Showing papers on "System safety published in 2000"


Proceedings ArticleDOI
25 Jan 2000
TL;DR: An overview of the intruder detection and isolation protocol (IDIP) architecture and how it supports the need for an intrusion detection and response infrastructure is provided.
Abstract: Automated response to intrusions has become a major issue in defending critical systems. Because the adversary can take actions at computer speeds, systems need the capability to react without human intervention. An infrastructure that supports development of automated response systems is critically needed. This infrastructure must allow easy integration of detection and response components to enable experimentation with automated response strategies. This paper provides an overview of the intruder detection and isolation protocol (IDIP) architecture and how it supports the need for an intrusion detection and response infrastructure.

168 citations


Journal ArticleDOI
TL;DR: The progress that has been made in the laboratory on the industrial application of intelligent systems for operating procedure synthesis and HAZOP analysis has promising implications for process hazards analysis, inherently safer design, operator training and real-time fault diagnosis.

161 citations


Patent
29 Sep 2000
TL;DR: In this article, a saw with a safety system is described, which includes a detection system adapted to detect contact between a person and a blade while the blade is moving and a brake system that stops the blade when the detection system detects contact between the person and the blade.
Abstract: A saw with a safety system is disclosed. The safety system includes a detection system adapted to detect contact between a person and a blade while the blade is moving. The safety system further includes a brake system adapted to engage the blade and to stop the blade when the detection system detects contact between the person and the blade.

160 citations


Journal ArticleDOI
TL;DR: The philosophy of safety management is a relatively new method of controlling safety policies, procedures, and practices within a company. This philosophy is currently being implemented by many construction companies to limit their liabilities and costs, thereby making them more competitive in the construction marketplace. While the principles behind safety management are fairly simple in concept, it is during the implementation of such a program that construction companies may encounter their most difficult obstacles, as discussed by the authors.
Abstract: The philosophy of safety management is a relatively new method of controlling safety policies, procedures, and practices within a company. This philosophy is currently being implemented by many construction companies to limit their liabilities and costs, thereby making them more competitive in the construction marketplace. While the principles behind safety management are fairly simple in concept, it is during the implementation of such a program that construction companies may encounter their most difficult obstacles. In fact, it is often the workers who present the greatest opposition, the same individuals who benefit the most by improved safety conditions on the site. Safety management is a dynamic process operating in a constant state of change. Therefore, the process must be constantly monitored and adjusted to achieve the desired goals. This paper presents a discussion of the methods of safety management employed on a small- to medium-sized project in the northwestern United States. The discussion wil

160 citations


Journal ArticleDOI
TL;DR: A step wise methodology for safety improvements in ports has been developed to establish hazard barriers which are or should be in place to prevent hazards from being released.

114 citations


Journal ArticleDOI
P.E. Juhn, J. Kupitz, John Cleveland, B. Cho, R.B. Lyon
TL;DR: A number of IAEA activities have led to the conclusion that the use of passive safety features can be a desirable method of achieving simplification and increasing the reliability of the performance of essential safety functions, and care should be taken to evaluate possible new failure mechanisms, and both passive and active systems should be assessed from the standpoint of reliability and economics.

77 citations


Proceedings ArticleDOI
TL;DR: The main elements of the proposed analysis process for by-wire systems are described, including the explicit linking of hazard controls to the hazards they cover, permitting coverage-based risk assessment.
Abstract: Steer-by-wire and other "by-wire" systems (as defined in this article) offer many passive and active safety advantages. To help ensure these advantages are achieved, a comprehensive system-safety process should be followed. Here we review standard elements of system safety processes that are widely applied in several industries and describe the main elements of our proposed analysis process for by-wire systems. The process steps include: 1) creating a program plan to act as a blueprint for the process, 2) performing a variety of hazard analysis and risk assessment tasks as specified in the program plan, 3) designing and verifying a set of hazard controls that help mitigate risk, and 4) summarizing the findings. Vehicle manufacturers and suppliers need to work together to create and follow such a process. A distinguishing feature of the process is the explicit linking of hazard controls to the hazards they cover, permitting coverage-based risk assessment.

