
Showing papers on "System safety published in 2005"


Book
03 Aug 2005
TL;DR: In this paper, the authors present a system for hazard analysis based on the idea of fault trees, and present a set of guidelines to avoid common mistakes in such a system, as well as some advantages and disadvantages of using fault trees.
Abstract: PREFACE. ACKNOWLEDGMENTS. 1. System Safety. 1.1 Introduction. 1.2 System Safety Background. 1.3 System Safety Characterization. 1.4 System Safety Process. 1.5 System Concept. 1.6 Summary. 2. Hazards, Mishap, and Risk. 2.1 Introduction. 2.2 Hazard-Related Definitions. 2.3 Hazard Theory. 2.4 Hazard Actuation. 2.5 Hazard Causal Factors. 2.6 Hazard-Mishap Probability. 2.7 Recognizing Hazards. 2.8 Hazard Description. 2.9 Summary. 3. Hazard Analysis Types and Techniques. 3.1 Types and Techniques. 3.2 Description of Hazard Analysis Types. 3.3 Timing of Hazard Analysis Types. 3.4 Interrelationship of Hazard Analysis Types. 3.5 Hazard Analysis Techniques. 3.6 Inductive and Deductive Techniques. 3.7 Qualitative and Quantitative Techniques. 3.8 Summary. 4. Preliminary Hazard List. 4.1 Introduction. 4.2 Background. 4.3 History. 4.4 Theory. 4.5 Methodology. 4.6 Worksheet. 4.7 Hazard Checklists. 4.8 Guidelines. 4.9 Example: Ace Missile System. 4.10 Advantages and Disadvantages. 4.11 Common Mistakes to Avoid. 4.12 Summary. 5. Preliminary Hazard Analysis. 5.1 Introduction. 5.2 Background. 5.3 History. 5.4 Theory. 5.5 Methodology. 5.6 Worksheet. 5.7 Guidelines. 5.8 Example: Ace Missile System. 5.9 Advantages and Disadvantages. 5.10 Common Mistakes to Avoid. 5.11 Summary. 6. Subsystem Hazard Analysis. 6.1 Introduction. 6.2 Background. 6.3 History. 6.4 Theory. 6.5 Methodology. 6.6 Worksheet. 6.7 Guidelines. 6.8 Example: Ace Missile System. 6.9 Advantages and Disadvantages. 6.10 Common Mistakes to Avoid. 6.11 Summary. 7. System Hazard Analysis. 7.1 Introduction. 7.2 Background. 7.3 History. 7.4 Theory. 7.5 Methodology. 7.6 Worksheet. 7.7 Guidelines. 7.8 Example. 7.9 Advantages and Disadvantages. 7.10 Common Mistakes to Avoid. 7.11 Summary. 8. Operating and Support Hazard Analysis. 8.1 Introduction. 8.2 Background. 8.3 History. 8.4 Definitions. 8.5 Theory. 8.6 Methodology. 8.7 Worksheet. 8.8 Hazard Checklists. 8.9 Support Tools. 8.10 Guidelines. 8.11 Examples. 
8.12 Advantages and Disadvantages. 8.13 Common Mistakes to Avoid. 8.14 Summary. 9. Health Hazard Assessment. 9.1 Introduction. 9.2 Background. 9.3 History. 9.4 Theory. 9.5 Methodology. 9.6 Worksheet. 9.7 Checklist. 9.8 Example. 9.9 Advantages and Disadvantages. 9.10 Common Mistakes to Avoid. 9.11 Summary. 10. Safety Requirements/Criteria Analysis. 10.1 Introduction. 10.2 Background. 10.3 History. 10.4 Theory. 10.5 Methodology. 10.6 Worksheets. 10.7 Example. 10.8 Advantages and Disadvantages. 10.9 Common Mistakes to Avoid. 10.10 Summary. 11. Fault Tree Analysis. 11.1 Introduction. 11.2 Background. 11.3 History. 11.4 Theory. 11.5 Methodology. 11.6 Functional Block Diagrams. 11.7 Cut Sets. 11.8 MOCUS Algorithm. 11.9 Bottom-Up Algorithm. 11.10 Mathematics. 11.11 Probability. 11.12 Importance Measures. 11.13 Example 1. 11.14 Example 2. 11.15 Example 3. 11.16 Phase- and Time-Dependent FTA. 11.17 Dynamic FTA. 11.18 Advantages and Disadvantages. 11.19 Common Mistakes to Avoid. 11.20 Summary. 12. Event Tree Analysis. 12.1 Introduction. 12.2 Background. 12.3 History. 12.4 Definitions. 12.5 Theory. 12.6 Methodology. 12.7 Worksheet. 12.8 Example 1. 12.9 Example 2. 12.10 Example 3. 12.11 Example 4. 12.12 Advantages and Disadvantages. 12.13 Common Mistakes to Avoid. 12.14 Summary. 13. Failure Mode and Effects Analysis. 13.1 Introduction. 13.2 Background. 13.3 History. 13.4 Definitions. 13.5 Theory. 13.6 Methodology. 13.7 Worksheet. 13.8 Example 1: Hardware Product FMEA. 13.9 Example 2: Functional FMEA. 13.10 Level of Detail. 13.11 Advantages and Disadvantages. 13.12 Common Mistakes to Avoid. 13.13 Summary. 14. Fault Hazard Analysis. 14.1 Introduction. 14.2 Background. 14.3 History. 14.4 Theory. 14.5 Methodology. 14.6 Worksheet. 14.7 Example. 14.8 Advantages and Disadvantages. 14.9 Common Mistakes to Avoid. 14.10 Summary. 15. Functional Hazard Analysis. 15.1 Introduction. 15.2 Background. 15.3 History. 15.4 Theory. 15.5 Methodology. 15.6 Worksheets. 
