic assessment training indicators and methods of crew resource management were eventually formed. The reliability and effectiveness of the indicators and methods have been validated through LOFT training in a simulator. The results can be used as the basis of assessment of CRM during flight training, which is helpful to improve the CRM capabilities of the double-drive system.

Human Reliability Analysis for Detection and Suppression Activities in Response to Fire Events
Francisco Joglar, PE, PhD; Erin Collins. Hughes Associates, Inc., Baltimore, MD, USA

The fire protection response in selected facilities is characterized by "manual" activities. That is, facility personnel are trained to immediately react after fire detection, not only to announce the fire event throughout the facility using the communication systems but also to suppress the fire as quickly as possible. Contrary to fixed/automatic fire detection and suppression systems, which can be characterized by component (i.e. hardware) reliability and availability techniques, "manual" detection and suppression activities need to be characterized using human reliability analysis (HRA). HRA offers a rigorous process for evaluating the feasibility and reliability of human actions and helps identify fire scenarios where the available detection and suppression capabilities may need to be improved. The Probabilistic Risk Assessment (PRA) described in this paper involves an integration of an event tree analysis and HRA, which includes treatment of the following detection and suppression activities: prompt detection and suppression, rapid detection and suppression, and fire brigade suppression.

Wednesday 08/14/13 PM · Berkeley · Safety Topics · Chair: Gauthier

Introducing Safety Assurance Influenced Design of Health IT Systems
George Despotou, BEng, MSc, PhD, CEng; Matthew Luckcuck; Tim Kelly, PhD; Richard W. Jones, PhD. Department of Computer Science, University of York, York, United Kingdom

There has been an increasing use of IT in healthcare, aiming to improve the quality of healthcare as well as the safety delivered to patients. IT can contribute to meeting the performance targets of hospitals by offering functionality for the management of patients.

However, erroneous use of health IT may pose a risk to the patient. Safety engineering techniques are a crucial element of medical systems. This has been apparent in medical devices (e.g. pacemakers), for which there have been organised efforts for international standards. Recently there have been attempts to systematise and standardise the safety analysis of health IT systems, with examples such as the UK National Health Service standards asking for a safety case that any IT systems are safe.


The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety and data-intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these tactics can be used to provide assurance to the final safety case of the system.

How Complex Systems Fail - I: Decomposition of the Failure Histogram
Richard R. Zito, PhD, Richard R. Zito Research LLC, Tucson, AZ, USA

Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that in general the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model. And the failure histograms (failure rate vs. time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report will take the Peterson/Arellano analysis one step further. A unified theory of failure rates will be presented that removes the paradoxes of the simple Rayleigh model. It will be shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function law.

Wednesday 08/14/13 PM · Clarendon · Risk Assessment · Chair: Karedes

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt; Joan Pham, PhD. Sikorsky Aircraft Corporation, Stratford, Connecticut, USA

The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday 08/15/13 AM · Berkeley · Space Systems · Chair: Durmaz

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X. Dang, BSCE (1); Myles P. Moran, BSME (2); Tyrone Jackson, BSEE (1). (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA

A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. An example: one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 AFSPCSUP1, 91-217 and 63-101. AF program offices are required to comply with AFI policies. AFIs don't generally apply to the contractor except as implemented through the contract. Often, program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that by having two sets of requirements, AFIs for program offices and MIL-STD-882-Tailored for contractors, full compliance with AF Orbital Safety policy should be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"


Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G. McDougall, BS Physics, Naval Post-Graduate School (NPS) Master System Engineering, System Safety Center SMC/SE, El Segundo, CA, USA; Tyrone Jackson, BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA

Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommissioning and disposal of systems, subsystems, end items and services during the entire space system lifecycle to support Operational Safety, Suitability and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements that are applicable to the acquisition of space systems or space systems of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems and user equipment systems. SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP_I and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process of evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing tasks and activities required to execute a viable system safety program that include risk acceptance package development, hazard tracking, mishap risk disposition and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch, CO, USA

United Launch Alliance launches Atlas V and Delta IV from Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles. Large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle and prelaunch operations, until liftoff. Range Safety regulations provide safety requirements for hardware, software and operations to ensure safety throughout the ground processing. This paper will examine each stage of the ground processing for space launch and the applicable safety requirements, and discuss how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after the personnel are cleared, using safety-critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday 08/15/13 AM · Clarendon · Weapons Safety · Chair: Southwick

Security Critical Software — the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S. Alborzi, PhD, Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA

Today's political landscape, the arbitrary abandonment of non-proliferation of nuclear weapons by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense to system safety. This paper intends to explore this integration and unveil some of the security critical software that can serve as the first line of defense for preserving the safety critical features of our weapons systems.


Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams, BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello, BSChE, Navy NOSSA, Indian Head, MD, USA

The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance provided in the associated AOP-7 and AOP-39 for implementing policy. Questions are often raised during program development and reviews as to the origin and applicability of tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, will only address Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE; Gunendran Sivapragasam, MBA, SE. Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA

A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among those characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday 08/15/13 AM · Dartmouth · Hazard Identification · Chair: Oliver

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore

We often asked ourselves why accidents or mishaps happened even when the system safety methodology and assessments were in place. Accidents happened due to many possible causes. There could be lapses in the safety integrity of the system, or a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns that a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations that were faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practices in system safety. There are 4 areas of concern highlighted in the paper: Interfaces, Prototype Tests & Trials, Maintenance & Disposal, and Human Error. By identifying the gaps in these 4 areas, the author explores and proposes mitigation measures that could possibly close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr. Cand. scient., System Safety, SINTEF, Trondheim, Norway

Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body for certification according to IEC 61508, a Notified Body for certification according to relevant EU directives, and a Manufacturer.

Experience has shown that, to deliver the product in time and to be cost-effective, it is very important that the Manufacturer and the Certification and Notified Body agree about basic principles concerning the plans, contents, traceability and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Body as evidence.

This paper presents the CoVeR method that has been developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, that costs are minimized, time to market is reduced, that the certification process is complete and well documented, and that updating the certificates requires less work. The certification experiences to date show that many of the problems with conventional methods are improved.

Design with Safety Eye
Barış Berk Erdem, MS; Pinar Aydin, MS. Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey

Deriving safety requirements in the early stages of the design is one of the most important key factors in conducting a successful development process for any project. Just as well-defined, correct, consistent and complete safety requirements improve and guide the design to perfect levels with minimum effort, defective, inconsistent and incorrect safety requirements may lead to unsuccessful, overweight and over-cost designs. In this paper, ways and advantages of deriving qualified safety requirements in the early stages of the design will be discussed via examples. Safety requirements are derived using the results of the safety assessments, based on the consequences of functional failures. But the quality of safety assessments is based on the maturity of the design, and as the design matures it is hard to change and implement the changes, which causes a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated and familiar with similar projects provides great contributions. Also, a safety perspective throughout the design team makes it easy to derive valuable safety requirements and apply these requirements to the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is cooperation of the whole design team with a safety perspective.

Thursday 08/15/13 PM · Berkeley · Aerospace Software · Chair: Beecher

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway, NASA Langley Research Center, Hampton, VA, USA

For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements". Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments, contained in or implied by the DO-178C guidance, that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore, developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper, we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels and Baconian probability. We define use cases for confidence in safety cases: prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases, we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for reuse of safety elements.

Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System
Eric Yang, PhD; Richard Y. Xie, PhD; Arash Yousefi, PhD. Metron Aviation, Inc., Dulles, VA, USA

As demand for military, civilian and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety that is set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper, we adapt a previously developed safety modeling framework, the Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS, incompatibility of sense-and-avoid systems of UAS and Tactical Collision Avoidance Systems (TCAS) of manned aircraft, loss-link procedures in the UAS, and the UAS loss of communication with air traffic control. The findings of this study provide insight into potential risks of UAS integration and may support development of a concept of operations, establishing minimum performance standards, and developing required safety nets.

Thursday 08/15/13 PM · Clarendon · Public Safety II · Chair: Laabs

Integrating System Safety and Emergency Management
Terry L. Hardy, Great Circle Analytics LLC, Denver, CO, USA
System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations, or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Program ISSC 2013 | 47

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS, HSE, Marine Well Containment Company, Houston, TX, USA
Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess and Statoil. In February 2011 MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS and Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach for working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.


A Taxonomic Analysis of Chinese Special Equipment "Yinhuan" in Supervision
Yunxiao Fan, Dr., Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety on the worksite. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices and automobiles. In recent years, the rapid increase in the numbers and types of special equipment has placed increasing stress on BSES's regulation of special equipment. As the government supervision organization, BSES tries to make the inspection tasks of the different supervision levels explicit and efficient, and to improve safety management performance from a risk-based view. This research is the first task in a project that aims to identify yinhuans in special equipment supervision through a taxonomic approach, for further ranking through risk assessment. Based on nonconformity and the four elements of the accident causation model, this research defined yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. The research identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans across 8 types of special equipment.

Thursday 08/15/13, PM, Dartmouth: Hazard/Risk Management II (Chair: Kniess)

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1), Patrick J. Graydon, PhD (2), Rikard Land, PhD (1); (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework including analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach, the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence; it can also ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA
United Launch Alliance (ULA) believes error reporting is the corner-stone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012, ULA experienced an elevated number of transportation-related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates processes were "in control" during the period of this study.


Even though statistical analysis tools demonstrated ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, PEng, MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece
Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how STAMP-Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents and incidents. The objective is to show the feasibility of establishing, in airports, system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems and airports to assess and predict changing levels of risk.

Special Functions

Saturday: SSS Executive Council Meeting, 12:00 - 5:00pm, Tremont Room

Sunday: SSS Executive Council Meeting, 8:00am - 5:00pm, Tremont Room

Monday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Opening Ceremonies / General Session, 1:30 - 3:30am, Salons A-E; 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus

Keynote Speaker: James P. Keller, Jr., MS, ECRI Institute

Tuesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Sponsor/Exhibitor Luncheon, 11:30am - 1:20pm, Salons A-E; Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology

Sponsor & Exhibitor Reception, 6:30 - 8:30pm, Gloucester Room

Wednesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

International Luncheon, 11:30am - 1:20pm, Salons A-E; Speaker: Dr. John McDermid, The University of York, UK

Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00pm; be in the hotel lobby at 6:00pm

Thursday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Awards Luncheon, 11:30 - 1:20pm, Salons A-E

Friday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Best Papers Presentations, 8:00 - 11:20am, Dartmouth Room


32nd International System Safety Conference, 4-8 August 2014, St. Louis, MO

St. Louis Union Station Marriott Hotel

Gateway to Safety: St. Louis, Missouri, August 4-8, 2014

Local attractions:
• Gateway Arch Riverfront
• Missouri History Museum
• Museum of Transportation
• St. Louis Cardinals
• St. Louis Symphony
• St. Louis Union Station
• St. Louis Science Center
• The Contemporary Art Museum St. Louis
• Bissell Mansion Restaurant and Dinner Theater
• Missouri Botanical Gardens
• Laumeier Sculpture Park
• Anheuser-Busch Brewery
• Kemp Auto Museum
• Schlafly Bottleworks
• Fox Theater
• Purina Farms
• Meramec Caverns
• Laclede's Landing
• City Museum
• Magic House
• Grant's Farm
• St. Louis Zoo
• Delmar Loop
• Forest Park
• Harrah's
• Six Flags


About the System Safety Society
The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program or activity at the planning phase and continues through the design, production, testing, use and disposal phases.

The Society's Objectives:
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070; www.system-safety.org; email: systemsafety@system-safety.org

Points of Contact

Officers
Robert Schmedake, President, robertaschmedake@boeing.com
Dr. Rod Simmons, Executive Vice President, rodsimmons@me.com
Dr. Matt Johnson, Executive Secretary, mjohnson@staudertech.com
Pam Kniess, Treasurer, pamkniess@gmail.com
Gary Braman, Immediate Past President, gbraman@sikorsky.com

Directors
Gerry Einarsson, Chapter Services, einargk@rogers.com
Lynece Pfledderer, Conferences, Lynecepfledderer@lmco.com
Dr. Chuck Muniak, Education & Professional Development, cmuniak@stevens.edu
Debbie Hale, Gov & Intersociety, Hale0324@hotmail.com
Robert Fletcher, International Development, rwfletcher@sympatico.ca
Melissa Emery, Member Services, memery@apt-research.com
Steve Mattern, Mentoring R&D, smattern@bastiontechnologies.com
Saralyn Dwyer, Publicity & Media, sdwyer@apt-research.com


Chapters
Tennessee Valley Chapter, AL: Don Swallom, swallom@isss-tvc.org
Saguaro Chapter, AZ: Amanda Boysun, 520-794-5487, AmandaBoysun@raytheon.com
Bay Area Chapter, CA: Graham Murray, 408-756-2674, grahamtmurray@lmco.com
Central California Chapter, CA: Kathleen Brenna, KathleenBrenna1@us.af.mil
Sierra High Desert Chapter, CA: Jerry Banister, 760-377-4690, safetycitadel@earthlink.net
Southern California Chapter, CA: Francis McDougall, 310-653-1309, francismcdougall@us.af.mil
Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppe@comcast.net
Georgia Chapter: Terry Gooch, 770-494-3527, terryjgooch@gmail.com
Winners Circle Chapter, KY/IN: Marc Bever, 812-854-1351, Marcbever@navy.mil
Twin Cities Chapter, MN: Bill Blake, 763-744-5086, billblake@atk.com
New England Chapter: Alan E. Southwick, 401-842-2067, Alan_E_Southwick@raytheon.com
Northeast Chapter: Scott Beecher, scottbeecher@PW.utc.com
New Mexico Chapter, NM: William (Bill) Harwood, williamharwood@mda.mil
Houston Chapter, TX: Derek Robins, 281-335-2011, derekrobbins@mwcc-usa.com
North Texas Chapter, TX: Frank Rinaldo, 817-762-3075, frankrrinaldo@lmco.com
Washington DC Chapter: Sean Peters, seanpeters@urs.com
Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerber@baesystems.com

International Chapters
Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbecht@rgbassurance.com.au
Canada Chapter: Maury Hill, 613-220-0533, Mauryhill@rogers.com
Israel Chapter: Haim Kuper, 972-4-8315044, haimkuper@elbitsystems.com
Singapore Chapter: Ten Lin Mei, tlinmei@dso.org.sg


31st ISSC Luncheon Menu

Tuesday, August 13
New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14
Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15
Caesar Salad
Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce
White Chocolate and Blood Orange Torte


The paper describes the safety challenges of health IT systems and the safety engineering concepts introduced by the standards to address them. Furthermore, the paper examines safety and data-intensive systems, describing the safety analysis of an electronic prescription application, including examples of software tactics that can contribute to safety and how these (tactics) can be used to provide assurance to the final safety case of the system.

How Complex Systems Fail-I: Decomposition of the Failure Histogram
Richard R. Zito, PhD, Richard R. Zito Research LLC, Tucson, AZ, USA
Peterson and Arellano (2002) have shown, in a seminal paper published in Reliability Review, that in general the defect rate (failure rate) of software modules usually varies with time according to a Rayleigh distribution. However, the failure rates observed in the "tails" (large values of time) are higher than those predicted by the Rayleigh model. And the failure histograms (failure rate vs. time) of some data sets do not seem to fit the Rayleigh model very well at all. Furthermore, software failure rates observed in the field after development follow an exponential decay law. How are all these difficulties to be resolved? This report will take the Peterson/Arellano analysis one step further. A unified theory of failure rates will be presented that removes the paradoxes of the simple Rayleigh model. It will be shown that the behavior of real-world complex systems (hardware or software) can be understood in terms of multiple Rayleigh failure rate laws, one for each subsystem, such that the modes of these Rayleigh distributions have values that are themselves distributed according to a probability density function law.

Wednesday 08/14/13, PM, Clarendon: Risk Assessment (Chair: Karedes)

Quantitative Risk Assessment in Aviation Safety Risk Management
John Hewitt, Joan Pham, PhD, Sikorsky Aircraft Corporation, Stratford, Connecticut, USA
The aviation safety risk management process is shifting from a qualitative approach toward predictive Quantitative Risk Assessment (QRA) based on Life Data Analysis. The mathematical computations of QRA are complex and can be intimidating, but the basic elements and interpretation are fairly understandable, so even non-mathematicians working in safety can benefit from understanding the process. This paper presents a stepwise approach for performing a QRA and includes a case study, lessons learned, and a review of current aviation policy, including FAA Order 8110.107, which introduces the Monitor Safety/Analyze Data process.

Thursday 08/15/13, AM, Berkeley: Space Systems (Chair: Durmaz)

Using the System Safety Management Plan To Effectively Implement Air Force Orbital Safety Policy
Lan X. Dang, BSCE (1), Myles P. Moran, BSME (2), Tyrone Jackson, BSEE (1); (1) System Safety, Space and Missile Systems Center, El Segundo, CA, USA; (2) Space & Missile Center, US Air Force, Los Angeles, CA, USA
A common issue among several AF satellite acquisition program offices is the insufficiency of their Orbital Safety efforts. An example: one satellite contractor's orbital risk assessment is limited to potential collisions between man-made objects. The scope of AF Orbital Safety policy is collectively defined in AFI 91-202 AFSPC SUP1, 91-217 and 63-101. AF program offices are required to comply with AFI policies; AFIs don't generally apply to the contractor except as implemented through the contract. Often, program offices impose AF Orbital Safety policy on contractors through contractual tailoring of MIL-STD-882E or a prior version. One might assume that by having two sets of requirements, AFIs for program offices and MIL-STD-882-Tailored for contractors, full compliance with AF Orbital Safety policy should be achieved every time. However, AF satellite acquisition history has shown this assumption to be false. Eight areas of Orbital Safety risk must be addressed in order for the contractor's System Safety Program to comply with AFI policy. These risk areas should be identified in the program office's SSMP and addressed in the contractor's SSPP. This paper answers the question "How should the SSMP be tailored to aid the program office's enforcement of AF Orbital Safety policy?"

Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G. McDougall, BS Physics, Naval Post-Graduate School (NPS) Master System Engineering, System Safety Center SMC/SE, El Segundo, CA, USA; Tyrone Jackson, BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA
Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommission and disposal of systems, subsystems, end items and services during the entire space system lifecycle to support Operational Safety, Suitability and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements that are applicable to the acquisition of space systems or space system of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems and user equipment systems. SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202 AFSPC SUP I, and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process of evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing tasks and activities required to execute a viable system safety program that include risk acceptance package development, hazard tracking, mishap risk disposition and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch, CO, USA
United Launch Alliance launches Atlas V and Delta IV from Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles. Large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle, and prelaunch operations till liftoff. Range Safety regulations provide safety requirements for hardware, software and operations to ensure safety throughout the ground processing. This paper will examine each stage of the ground processing for space launch and the applicable safety requirements, and discuss how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after the personnel are cleared, using safety-critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday 08/15/13, AM, Clarendon: Weapons Safety (Chair: Southwick)

Security Critical Software: the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S. Alborzi, PhD, Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA
Today's political landscape, the arbitrary abandonment of non-proliferation of nuclear weapons by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense of system safety. This paper intends to explore this integration and unveil some of the security critical software that can serve as the first line of defense for preserving the safety critical features of our weapons systems.

Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams, BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello, BSChE, Navy NOSSA, Indian Head, MD, USA
The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance provided in the associated AOP-7 and AOP-39 for implementing policy. Questions are often raised during program development and reviews as to the origin and applicability of tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, will only address Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE, Gunendran Sivapragasam, MBA SE, Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA
A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among those characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday 08/15/13, AM, Dartmouth: Hazard Identification (Chair: Oliver)

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore
We often asked ourselves why accidents or mishaps happened even when the system safety methodology and assessments were in place. Accidents happened due to many possible causes. There could be lapses in the safety integrity of the system, or a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns, where a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations that were faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practices in system safety. There are 4 areas of concern highlighted in the paper: Interfaces, Prototype Tests & Trials, Maintenance & Disposal, and Human Error. By identifying the gaps in these 4 areas, the author explores and proposes mitigation measures that could possibly close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr. Cand. scient., System Safety, SINTEF, Trondheim, Norway
Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body for certification according to IEC 61508, a Notified Body for certification according to relevant EU directives, and a Manufacturer.

Experience has shown that, to deliver the product in time and to be cost-effective, it is very important that the Manufacturer and the Certification and Notified Body agree about basic principles concerning the plans, contents, traceability and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Body as evidence.

This paper presents the CoVeR method that has been developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, that costs are minimized, that time to market is reduced, that the certification process is complete and well documented, and that updating the certificates requires less work. The certification experiences to date show that many of the problems with conventional methods are improved upon.

Design with Safety Eye
Barış Berk Erdem, MS, Pinar Aydin, MS, Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey
Deriving safety requirements in the early stages of the design is one of the most important key factors in conducting a successful development process for any project. Whereas well-defined, correct, consistent and complete safety requirements improve and guide the design toward perfect levels with minimum effort, defective, inconsistent and incorrect safety requirements may lead to unsuccessful, overweight and over-cost designs. In this paper, ways of deriving qualified safety requirements in the early stages of the design, and their advantages, will be discussed via examples. Safety requirements are derived using the results of the safety assessments, which are based on the consequences of functional failures. But the quality of safety assessments depends on the maturity of the design, and as the design matures it becomes hard to change and implement the changes; this causes a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated and familiar with similar projects provides great contributions. Also, a safety perspective throughout the design team makes it easy to derive valuable safety requirements and bring these requirements into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is cooperation of the whole design team with a safety perspective.

Thursday 08/15/13, PM, Berkeley: Aerospace Software (Chair: Beecher)

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway, NASA Langley Research Center, Hampton, VA, USA
For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements". Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus, the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments, contained in or implied by the DO-178C guidance, that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety LogicPatrick J Graydon Postdoctoral Research Fellow School Of Innovation Design and Engineering Maumllardalen University Vaumlsterarings SwedenReasoning about system safety requires reasoning about confidence in safety claims For example DO-178B requires developers to determine the correctness of the worst-case execution time of the software It is not possible to do this beyond any doubt Therefore developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures timing analysis results and claims to have met timing-related software safety requirements In this paper we survey and assess existing concepts that might serve as means of describing and reasoning about confidence including safety integrity levels probability distributions of failure rates Bayesian Belief Networks argument integrity levels and Baconian probability We define use cases for confidence in safety cases prescriptive standards certification of component-based systems and the reuse of safety elements both in and out of context From these use cases we derive requirements for a confidence framework We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements Our results show that no existing confidence metric is ideally suited for all uses We conclude by discussing implications for future standards and for reuse of safety elements

Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System
Eric Yang, PhD; Richard Y. Xie, PhD; Arash Yousefi, PhD; Metron Aviation, Inc., Dulles, VA, USA
As demand for military, civilian, and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety that is set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper, we adapt a previously developed safety modeling framework, Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS, incompatibility of sense-and-avoid systems of UAS and Tactical Collision Avoidance Systems (TCAS) of manned aircraft, loss-link procedures in the UAS, and the UAS loss of communication with air traffic control. The findings of this study provide insight into potential risks of UAS integration and may support development of concept of operation, establishing minimum performance standards, and developing required safety nets.

Thursday 8/15/13 PM, Clarendon: Public Safety II. Chair: Laabs

Program ISSC 2013

Integrating System Safety and Emergency Management
Terry L. Hardy, Great Circle Analytics, LLC, Denver, CO, USA
System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations, or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience, and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS, HSE, Marine Well Containment Company, Houston, TX, USA
Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips, and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain, and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess, and Statoil. In February 2011, MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS, and its Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach for working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.

WHAT ARE YOUR STRENGTHS AS AN ENGINEER?

"thinking system-wide" / "providing in-depth analysis of the latest technologies" / "solving real-life problems"

ONLINE MASTER'S DEGREES

- Reliability Engineering
- Project Management
- Nuclear Engineering
- Sustainable Energy
- Energetic Concepts
- Fire Protection Engineering

LEARN MORE: wwwadvancedengineeringeduissc

A Taxonomic Analysis on Chinese Special Equipments "Yinhuan" in Supervision
Yunxiao Fan, Dr., Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipments to ensure their safety in the worksite. Special equipments in China include boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices, and automobiles. In recent years, the rapid increase in numbers and types of special equipments has brought BSES increasing stress on special equipments regulation. As a government supervision organization, BSES tries to make the inspection tasks of different supervision levels explicit and efficient and to improve safety management performance based on the view of risk. This research is the first task in the project, which aims to identify yinhuans in special equipment supervision with a taxonomy approach for further ranking them through risk assessment. Based on nonconformity and the 4 elements in the accident causation model, this research defined yinhuans of special equipments in China and built a yinhuan taxonomic analysis structure. This research identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans of 8 types of special equipments.

Thursday 8/15/13 PM, Dartmouth: Hazard/Risk Management II. Chair: Kniess

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1); Patrick J. Graydon, PhD (2); Rikard Land, PhD (1); (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden
In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework including analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach, the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence; it can ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA
United Launch Alliance (ULA) believes error reporting is the cornerstone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as Events) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented, and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012, ULA experienced an elevated number of transportation-related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if the associated processes were in statistical control with respect to errors.

This paper concludes:
- The Statistical Quality Control P-Charting technique can be applied to Event data.
- Statistical Quality Control P-Charting analysis indicates the processes were "in control" during the period of this study.

Isograph Software: World Leading Reliability, Availability and Maintenance Software

Reliability Workbench: Reliability Allocation, Prediction, FMECA, Fault Tree Analysis, Event Tree Analysis, Markov

Availability Workbench: Reduce Labor & Spares Costs; Increase uptime and output; Seamless integration with SAP and Maximo

www.isograph-software.com

Even though statistical analysis tools demonstrated ULA's processes were "in control," ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, PEng, MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece
Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how the STAMP-Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents, and incidents. The objective is to show the feasibility of establishing, in airports, system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems, and airports to assess and predict changing levels of risk.

Special Functions

Saturday: SSS Executive Council Meeting, 12:00 - 5:00pm, Tremont Room

Sunday: SSS Executive Council Meeting, 8:00am - 5:00pm, Tremont Room

Monday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Opening Ceremonies / General Session, 1:30 - 3:30am, Salons A-E. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus

Keynote Speaker: James P. Keller, Jr., MS, ECRI Institute

Tuesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Sponsor/Exhibitor Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology

Sponsor & Exhibitor Reception, 6:30 - 8:30pm, Gloucester Room

Wednesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

International Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK

Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00pm. Be in the hotel lobby at 6:00pm.

Thursday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Awards Luncheon, 11:30 - 1:20pm, Salons A-E

Friday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Best Papers Presentations, 8:00 - 11:20am, Dartmouth Room

32nd International System Safety Conference, 4-8 August 2014, St. Louis, MO

St. Louis Union Station Marriott Hotel


Local Attractions:
- Gateway Arch Riverfront
- Missouri History Museum
- Museum of Transportation
- St. Louis Cardinals
- St. Louis Symphony
- St. Louis Union Station
- St. Louis Science Center
- The Contemporary Art Museum St. Louis
- Bissell Mansion Restaurant and Dinner Theater
- Missouri Botanical Gardens
- Laumeier Sculpture Park
- Anheuser-Busch Brewery
- Kemp Auto Museum
- Schlafly Bottleworks
- Fox Theater
- Purina Farms
- Meramec Caverns
- Laclede's Landing
- City Museum
- Magic House
- Grant's Farm
- St. Louis Zoo
- Delmar Loop
- Forest Park
- Harrah's
- Six Flags

About the System Safety Society
The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products, and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program, or activity at the planning phase and continues through the design, production, testing, use, and disposal phases.

The Society's Objectives:
- To advance the art and science of system safety
- To promote a meaningful management and technological understanding of system safety
- To disseminate advances in knowledge to all interested groups and individuals
- To further the development of the professionals engaged in system safety
- To improve public understanding of the system safety discipline
- To improve the communication of system safety principles to all levels of management, engineering, and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070; www.system-safety.org; email: systemsafety@system-safety.org

Points of Contact

Officers:
Robert Schmedake, President, robertaschmedakeboeingcom

Dr. Rod Simmons, Executive Vice President, rodsimmonsmecom

Dr. Matt Johnson, Executive Secretary, mjohnsonstaudertechcom

Pam Kniess, Treasurer, pamkniessgmailcom

Gary Braman, Immediate Past President, gbramansikorskycom

Directors:
Gerry Einarsson, Chapter Services, einargkrogerscom
Lynece Pfledderer, Conferences, Lynecepfleddererlmcocom
Dr. Chuck Muniak, Education & Professional Development, cmuniakstevensedu

Debbie Hale, Gov & Intersociety, Hale0324hotmailcom
Robert Fletcher, International Development, rwfletchersympaticoca

Melissa Emery, Member Services, memeryapt-researchcom
Steve Mattern, Mentoring R&D, smatternbastiontechnologiescom

Saralyn Dwyer, Publicity & Media, sdwyerapt-researchcom

Chapters
Tennessee Valley Chapter AL Don Swallom swallomisss-tvcorg

Saguaro Chapter AZ Amanda Boysun 520-794-5487 AmandaBoysunraytheoncom

Bay Area Chapter CA Graham Murray 408-756-2674 grahamtmurraylmcocom

Central California Chapter CA Kathleen Brenna KathleenBrenna1usafmil

Sierra High Desert Chapter CA Jerry Banister 760-377-4690 safetycitadelearthlinknet

Southern California Chapter CA Francis McDougall 310-653-1309 francismcdougallusafmil

Colorado Chapter Terry Foppe 303-915-8353 terryfoppecomcastnet

Georgia Chapter Terry Gooch 770-494-3527 terryjgoochgmailcom

Winners Circle Chapter KYIN Marc Bever 812-854-1351 Marcbevernavymil

Twin Cities Chapter MN Bill Blake 763-744-5086 billblakeatkcom

New England Chapter Alan E Southwick 401-842-2067 Alan_E_Southwickraytheoncom

Northeast Chapter Scott Beecher scottbeecherPWutccom

New Mexico Chapter NM William (Bill) Harwood williamharwoodmdamil

Houston Chapter TX Derek Robins 281-335-2011 derekrobbinsmwcc-usacom

North Texas Chapter TX Frank Rinaldo 817-762-3075 frankrrinaldolmcocom

Washington DC Chapter Sean Peters seanpetersurscom

Virtual Chapter Doanna Weissgerber 408-289-4407 DoannaWeissgerberbaesystemscom

International Chapters
Australia Chapter Dr Holger Becht +61 (0)7 3868 9243 holgerbechtrgbassurancecomau

Canada Chapter Maury Hill 613-220-0533 Mauryhillrogerscom

Israel Chapter Haim Kuper 972-4-8315044 haimkuperelbitsystemscom

Singapore Chapter Ten Lin Mei tlinmeidsoorgsg


31st ISSC Luncheon Menu

Tuesday, August 13

New England Clam Chowder

Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction

Key Lime Tart in a Hazelnut Crust, Blackberry Pate de Fruit

Wednesday, August 14

Asian Inspired Salad

Teriyaki Chicken, Coconut Rice, Seared Bok Choy

Triple Chocolate Tower: White, Dark, and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache, and Berry Sauce

Thursday, August 15

Caesar Salad

Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce

White Chocolate and Blood Orange Torte


Tailoring of MIL-STD-882E for Space Systems Acquisitions
Francis G. McDougall, BS Physics, Naval Post-Graduate School (NPS) Master System Engineering, System Safety Center SMCSE, El Segundo, CA, USA; Tyrone Jackson, BSEE, System Safety, Space and Missile Systems Center, El Segundo, CA, USA
Space and Missile Systems Center (SMC) has tailored MIL-STD-882E for space systems acquisitions, addressing development, acquisition, fielding, sustainment, decommission, and disposal of systems, subsystems, end items, and services during the entire space system lifecycle to support Operational Safety, Suitability, and Effectiveness (OSS&E) of warfighter capability needs. Tailored MIL-STD-882E will be cited in SMC contract Statements of Work (SOW) of new acquisitions to specify the system safety requirements that are applicable to the acquisition of space systems or space system of systems (SoS), which may include space vehicles, upper-stage vehicles, injection stages, satellite payloads, reentry vehicles, launch vehicles or ballistic vehicles, ground control systems, and user equipment systems. SMC tailoring outlines the SMC standard practice for conducting system safety, which conforms to DoDI 5000.02, AFI 63-101 (now AFI 63-101/20-101), AFI 91-202_AFSPC SUP_I, and SMCI 91-201 (formerly SMCI 63-1205), and provides a consistent process of evaluating and mitigating identified risks. The MIL-STD-882E tailoring instruction provides the process to appropriately manage mishap risks from system concept through disposal, describing tasks and activities required to execute a viable system safety program, including risk acceptance package development, hazard tracking, mishap risk disposition, and mishap investigation.

Cryogenic Safety for Space Launch Vehicles During Ground Operations
Srinath Iyengar, System Safety, United Launch Alliance, Highlands Ranch, CO, USA
United Launch Alliance launches Atlas V and Delta IV from Cape Canaveral and Vandenberg Air Force launch facilities. Liquid hydrogen and liquid oxygen are the primary cryogenic propellants for these launch vehicles. Large quantities of these propellants are stored on the launch site. Cryogenic propellants present leak, fire, and explosion hazards throughout their handling, starting from the time the commercial transport trailers enter the launch pad, through storage tank filling, propellant transfer to the launch vehicle, and prelaunch operations, until liftoff. Range Safety regulations provide safety requirements for hardware, software, and operations to ensure safety throughout the ground processing. This paper will examine each stage of the ground processing for space launch and the applicable safety requirements, and discuss how the requirements are applied. Some examples are DOT requirements for trailers, ASME code requirements for storage tanks, location of the storage tanks, testing and periodic recertification of cryogenic systems, relief devices, and disposal of cryogens through proper vents. Propellant transfer to the launch vehicle is performed remotely, after the personnel are cleared, using safety critical software. Personnel are cleared during the most hazardous periods, but safety precautions are needed at all other times when they are required in the area.

Thursday 8/15/13 AM, Clarendon: Weapons Safety. Chair: Southwick

Security Critical Software: the Necessary Frontline Defense of System Safety in Today's Dangerous Nuclear Age
Showkat S. Alborzi, PhD, Strategic Systems Programs - Fleet Ballistic Missiles, Washington Navy Yard, VA, USA
Today's political landscape, the arbitrary abandonment of non-proliferation of nuclear weapons by several rogue member nations, and the near-limitless access to sensitive information on the Internet compel us, the safety engineers, to partner and integrate with system security to provide protection for our critical assets. In this endeavor, software security becomes the frontline defense to system safety. This paper intends to explore this integration and unveil some of the security critical software that can serve as the first line of defense for preserving the safety critical features of our weapons systems.

Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams, BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello, BSChE, Navy NOSSA, Indian Head, MD, USA
The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance provided in the associated AOP-7 and AOP-39 for implementing policy. Questions are often raised during program development and reviews as to the origin and applicability of tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, will only address Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE; Gunendran Sivapragasam, MBA SE; Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA
A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among those characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday 8/15/13 AM, Dartmouth: Hazard Identification. Chair: Oliver

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore
We often asked ourselves why accidents or mishaps happened even when the system safety methodology and assessments were in place. Accidents happened due to many possible causes. There could be lapses in the safety integrity of the system, or a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns that a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations that were faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practices in system safety. There are 4 areas of concern highlighted in the paper: Interfaces, Prototype Tests & Trials, Maintenance & Disposal, and Human Error. By identifying the gaps in these 4 areas, the author explores and proposes mitigation measures that could possibly close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr. Cand. scient., System Safety, SINTEF, Trondheim, Norway
Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body for certification according to IEC 61508, a Notified Body for certification according to relevant EU directives, and a Manufacturer.

Experience has shown that, to deliver the product in time and to be cost-effective, it is very important that the Manufacturer and the Certification and Notified Body agree about basic principles concerning the plans, contents, traceability, and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Body as evidence.

This paper presents the CoVeR method that has been developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification, and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, that costs are minimized, that time to market is reduced, that the certification process is complete and well documented, and that updates of the certificates require less work. The certification experiences to date show that many of the problems with conventional methods are improved.

Design with Safety Eye
Barış Berk Erdem, MS; Pinar Aydin, MS; Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey
Deriving safety requirements in the early stages of the design is one of the most important key factors to conduct a successful development process for any project. As well-defined, correct, consistent, and complete safety requirements improve and guide the design to perfect levels with minimum effort, defective, inconsistent, and incorrect safety requirements may lead to unsuccessful, overweighted, and overcost designs. In this paper, ways and advantages of deriving qualified safety requirements in early stages of the design will be discussed via examples. Safety requirements are derived using the results of the safety assessments, based on the consequences of functional failures. But the quality of safety assessments is based on the maturity of the design, and also, as the design matures, it is hard to change and implement the changes, which causes a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated, and familiar with similar projects provides great contributions. Also, a safety perspective throughout the design team makes it easy to derive valuable safety requirements and bring these requirements into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is cooperation of the whole design team with a safety perspective.

Thursday 8/15/13 PM, Berkeley: Aerospace Software. Chair: Beecher

Making the Implicit Explicit Towards an Assurance Case for DO-178CC Michael Holloway NASA Langley Research Center Hampton VA USAFor about two decades compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes A new edition of the standard DO-178C was published in December 2011 and regulatory bodies have started the process towards recognizing this edition The stated purpose of DO-178C remains unchanged from its predecessor providing guidance ldquofor the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirementsrdquo Within the text of the guidance little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose Thus the assurance case for the document is implicit This paper discusses a current effort to make the

46

implicit explicit In particular the paper describes the current status of the research seeking to identify the specific arguments contained in or implied by the DO-178C guidance that implicitly justify the assumption that the document meets its stated purpose

Uncertainty and Confidence in Safety LogicPatrick J Graydon Postdoctoral Research Fellow School Of Innovation Design and Engineering Maumllardalen University Vaumlsterarings SwedenReasoning about system safety requires reasoning about confidence in safety claims For example DO-178B requires developers to determine the correctness of the worst-case execution time of the software It is not possible to do this beyond any doubt Therefore developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures timing analysis results and claims to have met timing-related software safety requirements In this paper we survey and assess existing concepts that might serve as means of describing and reasoning about confidence including safety integrity levels probability distributions of failure rates Bayesian Belief Networks argument integrity levels and Baconian probability We define use cases for confidence in safety cases prescriptive standards certification of component-based systems and the reuse of safety elements both in and out of context From these use cases we derive requirements for a confidence framework We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements Our results show that no existing confidence metric is ideally suited for all uses We conclude by discussing implications for future standards and for reuse of safety elements

Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace SystemEric Yang PhD Richard Y Xie PhD Arash Yousefi PhD Metron Aviation Inc Dulles VA USAAs demand for military civilian and commercial Unmanned Aircraft Systems (UAS) increases the Federal Aviation Administration (FAA) is planning to fully integrate the UAS operations into the National Airspace System (NAS) Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety that is set by the International Civil Aviation Organization (ICAO) The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics

In this paper we adapt a previously developed safety modeling framework Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC) to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives More specifically we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS incompatibility of sense-and-avoid systems of UAS and Tactical Collision Avoidance Systems (TCAS) of manned aircraft loss-link procedures in the UAS and the UAS loss of communication with air traffic control The findings of this study provides insight into potential risks of UAS integration and may support development of concept of operation establishing minimum performance standards and developing required safety nets

Thursday, 08/15/13, PM, Clarendon: Public Safety II, Chair: Laabs

Program ISSC 2013

Integrating System Safety and Emergency Management
Terry L. Hardy, Great Circle Analytics LLC, Denver, CO, USA

System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations, or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience, and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS, HSE, Marine Well Containment Company, Houston, TX, USA

Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess and Statoil. In February 2011 MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS and Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach for working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.

WHAT ARE YOUR STRENGTHS AS AN ENGINEER?

"thinking system-wide" "providing in-depth analysis of the latest technologies" "solving real-life problems"

ONLINE MASTER'S DEGREES

- RELIABILITY ENGINEERING
- PROJECT MANAGEMENT
- NUCLEAR ENGINEERING
- SUSTAINABLE ENERGY
- ENERGETIC CONCEPTS
- FIRE PROTECTION ENGINEERING

LEARN MORE: wwwadvancedengineeringeduissc


A Taxonomic Analysis on Chinese Special Equipments "Yinhuan" in Supervision
Yunxiao Fan, Dr., Associate Professor, Yun Luo, Professor, Ming Lu, Master, School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety at the worksite. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices and automobiles. In recent years the rapid increase in the numbers and types of special equipment has put BSES under increasing stress in regulating it. As a government supervisory organization, BSES tries to make the inspection tasks of the different supervision levels explicit and efficient, and to improve safety management performance from a risk-based view. This research is the first task in a project which aims to identify yinhuans (hidden dangers) in special equipment supervision using a taxonomic approach, for later ranking through risk assessment. Based on nonconformity and the four elements of the accident causation model, this research defined yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. The research identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans across 8 types of special equipment.

Thursday, 08/15/13, PM, Dartmouth: Hazard/Risk Management II, Chair: Kniess

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1), Patrick J. Graydon, PhD (2), Rikard Land, PhD (1); (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework including analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach, the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence, it can ease the burden of re-checking the safety argument as it (and the system) change.
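The approach described above, reduced to a runnable sketch (an added illustration, not the authors' framework or code): a constructed Python dict stands in for the AADL model, plain Python functions stand in for the ML-subset predicates attached to GSN Solution nodes, and a verifier walks the goal structure so that a design change (here a larger worst-case execution time) shows exactly which reasoning steps stop holding. Node ids, model properties and the three predicates are assumptions of this example.

```python
"""Checking a GSN-style argument's leaf predicates against a system model.

Added illustration, not the paper's framework. A constructed dict stands in
for an AADL model; Python functions stand in for ML-subset predicates.
"""
import copy
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed model: three periodic tasks on one core, each with a design
# assurance level (criticality), plus the data connections between them.
SYSTEM_MODEL = {
    "components": {
        "sensor":     {"period_ms": 10,  "wcet_ms": 2,  "criticality": "A"},
        "controller": {"period_ms": 10,  "wcet_ms": 4,  "criticality": "A"},
        "logger":     {"period_ms": 100, "wcet_ms": 10, "criticality": "D"},
    },
    "connections": [("sensor", "controller"), ("controller", "logger")],
    "processor": {"cores": 1},
}
RANK = {"A": 4, "B": 3, "C": 2, "D": 1}  # higher rank = more critical


@dataclass
class Node:
    """GSN element: Goals/Strategies hold iff all children hold; a Solution
    holds iff its predicate holds on the model."""
    id: str
    kind: str  # "Goal" | "Strategy" | "Solution"
    text: str
    children: List["Node"] = field(default_factory=list)
    predicate: Optional[Callable[[dict], bool]] = None


# Predicates (the paper writes these in an ML subset; here plain Python).
def utilization(model: dict) -> float:
    """Processor utilization sum(C_i / T_i) over all tasks."""
    return sum(c["wcet_ms"] / c["period_ms"] for c in model["components"].values())


def dal_a_wcet_within_period(model: dict) -> bool:
    """Every criticality-A task has a WCET no larger than its period."""
    return all(c["wcet_ms"] <= c["period_ms"]
               for c in model["components"].values() if c["criticality"] == "A")


def rm_schedulable(model: dict) -> bool:
    """Single core and utilization within the Liu & Layland bound n(2^(1/n)-1).
    The bound is sufficient, not necessary: failing it means 'not shown'."""
    n = len(model["components"])
    return model["processor"]["cores"] == 1 and utilization(model) <= n * (2 ** (1.0 / n) - 1)


def no_low_to_high_flow(model: dict) -> bool:
    """No connection carries data from a less critical to a more critical task."""
    comps = model["components"]
    return all(RANK[comps[s]["criticality"]] >= RANK[comps[d]["criticality"]]
               for s, d in model["connections"])


def build_argument() -> Node:
    """Small goal structure whose leaves are machine-checkable predicates."""
    return Node("G1", "Goal", "Timing and partitioning safety requirements are met", [
        Node("S1", "Strategy", "Argue over each requirement", [
            Node("G2", "Goal", "All DAL A tasks complete within their period",
                 [Node("Sn1", "Solution", "WCET analysis", predicate=dal_a_wcet_within_period)]),
            Node("G3", "Goal", "Task set is schedulable on the single processor",
                 [Node("Sn2", "Solution", "RM schedulability bound", predicate=rm_schedulable)]),
            Node("G4", "Goal", "No low-criticality task feeds a high-criticality one",
                 [Node("Sn3", "Solution", "Connection review", predicate=no_low_to_high_flow)]),
        ])])


def verify(node: Node, model: dict) -> Dict[str, bool]:
    """Evaluate every node. An undeveloped Goal/Strategy (no children) is unsupported."""
    results: Dict[str, bool] = {}

    def walk(n: Node) -> bool:
        if n.kind == "Solution":
            ok = bool(n.predicate(model)) if n.predicate else False
        else:
            child_ok = [walk(c) for c in n.children]  # evaluate all children, no short-circuit
            ok = bool(child_ok) and all(child_ok)
        results[n.id] = ok
        return ok

    walk(node)
    return results


def failed_nodes(model: dict) -> List[str]:
    """Sorted ids of argument nodes that do not hold for this model."""
    return sorted(i for i, ok in verify(build_argument(), model).items() if not ok)


def with_wcet(model: dict, component: str, wcet_ms: int) -> dict:
    """Copy of the model with one task's WCET changed (a design change to re-check)."""
    changed = copy.deepcopy(model)
    changed["components"][component]["wcet_ms"] = wcet_ms
    return changed


if __name__ == "__main__":
    print("baseline failures:", failed_nodes(SYSTEM_MODEL))
    print("after controller WCET 4->6 ms:", failed_nodes(with_wcet(SYSTEM_MODEL, "controller", 6)))
```

Raising the controller's WCET from 4 to 6 ms pushes utilization past the rate-monotonic bound, so Sn2 fails and the failure propagates to G3, S1 and G1 while G2 and G4 remain supported; that per-node result is what makes re-checking after a change cheap.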

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA

United Launch Alliance (ULA) believes error reporting is the cornerstone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012 ULA experienced an elevated number of transportation-related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates processes were "in control" during the period of this study.

Even though statistical analysis tools demonstrated ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.

Isograph Software: World Leading Reliability, Availability and Maintenance Software
Reliability Workbench: Reliability Allocation, Prediction, FMECA, Fault Tree Analysis, Event Tree Analysis, Markov
Availability Workbench: Reduce Labor & Spares Costs, Increase uptime and output, Seamless integration with SAP and Maximo
wwwisograph-softwarecom
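A p-chart over Event data of the kind the ULA paper describes, as an added example (not ULA's code or data: the monthly counts are constructed, and treating each transportation move as one opportunity for an Event is an assumption of this example). It computes per-period control limits, applies the out-of-control test, and shows the Phase I step of removing assignable-cause points before recomputing the limits, the caveat that matters most when one spike is what prompted the analysis.

```python
"""p-chart (attribute control chart) over error-Event counts.

Added example, not ULA's code or data. Each constructed period records the
number of opportunities (n, e.g. transportation moves) and the number of
Events (d). Limits are p_bar +/- 3*sqrt(p_bar*(1-p_bar)/n), recomputed per
period because n varies; the lower limit is floored at 0.
"""
import math
from typing import Dict, List, Tuple

Period = Tuple[str, int, int]  # (label, opportunities n, events d)

# Constructed sample data with one deliberately elevated month (2012-09).
SAMPLE_PERIODS: List[Period] = [
    ("2012-01", 120, 2), ("2012-02", 110, 1), ("2012-03", 130, 3),
    ("2012-04", 125, 2), ("2012-05", 115, 1), ("2012-06", 140, 2),
    ("2012-07", 135, 3), ("2012-08", 120, 2), ("2012-09", 118, 9),
    ("2012-10", 122, 2), ("2012-11", 128, 1), ("2012-12", 124, 2),
]


def p_bar(periods: List[Period]) -> float:
    """Center line: total events / total opportunities (not the mean of the p_i)."""
    return sum(d for _, _, d in periods) / sum(n for _, n, _ in periods)


def control_limits(pb: float, n: int, sigma: float = 3.0) -> Tuple[float, float]:
    """(LCL, UCL) for a period of size n; LCL is clamped at 0 because p >= 0."""
    half = sigma * math.sqrt(pb * (1.0 - pb) / n)
    return max(0.0, pb - half), min(1.0, pb + half)


def p_chart(periods: List[Period], sigma: float = 3.0) -> Tuple[float, List[Dict]]:
    """Center line plus one row per period with its p_i, limits and flag."""
    pb = p_bar(periods)
    rows = []
    for label, n, d in periods:
        p = d / n
        lcl, ucl = control_limits(pb, n, sigma)
        rows.append({"period": label, "n": n, "d": d, "p": p,
                     "lcl": lcl, "ucl": ucl, "out_of_control": p < lcl or p > ucl})
    return pb, rows


def in_control(periods: List[Period], sigma: float = 3.0) -> bool:
    """True when no period falls outside its limits (only the 3-sigma rule is applied;
    run and trend rules are not)."""
    return not any(r["out_of_control"] for r in p_chart(periods, sigma)[1])


def phase_one(periods: List[Period], sigma: float = 3.0, max_rounds: int = 5):
    """Phase I practice: points with an assignable cause are removed and the limits
    recomputed, so a spike does not inflate p_bar for future monitoring.
    Returns (final p_bar, periods removed)."""
    kept, dropped = list(periods), []
    for _ in range(max_rounds):
        flagged = {r["period"] for r in p_chart(kept, sigma)[1] if r["out_of_control"]}
        if not flagged:
            break
        dropped += [p for p in kept if p[0] in flagged]
        kept = [p for p in kept if p[0] not in flagged]
    return p_bar(kept), dropped


if __name__ == "__main__":
    pb, rows = p_chart(SAMPLE_PERIODS)
    print(f"center line p_bar = {pb:.4f}")
    for r in rows:
        flag = "  <-- out of control" if r["out_of_control"] else ""
        print(f"{r['period']} n={r['n']:3d} d={r['d']:2d} p={r['p']:.4f} "
              f"UCL={r['ucl']:.4f}{flag}")
    print("in control:", in_control(SAMPLE_PERIODS))
    print("phase I:", phase_one(SAMPLE_PERIODS))
```

With the constructed data only 2012-09 exceeds its upper limit; dropping it lowers the center line from 30/1487 to 21/1369 and the remaining eleven months are in control, which is the "in control with respect to errors" conclusion in chart form. Using the pooled proportion for p_bar and per-period limits matters because the sample sizes differ month to month.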

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, PEng, MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece

Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retrospectively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how STAMP-Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents and incidents. The objective is to show the feasibility of establishing in airports system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems and airports to assess and predict changing levels of risk.


Special Functions

Saturday
SSS Executive Council Meeting, 12:00 - 5:00pm, Tremont Room

Sunday
SSS Executive Council Meeting, 8:00am - 5:00pm, Tremont Room

Monday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Opening Ceremonies / General Session, 1:30 - 3:30pm, Salons A-E. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow Member Emeritus. Keynote Speaker: James P. Keller Jr., MS, ECRI Institute

Tuesday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Sponsor/Exhibitor Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology
Sponsor & Exhibitor Reception, 6:30 - 8:30pm, Gloucester Room

Wednesday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
International Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK
Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00pm. Be in the hotel lobby at 6:00pm

Thursday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Awards Luncheon, 11:30am - 1:20pm, Salons A-E

Friday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Best Papers Presentations, 8:00 - 11:20am, Dartmouth Room


32nd International System Safety Conference, 4-8 August 2014, St. Louis, MO
St. Louis Union Station Marriott Hotel
Gateway to Safety

Local attractions
• Gateway Arch Riverfront
• Missouri History Museum
• Museum of Transportation
• St. Louis Cardinals
• St. Louis Symphony
• St. Louis Union Station
• St. Louis Science Center
• The Contemporary Art Museum St. Louis
• Bissell Mansion Restaurant and Dinner Theater
• Missouri Botanical Gardens
• Laumeier Sculpture Park
• Anheuser-Busch Brewery
• Kemp Auto Museum
• Schlafly Bottleworks
• Fox Theater
• Purina Farms
• Meramec Caverns
• Laclede's Landing
• City Museum
• Magic House
• Grant's Farm
• St. Louis Zoo
• Delmar Loop
• Forest Park
• Harrah's
• Six Flags


About the System Safety Society
The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program or activity at the planning phase and continues through the design, production, testing, use and disposal phases.

The Society's Objectives
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070
www.system-safety.org, email: systemsafety@system-safety.org

Points of Contact

Officers
Robert Schmedake, President, robertaschmedakeboeingcom
Dr. Rod Simmons, Executive Vice President, rodsimmonsmecom
Dr. Matt Johnson, Executive Secretary, mjohnsonstaudertechcom
Pam Kniess, Treasurer, pamkniessgmailcom
Gary Braman, Immediate Past President, gbramansikorskycom

Directors
Gerry Einarsson, Chapter Services, einargkrogerscom
Lynece Pfledderer, Conferences, Lynecepfleddererlmcocom
Dr. Chuck Muniak, Education & Professional Development, cmuniakstevensedu
Debbie Hale, Gov & Intersociety, Hale0324hotmailcom
Robert Fletcher, International Development, rwfletchersympaticoca
Melissa Emery, Member Services, memeryapt-researchcom
Steve Mattern, Mentoring R&D, smatternbastiontechnologiescom
Saralyn Dwyer, Publicity & Media, sdwyerapt-researchcom


Chapters
Tennessee Valley Chapter (AL): Don Swallom, swallomisss-tvcorg
Saguaro Chapter (AZ): Amanda Boysun, 520-794-5487, AmandaBoysunraytheoncom
Bay Area Chapter (CA): Graham Murray, 408-756-2674, grahamtmurraylmcocom
Central California Chapter (CA): Kathleen Brenna, KathleenBrenna1usafmil
Sierra High Desert Chapter (CA): Jerry Banister, 760-377-4690, safetycitadelearthlinknet
Southern California Chapter (CA): Francis McDougall, 310-653-1309, francismcdougallusafmil
Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppecomcastnet
Georgia Chapter: Terry Gooch, 770-494-3527, terryjgoochgmailcom
Winners Circle Chapter (KY/IN): Marc Bever, 812-854-1351, Marcbevernavymil
Twin Cities Chapter (MN): Bill Blake, 763-744-5086, billblakeatkcom
New England Chapter: Alan E. Southwick, 401-842-2067, Alan_E_Southwickraytheoncom
Northeast Chapter: Scott Beecher, scottbeecherPWutccom
New Mexico Chapter (NM): William (Bill) Harwood, williamharwoodmdamil
Houston Chapter (TX): Derek Robins, 281-335-2011, derekrobbinsmwcc-usacom
North Texas Chapter (TX): Frank Rinaldo, 817-762-3075, frankrrinaldolmcocom
Washington DC Chapter: Sean Peters, seanpetersurscom
Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerberbaesystemscom

International Chapters
Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbechtrgbassurancecomau
Canada Chapter: Maury Hill, 613-220-0533, Mauryhillrogerscom
Israel Chapter: Haim Kuper, 972-4-8315044, haimkuperelbitsystemscom
Singapore Chapter: Ten Lin Mei, tlinmeidsoorgsg

Notes

31st ISSC Luncheon Menu

Tuesday, August 13
New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14
Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15
Caesar Salad
Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato Pesto Butter Sauce
White Chocolate and Blood Orange Torte


Origin of Test Requirements and Passing Criteria for the Qualification of Pyrotechnics
John C. Adams, BME, Booz Allen Hamilton, Arlington, VA, USA; Ken Tomasello, BSChE, Navy NOSSA, Indian Head, MD, USA

The development of explosives requires a rigorous regimen of tests, both small-scale and large-scale, before explosives can be judged safe and suitable for service use. The US Department of Defense (DoD) requires that all energetic materials be Qualified and Final (Type) Qualified in accordance with NATO STANAGs 4170 and 4439, with guidance provided in the associated AOP-7 and AOP-39 for implementing policy. Questions are often raised during program development and reviews as to the origin and applicability of tests and pass/fail criteria required by the military services. This paper is the result of a review of historical documents, including many documents detailing early European explosive history. We define the term Qualification as used originally and attempt to put in perspective the purpose of test requirements and any associated pass/fail criteria. Our goals are to put the qualification of explosives in a historical context and to stimulate discussion within the energetic material community as to the validity of these requirements in our current work environment. This paper, the fourth in a series, will only address Qualification requirements for pyrotechnics. It explores each test and examines the genesis of the test requirements and pass/fail criteria.

A Safety Analysis Approach to Science & Technology and Quick Reaction Capability Weapon System Projects
Nga Pham, MS SE, Gunendran Sivapragasam, MBA SE, Combat System Safety Branch, Naval Surface Warfare Center Dahlgren, Dahlgren, VA, USA

A Science and Technology (S&T) and Quick Reaction Capability (QRC) weapon system project has different characteristics from a traditional weapon system acquisition program. Short development time, insufficient or missing documentation and requirements, and frequent design changes are among those characteristics unique to these programs.

While safety analysis for traditional weapon acquisition programs is well established and practiced regularly in the Navy, the safety analysis for S&T and QRC projects warrants a different approach. That approach aims to achieve two objectives: (1) provide a sufficient safety analysis for a weapon system in the S&T phase, and (2) lay down the groundwork with analysis that can be built upon for the same weapon system if it becomes an acquisition program of record in the future.

The paper describes how that approach was formulated and applied to an S&T and QRC project.

Thursday, 08/15/13, AM, Dartmouth: Hazard Identification, Chair: Oliver

Closing the Gaps in System Safety Coverage
Seet Ting Siow, Management Systems & Processes, ST Kinetics, Singapore, Singapore

We often ask ourselves why accidents or mishaps happened even when a system safety methodology and assessments were in place. Accidents happen due to many possible causes. There could be lapses in the safety integrity of the system, or a combination of human events and system interactions in a unique situation (as described by the Swiss Cheese Model), or even unknowns: that a system could be capable of functioning in a hazardous manner.

This paper discusses some of the situations that were faced in the journey of practicing system safety. It attempts to classify the areas of concern where gaps in the system safety process could exist and explores ways to minimize these gaps, thus improving the practices in system safety. Four areas of concern are highlighted in the paper: Interfaces; Prototype Tests & Trials; Maintenance & Disposal; and Human Error. By identifying the gaps in these four areas, the author explores and proposes mitigation measures that could possibly close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr., Cand. scient., System Safety, SINTEF, Trondheim, Norway

Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body for certification according to IEC 61508, a Notified Body for certification according to relevant EU directives, and a Manufacturer.

Experience has shown that, to deliver the product in time and to be cost-effective, it is very important that the Manufacturer and the Certification and Notified Bodies agree about basic principles concerning the plans, contents, traceability and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Body as evidence.

This paper presents the CoVeR method, which has been developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report (CER) for conformance to IEC 61508. This ensures a good start, that costs are minimized, that time to market is reduced, that the certification process is complete and well documented, and that updating the certificates requires less work. The certification experiences to date show that many of the problems with conventional methods are reduced.

Design with Safety Eye
Barış Berk Erdem, MS, Pinar Aydin, MS, Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey

Deriving safety requirements in the early stages of design is one of the key factors in conducting a successful development process for any project. Well-defined, correct, consistent and complete safety requirements guide the design toward its goals with minimum effort, whereas defective, inconsistent and incorrect safety requirements may lead to unsuccessful, overweight and over-budget designs. In this paper, ways of deriving qualified safety requirements in the early stages of design, and the advantages of doing so, are discussed via examples. Safety requirements are derived from the results of safety assessments, based on the consequences of functional failures. But the quality of safety assessments depends on the maturity of the design, and as the design matures it becomes hard to implement changes, which causes a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated and familiar with similar projects provides great contributions. A safety perspective throughout the design team also makes it easier to derive valuable safety requirements and to carry them into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is cooperation of the whole design team with a safety perspective.

Thursday, 08/15/13, PM, Berkeley: Aerospace Software, Chair: Beecher

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway, NASA Langley Research Center, Hampton, VA, USA

For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements". Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments contained in or implied by the DO-178C guidance that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety LogicPatrick J Graydon Postdoctoral Research Fellow School Of Innovation Design and Engineering Maumllardalen University Vaumlsterarings SwedenReasoning about system safety requires reasoning about confidence in safety claims For example DO-178B requires developers to determine the correctness of the worst-case execution time of the software It is not possible to do this beyond any doubt Therefore developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures timing analysis results and claims to have met timing-related software safety requirements In this paper we survey and assess existing concepts that might serve as means of describing and reasoning about confidence including safety integrity levels probability distributions of failure rates Bayesian Belief Networks argument integrity levels and Baconian probability We define use cases for confidence in safety cases prescriptive standards certification of component-based systems and the reuse of safety elements both in and out of context From these use cases we derive requirements for a confidence framework We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements Our results show that no existing confidence metric is ideally suited for all uses We conclude by discussing implications for future standards and for reuse of safety elements

Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace SystemEric Yang PhD Richard Y Xie PhD Arash Yousefi PhD Metron Aviation Inc Dulles VA USAAs demand for military civilian and commercial Unmanned Aircraft Systems (UAS) increases the Federal Aviation Administration (FAA) is planning to fully integrate the UAS operations into the National Airspace System (NAS) Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety that is set by the International Civil Aviation Organization (ICAO) The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics

In this paper we adapt a previously developed safety modeling framework Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC) to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives More specifically we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS incompatibility of sense-and-avoid systems of UAS and Tactical Collision Avoidance Systems (TCAS) of manned aircraft loss-link procedures in the UAS and the UAS loss of communication with air traffic control The findings of this study provides insight into potential risks of UAS integration and may support development of concept of operation establishing minimum performance standards and developing required safety nets

thursday 081513 pM ClarEndon puBliC saFEty ii Chair laaBs

Integrating System Safety and Emergency ManagementTerry L Hardy Great Circle Analytics LLC Denver CO USASystem safety is an engineering and management discipline used to analyze hazards evaluate risk and design the system to eliminate conditions that can lead to an undesired consequence Emergency management is an ongoing process to prevent mitigate prepare for respond to and recover from an incident that threatens life property operations or the environment Both system safety and emergency management are essential to creating resilient systems Optimally system safety and emergency management efforts will be integrated and personnel with expertise in these disciplines will work together to identify hazards assess risks identify approaches that reduce risk and create effective responses to emergencies However in many organizations these functions are organizationally

ProgramISSC2013

47

separated with little interaction or personnel are assigned these tasks without appropriate knowledge and training Therefore organizations may not be taking full advantage of the skills experience and insights that trained personnel from each of these disciplines have to offer Basic concepts in system safety and emergency management are described with examples of how these disciplines might collaborate to improve safety Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction

Safety in Deepwater Well Containment OperationsDerek A Robins BS Safety MS Systems Management CSP CFPS HSE Marine Well Containment Company Houston TX USAFollowing the Deepwater Horizon incident ExxonMobil Chevron ConocoPhillips and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico

This led to the formation of Marine Well Containment Company (MWCC) an independent company which would develop maintain and advance well containment systems for the deepwater US Gulf Following formation MWCC gained six additional members Anadarko Apache BHP Billiton BP Hess and Statoil In February 2011 MWCCrsquos interim containment system (ICS) was made available for use the system provides the capability to shut in a well or if necessary flow the fluids to the surface for processing and storage

The proposed paper would provide an overview of MWCC its ICS and Expanded Containment System (ECS) which will provide greater capacity and capability to control a well as well as an overview of the safety aspects of maintaining and deploying these systems This includes our approach for working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems

The current system is being maintained in a state of readiness which will be addressed in this paper

WHAT ARE YOUR STRENGTHS AS AN ENGINEER

ldquothinking system-widerdquo ldquoproviding in-depth analysis of the latest technologiesrdquo ldquosolving real-life problemsrdquo

ONLINE MASTERrsquoS DEGREES

- RELIABILTY ENGINEERING- PROJECT MANAGEMENT- NUCLEAR ENGINEERING- SUSTAINABLE ENERGY- ENERGETIC CONCEPTS- FIRE PROTECTION ENGINEERING

LEARN MOREwwwadvancedengineeringeduissc

48

A Taxonomic Analysis on Chinese Special Equipments ldquoYinhuanrdquo in SupervisionYunxiao Fan Dr Associate Professor Yun Luo Professor Ming Lu Master School of Engineering and Technology China University of Geosciences (Beijing) Beijing ChinaBureau of Special Equipment Supervision (BSES) is an in-house department of General Administration of Quality Supervision Inspection and Quarantine of the Peoplersquos Republic of China (AQSIQ) The bureau is responsible for administering and supervising special equipments to ensure their safety in worksite Special equipments in China include boilers pressure vessels elevators lifting appliances passenger ropeways large amusement devices and automobiles In recent years the rapid increase in numbers and types of special equipments has brought BSES increasing stress on special equipments regulation As government supervision organization BSES try to explicit inspect tasks of different supervision level efficiently and improve safety management performance based on the view of risk This research is the first task in the project which aims to identify yinhuans in special equipment supervision in taxonomy approach for further ranking them through risk assessmentBased on nonconformity and 4 elements in the accident causation model this research defined yinhuans of special equipments in China and built yinhuan taxonomic analysis structure This research identified nonconformities from related regulations standards procedures etc and identified 830 yinhuans of 8 type special equipments

thursday 081513 pM dartMouth hazardrisk ManagEMEnt ii Chair kniEss

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1); Patrick J. Graydon, PhD (2); Rikard Land, PhD (1). (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework that includes analysers for safety cases defined in the Goal Structuring Notation (GSN) and for systems modelled in the Architecture Analysis and Design Language (AADL). In our approach the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence; it can also ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA

United Launch Alliance (ULA) believes error reporting is the cornerstone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented and shared Event data since 2007, and analysis confirms that Event severity and cost have steadily declined during this period.

In 2012 ULA experienced an elevated number of transportation-related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if the associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data
• Statistical Quality Control P-Charting analysis indicates the processes were "in control" during the period of this study

ProgramISSC2013

49


Even though statistical analysis tools demonstrated ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business; rather, ULA strives to eliminate all errors.
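The P-chart test the abstract refers to, as an added illustration written for this program entry and not ULA's own analysis or data: the monthly counts of transport moves and reported Events are constructed, and the limits are the standard three-sigma binomial limits of Statistical Quality Control.

```python
"""P-chart check: is a process 'in control' with respect to error Events?

Added illustration for the abstract above, not ULA's code or data. The
monthly counts are constructed; the limits are the usual p-chart formula
p_bar +/- 3 * sqrt(p_bar * (1 - p_bar) / n), recomputed per subgroup so
that periods with different numbers of opportunities get their own limits.
"""
from dataclasses import dataclass
from math import sqrt
from typing import List, Tuple


@dataclass(frozen=True)
class Subgroup:
    """One reporting period: opportunities for error and Events actually reported."""
    label: str
    n: int        # opportunities in the period (e.g. transport moves), must be > 0
    events: int   # reported Events among those opportunities, 0 <= events <= n


@dataclass(frozen=True)
class Point:
    """One plotted point with its limits and the out-of-control verdict."""
    label: str
    p: float
    lcl: float
    ucl: float
    out_of_control: bool


def pooled_fraction(groups: List[Subgroup]) -> float:
    """p-bar: total Events divided by total opportunities over all subgroups."""
    total_n = sum(g.n for g in groups)
    if total_n <= 0:
        raise ValueError("no opportunities in the data")
    return sum(g.events for g in groups) / total_n


def control_limits(p_bar: float, n: int, z: float = 3.0) -> Tuple[float, float]:
    """(LCL, UCL) for a subgroup of size n. A proportion cannot leave [0, 1],
    so the limits are clipped; with a small p_bar the LCL is usually 0."""
    sigma = sqrt(p_bar * (1.0 - p_bar) / n)
    return max(0.0, p_bar - z * sigma), min(1.0, p_bar + z * sigma)


def p_chart(groups: List[Subgroup], z: float = 3.0) -> List[Point]:
    """Evaluate every subgroup against limits derived from the pooled p-bar."""
    for g in groups:
        if g.n <= 0 or not 0 <= g.events <= g.n:
            raise ValueError(f"bad subgroup {g.label}: n={g.n}, events={g.events}")
    p_bar = pooled_fraction(groups)
    points = []
    for g in groups:
        p = g.events / g.n
        lcl, ucl = control_limits(p_bar, g.n, z)
        points.append(Point(g.label, p, lcl, ucl, p > ucl or p < lcl))
    return points


def in_control(groups: List[Subgroup], z: float = 3.0) -> bool:
    """True when no subgroup falls outside its three-sigma limits."""
    return not any(pt.out_of_control for pt in p_chart(groups, z))


# Constructed data: twelve months of 200 transport moves each (not ULA figures).
# SAMPLE_STABLE has ordinary month-to-month variation around p_bar = 0.02;
# SAMPLE_SPIKE is the same series with an elevated June.
_STABLE_EVENTS = [4, 3, 5, 4, 2, 6, 3, 4, 5, 3, 4, 5]
_SPIKE_EVENTS = [4, 3, 5, 4, 2, 12, 3, 4, 5, 3, 4, 5]
SAMPLE_STABLE = [Subgroup(f"2012-{m:02d}", 200, e) for m, e in enumerate(_STABLE_EVENTS, 1)]
SAMPLE_SPIKE = [Subgroup(f"2012-{m:02d}", 200, e) for m, e in enumerate(_SPIKE_EVENTS, 1)]


def report(groups: List[Subgroup]) -> str:
    """Plain-text chart table, one row per period, flagging excursions."""
    rows = [f"{'period':8} {'p':>7} {'LCL':>7} {'UCL':>7}  flag"]
    for pt in p_chart(groups):
        flag = "OUT" if pt.out_of_control else ""
        rows.append(f"{pt.label:8} {pt.p:7.4f} {pt.lcl:7.4f} {pt.ucl:7.4f}  {flag}")
    return "\n".join(rows)


if __name__ == "__main__":
    for name, data in (("stable", SAMPLE_STABLE), ("spike", SAMPLE_SPIKE)):
        print(f"--- {name}: in control = {in_control(data)}")
        print(report(data))
```

A point outside the limits is a signal to investigate that period, not proof of a cause; a series with no excursion is what the abstract calls "in control".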

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, PEng, MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece

Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively; current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how STAMP-Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents and incidents. The objective is to show the feasibility of establishing in airports system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems and airports to assess and predict changing levels of risk.


Special Functions

Saturday: SSS Executive Council Meeting, 12:00 - 5:00pm, Tremont Room

Sunday: SSS Executive Council Meeting, 8:00am - 5:00pm, Tremont Room

Monday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Opening Ceremonies / General Session, 1:30 - 3:30am, Salons A-E. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus

Keynote Speaker: James P. Keller Jr., MS, ECRI Institute

Tuesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Sponsor/Exhibitor Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology

Sponsor & Exhibitor Reception, 6:30 - 8:30pm, Gloucester Room

Wednesday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

International Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK

Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00pm. Be in the hotel lobby at 6:00pm

Thursday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Awards Luncheon, 11:30 - 1:20pm, Salons A-E

Friday: Speakers' Breakfast, 6:30 - 8:00am, Simmons Room

Best Papers Presentations, 8:00 - 11:20am, Dartmouth Room


32nd International System Safety Conference, 4-8 August 2014 · St. Louis, MO

St. Louis Union Station Marriott Hotel

"Gateway to Safety" · St. Louis, Missouri · August 4-8, 2014

Local Attractions
• Gateway Arch Riverfront
• Missouri History Museum
• Museum of Transportation
• St. Louis Cardinals
• St. Louis Symphony
• St. Louis Union Station
• St. Louis Science Center
• The Contemporary Art Museum St. Louis
• Bissell Mansion Restaurant and Dinner Theater
• Missouri Botanical Gardens
• Laumeier Sculpture Park
• Anheuser-Busch Brewery
• Kemp Auto Museum
• Schlafly Bottleworks
• Fox Theater
• Purina Farms
• Meramec Caverns
• Laclede's Landing
• City Museum
• Magic House
• Grant's Farm
• St. Louis Zoo
• Delmar Loop
• Forest Park
• Harrah's
• Six Flags


About the System Safety Society

The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program or activity at the planning phase and continues through the design, production, testing, use and disposal phases.

The Society's Objectives
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering and other professional groups

System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070. www.system-safety.org, email: systemsafety@system-safety.org

Points of Contact

Officers
Robert Schmedake, President, robertaschmedakeboeingcom
Dr. Rod Simmons, Executive Vice President, rodsimmonsmecom
Dr. Matt Johnson, Executive Secretary, mjohnsonstaudertechcom
Pam Kniess, Treasurer, pamkniessgmailcom
Gary Braman, Immediate Past President, gbramansikorskycom

Directors
Gerry Einarsson, Chapter Services, einargkrogerscom
Lynece Pfledderer, Conferences, Lynecepfleddererlmcocom
Dr. Chuck Muniak, Education & Professional Development, cmuniakstevensedu
Debbie Hale, Gov. & Intersociety, Hale0324hotmailcom
Robert Fletcher, International Development, rwfletchersympaticoca
Melissa Emery, Member Services, memeryapt-researchcom
Steve Mattern, Mentoring R&D, smatternbastiontechnologiescom
Saralyn Dwyer, Publicity & Media, sdwyerapt-researchcom


Chapters

Tennessee Valley Chapter AL Don Swallom swallomisss-tvcorg

Saguaro Chapter AZ Amanda Boysun 520-794-5487 AmandaBoysunraytheoncom

Bay Area Chapter CA Graham Murray 408-756-2674 grahamtmurraylmcocom

Central California Chapter CA Kathleen Brenna KathleenBrenna1usafmil

Sierra High Desert Chapter CA Jerry Banister 760-377-4690 safetycitadelearthlinknet

Southern California Chapter CA Francis McDougall 310-653-1309 francismcdougallusafmil

Colorado Chapter Terry Foppe 303-915-8353 terryfoppecomcastnet

Georgia Chapter Terry Gooch 770-494-3527 terryjgoochgmailcom

Winners Circle Chapter KYIN Marc Bever 812-854-1351 Marcbevernavymil

Twin Cities Chapter MN Bill Blake 763-744-5086 billblakeatkcom

New England Chapter Alan E Southwick 401-842-2067 Alan_E_Southwickraytheoncom

Northeast Chapter Scott Beecher scottbeecherPWutccom

New Mexico Chapter NM William (Bill) Harwood williamharwoodmdamil

Houston Chapter TX Derek Robins 281-335-2011 derekrobbinsmwcc-usacom

North Texas Chapter TX Frank Rinaldo 817-762-3075 frankrrinaldolmcocom

Washington DC Chapter Sean Peters seanpetersurscom

Virtual Chapter Doanna Weissgerber 408-289-4407 DoannaWeissgerberbaesystemscom

International Chapters

Australia Chapter Dr Holger Becht +61 (0)7 3868 9243 holgerbechtrgbassurancecomau

Canada Chapter Maury Hill 613-220-0533 Mauryhillrogerscom

Israel Chapter Haim Kuper 972-4-8315044 haimkuperelbitsystemscom

Singapore Chapter Ten Lin Mei tlinmeidsoorgsg


31st ISSC Luncheon Menu

Tuesday, August 13

New England Clam Chowder

Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction

Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14

Asian Inspired Salad

Teriyaki Chicken, Coconut Rice, Seared Bok Choy

Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15

Caesar Salad

Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce

White Chocolate and Blood Orange Torte


Interfaces, Prototype Tests & Trials, Maintenance & Disposal, and Human Error. By identifying the gaps in these 4 areas, the author explores and proposes mitigation measures that could possibly close the gaps and improve the overall safety coverage in developing a new system or product.

Certification of Safety Products in Compliance with Directives Using the CER and CoVeR Methods
Thor Myklebust, Sr. Cand. scient., System Safety, SINTEF, Trondheim, Norway

Certification of products according to IEC 61508 and European directives implies a certification process that involves a Certification Body (for certification according to IEC 61508), a Notified Body (for certification according to the relevant EU directives) and a Manufacturer.

Experience has shown that, to deliver the product in time and to be cost-effective, it is very important that the Manufacturer and the Certification and Notified Bodies agree about basic principles concerning the plans, contents, traceability and quality of the documentation to be developed by the Manufacturer and used by both the Certification and Notified Body as evidence.

This paper presents the CoVeR method, which has been developed by SINTEF to ensure that all applicable requirements are covered. The method includes a Certification Plan, a Conformity Verification Specification and a Conformity Verification Report for conformance to the EU directives, and a Conformity Evidence Report for conformance to IEC 61508. This ensures a good start, that costs are minimized and time to market reduced, that the certification process is complete and well documented, and that updating the certificates requires less work. The certification experience to date shows that many of the problems with conventional methods are improved upon.

Design with Safety Eye
Barış Berk Erdem, MS; Pinar Aydin, MS. Speciality Engineering Group, Turkish Aerospace Industries, Ankara, Turkey

Deriving safety requirements in the early stages of the design is one of the most important key factors in conducting a successful development process for any project. Just as well-defined, correct, consistent and complete safety requirements improve and guide the design to perfect levels with minimum effort, defective, inconsistent and incorrect safety requirements may lead to unsuccessful, overweight and over-cost designs. In this paper, ways of deriving qualified safety requirements in the early stages of the design, and the advantages of doing so, will be discussed via examples. Safety requirements are derived using the results of the safety assessments, which are based on the consequences of functional failures. But the quality of safety assessments depends on the maturity of the design, and as the design matures it becomes hard to implement changes, which causes a dilemma. At the early stages of design, working with safety specialists who are more experienced, better educated and familiar with similar projects provides great contributions. A safety perspective throughout the design team also makes it easy to derive valuable safety requirements and carry these requirements into the product. In summary, as the design progresses, the only way to overcome schedule and cost pressure is cooperation of the whole design team with a safety perspective.

Thursday 08/15/13 PM, Berkeley: Aerospace Software. Chair: Beecher

Making the Implicit Explicit: Towards an Assurance Case for DO-178C
C. Michael Holloway, NASA Langley Research Center, Hampton, VA, USA

For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance "for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements". Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments, contained in or implied by the DO-178C guidance, that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels and Baconian probability. We define use cases for confidence in safety cases, prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for reuse of safety elements.

Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System
Eric Yang, PhD; Richard Y. Xie, PhD; Arash Yousefi, PhD. Metron Aviation Inc., Dulles, VA, USA

As demand for military, civilian and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper we adapt a previously developed safety modeling framework, the Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS, incompatibility between the sense-and-avoid systems of UAS and the Tactical Collision Avoidance Systems (TCAS) of manned aircraft, loss-link procedures in the UAS, and UAS loss of communication with air traffic control. The findings of this study provide insight into the potential risks of UAS integration and may support development of a concept of operation, establishing minimum performance standards, and developing the required safety nets.

Thursday 08/15/13 PM, Clarendon: Public Safety II. Chair: Laabs

Integrating System Safety and Emergency Management
Terry L. Hardy, Great Circle Analytics LLC, Denver, CO, USA

System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to and recover from an incident that threatens life, property, operations or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore organizations may not be taking full advantage of the skills, experience and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS, HSE, Marine Well Containment Company, Houston, TX, USA

Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess and Statoil. In February 2011, MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS and its Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach to working with member companies on hazard identifications to establish a baseline, and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.


A Taxonomic Analysis on Chinese Special Equipments ldquoYinhuanrdquo in SupervisionYunxiao Fan Dr Associate Professor Yun Luo Professor Ming Lu Master School of Engineering and Technology China University of Geosciences (Beijing) Beijing ChinaBureau of Special Equipment Supervision (BSES) is an in-house department of General Administration of Quality Supervision Inspection and Quarantine of the Peoplersquos Republic of China (AQSIQ) The bureau is responsible for administering and supervising special equipments to ensure their safety in worksite Special equipments in China include boilers pressure vessels elevators lifting appliances passenger ropeways large amusement devices and automobiles In recent years the rapid increase in numbers and types of special equipments has brought BSES increasing stress on special equipments regulation As government supervision organization BSES try to explicit inspect tasks of different supervision level efficiently and improve safety management performance based on the view of risk This research is the first task in the project which aims to identify yinhuans in special equipment supervision in taxonomy approach for further ranking them through risk assessmentBased on nonconformity and 4 elements in the accident causation model this research defined yinhuans of special equipments in China and built yinhuan taxonomic analysis structure This research identified nonconformities from related regulations standards procedures etc and identified 830 yinhuans of 8 type special equipments

thursday 081513 pM dartMouth hazardrisk ManagEMEnt ii Chair kniEss

Towards Automatic Verification of Safety Properties in AADL System ModelsStefan Bjoumlrnander MSc1 Patrick J Graydon PhD2 Rikard Land PhD1 (1) Maximatecc Vaumlsterarings Sweden (2) School Of Innovation Design and Engineering Maumllardalen University Vaumlsterarings SwedenIn some domains standards such as ISO 26262 or the UK Ministry of Defencersquos Defence Standard 00-56 require developers to produce a safety case As the safety case for a complex system can be rather large automated verification of all or part of it would be valuable

We have approached the issue by designing a method supported by a framework including analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL) In our approach the safety case predicates are defined in a subset of the functional language Meta Language (ML)

Our approach facilities formalising some parts of a typical safety argument in an ML-like notation enabling automatic verification of some reasoning steps in the safety argument Automatic verification not only justifies increased confidence it can ease the burden of re-checking the safety argument as it (and the system) change

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error EventsJames E Allison System Safety United Launch Alliance Centennial CO USA Elie Jerdak Quality United Launch Alliance Centennial CO USAUnited Launch Alliance (ULA) believes error reporting is the corner-stone of an effective Error Prevention program ULA recognizes every error (referred to by ULA as Events) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure ULA has freely reported documented and shared Event data since 2007 and analysis confirms Event severity and cost have steadily declined during this period

In 2012 ULA experienced an elevated number of transportation related Events in a relatively short time period Logically the question ldquoare these processes out of controlrdquo was asked

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if associated processes were in statistical control with respect to errors

This paper concludes The Statistical Quality Control P-Charting technique can be applied to Event data bull Statistical Quality Control P-Charting analysis indicates processes were ldquoin controlrdquo with during the bull period of this study

ProgramISSC2013

49

Reliability Allocation Prediction FMECA Fault Tree Analysis Event Tree Analysis Markov

Reliability Workbench

wwwisograph-softwarecom

Isograph SoftwareWorld Leading Reliability Availability and Maintenance Software

Reduce Labor amp Spares Costs Increase uptime and output Seamless integration with SAP and Maximo

Availability Workbench

Even though statistical analysis tools demonstrated ULArsquos processes were ldquoin controlrdquo ULA continues to pursue a ldquoZero Defectsrdquo objective That is ULA does not accept errors as an inevitable side effect of business Rather ULA strives to eliminate all errors

Leading Indicators in Aviation OperationsRobert W Fletcher PMP PEng MSc Robert Fletcher System Safety Inc Ottawa ON Canada Ioannis M Dokas PhD CEng Civil Engineering Democritus University of Thrace Xanthi GreeceSince September 11 2001 system safety and security has been of great concern in aviation operations and many resources have been committed to maintaining acceptable levels of risk Leading indicators based on the timely capture of significant sets of data can be used to provide warnings of changes in risk levels Traditionally hazard and threat analyses methods have been applied retroactively Current security and safety methodologies encourage the development of systems that are proactive and predictive This paper will describe how the STAMP Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes accidents and incidents The objective is to show the feasibility of establishing in airports system safety and security monitoring stations that use hazard and threat data from airlines air navigation systems and airports to assess and predict changing levels of risk

50

SatUrdaysss executive Council meeting 1200 - 500pm Tremont Room

SUndaysss executive Council meeting 800am - 500pm Tremont Room

mondayspeakersrsquo Breakfast 630 - 800am Simmons Room

Opening Ceremoniesgeneral session 130 - 330am Salons A-E 50th Celebration Speaker Rex B Gordon MPH PE CSP Fellow Member Emeritus

Keynote Speaker James P Keller Jr MS ECRI Institute

tUeSdayspeakersrsquo Breakfast 630 - 800am Simmons Room

sponsorexhibitor luncheon 1130am - 120pm Salons A-E Speaker Dr Nancy Leveson Massachusetts Institute of Technology

sponsor amp exhibitor reception 630 - 830pm Gloucester Room

WedneSdayspeakersrsquo Breakfast 630 - 800am Simmons Room

international luncheon 1130am - 120pm Salons A-E Speaker Dr John McDermid The University of York UK

Wolfgang Puck Dinner amp lightning show at the museum of science 630 - 1000pm Be in the hotel lobby at 600pm

thUrSdayspeakersrsquo Breakfast 630 - 800am Simmons Room

awards luncheon 1130 - 120pm Salons A-E

Fridayspeakersrsquo Breakfast 630 - 800am Simmons Room

Best Papers Presentations 800 - 1120am Dartmouth Room

sPeCial fUnCtiOns

ProgramISSC2013

51

32nD internatiOnal system safety COnferenCe4-8 aUGUSt 2014 middot St LoUiS mo

St LoUiS Union Station marriott hoteL

32N

D I

NTE

RNATIO

NAL SYSTEM SAFETY CONFER

ENC

E

ST LOUIS MISSOURI middot AUGUST 4-8

201

4

SAFETYGATEWAYTO

Local attractionsGateway Arch Riverfrontbull Missouri History Museumbull Museum of Transportationbull St Louis Cardinalsbull St Louis Symphonybull St Louis Union Stationbull St Louis Science Centerbull The Contemporary Art Museum St Louisbull Bissell Mansion Restaurant and bull Dinner TheaterMissouri Botanical Gardens bull Laumeier Sculpture Parkbull Anheuser-Busch Brewerybull Kemp Auto Museumbull

Schlafly Bottleworksbull Fox Theaterbull Purina Farmsbull Meramec Cavernsbull Lacledersquos Landingbull City Museumbull Magic Housebull Grantrsquos Farmbull St Louis Zoobull Delmar Loopbull Forrest Parkbull Harrahrsquosbull Six Flagsbull

52

aBOUt the system safety sOCietyThe System Safety Society is a non-profit organization of professionals dedicated to the safety of systems products and services through the effective implementation of the system safety concept Under this concept appropriate technical and managerial skills are applied so that a systematic forward-looking hazard identification and control function becomes an integral part of a project program or activity at the planning phase and continues through the design production testing use and disposal phases

The Societyrsquos ObjectivesTo advance the art and science of system safetybull To promote a meaningful management and technological understanding of system safetybull To disseminate advances in knowledge to all interested groups and individualsbull To further the development of the professionals engaged in system safetybull To improve public understanding of the system safety disciplinebull To improve the communication of system safety principles to all levels of management engineering bull and other professional groups

System Safety Society Inc PO Box 70 Unionville VA 22567-0070wwwsystem-safetyorg email systemsafetysystem-safetyorg

PointS oF contactOfficersRobert Schmedake Presidentrobertaschmedakeboeingcom

Dr Rod Simmons Executive Vice Presidentrodsimmonsmecom

Dr Matt Johnson Executive Secretarymjohnsonstaudertechcom

Pam Kniess Treasurerpamkniessgmailcom

Gary BramanImmediate Past Presidentgbramansikorskycom

DirectorsGerry Einarsson Chapter Serviceseinargkrogerscom Lynece Pfledderer ConferencesLynecepfleddererlmcocom Dr Chuck Muniak Education amp Professional Developmentcmuniakstevensedu

Debbie HaleGov amp Intersociety Hale0324hotmailcom Robert Fletcher International Developmentrwfletchersympaticoca

Melissa Emery Member Servicesmemeryapt-researchcom Steve Mattern Mentoring RampDsmatternbastiontechnologiescom

Saralyn DwyerPublicity amp Mediasdwyerapt-researchcom

ProgramISSC2013

53

Chapters

Tennessee Valley Chapter (AL): Don Swallom, swallomisss-tvcorg
Saguaro Chapter (AZ): Amanda Boysun, 520-794-5487, AmandaBoysunraytheoncom
Bay Area Chapter (CA): Graham Murray, 408-756-2674, grahamtmurraylmcocom
Central California Chapter (CA): Kathleen Brenna, KathleenBrenna1usafmil
Sierra High Desert Chapter (CA): Jerry Banister, 760-377-4690, safetycitadelearthlinknet
Southern California Chapter (CA): Francis McDougall, 310-653-1309, francismcdougallusafmil
Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppecomcastnet
Georgia Chapter: Terry Gooch, 770-494-3527, terryjgoochgmailcom
Winners Circle Chapter (KY/IN): Marc Bever, 812-854-1351, Marcbevernavymil
Twin Cities Chapter (MN): Bill Blake, 763-744-5086, billblakeatkcom
New England Chapter: Alan E. Southwick, 401-842-2067, Alan_E_Southwickraytheoncom
Northeast Chapter: Scott Beecher, scottbeecherPWutccom
New Mexico Chapter (NM): William (Bill) Harwood, williamharwoodmdamil
Houston Chapter (TX): Derek Robins, 281-335-2011, derekrobbinsmwcc-usacom
North Texas Chapter (TX): Frank Rinaldo, 817-762-3075, frankrrinaldolmcocom
Washington DC Chapter: Sean Peters, seanpetersurscom
Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerberbaesystemscom

International Chapters

Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbechtrgbassurancecomau
Canada Chapter: Maury Hill, 613-220-0533, Mauryhillrogerscom
Israel Chapter: Haim Kuper, 972-4-8315044, haimkuperelbitsystemscom
Singapore Chapter: Ten Lin Mei, tlinmeidsoorgsg

Notes

31st ISSC Luncheon Menu

Tuesday, August 13
New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14
Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15
Caesar Salad
Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce
White Chocolate and Blood Orange Torte


In particular, the paper describes the current status of the research seeking to identify the specific arguments contained in or implied by the DO-178C guidance that implicitly justify the assumption that the document meets its stated purpose.

Uncertainty and Confidence in Safety Logic
Patrick J. Graydon, Postdoctoral Research Fellow, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

Reasoning about system safety requires reasoning about confidence in safety claims. For example, DO-178B requires developers to determine the correctness of the worst-case execution time of the software. It is not possible to do this beyond any doubt. Therefore, developers and assessors must consider the limitations of execution time evidence and their effect on the confidence that can be placed in execution time figures, timing analysis results, and claims to have met timing-related software safety requirements. In this paper we survey and assess existing concepts that might serve as means of describing and reasoning about confidence, including safety integrity levels, probability distributions of failure rates, Bayesian Belief Networks, argument integrity levels, and Baconian probability. We define use cases for confidence in safety cases, prescriptive standards, certification of component-based systems, and the reuse of safety elements both in and out of context. From these use cases we derive requirements for a confidence framework. We assess existing techniques by discussing what is known about how well each confidence metric meets these requirements. Our results show that no existing confidence metric is ideally suited for all uses. We conclude by discussing implications for future standards and for reuse of safety elements.

Initial Safety Analysis for Integration of the Unmanned Aerial Systems into the National Airspace System
Eric Yang, PhD; Richard Y. Xie, PhD; Arash Yousefi, PhD; Metron Aviation, Inc., Dulles, VA, USA

As demand for military, civilian, and commercial Unmanned Aircraft Systems (UAS) increases, the Federal Aviation Administration (FAA) is planning to fully integrate UAS operations into the National Airspace System (NAS). Safety modeling and analysis is needed to evaluate the conformance of an integrated system to the target level of safety that is set by the International Civil Aviation Organization (ICAO). The safety evaluation should consider various technology options for collision avoidance and different aircraft performance characteristics.

In this paper we adapt a previously developed safety modeling framework, the Safety Analysis Tool for Advanced Airspace Concepts (SafeATAC), to represent the integration of UAS into the NAS and evaluate the risks for different operational scenarios and technology alternatives. More specifically, we use the SafeATAC framework to model and assess the risks associated with incompatibility of sense-and-avoid systems between different types of UAS, incompatibility of sense-and-avoid systems of UAS and Tactical Collision Avoidance Systems (TCAS) of manned aircraft, loss-link procedures in the UAS, and UAS loss of communication with air traffic control. The findings of this study provide insight into potential risks of UAS integration and may support development of concepts of operation, establishment of minimum performance standards, and development of required safety nets.

Thursday 08/15/13 PM, Clarendon: Public Safety II (Chair: Laabs)

Integrating System Safety and Emergency Management
Terry L. Hardy, Great Circle Analytics, LLC, Denver, CO, USA

System safety is an engineering and management discipline used to analyze hazards, evaluate risk, and design the system to eliminate conditions that can lead to an undesired consequence. Emergency management is an ongoing process to prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations, or the environment. Both system safety and emergency management are essential to creating resilient systems. Optimally, system safety and emergency management efforts will be integrated, and personnel with expertise in these disciplines will work together to identify hazards, assess risks, identify approaches that reduce risk, and create effective responses to emergencies. However, in many organizations these functions are organizationally separated with little interaction, or personnel are assigned these tasks without appropriate knowledge and training. Therefore, organizations may not be taking full advantage of the skills, experience, and insights that trained personnel from each of these disciplines have to offer. Basic concepts in system safety and emergency management are described, with examples of how these disciplines might collaborate to improve safety. Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction.

Safety in Deepwater Well Containment Operations
Derek A. Robins, BS Safety, MS Systems Management, CSP, CFPS, HSE, Marine Well Containment Company, Houston, TX, USA

Following the Deepwater Horizon incident, ExxonMobil, Chevron, ConocoPhillips, and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico.

This led to the formation of Marine Well Containment Company (MWCC), an independent company which would develop, maintain, and advance well containment systems for the deepwater US Gulf. Following formation, MWCC gained six additional members: Anadarko, Apache, BHP Billiton, BP, Hess, and Statoil. In February 2011, MWCC's interim containment system (ICS) was made available for use; the system provides the capability to shut in a well or, if necessary, flow the fluids to the surface for processing and storage.

The proposed paper would provide an overview of MWCC, its ICS, and the Expanded Containment System (ECS), which will provide greater capacity and capability to control a well, as well as an overview of the safety aspects of maintaining and deploying these systems. This includes our approach for working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems.

The current system is being maintained in a state of readiness, which will be addressed in this paper.

WHAT ARE YOUR STRENGTHS AS AN ENGINEER?

"thinking system-wide" "providing in-depth analysis of the latest technologies" "solving real-life problems"

ONLINE MASTER'S DEGREES
- RELIABILITY ENGINEERING
- PROJECT MANAGEMENT
- NUCLEAR ENGINEERING
- SUSTAINABLE ENERGY
- ENERGETIC CONCEPTS
- FIRE PROTECTION ENGINEERING

LEARN MORE: wwwadvancedengineeringeduissc

A Taxonomic Analysis on Chinese Special Equipments "Yinhuan" in Supervision
Yunxiao Fan, Dr., Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety on worksites. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices, and automobiles. In recent years, the rapid increase in the numbers and types of special equipment has placed increasing stress on BSES in regulating it. As a government supervision organization, BSES tries to make the inspection tasks of the different supervision levels explicit and efficient, and to improve safety management performance from the viewpoint of risk. This research is the first task in a project which aims to identify yinhuans in special equipment supervision through a taxonomic approach, for subsequent ranking through risk assessment. Based on nonconformity and the 4 elements in the accident causation model, this research defined yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. It identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans across 8 types of special equipment.

Thursday 08/15/13 PM, Dartmouth: Hazard/Risk Management II (Chair: Kniess)

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1); Patrick J. Graydon, PhD (2); Rikard Land, PhD (1). (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework including analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach, the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence; it can ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA

United Launch Alliance (ULA) believes error reporting is the cornerstone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented, and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012, ULA experienced an elevated number of transportation-related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates processes were "in control" during the period of this study.


Isograph Software: World Leading Reliability, Availability and Maintenance Software

Reliability Workbench: Reliability Allocation, Prediction, FMECA, Fault Tree Analysis, Event Tree Analysis, Markov

Availability Workbench: Reduce Labor & Spares Costs; Increase uptime and output; Seamless integration with SAP and Maximo

www.isograph-software.com

Even though statistical analysis tools demonstrated ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, PEng, MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece

Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how the STAMP Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents, and incidents. The objective is to show the feasibility of establishing in airports system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems, and airports to assess and predict changing levels of risk.


Special Functions

Saturday
SSS Executive Council Meeting, 12:00 - 5:00pm, Tremont Room

Sunday
SSS Executive Council Meeting, 8:00am - 5:00pm, Tremont Room

Monday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Opening Ceremonies / General Session, 1:30 - 3:30am, Salons A-E. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow, Member Emeritus. Keynote Speaker: James P. Keller, Jr., MS, ECRI Institute

Tuesday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Sponsor/Exhibitor Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology
Sponsor & Exhibitor Reception, 6:30 - 8:30pm, Gloucester Room

Wednesday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
International Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK
Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00pm. Be in the hotel lobby at 6:00pm

Thursday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Awards Luncheon, 11:30 - 1:20pm, Salons A-E

Friday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Best Papers Presentations, 8:00 - 11:20am, Dartmouth Room

32nd International System Safety Conference, 4-8 August 2014 · St. Louis, MO
St. Louis Union Station Marriott Hotel
Gateway to Safety

Local attractions:
• Gateway Arch Riverfront
• Missouri History Museum
• Museum of Transportation
• St. Louis Cardinals
• St. Louis Symphony
• St. Louis Union Station
• St. Louis Science Center
• The Contemporary Art Museum St. Louis
• Bissell Mansion Restaurant and Dinner Theater
• Missouri Botanical Gardens
• Laumeier Sculpture Park
• Anheuser-Busch Brewery
• Kemp Auto Museum
• Schlafly Bottleworks
• Fox Theater
• Purina Farms
• Meramec Caverns
• Laclede's Landing
• City Museum
• Magic House
• Grant's Farm
• St. Louis Zoo
• Delmar Loop
• Forest Park
• Harrah's
• Six Flags

About the System Safety Society

The System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products, and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program, or activity at the planning phase and continues through the design, production, testing, use, and disposal phases.

The Societyrsquos ObjectivesTo advance the art and science of system safetybull To promote a meaningful management and technological understanding of system safetybull To disseminate advances in knowledge to all interested groups and individualsbull To further the development of the professionals engaged in system safetybull To improve public understanding of the system safety disciplinebull To improve the communication of system safety principles to all levels of management engineering bull and other professional groups

System Safety Society Inc PO Box 70 Unionville VA 22567-0070wwwsystem-safetyorg email systemsafetysystem-safetyorg

PointS oF contactOfficersRobert Schmedake Presidentrobertaschmedakeboeingcom

Dr Rod Simmons Executive Vice Presidentrodsimmonsmecom

Dr Matt Johnson Executive Secretarymjohnsonstaudertechcom

Pam Kniess Treasurerpamkniessgmailcom

Gary BramanImmediate Past Presidentgbramansikorskycom

DirectorsGerry Einarsson Chapter Serviceseinargkrogerscom Lynece Pfledderer ConferencesLynecepfleddererlmcocom Dr Chuck Muniak Education amp Professional Developmentcmuniakstevensedu

Debbie HaleGov amp Intersociety Hale0324hotmailcom Robert Fletcher International Developmentrwfletchersympaticoca

Melissa Emery Member Servicesmemeryapt-researchcom Steve Mattern Mentoring RampDsmatternbastiontechnologiescom

Saralyn DwyerPublicity amp Mediasdwyerapt-researchcom

ProgramISSC2013

53

chaPterSTennessee Valley Chapter AL Don Swallom swallomisss-tvcorg

Saguaro Chapter AZ Amanda Boysun 520-794-5487 AmandaBoysunraytheoncom

Bay Area Chapter CA Graham Murray 408-756-2674 grahamtmurraylmcocom

Central California Chapter CA Kathleen Brenna KathleenBrenna1usafmil

Sierra High Desert Chapter CA Jerry Banister 760-377-4690 safetycitadelearthlinknet

Southern California Chapter CA Francis McDougall 310-653-1309 francismcdougallusafmil

Colorado Chapter Terry Foppe 303-915-8353 terryfoppecomcastnet

Georgia Chapter Terry Gooch 770-494-3527 terryjgoochgmailcom

Winners Circle Chapter KYIN Marc Bever 812-854-1351 Marcbevernavymil

Twin Cities Chapter MN Bill Blake 763-744-5086 billblakeatkcom

New England Chapter Alan E Southwick 401-842-2067 Alan_E_Southwickraytheoncom

Northeast Chapter Scott Beecher scottbeecherPWutccom

New Mexico Chapter NM William (Bill) Harwood williamharwoodmdamil

Houston Chapter TX Derek Robins 281-335-2011 derekrobbinsmwcc-usacom

North Texas Chapter TX Frank Rinaldo 817-762-3075 frankrrinaldolmcocom

Washington DC Chapter Sean Peters seanpetersurscom

Virtual Chapter Doanna Weissgerber 408-289-4407 DoannaWeissgerberbaesystemscom

International ChaptersAustralia Chapter Dr Holger Becht +61 (0)7 3868 9243 holgerbechtrgbassurancecomau

Canada Chapter Maury Hill 613-220-0533 Mauryhillrogerscom

Israel Chapter Haim Kuper 972-4-8315044 haimkuperelbitsystemscom

Singapore Chapter Ten Lin Mei tlinmeidsoorgsg

54

nOtes

ProgramISSC2013

55

nOtes

56

nOtes

31st issC lunCheon Menu

tuesday august 13

New England Clam Chowder

Grilled Sirloin Shiitake Mushroom Risotto Seasonal Vegetables Port Wine Reduction

Key Lime Tart in a Hazelnut Crust Blackberry Pate de Fruit

Wednesday august 14

Asian Inspired Salad

Teriyaki Chicken Coconut Rice Seared Bok Choy

Triple Chocolate Tower White Dark and Milk Chocolate Mousse Towering atop Devilrsquos Food Cake Ganache and Berry Sauce

thursday august 15

Ceaser Salad

Ricotta and Manchego Torteloni Sweet Italian Sausage Broccolini Artichoke Roasted Tomato Pesto Butter Sauce

White Chocolate and Blood Orange Torte

ProgramISSC2012

3

Page 50: thank you sponsors, exhiBitors, & partners!tutorial Program & CeUs: The conference includes several information-packed tutorials in addition to the papers being presented. Attending

ProgramISSC2013

47

separated with little interaction or personnel are assigned these tasks without appropriate knowledge and training Therefore organizations may not be taking full advantage of the skills experience and insights that trained personnel from each of these disciplines have to offer Basic concepts in system safety and emergency management are described with examples of how these disciplines might collaborate to improve safety Real-world examples of the consequences of system safety and emergency management failures are presented to illustrate the necessity of this interaction

Safety in Deepwater Well Containment OperationsDerek A Robins BS Safety MS Systems Management CSP CFPS HSE Marine Well Containment Company Houston TX USAFollowing the Deepwater Horizon incident ExxonMobil Chevron ConocoPhillips and Shell recognized the need to improve well containment response capabilities in the case of a potential deepwater well control incident in the US Gulf of Mexico

This led to the formation of Marine Well Containment Company (MWCC) an independent company which would develop maintain and advance well containment systems for the deepwater US Gulf Following formation MWCC gained six additional members Anadarko Apache BHP Billiton BP Hess and Statoil In February 2011 MWCCrsquos interim containment system (ICS) was made available for use the system provides the capability to shut in a well or if necessary flow the fluids to the surface for processing and storage

The proposed paper would provide an overview of MWCC its ICS and Expanded Containment System (ECS) which will provide greater capacity and capability to control a well as well as an overview of the safety aspects of maintaining and deploying these systems This includes our approach for working with member companies on hazard identifications to establish a baseline and on areas for continuous improvement to our safety systems

The current system is being maintained in a state of readiness which will be addressed in this paper

WHAT ARE YOUR STRENGTHS AS AN ENGINEER

ldquothinking system-widerdquo ldquoproviding in-depth analysis of the latest technologiesrdquo ldquosolving real-life problemsrdquo

ONLINE MASTERrsquoS DEGREES

- RELIABILTY ENGINEERING- PROJECT MANAGEMENT- NUCLEAR ENGINEERING- SUSTAINABLE ENERGY- ENERGETIC CONCEPTS- FIRE PROTECTION ENGINEERING

LEARN MOREwwwadvancedengineeringeduissc

48

A Taxonomic Analysis on Chinese Special Equipments ldquoYinhuanrdquo in SupervisionYunxiao Fan Dr Associate Professor Yun Luo Professor Ming Lu Master School of Engineering and Technology China University of Geosciences (Beijing) Beijing ChinaBureau of Special Equipment Supervision (BSES) is an in-house department of General Administration of Quality Supervision Inspection and Quarantine of the Peoplersquos Republic of China (AQSIQ) The bureau is responsible for administering and supervising special equipments to ensure their safety in worksite Special equipments in China include boilers pressure vessels elevators lifting appliances passenger ropeways large amusement devices and automobiles In recent years the rapid increase in numbers and types of special equipments has brought BSES increasing stress on special equipments regulation As government supervision organization BSES try to explicit inspect tasks of different supervision level efficiently and improve safety management performance based on the view of risk This research is the first task in the project which aims to identify yinhuans in special equipment supervision in taxonomy approach for further ranking them through risk assessmentBased on nonconformity and 4 elements in the accident causation model this research defined yinhuans of special equipments in China and built yinhuan taxonomic analysis structure This research identified nonconformities from related regulations standards procedures etc and identified 830 yinhuans of 8 type special equipments

thursday 081513 pM dartMouth hazardrisk ManagEMEnt ii Chair kniEss

Towards Automatic Verification of Safety Properties in AADL System ModelsStefan Bjoumlrnander MSc1 Patrick J Graydon PhD2 Rikard Land PhD1 (1) Maximatecc Vaumlsterarings Sweden (2) School Of Innovation Design and Engineering Maumllardalen University Vaumlsterarings SwedenIn some domains standards such as ISO 26262 or the UK Ministry of Defencersquos Defence Standard 00-56 require developers to produce a safety case As the safety case for a complex system can be rather large automated verification of all or part of it would be valuable

We have approached the issue by designing a method supported by a framework including analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL) In our approach the safety case predicates are defined in a subset of the functional language Meta Language (ML)

Our approach facilities formalising some parts of a typical safety argument in an ML-like notation enabling automatic verification of some reasoning steps in the safety argument Automatic verification not only justifies increased confidence it can ease the burden of re-checking the safety argument as it (and the system) change

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error EventsJames E Allison System Safety United Launch Alliance Centennial CO USA Elie Jerdak Quality United Launch Alliance Centennial CO USAUnited Launch Alliance (ULA) believes error reporting is the corner-stone of an effective Error Prevention program ULA recognizes every error (referred to by ULA as Events) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure ULA has freely reported documented and shared Event data since 2007 and analysis confirms Event severity and cost have steadily declined during this period

In 2012 ULA experienced an elevated number of transportation related Events in a relatively short time period Logically the question ldquoare these processes out of controlrdquo was asked

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if associated processes were in statistical control with respect to errors

This paper concludes The Statistical Quality Control P-Charting technique can be applied to Event data bull Statistical Quality Control P-Charting analysis indicates processes were ldquoin controlrdquo with during the bull period of this study

ProgramISSC2013

49

Reliability Allocation Prediction FMECA Fault Tree Analysis Event Tree Analysis Markov

Reliability Workbench

wwwisograph-softwarecom

Isograph SoftwareWorld Leading Reliability Availability and Maintenance Software

Reduce Labor amp Spares Costs Increase uptime and output Seamless integration with SAP and Maximo

Availability Workbench

Even though statistical analysis tools demonstrated ULArsquos processes were ldquoin controlrdquo ULA continues to pursue a ldquoZero Defectsrdquo objective That is ULA does not accept errors as an inevitable side effect of business Rather ULA strives to eliminate all errors

Leading Indicators in Aviation OperationsRobert W Fletcher PMP PEng MSc Robert Fletcher System Safety Inc Ottawa ON Canada Ioannis M Dokas PhD CEng Civil Engineering Democritus University of Thrace Xanthi GreeceSince September 11 2001 system safety and security has been of great concern in aviation operations and many resources have been committed to maintaining acceptable levels of risk Leading indicators based on the timely capture of significant sets of data can be used to provide warnings of changes in risk levels Traditionally hazard and threat analyses methods have been applied retroactively Current security and safety methodologies encourage the development of systems that are proactive and predictive This paper will describe how the STAMP Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes accidents and incidents The objective is to show the feasibility of establishing in airports system safety and security monitoring stations that use hazard and threat data from airlines air navigation systems and airports to assess and predict changing levels of risk

50

SatUrdaysss executive Council meeting 1200 - 500pm Tremont Room

SUndaysss executive Council meeting 800am - 500pm Tremont Room

mondayspeakersrsquo Breakfast 630 - 800am Simmons Room

Opening Ceremoniesgeneral session 130 - 330am Salons A-E 50th Celebration Speaker Rex B Gordon MPH PE CSP Fellow Member Emeritus

Keynote Speaker James P Keller Jr MS ECRI Institute

tUeSdayspeakersrsquo Breakfast 630 - 800am Simmons Room

sponsorexhibitor luncheon 1130am - 120pm Salons A-E Speaker Dr Nancy Leveson Massachusetts Institute of Technology

sponsor amp exhibitor reception 630 - 830pm Gloucester Room

WedneSdayspeakersrsquo Breakfast 630 - 800am Simmons Room

international luncheon 1130am - 120pm Salons A-E Speaker Dr John McDermid The University of York UK

Wolfgang Puck Dinner amp lightning show at the museum of science 630 - 1000pm Be in the hotel lobby at 600pm

thUrSdayspeakersrsquo Breakfast 630 - 800am Simmons Room

awards luncheon 1130 - 120pm Salons A-E

Fridayspeakersrsquo Breakfast 630 - 800am Simmons Room

Best Papers Presentations 800 - 1120am Dartmouth Room

sPeCial fUnCtiOns

ProgramISSC2013

51

32nD internatiOnal system safety COnferenCe4-8 aUGUSt 2014 middot St LoUiS mo

St LoUiS Union Station marriott hoteL

32N

D I

NTE

RNATIO

NAL SYSTEM SAFETY CONFER

ENC

E

ST LOUIS MISSOURI middot AUGUST 4-8

201

4

SAFETYGATEWAYTO

Local attractionsGateway Arch Riverfrontbull Missouri History Museumbull Museum of Transportationbull St Louis Cardinalsbull St Louis Symphonybull St Louis Union Stationbull St Louis Science Centerbull The Contemporary Art Museum St Louisbull Bissell Mansion Restaurant and bull Dinner TheaterMissouri Botanical Gardens bull Laumeier Sculpture Parkbull Anheuser-Busch Brewerybull Kemp Auto Museumbull

Schlafly Bottleworksbull Fox Theaterbull Purina Farmsbull Meramec Cavernsbull Lacledersquos Landingbull City Museumbull Magic Housebull Grantrsquos Farmbull St Louis Zoobull Delmar Loopbull Forrest Parkbull Harrahrsquosbull Six Flagsbull

52

aBOUt the system safety sOCietyThe System Safety Society is a non-profit organization of professionals dedicated to the safety of systems products and services through the effective implementation of the system safety concept Under this concept appropriate technical and managerial skills are applied so that a systematic forward-looking hazard identification and control function becomes an integral part of a project program or activity at the planning phase and continues through the design production testing use and disposal phases

The Societyrsquos ObjectivesTo advance the art and science of system safetybull To promote a meaningful management and technological understanding of system safetybull To disseminate advances in knowledge to all interested groups and individualsbull To further the development of the professionals engaged in system safetybull To improve public understanding of the system safety disciplinebull To improve the communication of system safety principles to all levels of management engineering bull and other professional groups

System Safety Society Inc PO Box 70 Unionville VA 22567-0070wwwsystem-safetyorg email systemsafetysystem-safetyorg

Points of Contact

Officers
Robert Schmedake, President: robertaschmedake@boeing.com
Dr. Rod Simmons, Executive Vice President: rodsimmons@me.com
Dr. Matt Johnson, Executive Secretary: mjohnson@staudertech.com
Pam Kniess, Treasurer: pamkniess@gmail.com
Gary Braman, Immediate Past President: gbraman@sikorsky.com

Directors
Gerry Einarsson, Chapter Services: einargk@rogers.com
Lynece Pfledderer, Conferences: Lynecepfledderer@lmco.com
Dr. Chuck Muniak, Education & Professional Development: cmuniak@stevens.edu
Debbie Hale, Gov. & Intersociety: Hale0324@hotmail.com
Robert Fletcher, International Development: rwfletcher@sympatico.ca
Melissa Emery, Member Services: memery@apt-research.com
Steve Mattern, Mentoring, R&D: smattern@bastiontechnologies.com
Saralyn Dwyer, Publicity & Media: sdwyer@apt-research.com

Program ISSC 2013


Chapters
Tennessee Valley Chapter (AL): Don Swallom, swallom@isss-tvc.org
Saguaro Chapter (AZ): Amanda Boysun, 520-794-5487, AmandaBoysun@raytheon.com
Bay Area Chapter (CA): Graham Murray, 408-756-2674, grahamtmurray@lmco.com
Central California Chapter (CA): Kathleen Brenna, KathleenBrenna1@us.af.mil
Sierra High Desert Chapter (CA): Jerry Banister, 760-377-4690, safetycitadel@earthlink.net
Southern California Chapter (CA): Francis McDougall, 310-653-1309, francismcdougall@us.af.mil
Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppe@comcast.net
Georgia Chapter: Terry Gooch, 770-494-3527, terryjgooch@gmail.com
Winners Circle Chapter (KY/IN): Marc Bever, 812-854-1351, Marcbever@navy.mil
Twin Cities Chapter (MN): Bill Blake, 763-744-5086, billblake@atk.com
New England Chapter: Alan E. Southwick, 401-842-2067, Alan_E_Southwick@raytheon.com
Northeast Chapter: Scott Beecher, scottbeecher@PW.utc.com
New Mexico Chapter (NM): William (Bill) Harwood, williamharwood@mda.mil
Houston Chapter (TX): Derek Robins, 281-335-2011, derekrobbins@mwcc-usa.com
North Texas Chapter (TX): Frank Rinaldo, 817-762-3075, frankrrinaldo@lmco.com
Washington DC Chapter: Sean Peters, seanpeters@urs.com
Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerber@baesystems.com

International Chapters
Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbecht@rgbassurance.com.au
Canada Chapter: Maury Hill, 613-220-0533, Mauryhill@rogers.com
Israel Chapter: Haim Kuper, 972-4-8315044, haimkuper@elbitsystems.com
Singapore Chapter: Ten Lin Mei, tlinmei@dso.org.sg

Notes

31st ISSC Luncheon Menu

Tuesday, August 13
New England Clam Chowder
Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction
Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14
Asian Inspired Salad
Teriyaki Chicken, Coconut Rice, Seared Bok Choy
Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15
Caesar Salad
Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce
White Chocolate and Blood Orange Torte


A Taxonomic Analysis on Chinese Special Equipments "Yinhuan" in Supervision
Yunxiao Fan, Dr., Associate Professor; Yun Luo, Professor; Ming Lu, Master; School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China

The Bureau of Special Equipment Supervision (BSES) is an in-house department of the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China (AQSIQ). The bureau is responsible for administering and supervising special equipment to ensure its safety at worksites. Special equipment in China includes boilers, pressure vessels, elevators, lifting appliances, passenger ropeways, large amusement devices and automobiles. In recent years the rapid increase in the number and types of special equipment has put BSES under increasing stress in regulating it. As a government supervision organization, BSES tries to make the inspection tasks of the different supervision levels explicit and efficient, and to improve safety management performance from the viewpoint of risk. This research is the first task in a project which aims to identify yinhuans in special equipment supervision through a taxonomic approach, for later ranking through risk assessment. Based on nonconformity and the four elements of the accident causation model, this research defined yinhuans of special equipment in China and built a yinhuan taxonomic analysis structure. It identified nonconformities from related regulations, standards, procedures, etc., and identified 830 yinhuans across 8 types of special equipment.

Thursday, 08/15/13, PM, Dartmouth Room: Hazard/Risk Management II, Chair: Kniess

Towards Automatic Verification of Safety Properties in AADL System Models
Stefan Björnander, MSc (1); Patrick J. Graydon, PhD (2); Rikard Land, PhD (1). (1) Maximatecc, Västerås, Sweden; (2) School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden

In some domains, standards such as ISO 26262 or the UK Ministry of Defence's Defence Standard 00-56 require developers to produce a safety case. As the safety case for a complex system can be rather large, automated verification of all or part of it would be valuable.

We have approached the issue by designing a method supported by a framework including analysers for safety cases defined in the Goal Structuring Notation (GSN) and systems modelled in the Architecture Analysis and Design Language (AADL). In our approach the safety case predicates are defined in a subset of the functional language Meta Language (ML).

Our approach facilitates formalising some parts of a typical safety argument in an ML-like notation, enabling automatic verification of some reasoning steps in the safety argument. Automatic verification not only justifies increased confidence; it can ease the burden of re-checking the safety argument as it (and the system) change.

Using Lean Six Sigma Techniques to Determine if a Process is in Control with Respect to Error Events
James E. Allison, System Safety, United Launch Alliance, Centennial, CO, USA; Elie Jerdak, Quality, United Launch Alliance, Centennial, CO, USA

United Launch Alliance (ULA) believes error reporting is the corner-stone of an effective Error Prevention program. ULA recognizes every error (referred to by ULA as an Event) as a potentially valuable learning opportunity and encourages all ULA employees to participate in voluntary Event disclosure. ULA has freely reported, documented and shared Event data since 2007, and analysis confirms Event severity and cost have steadily declined during this period.

In 2012 ULA experienced an elevated number of transportation-related Events in a relatively short time period. Logically, the question "are these processes out of control?" was asked.

This paper describes how ULA applied the Statistical Quality Control P-Charting technique to determine if the associated processes were in statistical control with respect to errors.

This paper concludes:
• The Statistical Quality Control P-Charting technique can be applied to Event data.
• Statistical Quality Control P-Charting analysis indicates the processes were "in control" during the period of this study.


Isograph Software: World Leading Reliability, Availability and Maintenance Software
Reliability Workbench: Reliability Allocation, Prediction, FMECA, Fault Tree Analysis, Event Tree Analysis, Markov
Availability Workbench: Reduce Labor & Spares Costs, Increase uptime and output, Seamless integration with SAP and Maximo
www.isograph-software.com

Even though statistical analysis tools demonstrated ULA's processes were "in control", ULA continues to pursue a "Zero Defects" objective. That is, ULA does not accept errors as an inevitable side effect of business. Rather, ULA strives to eliminate all errors.
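The p-chart calculation the ULA abstract describes, worked through on constructed data as an added example (this is not ULA's code, data or results): each month is one subgroup, the subgroup size n is assumed to be the number of transport moves (the "opportunities" for an Event), d is the Events recorded, and the chart applies the standard 3-sigma limits recomputed per subgroup because the sizes differ, plus the Western Electric run-of-eight rule as a second signal. The first constructed year carries a Jul/Aug cluster that stays inside the limits (the "in control" finding the abstract reports); the second copies it with a July count that breaches the upper limit, so the same chart flags a special cause.

```python
"""p-chart (fraction-defective control chart) for error Event data.

Added example, not ULA's code or data: the monthly counts below are
constructed to illustrate the technique the abstract describes. Each
subgroup is one month; n is the number of opportunities for error
(assumed here to be transport moves) and d the Events recorded.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Subgroup:
    label: str
    n: int  # opportunities for error in the period (assumed: transport moves)
    d: int  # error Events recorded in the period


# Constructed data: a routine year with a cluster of Events in Jul/Aug.
EVENTS_2012 = [
    Subgroup("Jan", 180, 2), Subgroup("Feb", 200, 1), Subgroup("Mar", 210, 3),
    Subgroup("Apr", 190, 2), Subgroup("May", 220, 1), Subgroup("Jun", 200, 2),
    Subgroup("Jul", 205, 5), Subgroup("Aug", 195, 4), Subgroup("Sep", 210, 2),
    Subgroup("Oct", 200, 1), Subgroup("Nov", 215, 2), Subgroup("Dec", 190, 3),
]

# Constructed data: the same year, but July carries a genuine special cause.
EVENTS_SPIKE = [Subgroup("Jul", 205, 9) if s.label == "Jul" else s for s in EVENTS_2012]


def p_chart(subgroups, z=3.0):
    """Return (p_bar, rows). Limits are computed per subgroup because the
    subgroup sizes differ; the lower limit is floored at zero."""
    total_n = sum(s.n for s in subgroups)
    total_d = sum(s.d for s in subgroups)
    if total_n == 0:
        raise ValueError("no opportunities recorded")
    p_bar = total_d / total_n  # centre line: pooled fraction defective
    rows = []
    for s in subgroups:
        p = s.d / s.n
        sigma = math.sqrt(p_bar * (1.0 - p_bar) / s.n)
        ucl = p_bar + z * sigma
        lcl = max(0.0, p_bar - z * sigma)
        rows.append({
            "label": s.label, "n": s.n, "d": s.d, "p": p,
            "ucl": ucl, "lcl": lcl, "out": p > ucl or p < lcl,
        })
    return p_bar, rows


def longest_run_one_side(rows, p_bar):
    """Length of the longest run of consecutive points strictly on one
    side of the centre line (a point exactly on it breaks the run)."""
    best = run = 0
    side = 0
    for r in rows:
        s = 1 if r["p"] > p_bar else (-1 if r["p"] < p_bar else 0)
        run = run + 1 if (s != 0 and s == side) else (1 if s != 0 else 0)
        side = s
        best = max(best, run)
    return best


def in_control(rows, p_bar, run_limit=8):
    """Out of control if any point breaches its limits, or if run_limit
    consecutive points sit on one side of the centre line (the Western
    Electric run rule, which catches a shift the limits alone miss)."""
    if any(r["out"] for r in rows):
        return False
    return longest_run_one_side(rows, p_bar) < run_limit


def report(subgroups):
    """Print the chart as a table and return the in-control verdict."""
    p_bar, rows = p_chart(subgroups)
    print(f"p-bar = {p_bar:.5f}")
    for r in rows:
        flag = "OUT" if r["out"] else ""
        print(f"{r['label']}: {r['d']:2d}/{r['n']} p={r['p']:.4f} "
              f"LCL={r['lcl']:.4f} UCL={r['ucl']:.4f} {flag}")
    verdict = in_control(rows, p_bar)
    print("in control" if verdict else "OUT OF CONTROL")
    return verdict


if __name__ == "__main__":
    report(EVENTS_2012)
    report(EVENTS_SPIKE)
```

With the first data set, the July cluster (5 Events in 205 moves) sits well under its upper limit of about 0.034, so the chart reports common-cause variation only; raising July to 9 Events pushes its fraction above the recomputed limit and the verdict flips. Note that with subgroup sizes this small the lower limit is zero everywhere, so a month with no Events is never a signal on its own.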

Leading Indicators in Aviation Operations
Robert W. Fletcher, PMP, PEng, MSc, Robert Fletcher System Safety Inc., Ottawa, ON, Canada; Ioannis M. Dokas, PhD, CEng, Civil Engineering, Democritus University of Thrace, Xanthi, Greece

Since September 11, 2001, system safety and security have been of great concern in aviation operations, and many resources have been committed to maintaining acceptable levels of risk. Leading indicators, based on the timely capture of significant sets of data, can be used to provide warnings of changes in risk levels. Traditionally, hazard and threat analysis methods have been applied retroactively. Current security and safety methodologies encourage the development of systems that are proactive and predictive. This paper will describe how the STAMP Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes, accidents and incidents. The objective is to show the feasibility of establishing, in airports, system safety and security monitoring stations that use hazard and threat data from airlines, air navigation systems and airports to assess and predict changing levels of risk.


Special Functions

Saturday
SSS Executive Council Meeting, 12:00 - 5:00pm, Tremont Room

Sunday
SSS Executive Council Meeting, 8:00am - 5:00pm, Tremont Room

Monday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Opening Ceremonies / General Session, 1:30 - 3:30am, Salons A-E. 50th Celebration Speaker: Rex B. Gordon, MPH, PE, CSP, Fellow Member Emeritus. Keynote Speaker: James P. Keller Jr., MS, ECRI Institute

Tuesday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Sponsor/Exhibitor Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology
Sponsor & Exhibitor Reception, 6:30 - 8:30pm, Gloucester Room

Wednesday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
International Luncheon, 11:30am - 1:20pm, Salons A-E. Speaker: Dr. John McDermid, The University of York, UK
Wolfgang Puck Dinner & Lightning Show at the Museum of Science, 6:30 - 10:00pm. Be in the hotel lobby at 6:00pm

Thursday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Awards Luncheon, 11:30am - 1:20pm, Salons A-E

Friday
Speakers' Breakfast, 6:30 - 8:00am, Simmons Room
Best Papers Presentations, 8:00 - 11:20am, Dartmouth Room


32nd International System Safety Conference
4-8 August 2014 · St. Louis, MO
St. Louis Union Station Marriott Hotel
"Gateway to Safety"

Local attractionsGateway Arch Riverfrontbull Missouri History Museumbull Museum of Transportationbull St Louis Cardinalsbull St Louis Symphonybull St Louis Union Stationbull St Louis Science Centerbull The Contemporary Art Museum St Louisbull Bissell Mansion Restaurant and bull Dinner TheaterMissouri Botanical Gardens bull Laumeier Sculpture Parkbull Anheuser-Busch Brewerybull Kemp Auto Museumbull

Schlafly Bottleworksbull Fox Theaterbull Purina Farmsbull Meramec Cavernsbull Lacledersquos Landingbull City Museumbull Magic Housebull Grantrsquos Farmbull St Louis Zoobull Delmar Loopbull Forrest Parkbull Harrahrsquosbull Six Flagsbull

52

aBOUt the system safety sOCietyThe System Safety Society is a non-profit organization of professionals dedicated to the safety of systems products and services through the effective implementation of the system safety concept Under this concept appropriate technical and managerial skills are applied so that a systematic forward-looking hazard identification and control function becomes an integral part of a project program or activity at the planning phase and continues through the design production testing use and disposal phases

The Societyrsquos ObjectivesTo advance the art and science of system safetybull To promote a meaningful management and technological understanding of system safetybull To disseminate advances in knowledge to all interested groups and individualsbull To further the development of the professionals engaged in system safetybull To improve public understanding of the system safety disciplinebull To improve the communication of system safety principles to all levels of management engineering bull and other professional groups

System Safety Society Inc PO Box 70 Unionville VA 22567-0070wwwsystem-safetyorg email systemsafetysystem-safetyorg

PointS oF contactOfficersRobert Schmedake Presidentrobertaschmedakeboeingcom

Dr Rod Simmons Executive Vice Presidentrodsimmonsmecom

Dr Matt Johnson Executive Secretarymjohnsonstaudertechcom

Pam Kniess Treasurerpamkniessgmailcom

Gary BramanImmediate Past Presidentgbramansikorskycom

DirectorsGerry Einarsson Chapter Serviceseinargkrogerscom Lynece Pfledderer ConferencesLynecepfleddererlmcocom Dr Chuck Muniak Education amp Professional Developmentcmuniakstevensedu

Debbie HaleGov amp Intersociety Hale0324hotmailcom Robert Fletcher International Developmentrwfletchersympaticoca

Melissa Emery Member Servicesmemeryapt-researchcom Steve Mattern Mentoring RampDsmatternbastiontechnologiescom

Saralyn DwyerPublicity amp Mediasdwyerapt-researchcom

ProgramISSC2013

53

chaPterSTennessee Valley Chapter AL Don Swallom swallomisss-tvcorg

Saguaro Chapter AZ Amanda Boysun 520-794-5487 AmandaBoysunraytheoncom

Bay Area Chapter CA Graham Murray 408-756-2674 grahamtmurraylmcocom

Central California Chapter CA Kathleen Brenna KathleenBrenna1usafmil

Sierra High Desert Chapter CA Jerry Banister 760-377-4690 safetycitadelearthlinknet

Southern California Chapter CA Francis McDougall 310-653-1309 francismcdougallusafmil

Colorado Chapter Terry Foppe 303-915-8353 terryfoppecomcastnet

Georgia Chapter Terry Gooch 770-494-3527 terryjgoochgmailcom

Winners Circle Chapter KYIN Marc Bever 812-854-1351 Marcbevernavymil

Twin Cities Chapter MN Bill Blake 763-744-5086 billblakeatkcom

New England Chapter Alan E Southwick 401-842-2067 Alan_E_Southwickraytheoncom

Northeast Chapter Scott Beecher scottbeecherPWutccom

New Mexico Chapter NM William (Bill) Harwood williamharwoodmdamil

Houston Chapter TX Derek Robins 281-335-2011 derekrobbinsmwcc-usacom

North Texas Chapter TX Frank Rinaldo 817-762-3075 frankrrinaldolmcocom

Washington DC Chapter Sean Peters seanpetersurscom

Virtual Chapter Doanna Weissgerber 408-289-4407 DoannaWeissgerberbaesystemscom

International ChaptersAustralia Chapter Dr Holger Becht +61 (0)7 3868 9243 holgerbechtrgbassurancecomau

Canada Chapter Maury Hill 613-220-0533 Mauryhillrogerscom

Israel Chapter Haim Kuper 972-4-8315044 haimkuperelbitsystemscom

Singapore Chapter Ten Lin Mei tlinmeidsoorgsg

54

nOtes

ProgramISSC2013

55

nOtes

56

nOtes

31st issC lunCheon Menu

tuesday august 13

New England Clam Chowder

Grilled Sirloin Shiitake Mushroom Risotto Seasonal Vegetables Port Wine Reduction

Key Lime Tart in a Hazelnut Crust Blackberry Pate de Fruit

Wednesday august 14

Asian Inspired Salad

Teriyaki Chicken Coconut Rice Seared Bok Choy

Triple Chocolate Tower White Dark and Milk Chocolate Mousse Towering atop Devilrsquos Food Cake Ganache and Berry Sauce

thursday august 15

Ceaser Salad

Ricotta and Manchego Torteloni Sweet Italian Sausage Broccolini Artichoke Roasted Tomato Pesto Butter Sauce

White Chocolate and Blood Orange Torte

ProgramISSC2012

3

Page 52: thank you sponsors, exhiBitors, & partners!tutorial Program & CeUs: The conference includes several information-packed tutorials in addition to the papers being presented. Attending

ProgramISSC2013

49

Reliability Allocation Prediction FMECA Fault Tree Analysis Event Tree Analysis Markov

Reliability Workbench

wwwisograph-softwarecom

Isograph SoftwareWorld Leading Reliability Availability and Maintenance Software

Reduce Labor amp Spares Costs Increase uptime and output Seamless integration with SAP and Maximo

Availability Workbench

Even though statistical analysis tools demonstrated ULArsquos processes were ldquoin controlrdquo ULA continues to pursue a ldquoZero Defectsrdquo objective That is ULA does not accept errors as an inevitable side effect of business Rather ULA strives to eliminate all errors

Leading Indicators in Aviation OperationsRobert W Fletcher PMP PEng MSc Robert Fletcher System Safety Inc Ottawa ON Canada Ioannis M Dokas PhD CEng Civil Engineering Democritus University of Thrace Xanthi GreeceSince September 11 2001 system safety and security has been of great concern in aviation operations and many resources have been committed to maintaining acceptable levels of risk Leading indicators based on the timely capture of significant sets of data can be used to provide warnings of changes in risk levels Traditionally hazard and threat analyses methods have been applied retroactively Current security and safety methodologies encourage the development of systems that are proactive and predictive This paper will describe how the STAMP Based Process Analysis (STPA) can be used to identify warning signs and leading indicators to reduce the likelihood of catastrophes accidents and incidents The objective is to show the feasibility of establishing in airports system safety and security monitoring stations that use hazard and threat data from airlines air navigation systems and airports to assess and predict changing levels of risk

50

SatUrdaysss executive Council meeting 1200 - 500pm Tremont Room

SUndaysss executive Council meeting 800am - 500pm Tremont Room

mondayspeakersrsquo Breakfast 630 - 800am Simmons Room

Opening Ceremoniesgeneral session 130 - 330am Salons A-E 50th Celebration Speaker Rex B Gordon MPH PE CSP Fellow Member Emeritus

Keynote Speaker James P Keller Jr MS ECRI Institute

tUeSdayspeakersrsquo Breakfast 630 - 800am Simmons Room

sponsorexhibitor luncheon 1130am - 120pm Salons A-E Speaker Dr Nancy Leveson Massachusetts Institute of Technology

sponsor amp exhibitor reception 630 - 830pm Gloucester Room

WedneSdayspeakersrsquo Breakfast 630 - 800am Simmons Room

international luncheon 1130am - 120pm Salons A-E Speaker Dr John McDermid The University of York UK

Wolfgang Puck Dinner amp lightning show at the museum of science 630 - 1000pm Be in the hotel lobby at 600pm

thUrSdayspeakersrsquo Breakfast 630 - 800am Simmons Room

awards luncheon 1130 - 120pm Salons A-E

Fridayspeakersrsquo Breakfast 630 - 800am Simmons Room

Best Papers Presentations 800 - 1120am Dartmouth Room

sPeCial fUnCtiOns

ProgramISSC2013

51

32nD internatiOnal system safety COnferenCe4-8 aUGUSt 2014 middot St LoUiS mo

St LoUiS Union Station marriott hoteL

32N

D I

NTE

RNATIO

NAL SYSTEM SAFETY CONFER

ENC

E

ST LOUIS MISSOURI middot AUGUST 4-8

201

4

SAFETYGATEWAYTO

Local attractionsGateway Arch Riverfrontbull Missouri History Museumbull Museum of Transportationbull St Louis Cardinalsbull St Louis Symphonybull St Louis Union Stationbull St Louis Science Centerbull The Contemporary Art Museum St Louisbull Bissell Mansion Restaurant and bull Dinner TheaterMissouri Botanical Gardens bull Laumeier Sculpture Parkbull Anheuser-Busch Brewerybull Kemp Auto Museumbull

Schlafly Bottleworksbull Fox Theaterbull Purina Farmsbull Meramec Cavernsbull Lacledersquos Landingbull City Museumbull Magic Housebull Grantrsquos Farmbull St Louis Zoobull Delmar Loopbull Forrest Parkbull Harrahrsquosbull Six Flagsbull

52

aBOUt the system safety sOCietyThe System Safety Society is a non-profit organization of professionals dedicated to the safety of systems products and services through the effective implementation of the system safety concept Under this concept appropriate technical and managerial skills are applied so that a systematic forward-looking hazard identification and control function becomes an integral part of a project program or activity at the planning phase and continues through the design production testing use and disposal phases

The Societyrsquos ObjectivesTo advance the art and science of system safetybull To promote a meaningful management and technological understanding of system safetybull To disseminate advances in knowledge to all interested groups and individualsbull To further the development of the professionals engaged in system safetybull To improve public understanding of the system safety disciplinebull To improve the communication of system safety principles to all levels of management engineering bull and other professional groups

System Safety Society Inc PO Box 70 Unionville VA 22567-0070wwwsystem-safetyorg email systemsafetysystem-safetyorg

PointS oF contactOfficersRobert Schmedake Presidentrobertaschmedakeboeingcom

Dr Rod Simmons Executive Vice Presidentrodsimmonsmecom

Dr Matt Johnson Executive Secretarymjohnsonstaudertechcom

Pam Kniess Treasurerpamkniessgmailcom

Gary BramanImmediate Past Presidentgbramansikorskycom

DirectorsGerry Einarsson Chapter Serviceseinargkrogerscom Lynece Pfledderer ConferencesLynecepfleddererlmcocom Dr Chuck Muniak Education amp Professional Developmentcmuniakstevensedu

Debbie HaleGov amp Intersociety Hale0324hotmailcom Robert Fletcher International Developmentrwfletchersympaticoca

Melissa Emery Member Servicesmemeryapt-researchcom Steve Mattern Mentoring RampDsmatternbastiontechnologiescom

Saralyn DwyerPublicity amp Mediasdwyerapt-researchcom

ProgramISSC2013

53

chaPterSTennessee Valley Chapter AL Don Swallom swallomisss-tvcorg

Saguaro Chapter AZ Amanda Boysun 520-794-5487 AmandaBoysunraytheoncom

Bay Area Chapter CA Graham Murray 408-756-2674 grahamtmurraylmcocom

Central California Chapter CA Kathleen Brenna KathleenBrenna1usafmil

Sierra High Desert Chapter CA Jerry Banister 760-377-4690 safetycitadelearthlinknet

Southern California Chapter CA Francis McDougall 310-653-1309 francismcdougallusafmil

Colorado Chapter Terry Foppe 303-915-8353 terryfoppecomcastnet

Georgia Chapter Terry Gooch 770-494-3527 terryjgoochgmailcom

Winners Circle Chapter KYIN Marc Bever 812-854-1351 Marcbevernavymil

Twin Cities Chapter MN Bill Blake 763-744-5086 billblakeatkcom

New England Chapter Alan E Southwick 401-842-2067 Alan_E_Southwickraytheoncom

Northeast Chapter Scott Beecher scottbeecherPWutccom

New Mexico Chapter NM William (Bill) Harwood williamharwoodmdamil

Houston Chapter TX Derek Robins 281-335-2011 derekrobbinsmwcc-usacom

North Texas Chapter TX Frank Rinaldo 817-762-3075 frankrrinaldolmcocom

Washington DC Chapter Sean Peters seanpetersurscom

Virtual Chapter Doanna Weissgerber 408-289-4407 DoannaWeissgerberbaesystemscom

International ChaptersAustralia Chapter Dr Holger Becht +61 (0)7 3868 9243 holgerbechtrgbassurancecomau

Canada Chapter Maury Hill 613-220-0533 Mauryhillrogerscom

Israel Chapter Haim Kuper 972-4-8315044 haimkuperelbitsystemscom

Singapore Chapter Ten Lin Mei tlinmeidsoorgsg

54

nOtes

ProgramISSC2013

55

nOtes

56

nOtes

31st issC lunCheon Menu

tuesday august 13

New England Clam Chowder

Grilled Sirloin Shiitake Mushroom Risotto Seasonal Vegetables Port Wine Reduction

Key Lime Tart in a Hazelnut Crust Blackberry Pate de Fruit

Wednesday august 14

Asian Inspired Salad

Teriyaki Chicken Coconut Rice Seared Bok Choy

Triple Chocolate Tower White Dark and Milk Chocolate Mousse Towering atop Devilrsquos Food Cake Ganache and Berry Sauce

thursday august 15

Ceaser Salad

Ricotta and Manchego Torteloni Sweet Italian Sausage Broccolini Artichoke Roasted Tomato Pesto Butter Sauce

White Chocolate and Blood Orange Torte

ProgramISSC2012

3

Page 53: thank you sponsors, exhiBitors, & partners!tutorial Program & CeUs: The conference includes several information-packed tutorials in addition to the papers being presented. Attending

50

SatUrdaysss executive Council meeting 1200 - 500pm Tremont Room

SUndaysss executive Council meeting 800am - 500pm Tremont Room

mondayspeakersrsquo Breakfast 630 - 800am Simmons Room

Opening Ceremoniesgeneral session 130 - 330am Salons A-E 50th Celebration Speaker Rex B Gordon MPH PE CSP Fellow Member Emeritus

Keynote Speaker James P Keller Jr MS ECRI Institute

tUeSdayspeakersrsquo Breakfast 630 - 800am Simmons Room

sponsorexhibitor luncheon 1130am - 120pm Salons A-E Speaker Dr Nancy Leveson Massachusetts Institute of Technology

sponsor amp exhibitor reception 630 - 830pm Gloucester Room

WedneSdayspeakersrsquo Breakfast 630 - 800am Simmons Room

international luncheon 1130am - 120pm Salons A-E Speaker Dr John McDermid The University of York UK

Wolfgang Puck Dinner amp lightning show at the museum of science 630 - 1000pm Be in the hotel lobby at 600pm

thUrSdayspeakersrsquo Breakfast 630 - 800am Simmons Room

awards luncheon 1130 - 120pm Salons A-E

Fridayspeakersrsquo Breakfast 630 - 800am Simmons Room

Best Papers Presentations 800 - 1120am Dartmouth Room

sPeCial fUnCtiOns

ProgramISSC2013

51

32nD internatiOnal system safety COnferenCe4-8 aUGUSt 2014 middot St LoUiS mo

St LoUiS Union Station marriott hoteL

32N

D I

NTE

RNATIO

NAL SYSTEM SAFETY CONFER

ENC

E

ST LOUIS MISSOURI middot AUGUST 4-8

201

4

SAFETYGATEWAYTO

Local attractionsGateway Arch Riverfrontbull Missouri History Museumbull Museum of Transportationbull St Louis Cardinalsbull St Louis Symphonybull St Louis Union Stationbull St Louis Science Centerbull The Contemporary Art Museum St Louisbull Bissell Mansion Restaurant and bull Dinner TheaterMissouri Botanical Gardens bull Laumeier Sculpture Parkbull Anheuser-Busch Brewerybull Kemp Auto Museumbull

Schlafly Bottleworksbull Fox Theaterbull Purina Farmsbull Meramec Cavernsbull Lacledersquos Landingbull City Museumbull Magic Housebull Grantrsquos Farmbull St Louis Zoobull Delmar Loopbull Forrest Parkbull Harrahrsquosbull Six Flagsbull

52

aBOUt the system safety sOCietyThe System Safety Society is a non-profit organization of professionals dedicated to the safety of systems products and services through the effective implementation of the system safety concept Under this concept appropriate technical and managerial skills are applied so that a systematic forward-looking hazard identification and control function becomes an integral part of a project program or activity at the planning phase and continues through the design production testing use and disposal phases

The Societyrsquos ObjectivesTo advance the art and science of system safetybull To promote a meaningful management and technological understanding of system safetybull To disseminate advances in knowledge to all interested groups and individualsbull To further the development of the professionals engaged in system safetybull To improve public understanding of the system safety disciplinebull To improve the communication of system safety principles to all levels of management engineering bull and other professional groups

System Safety Society Inc PO Box 70 Unionville VA 22567-0070wwwsystem-safetyorg email systemsafetysystem-safetyorg

PointS oF contactOfficersRobert Schmedake Presidentrobertaschmedakeboeingcom

Dr Rod Simmons Executive Vice Presidentrodsimmonsmecom

Dr Matt Johnson Executive Secretarymjohnsonstaudertechcom

Pam Kniess Treasurerpamkniessgmailcom

Gary BramanImmediate Past Presidentgbramansikorskycom

DirectorsGerry Einarsson Chapter Serviceseinargkrogerscom Lynece Pfledderer ConferencesLynecepfleddererlmcocom Dr Chuck Muniak Education amp Professional Developmentcmuniakstevensedu

Debbie HaleGov amp Intersociety Hale0324hotmailcom Robert Fletcher International Developmentrwfletchersympaticoca

Melissa Emery Member Servicesmemeryapt-researchcom Steve Mattern Mentoring RampDsmatternbastiontechnologiescom

Saralyn DwyerPublicity amp Mediasdwyerapt-researchcom

ProgramISSC2013

53

chaPterSTennessee Valley Chapter AL Don Swallom swallomisss-tvcorg

Saguaro Chapter AZ Amanda Boysun 520-794-5487 AmandaBoysunraytheoncom

Bay Area Chapter CA Graham Murray 408-756-2674 grahamtmurraylmcocom

Central California Chapter CA Kathleen Brenna KathleenBrenna1usafmil

Sierra High Desert Chapter CA Jerry Banister 760-377-4690 safetycitadelearthlinknet

Southern California Chapter CA Francis McDougall 310-653-1309 francismcdougallusafmil

Colorado Chapter Terry Foppe 303-915-8353 terryfoppecomcastnet

Georgia Chapter Terry Gooch 770-494-3527 terryjgoochgmailcom

Winners Circle Chapter KYIN Marc Bever 812-854-1351 Marcbevernavymil

Twin Cities Chapter MN Bill Blake 763-744-5086 billblakeatkcom

New England Chapter Alan E Southwick 401-842-2067 Alan_E_Southwickraytheoncom

Northeast Chapter Scott Beecher scottbeecherPWutccom

New Mexico Chapter NM William (Bill) Harwood williamharwoodmdamil

Houston Chapter TX Derek Robins 281-335-2011 derekrobbinsmwcc-usacom

North Texas Chapter TX Frank Rinaldo 817-762-3075 frankrrinaldolmcocom

Washington DC Chapter Sean Peters seanpetersurscom

Virtual Chapter Doanna Weissgerber 408-289-4407 DoannaWeissgerberbaesystemscom

International ChaptersAustralia Chapter Dr Holger Becht +61 (0)7 3868 9243 holgerbechtrgbassurancecomau

Canada Chapter Maury Hill 613-220-0533 Mauryhillrogerscom

Israel Chapter Haim Kuper 972-4-8315044 haimkuperelbitsystemscom

Singapore Chapter Ten Lin Mei tlinmeidsoorgsg

54

nOtes

ProgramISSC2013

55

nOtes

56

nOtes

31st issC lunCheon Menu

tuesday august 13

New England Clam Chowder

Grilled Sirloin Shiitake Mushroom Risotto Seasonal Vegetables Port Wine Reduction

Key Lime Tart in a Hazelnut Crust Blackberry Pate de Fruit

Wednesday august 14

Asian Inspired Salad

Teriyaki Chicken Coconut Rice Seared Bok Choy

Triple Chocolate Tower White Dark and Milk Chocolate Mousse Towering atop Devilrsquos Food Cake Ganache and Berry Sauce

thursday august 15

Ceaser Salad

Ricotta and Manchego Torteloni Sweet Italian Sausage Broccolini Artichoke Roasted Tomato Pesto Butter Sauce

White Chocolate and Blood Orange Torte

ProgramISSC2012

3

Page 54: thank you sponsors, exhiBitors, & partners!tutorial Program & CeUs: The conference includes several information-packed tutorials in addition to the papers being presented. Attending

ProgramISSC2013

51

32nD internatiOnal system safety COnferenCe4-8 aUGUSt 2014 middot St LoUiS mo

St LoUiS Union Station marriott hoteL

32N

D I

NTE

RNATIO

NAL SYSTEM SAFETY CONFER

ENC

E

ST LOUIS MISSOURI middot AUGUST 4-8

201

4

SAFETYGATEWAYTO

Local attractionsGateway Arch Riverfrontbull Missouri History Museumbull Museum of Transportationbull St Louis Cardinalsbull St Louis Symphonybull St Louis Union Stationbull St Louis Science Centerbull The Contemporary Art Museum St Louisbull Bissell Mansion Restaurant and bull Dinner TheaterMissouri Botanical Gardens bull Laumeier Sculpture Parkbull Anheuser-Busch Brewerybull Kemp Auto Museumbull

Schlafly Bottleworksbull Fox Theaterbull Purina Farmsbull Meramec Cavernsbull Lacledersquos Landingbull City Museumbull Magic Housebull Grantrsquos Farmbull St Louis Zoobull Delmar Loopbull Forrest Parkbull Harrahrsquosbull Six Flagsbull

52

aBOUt the system safety sOCietyThe System Safety Society is a non-profit organization of professionals dedicated to the safety of systems products and services through the effective implementation of the system safety concept Under this concept appropriate technical and managerial skills are applied so that a systematic forward-looking hazard identification and control function becomes an integral part of a project program or activity at the planning phase and continues through the design production testing use and disposal phases

The Societyrsquos ObjectivesTo advance the art and science of system safetybull To promote a meaningful management and technological understanding of system safetybull To disseminate advances in knowledge to all interested groups and individualsbull To further the development of the professionals engaged in system safetybull To improve public understanding of the system safety disciplinebull To improve the communication of system safety principles to all levels of management engineering bull and other professional groups

System Safety Society Inc PO Box 70 Unionville VA 22567-0070wwwsystem-safetyorg email systemsafetysystem-safetyorg

Points of Contact

Officers
Robert Schmedake, President, robertaschmedake@boeing.com
Dr. Rod Simmons, Executive Vice President, rodsimmons@me.com
Dr. Matt Johnson, Executive Secretary, mjohnson@staudertech.com
Pam Kniess, Treasurer, pamkniess@gmail.com
Gary Braman, Immediate Past President, gbraman@sikorsky.com

Directors
Gerry Einarsson, Chapter Services, einargk@rogers.com
Lynece Pfledderer, Conferences, Lynecepfledderer@lmco.com
Dr. Chuck Muniak, Education & Professional Development, cmuniak@stevens.edu
Debbie Hale, Gov & Intersociety, Hale0324@hotmail.com
Robert Fletcher, International Development, rwfletcher@sympatico.ca
Melissa Emery, Member Services, memery@apt-research.com
Steve Mattern, Mentoring R&D, smattern@bastiontechnologies.com
Saralyn Dwyer, Publicity & Media, sdwyer@apt-research.com

Program ISSC 2013

53

Chapters

Tennessee Valley Chapter (AL): Don Swallom, swallom@isss-tvc.org
Saguaro Chapter (AZ): Amanda Boysun, 520-794-5487, AmandaBoysun@raytheon.com
Bay Area Chapter (CA): Graham Murray, 408-756-2674, grahamtmurray@lmco.com
Central California Chapter (CA): Kathleen Brenna, KathleenBrenna1@us.af.mil
Sierra High Desert Chapter (CA): Jerry Banister, 760-377-4690, safetycitadel@earthlink.net
Southern California Chapter (CA): Francis McDougall, 310-653-1309, francismcdougall@us.af.mil
Colorado Chapter: Terry Foppe, 303-915-8353, terryfoppe@comcast.net
Georgia Chapter: Terry Gooch, 770-494-3527, terryjgooch@gmail.com
Winners Circle Chapter (KY/IN): Marc Bever, 812-854-1351, Marcbever@navy.mil
Twin Cities Chapter (MN): Bill Blake, 763-744-5086, billblake@atk.com
New England Chapter: Alan E. Southwick, 401-842-2067, Alan_E_Southwick@raytheon.com
Northeast Chapter: Scott Beecher, scottbeecher@PW.utc.com
New Mexico Chapter (NM): William (Bill) Harwood, williamharwood@mda.mil
Houston Chapter (TX): Derek Robins, 281-335-2011, derekrobbins@mwcc-usa.com
North Texas Chapter (TX): Frank Rinaldo, 817-762-3075, frankrrinaldo@lmco.com
Washington DC Chapter: Sean Peters, seanpeters@urs.com
Virtual Chapter: Doanna Weissgerber, 408-289-4407, DoannaWeissgerber@baesystems.com

International Chapters

Australia Chapter: Dr. Holger Becht, +61 (0)7 3868 9243, holgerbecht@rgbassurance.com.au
Canada Chapter: Maury Hill, 613-220-0533, Mauryhill@rogers.com
Israel Chapter: Haim Kuper, 972-4-8315044, haimkuper@elbitsystems.com
Singapore Chapter: Ten Lin Mei, tlinmei@dso.org.sg

54

Notes


31st ISSC Luncheon Menu

Tuesday, August 13

New England Clam Chowder

Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction

Key Lime Tart in a Hazelnut Crust, Blackberry Pâte de Fruit

Wednesday, August 14

Asian Inspired Salad

Teriyaki Chicken, Coconut Rice, Seared Bok Choy

Triple Chocolate Tower: White, Dark and Milk Chocolate Mousse Towering atop Devil's Food Cake, Ganache and Berry Sauce

Thursday, August 15

Caesar Salad

Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato, Pesto Butter Sauce

White Chocolate and Blood Orange Torte

Program ISSC 2012

3