62 citations


Dissertation
01 Jan 2000
TL;DR: Naccio is introduced, a general architecture for constraining the behavior of program executions and how a large class of safety policies can be defined, and results from the experience with the prototype implementations are evaluated.
Abstract: Executing code can be dangerous. This thesis describes a scheme for protecting the user by constraining the behavior of an executing program. We introduce Naccio, a general architecture for constraining the behavior of program executions. Naccio consists of languages for defining safety policies in a platform-independent way and a system architecture for enforcing those policies on executions by transforming programs. Prototype implementations of Naccio have been built that enforce policies on JavaVM classes and Win32 executables. Naccio addresses two weaknesses of current code safety systems. One problem is that current systems cannot enforce policies with sufficient precision. For example, a system such as the Java sandbox cannot enforce a policy that limits the rate at which data is sent over the network without denying network use altogether since there are no safety checks associated with sending data. The problem is more fundamental than simply the choices about which safety checks to provide. The system designers were hamstrung into providing only a limited number of checks by a design that incurs the cost of a safety check regardless of whether it matters to the policy in effect. Because Naccio statically analyzes and compiles a policy, it can support safety checks associated with any resource manipulation, yet the costs of a safety check are incurred only when the check is relevant. Another problem with current code safety systems is that policies are defined in ad hoc and platform-specific ways. The author of a safety policy needs to know low-level details about a particular platform and once a safety policy has been developed and tested it cannot easily be transferred to a different platform. Naccio provides a platform-independent way of defining safety policies in terms of abstract resources. Safety policies are described by writing code fragments that account for and constrain resource manipulations. 
Resources are described using abstract objects with operations that correspond to manipulations of the corresponding system resource. A platform interface provides an operational specification of how system calls affect resources. This enables safety policies to be described in a platform-independent way and isolates most of the complexity of the system. This thesis motivates and describes the design of Naccio, demonstrates how a large class of safety policies can be defined, and evaluates results from our experience with the prototype implementations. (Copies available exclusively from MIT Libraries, Rm. 14-0551, Cambridge, MA 02139-4307. Ph. 617-253-5668; Fax 617-253-1690.)

47 citations


01 Jan 2000
TL;DR: A “timetable”-free approach to avoid the specification of a particular timetable is developed and a generic infra-element is considered that allows a concise representation of many different combinations of infrastructure, safety systems and traffic regimes.
Abstract: We consider the problem of determining the capacity of a planned railway infrastructure layout under uncertainties. In order to address the long-term nature of the problem, in which the exact (future) demand of service is unknown, we develop a “timetable”-free approach to avoid the specification of a particular timetable. We consider a generic infra-element that allows a concise representation of many different combinations of infrastructure, safety systems and traffic regimes, such as mixed double and single track lines (e.g., a double track line including a single tunnel tube), and train operations on partly overlapping routes at station yards. We translate the capacity assessment problem for such a generic infra-element into an optimization problem and provide a solution procedure. We illustrate our approach with a capacity assessment for the newly built high-speed railway line in The Netherlands.

46 citations


Patent
27 Jun 2000
TL;DR: In this paper, a crash control system for vehicles employs pre-crash surrogate signals to predict a potential crash and modify the normal trigger points of safety systems to improve the timing of their response.
Abstract: A crash control system for vehicles employs pre-crash surrogate signals to predict a potential crash. The predictive signals may be generated by activation of the vehicle's anti-lock brakes, by a sensor that detects the rate of brake pedal travel indicating panic braking, or by advanced radar systems. The pre-crash signals may be used to ready various safety systems on the vehicle, such as chassis and suspension systems, dynamic body systems, interior occupant protection systems and other systems that function to improve the vehicle's crashworthiness or assist in improving vehicle stability or control. The pre-crash signals may also be used to modify the normal trigger points of safety systems to improve the timing of their response.