15.7 Example 1: Aircraft Flight Functions. 15.8 Example 2: Aircraft Landing Gear Software. 15.9 Example 3: Ace Missile System. 15.10 Advantages and Disadvantages. 15.11 Common Mistakes to Avoid. 15.12 Summary. 16. Sneak Circuit Analysis. 16.1 Introduction. 16.2 Background. 16.3 History. 16.4 Definitions. 16.5 Theory. 16.6 Methodology. 16.7 Example 1: Sneak Path. 16.8 Example 2: Sneak Label. 16.9 Example 3: Sneak Indicator. 16.10 Example Sneak Clues. 16.11 Software Sneak Circuit Analysis. 16.12 Advantages and Disadvantages. 16.13 Common Mistakes to Avoid. 16.14 Summary. 17. Petri Net Analysis (PNA). 17.1 Introduction. 17.2 Background. 17.3 History. 17.4 Definitions. 17.5 Theory. 17.6 Methodology. 17.7 Examples. 17.8 Advantages and Disadvantages. 17.9 Common Mistakes to Avoid. 17.10 Summary. 18. Markov Analysis. 18.1 Introduction. 18.2 Background. 18.3 History. 18.4 Definitions. 18.5 Theory. 18.6 Methodology. 18.7 Examples. 18.8 Markov Analysis and FTA Comparisons. 18.9 Advantages and Disadvantages. 18.10 Common Mistakes to Avoid. 18.11 Summary. 19. Barrier Analysis. 19.1 Introduction. 19.2 Background. 19.3 History. 19.4 Definitions. 19.5 Theory. 19.6 Methodology. 19.6.1 Example Checklist of Energy Sources. 19.6.2 Considerations. 19.7 Worksheet. 19.8 Example. 19.9 Advantages and Disadvantages. 19.10 Common Mistakes to Avoid. 19.11 Summary. 20. Bent Pin Analysis. 20.1 Introduction. 20.2 Background. 20.3 History. 20.4 Theory. 20.5 Methodology. 20.6 Worksheet. 20.7 Example. 20.8 Advantages and Disadvantages. 20.9 Common Mistakes to Avoid. 20.10 Summary. 21. Hazard and Operability Analysis. 21.1 Introduction. 21.2 Background. 21.3 History. 21.4 Theory. 21.5 Methodology. 21.5.1 Design Representations. 21.5.2 System Parameters. 21.5.3 Guide Words. 21.5.4 Deviation from Design Intent. 21.6 Worksheet. 21.7 Example 1. 21.8 Example 2. 21.9 Advantages and Disadvantages. 21.10 Common Mistakes to Avoid. 21.11 Summary. 22. Cause-Consequence Analysis. 22.1 Introduction. 
22.2 Background. 22.3 History. 22.4 Definitions. 22.5 Theory. 22.6 Methodology. 22.7 Symbols. 22.8 Worksheet. 22.9 Example 1: Three-Component Parallel System. 22.10 Example 2: Gas Pipeline System. 22.10.1 Reducing Repeated Events. 22.11 Advantages and Disadvantages. 22.12 Common Mistakes to Avoid. 22.13 Summary. 23. Common Cause Failure Analysis. 23.1 Introduction. 23.2 Background. 23.3 History. 23.4 Definitions. 23.5 Theory. 23.6 Methodology. 23.7 Defense Mechanisms. 23.8 Example. 23.9 Models. 23.10 Advantages and Disadvantages. 23.11 Common Mistakes to Avoid. 23.12 Summary. 24. Management Oversight Risk Tree Analysis. 24.1 Introduction. 24.2 Background. 24.3 History. 24.4 Theory. 24.5 Methodology. 24.6 Worksheet. 24.7 Advantages and Disadvantages. 24.8 Common Mistakes to Avoid. 24.9 Summary. 25. Software Safety Assessment. 25.1 Introduction. 25.2 Background. 25.3 History. 25.4 Theory. 25.5 Methodology. 25.6 Worksheet. 25.7 Software Risk Level. 25.8 Example. 25.9 Advantages and Disadvantages. 25.10 Common Mistakes to Avoid. 25.11 Summary. 26. Summary. 26.1 Principle 1: Hazards, Mishaps, and Risk are Not Chance Events. 26.2 Principle 2: Hazards are Created During Design. 26.3 Principle 3: Hazards are Comprised of Three Components. 26.4 Principle 4: Hazard and Mishap Risk Management Is the Core Safety Process. 26.5 Principle 5: Hazard Analysis Is a Key Element of Hazard and Mishap Risk Management. 26.6 Principle 6: Hazard Management Involves Seven Key Hazard Analysis Types. 26.7 Principle 7: Hazard Analysis Primarily Encompasses Seven Hazard Analysis Techniques. 26.8 Finis. Appendix A: List of Acronyms. Appendix B: Glossary. Appendix C: Hazard Checklists. Index.

683 citations



Journal ArticleDOI
14 Dec 2005-JAMA
TL;DR: The current status of hospital patient safety systems is not close to meeting IOM recommendations, and data are consistent with recent reports that patient safety system progress is slow and is a cause for great concern.
Abstract: Context: Since the Institute of Medicine (IOM) reports on medical errors and quality, national attention has focused on improving patient safety through changes in “systems” of care. These reports resulted in a new paradigm that, rather than centering on individual errors, focuses on the “systems” necessary to facilitate and enhance quality and protect patients. Objectives: To assess the status of hospital patient safety systems since the release of the IOM reports and to identify changes over time in 2 states that collaborated on a patient safety project funded by the Agency for Healthcare Research and Quality. Design, Setting, and Participants: Survey of all acute care hospitals in Missouri and Utah at 2 points in time, in 2002 and 2004, using a 91-item comprehensive questionnaire (n = 126 for survey 1 and n = 128 for survey 2). To assess changes over time, we also studied the cohort of 107 hospitals that responded to both surveys. Main Outcome Measures: Responses to the 91-question survey as well as changes in responses to the survey questions over an 18-month period. Seven latent variables were constructed to represent the most important patient safety constructs studied: computerized physician order entry systems, computerized test results, and assessments of adverse events; specific patient safety policies; use of data in patient safety programs; drug storage, administration, and safety procedures; manner of handling adverse event/error reporting; prevention policies; and root cause analysis. For each hospital, the 7 latent variables were summed to give an overall measure of the patient safety status of the hospital. Results: Development and implementation of patient safety systems is at best modest. Self-reported regression in patient safety systems was also found. While 74% of hospitals reported full implementation of a written patient safety plan, nearly 9% reported no plan. The area of surgery appears to have the greatest level of patient safety systems.
Other areas, such as medications, with a long history of efforts in patient safety and error prevention, showed improvements, but the percentage of hospitals with various safety systems was already high at baseline for many systems. Some findings are surprising, given the overall trends; for example, while a substantial percentage of hospitals have medication safety systems, only 34.1% reported full implementation at survey 2 of computerized physician order entry systems for medications, despite the growth of computer technology in general and in hospital billing systems in particular. Conclusions: The current status of hospital patient safety systems is not close to meeting IOM recommendations. Data are consistent with recent reports that patient safety system progress is slow and is a cause for great concern. Efforts for improvement must be accelerated.