41 citations


Journal ArticleDOI
TL;DR: SMART (System-integrated Modular Advanced ReacTor) as discussed by the authors is an integral reactor of 330 MW capacity with passive safety features under development in Korea. It is developed by combining firmly established commercial reactor technologies with new and advanced technologies such as industry-proven KOFA (Korea Optimized Fuel Assembly) based nuclear fuels, a self-pressurizing pressurizer, helically coiled once-through steam generators, and new control concepts.

Journal ArticleDOI
TL;DR: By facilitating automation of HAZOP, EXPERTOP is expected to contribute significantly to the initiatives of the chemical process and other industries in conducting risk assessment and contribute to an improvement in the production efficiency and, more significantly, risk minimisation of the industries.
Abstract: An expert system has been developed for automating HAZOP (HAZard and Operability) studies. The system, EXPERTOP (EXPERT system for conducting HAZOP) is capable of performing HAZOP studies at significantly lesser costs and with better accuracy than conventional HAZOP studies. By facilitating automation of HAZOP, EXPERTOP is expected to contribute significantly to the initiatives of the chemical process and other industries in conducting risk assessment. This, in turn, would contribute to an improvement in the production efficiency and, more significantly, risk minimisation of the industries. The latter aspect has assumed ever-increasing significance because frequency of industrial accidents has been increasing over the years as has the extent of damage caused by such accidents.

Journal ArticleDOI
TL;DR: STIs of the systems are optimized at the plant level based on the simplified probabilistic safety assessment (PSA) model of a pressurized water reactor and the analytical unavailability model is implemented to overcome limits of the conventional fault tree approach.
Abstract: Up to now, the optimization of surveillance test intervals (STIs) has been performed at the system level. In other words, the STI of a system is optimized considering only the conditions related to that system. For instance, the STI of an emergency diesel generator (EDG) is determined considering only the availability of an EDG and the costs related to the changed STI. However, such an approach can cause problems when the effects of each system's optimized STI are combined. That is, the core damage frequency can increase to a level that cannot be accepted by the regulatory body when the STIs optimized at the system level are all adopted together. In this paper, STIs of the systems are optimized at the plant level based on the simplified probabilistic safety assessment (PSA) model of a pressurized water reactor. The PSA model includes most of the important safety systems. Optimizing the STIs of various systems based on the PSA model at the plant level is a nonlinear and multimodal optimization problem with constraints. Most conventional optimization techniques have difficulties in handling such multimodal and nonlinear optimization problems. Therefore, we applied a genetic algorithm to the optimization of STIs. The genetic algorithms guarantee the global optimum and find the solution very effectively. In addition, the fault trees used in PSA have some limitations in representing the real world; i.e., in estimating the unavailability of standby systems and the effects of maintenance strategies. So, the analytical unavailability model is implemented to overcome such limits of the conventional fault tree approach. The analytical unavailability model enables us to accurately estimate the effect of a maintenance strategy on the unavailability of systems. The optimized STIs based on the conventional fault tree and the analytical unavailability model are compared.

Journal ArticleDOI
TL;DR: The scope of this paper is to illustrate the state-of-practice related to risk analysis of long railway tunnels, and quantitative target safety levels for risk reduction are proposed.

01 Jan 2000
TL;DR: In this article, the authors describe guidelines that are being prepared which will focus on software designed for the safety analysis of vehicle-based systems, including system analysis, hazard identification, hazard analysis, identification of safety integrity levels, and applications of failure mode and effects analysis and fault tree analysis.
Abstract: This article describes guidelines that are being prepared which will focus on software designed for the safety analysis of vehicle-based systems. Topics will include: system analysis, hazard identification, hazard analysis, identification of safety integrity levels, and applications of failure mode and effects analysis and fault tree analysis.