224 citations


Book ChapterDOI
28 Sep 2005
TL;DR: This paper reports the initial experience in using model-based safety analysis on an example system taken from the ARP Safety Assessment guidelines document.
Abstract: Safety analysis techniques have traditionally been performed manually by the safety engineers. Since these analyses are based on an informal model of the system, it is unlikely that these analyses will be complete, consistent, and error-free. Using precise formal models of the system as the basis of the analysis may help reduce errors and provide a more thorough analysis. Further, these models allow automated analysis, which may reduce the manual effort required. The process of creating system models suitable for safety analysis closely parallels the model-based development process that is increasingly used for critical system and software development. By leveraging the existing tools and techniques, we can create formal safety models using tools that are familiar to engineers and we can use the static analysis infrastructure available for these tools. This paper reports our initial experience in using model-based safety analysis on an example system taken from the ARP Safety Assessment guidelines document.

159 citations


Proceedings ArticleDOI
27 Dec 2005
TL;DR: This paper proposes an approach, Model-Based Safety Analysis, in which the system and safety engineers use the same system models created during a model-based development process, which can both reduce the cost and improve the quality of the safety analysis.
Abstract: System safety analysis techniques are well established and are used extensively during the design of safety-critical systems. Despite this, most of the techniques are highly subjective and dependent on the skill of the practitioner. Since these analyses are usually based on an informal system model, it is unlikely that they will be complete, consistent, and error free. In fact, the lack of precise models of the system architecture and its failure modes often forces the safety analysts to devote much of their effort to finding undocumented details of the system behavior and embedding this information in the safety artifacts such as the fault trees. In this paper we propose an approach, Model-Based Safety Analysis, in which the system and safety engineers use the same system models created during a model-based development process. By extending the system model with a fault model as well as relevant portions of the physical system to be controlled, automated support can be provided for much of the safety analysis. We believe that by using a common model for both system and safety engineering and automating parts of the safety analysis, we can both reduce the cost and improve the quality of the safety analysis. Here we present our vision of model-based safety analysis and discuss the advantages and challenges in making this approach practical.

102 citations


Journal ArticleDOI
TL;DR: Passive safety systems are commonly considered to be more reliable than active systems as mentioned in this paper, and the lack of mechanical moving parts or other active components drastically reduces the probabilities of hardw...
Abstract: Passive safety systems are commonly considered to be more reliable than active systems. The lack of mechanical moving parts or other active components drastically reduces the probabilities of hardw...