Proceedings ArticleDOI
TL;DR: The author discusses the safeware methodology, which extends the basic system safety engineering process to handle digital components and subsystems, to support the design, implementation and maintenance of complex, safety-critical systems.
Abstract: In this paper, the author presents a summary of the state of the art in software system safety. The paper begins with a discussion on different types of accidents encountered in software systems. The role of software in accidents is covered, followed by a discussion on system safety. The author discusses the safeware methodology, which extends the basic system safety engineering process to handle digital components and subsystems. The paper concludes with a description of an experimental design and development environment known as Specification Tools and Requirements Methodology (SpecTRM). The focus of SpecTRM is to support the design, implementation and maintenance of complex, safety-critical systems.

Journal ArticleDOI
TL;DR: After stating the present challenge to prevention of losses in the process industries, the systematic approach of quantified risk assessment is briefly reviewed and improvements in the methodology are mentioned.

Proceedings ArticleDOI
18 Mar 2000
TL;DR: In this article, the integration of Integrated Vehicle Health Management (IVHM) technologies into launch vehicle and spacecraft designs offers the potential for significant savings in operations costs, which directly translates to reduced workload on the ground controller team through reduction of raw vehicle data into "health summary information."
Abstract: Incorporation of Integrated Vehicle Health Management (IVHM) technologies into launch vehicle and spacecraft designs offers the potential for significant savings in operations costs. IVHM has three basic objectives. First is more autonomous operation in flight and on the ground, which directly translates to reduced workload on the ground controller team through reduction of raw vehicle data into "health summary information." Next is reduced ground processing of reusable vehicles due to more performance of system health checks in flight rather than back on the ground as well as more automated ground servicing and checkout. Lastly is enhanced vehicle safety and reliability due to increased capability to monitor system health using modern sensing systems inside even the harsh environment of an engine combustion chamber as well as through prediction of pending failures. The "integrated" piece of IVHM is the total integration of flight and ground IVHM elements. The three elements of flight IVHM are advanced light weight/low power sensors, extensive real-time data processing and analysis and distributed data acquisition architecture with high-density mass storage. The two elements of ground IVHM are evolved control room architectures with advanced applications and automated ground processing systems. The status of current flight experiments on the Space Shuttle, Deep Space-1, X-33, X-34 and X-37 is presented.

Journal ArticleDOI
TL;DR: This article shows an example of how a safety system can be designed to achieve increased flexibility in co-operation between human and production safety strategy and presents a system implementation in an industrial robot application based on sensor information.
Abstract: Machines in industry, including industrial robots, have in many cases dramatically reduced the man-made work and improved the work environment. New machines introduce, however, new risk factors. Traditionally, machines are safeguarded by means that more or less rigidly separate the machines from the personnel. This works well in many traditional areas, i.e., where industrial robots are involved. There is, however, a risk that the safety system limits the valuable flexibility of the robot, which can be considered a quality that tends to become even more valuable with the progress of programming possibilities and sensor technology. This article shows an example of how a safety system can be designed to achieve increased flexibility in co-operation between human and production safety strategy. The proposed safety system is totally based on sensor information that monitors the working area, calculates the safety level and adjusts the system dynamically, e.g., reduces the robot capability in conjunction with the system safety level. The safety system gains information from the sensors and calculates a risk level which controls the robot speed, i.e., the speed is reduced to achieve a sufficiently low risk level. The sensor data is combined with fuzzy-based sensor fusion and fuzzy rules. The safety system is based on sensor information, hence it automatically adjusts to changes in the guarded area as long as the functionality of the sensors is maintained. Finally, we present a system implementation in an industrial robot application.

Journal ArticleDOI
TL;DR: An account of carrying out a hazard analysis to define the safety requirements for an autonomous robotic excavator and how the results of the hazard analysis have influenced system design, in particular, safety manager specifications is explained.