102 citations


Journal ArticleDOI
TL;DR: A framework for modelling, analysing and synthesizing system safety of engineering systems or projects on the basis of a generic rule‐based inference methodology using the evidential reasoning (RIMER) approach is proposed.
Abstract: The main objective of this paper is to propose a framework for modelling, analysing and synthesizing system safety of engineering systems or projects on the basis of a generic rule-based inference methodology using the evidential reasoning (RIMER) approach. The framework is divided into two parts. The first one is for fuzzy rule-based safety estimation, referred to as a fuzzy rule-based evidential reasoning (FURBER) approach. The second one is for safety synthesis using the evidential reasoning approach. In the FURBER framework, parameters used to define the safety level, including failure rate, failure consequence severity and failure consequence probability are described using fuzzy linguistic variables; a fuzzy rule base designed on the basis of a belief structure is used to capture uncertainty and nonlinear relationships between these three parameters and the safety level; and the inference of the rule-based system is implemented using the evidential reasoning algorithm. Then the following steps involve synthesizing safety at higher levels of an engineering system to integrate all possible causes to a specific technical failure, or estimates made by a panel of experts. The synthesis is also based on the evidential reasoning approach. The final step describes the analysis and interpretation of the final synthesized safety of a system. The above framework has been applied to modelling system safety of an offshore and marine engineering system: the floating production storage offloading (FPSO) system. A series of case studies of collision risk between a FPSO and a shuttle tanker due to technical failure during a tandem offloading operation is used to illustrate the application of the proposed model. Copyright © 2005 John Wiley & Sons, Ltd.

101 citations


Journal ArticleDOI
TL;DR: This paper applies some of the HRO principles to airway management and illustrates how to transform more general strategies to practical application in the clinical world, including the use of key elements of crisis resource management (CRM) and the development of a checklist for safety inAirway management.

90 citations


ReportDOI
14 Feb 2005
TL;DR: In this article, it has been recognized that the application of passive safety systems (i.e., those whose operation takes advantage of natural forces such as convection and gravity) can contribute to simplification and potentially to improved economics of new nuclear power plant designs.
Abstract: In recent years it has been recognized that the application of passive safety systems (i.e., those whose operation takes advantage of natural forces such as convection and gravity) can contribute to simplification and potentially to improved economics of new nuclear power plant designs. In 1991 the IAEA Conference on "The Safety of Nuclear Power: Strategy for the Future" noted that for new plants the use of passive safety features is a desirable method of achieving simplification and increasing the reliability of the performance of essential safety functions, and should be used wherever appropriate.

61 citations


Book ChapterDOI
29 Nov 2005
TL;DR: An integrative approach is used to automate Failure Modes and Effects Analysis (FMEA), a widely used system safety analysis technique, using a high-level graphical modelling notation (Behavior Trees) and model checking.
Abstract: Formal methods have significant benefits for developing safety critical systems, in that they allow for correctness proofs, model checking safety and liveness properties, deadlock checking, etc. However, formal methods do not scale very well and demand specialist skills, when developing real-world systems. For these reasons, development and analysis of large-scale safety critical systems will require effective integration of formal and informal methods. In this paper, we use such an integrative approach to automate Failure Modes and Effects Analysis (FMEA), a widely used system safety analysis technique, using a high-level graphical modelling notation (Behavior Trees) and model checking. We inject component failure modes into the Behavior Trees and translate the resulting Behavior Trees to SAL code. This enables us to model check if the system in the presence of these faults satisfies its safety properties, specified by temporal logic formulas. The benefit of this process is tool support that automates the tedious and error-prone aspects of FMEA.

58 citations


01 Jun 2005
TL;DR: The activities in this field at the Mercedes Car Group (MCG) are presented, which includes systems that warn the driver when the probability of an accident increases, systems that assist the driver actively in avoiding an impending accident, and finally autonomously intervening systems.
Abstract: Advanced driver assistance systems in combination with new preventive safety systems offer great potential for avoiding accidents, reducing accident severity and increasing occupant protection. This paper presents the activities in this field at the Mercedes Car Group (MCG). Driver assistance systems can be divided into systems that supply the driver with information during normal driving, systems that warn the driver when the probability of an accident increases, systems that assist the driver actively in avoiding an impending accident, and finally autonomously intervening systems. A special case of an intervention system is PRE-SAFE®: developed and first introduced by the MCG in 2002, PRE-SAFE® is a system that acts in the intervention phase. PRE-SAFE® has opened up new possibilities for vehicle safety by shifting the paradigm from the formerly separate fields of active and passive safety to an integral view of these two fields. The future task is to enhance the elements of driver assistance systems and to integrate them in a comprehensive system. Since most of the current systems have no or only little information about the vehicle's surroundings, new sensors providing such information (cameras, 24-GHz radar) are especially needed. How can driver assistance systems be enhanced on the basis of additional and more precise sensor information? Firstly, the driver can be informed and warned much more selectively and accurately. Secondly, systems that act in the assistance phase can be activated more often and provide much more precise support. For instance, BRAKE ASSIST (BAS) activation and support can take objects in front of the vehicle into account to avoid or mitigate a collision. Thirdly, in the intervention or PRE-SAFE® phase, new occupant protection systems can be activated if an imminent and unavoidable collision is detected.
Additionally, it might be possible to apply the brakes automatically in such a case to reduce the collision energy, which is also considered a contributing factor to crash compatibility.

Book ChapterDOI
07 Oct 2005

Journal ArticleDOI
TL;DR: In this paper, the authors discuss the usefulness of behaviour modification approaches, particularly in managing major accident hazards, and provide guidance for companies that may be considering embarking on such a programme.

Journal ArticleDOI
TL;DR: This presentation investigates and illustrates formal procedures for assessing the uncertainty in the probability that a safety system will fail to operate as intended in an accident environment and suggests that evidence theory provides a potentially valuable representational tool for the display of the implications of significant epistemic uncertainty in inputs to complex analyses.
Abstract: Safety systems are important components of high-consequence systems that are intended to prevent the unintended operation of the system and thus the potentially significant negative consequences that could result from such an operation. This presentation investigates and illustrates formal procedures for assessing the uncertainty in the probability that a safety system will fail to operate as intended in an accident environment. Probability theory and evidence theory are introduced as possible mathematical structures for the representation of the epistemic uncertainty associated with the performance of safety systems, and a representation of this type is illustrated with a hypothetical safety system involving one weak link and one strong link that is exposed to a high temperature fire environment. Topics considered include (1) the nature of diffuse uncertainty information involving a system and its environment, (2) the conversion of diffuse uncertainty information into the mathematical structures associated with probability theory and evidence theory, and (3) the propagation of these uncertainty structures through a model for a safety system to obtain representations in the context of probability theory and evidence theory of the uncertainty in the probability that the safety system will fail to operate as intended. The results suggest that evidence theory provides a potentially valuable representational tool for the display of the implications of significant epistemic uncertainty in inputs to complex analyses.

Journal ArticleDOI
TL;DR: Databuses are discussed regarding their properties, such as signal characteristics and bus protocols, with respect to safety, and available information on bus specifications is compared.

Journal ArticleDOI
TL;DR: The work carried out in the first Work Package, devoted to the definition of accident scenarios, is presented, which aims at building a Methodology for the Identification of Major Accident Hazards (MIMAH), carried out with the development of generic fault and event trees based on a typology of equipment and substances.

Journal ArticleDOI
TL;DR: The study of car-following dynamics is useful for capacity analysis, safety research, and traffic simulation, and there is growing interest in its applications in intelligent transportation systems, such as advanced vehicle control and safety systems and autonomous cruise control systems.
Abstract: The study of car-following dynamics is useful for capacity analysis, safety research, and traffic simulation. There is also growing interest in its applications in intelligent transportation systems, such as advanced vehicle control and safety systems and autonomous cruise control systems. A large number of car-following models have been developed in the past five decades. Some of them were investigated and validated against experimental data; nevertheless, the results were not that consistent for some models, e.g., those for the General Motors (GM) model. As a part of the problem, the data acquisition and calibration techniques were not advanced then. The past few decades have seen remarkable advancements in these techniques, e.g., the use of the differential Global Positioning System (GPS) for position measurement, the use of Doppler's principle for speed measurements, and the use of genetic algorithms for optimization. It might be useful to reassess some outstanding issues in car-following dynamics ...

Journal ArticleDOI
TL;DR: The application of HERMES to this case study shows that the methodology is applicable in practice and can give valuable and significant results.