Journal ArticleDOI
TL;DR: In this paper, the authors present a risk assessment approach, which uses analytic hierarchy process (AHP) to directly and holistically estimate risk, showing greater flexibility in comparison to traditional methods.
Abstract: It is widely accepted that progressive improvement of industrial safety is heavily dependent on the introduction of a systematic vision of man-machine-workplace interactions. In this respect, risk assessment is one of the most critical tasks in the management of industrial safety. The paper presents a risk assessment approach, which uses the analytic hierarchy process (AHP) to directly and holistically estimate risk, showing greater flexibility in comparison to traditional methods. In the first phase (risk assessment), given a work task, the methodology supports risk characterization and prioritization of hazards within a hierarchical framework. In the second phase (causes assessment), the proposed methodology supports the influence analysis of the main causes of risk (machine, operator, procedures and environment), providing management with a more rational framework to make decisions and allocate resources devoted to safety improvement actions. The methodology is illustrated with reference to a case study concerning machining operations.

01 Jan 2000
TL;DR: This is a conference paper presented at the 18th International System Safety Conference September 11-16 2000, Fort Worth Texas, Radisson Plaza.
Abstract: This is a conference paper. It was presented at the 18th International System Safety Conference September 11-16 2000, Fort Worth Texas, Radisson Plaza.

Proceedings ArticleDOI
25 Jun 2000
TL;DR: The sensitivity analysis module of the ASTRA (Advanced Software Tools for Reliability Analysis) package is presented, based on component importance analysis techniques to be applied to all system failure states concurrently, and employs fault-tree analysis and Markov processes as the basic probabilistic models.
Abstract: In order to help identify suitable design modifications for complex systems, there is a need to (1) determine the weakest elements of the system, (2) identify a better design alternative, and (3) evaluate the effect of the adopted solution on system safety/availability. This is a well-known procedure that is applied to a single system failure mode. In reality, several undesired system states have to be checked for. On the other hand, systems grow in complexity, and components are often multi-functional, so that they could affect several system states concurrently, and even in conflicting terms. This paper presents the sensitivity analysis module of the ASTRA (Advanced Software Tools for Reliability Analysis) package, based on component importance analysis techniques to be applied to all system failure states concurrently. The technique employs fault-tree analysis and Markov processes as the basic probabilistic models.

Proceedings ArticleDOI
01 Jul 2000
TL;DR: Specific AvSP PHM objectives are to develop and validate propulsion system health monitoring technologies designed to prevent engine malfunctions from occurring in flight, and to mitigate detrimental effects in the event an in-flight malfunction does occur.
Abstract: The NASA Aviation Safety Program (AvSP) has been initiated with aggressive goals to reduce the civil aviation accident rate. To meet these goals, several technology investment areas have been identified, including a sub-element in propulsion health monitoring (PHM). Specific AvSP PHM objectives are to develop and validate propulsion system health monitoring technologies designed to prevent engine malfunctions from occurring in flight, and to mitigate detrimental effects in the event an in-flight malfunction does occur. A review of available propulsion system safety information was conducted to help prioritize PHM areas to focus on under the AvSP. It is noted that when a propulsion malfunction is involved in an aviation accident or incident, it is often a contributing factor rather than the sole cause for the event. Challenging aspects of the development and implementation of PHM technology such as cost, weight, robustness, and reliability are discussed. Specific technology plans are overviewed, including vibration diagnostics, model-based controls and diagnostics, advanced instrumentation, and general aviation propulsion system health monitoring technology. Propulsion system health monitoring, in addition to engine design, inspection, maintenance, and pilot training and awareness, is intrinsic to enhancing aviation propulsion system safety.

01 Jan 2000
TL;DR: This paper explains the concept and its application of safety integrity levels, giving examples of how SILs are derived in three current safety standards, and shows a number of ways in which the SIL concept is misinterpreted and used misleadingly.
Abstract: Modern standards on system safety employ the concept of safety integrity levels (SILs). Increasing numbers of system purchasers are expecting their suppliers to demonstrate that they use the concept, so system developers are seeking to apply it. But the standards differ in their derivation of SILs and none explains the concept satisfactorily, with the result that it is often misunderstood and used inconsistently, incorrectly, and inappropriately. This paper explains the concept and its application, giving examples of how SILs are derived in three current safety standards. It then shows a number of ways in which the SIL concept is misinterpreted and used misleadingly. Further, it considers the relationship between SILs and risk-tolerability decisions.

Proceedings ArticleDOI
24 Jan 2000
TL;DR: In this paper, an approach for the reliability analysis of systems with on-demand and dynamic failure modes is presented, which is implemented in the fault tree analysis software package, Galileo, and applied to a water deluge system taken from the offshore industry.
Abstract: An approach for the reliability analysis of systems with on-demand and dynamic failure modes is presented. Safety systems such as sprinkler systems or other protection systems are characterized by such failure behavior. They have support subsystems to start up the system on demand, and once they start running, they are prone to dynamic failure. Failure on demand requires an availability analysis of components (typically electromechanical components) which are required to start or support the safety system. Once the safety system is started, it is often reasonable to assume that these support components do not fail while running. Further, these support components may be tested and maintained periodically while not in active use. Dynamic failure refers to the failure while running (once started) of the active components of the safety system. These active components may be fault tolerant and utilize spares or other forms of redundancy, but are not maintainable while in use. In this paper, the authors describe a simple yet powerful approach to combining the availability analysis of the static components with a reliability analysis of the dynamic components. This approach is explained using a hypothetical example sprinkler system, and applied to a water deluge system taken from the offshore industry. The approach is implemented in the fault tree analysis software package, Galileo.

01 Jan 2000
TL;DR: In this paper, the authors developed a framework for evaluating the performance of different types of occupational health and safety management systems and showed workplaces with innovative management are better performers, as are workplaces which focus on hazard elimination rather than worker behaviour.
Abstract: This thesis develops a framework for evaluating the performance of different types of occupational health and safety management systems. It shows workplaces with innovative management are better performers, as are workplaces which focus on hazard elimination rather than worker behaviour.

Journal ArticleDOI
TL;DR: In this paper, a method for calculating the dynamic reliability of safety systems and its application to a refrigerated liquid cryogenic ammonia storage tank is presented, based on the theory of Markov chains.
Abstract: A method for calculating the dynamic reliability of safety systems and its application to a refrigerated liquid cryogenic ammonia storage tank is presented. The method is based on the theory of Markov chains and can model dynamic phenomena of the process and its safety systems. It offers the capability of modelling realistically the competing process of repairing failed safety systems and the exceeding of safe limits by some critical physical parameters of the process. The results of the Markovian analysis are compared to those of the classical Fault Tree/Event Tree methods and it is shown that the proposed method offers a substantial improvement over the classical approach. The probability of failure from overpressure of a cryogenic ammonia storage tank depends in general on the level of the ammonia in the tank at the time of accident initiation. Assuming a uniform distribution for the ammonia level in the tank, the average upper and lower limits for the failure probability over a year provided by the FT/ET methods span three orders of magnitude [1.4×10⁻¹ to 1.0×10⁻⁴] depending on whether repair is considered or not. The proposed approach realistically determines this failure probability at 3.3×10⁻³. Additional results from specific levels of ammonia are also provided.

Proceedings ArticleDOI
A.C. Brown, E.J. Cullen, J. Wu, Mark Brackstone, D.J. Gunton, Mike McDonald
03 Oct 2000
TL;DR: In this article, the authors report on a modelling study of one such system conducted as part of the Road Traffic Advisor project within the UK, based on a communication link in the millimetric waveband (approximately 60 GHz).
Abstract: Advanced vehicle control and safety systems are rapidly evolving around the globe, allowing the testing of convoying systems. A key element in such systems is the production of a reliable vehicle-to-vehicle communication link, capable of robust operation in a range of operating environments. This paper reports on a modelling study of one such system conducted as part of the Road Traffic Advisor project within the UK, based on a communication link in the millimetric waveband (approximately 60 GHz). The likely outage is examined for a basic inter-vehicle data link. This is used in conjunction with a simulation of convoy behaviour based on a control model to examine the effect of such outages on convoy operation. The paper concludes that the impact of the communication protocol and the communication outages on the control dynamics of an automated convoy would not degrade its performance.