Journal ArticleDOI
TL;DR: Although intraoperative patient safety has improved significantly, the OR is still a complex and potentially hazardous environment where clinicians depend on teamwork and a patchwork of systems to mitigate hazards instead of using automated safety systems.
Abstract: May/June 2005. How safe would a car be if key components, such as the brakes and cruise control, didn’t work together? Can you imagine flying in an airplane that wouldn’t provide a warning if the landing gear didn’t deploy? Would you buy a new computer that would not allow you to upgrade the mouse, keyboard, or other peripheral components? Would your new “USB memory stick” be useful if it only worked with one brand of computer? The kinds of interoperable plug-and-play control and communication systems that we take for granted in automobiles and consumer electronics are lacking in operating rooms (OR) today. Although intraoperative patient safety has improved significantly, the OR is still a complex and potentially hazardous environment where clinicians depend on teamwork and a patchwork of systems to mitigate hazards instead of using automated safety systems. Surprisingly, smart alarms and automated decision support tools are still absent from the clinical environment. Clinical engineers and clinicians have proposed innovative technical solutions to mitigate clinical hazards, but they cannot affordably implement novel solutions when real-time medical device data acquisition or control is required. Partly as a result of the lack of medical device interoperability, many self-evident improvements have been precluded, and safety Plug-and-Play in the Operating Room of the Future

Journal ArticleDOI
01 Feb 2005
TL;DR: An extension of the DEVS formalism, real-time DEVS (RT-DEVS), which has a sound semantics for the specification of real-time systems in a hierarchical modular fashion is employed, which represents a global time between the models.
Abstract: This article presents an application of the Discrete Event System Specification (DEVS) framework to the design and safety analysis of a real-time embedded control system, a railroad crossing control system. The authors employ an extension of the DEVS formalism, real-time DEVS (RT-DEVS), which has a sound semantics for the specification of real-time systems in a hierarchical modular fashion. The notion of a clock matrix for communicating RT-DEVS models is proposed, which represents a global time between the models. Based on the composition rules and the clock matrix, an algorithm for the generation of a timed reachability tree is developed that can be used for safety analysis at two phases: an untimed and timed analysis phase. A railroad crossing control example demonstrates that the proposed analysis for RT-DEVS models would be effective to verify the safety property of real-time control systems.

Journal ArticleDOI
TL;DR: It was proposed that a validation project should focus on the trajectory of development of the entire distributed cognitive system instead of comprehending validation studies as tests of the effects of information systems on a pre-defined process output.
Abstract: Evaluation of the appropriateness of information technical systems for complex professional usage in safety-critical contexts poses significant methodical and practical challenges. In this study, the usability of a Safety Information and Alarm Panel (SIAP) in a nuclear power plant control room was tested. An integrated validation concept was used that included a new approach to measuring system and operator performance in complex work environments. The tested system was designed to aid the operators in severe disturbance and emergency situations. It had already been implemented at a nuclear power plant. The study was conducted in a full-scope training simulator. The results verified that an acceptable level of performance could be achieved when using the SIAP. When the operators' practices were analysed by a habit-centred analysis, it was discovered that the effects of the SIAP differed between crews and between test scenarios. Thus, the SIAP tended to promote coherence of practices but reduce situatively attentive action. In diffuse task contexts the tool failed to support the shift supervisor's control of the overall process situation, his awareness of the crew's work load and his ability to update the crew's awareness of the process. The operators reported that the system supported their process control activity and reduced stress in the situation, but the shift supervisors and operators also noticed some possible negative effects of the tool. These subjective evaluations corresponded to the effects observed in practice. The results revealed the complexity of the implementation of new tools into professional practice. It was proposed that a validation project should focus on the trajectory of development of the entire distributed cognitive system instead of comprehending validation studies as tests of the effects of information systems on a pre-defined process output. Formative evaluation criteria are needed in projecting distributed cognitive systems.

Journal ArticleDOI
TL;DR: The problem of distributing safety‐enhancing devices across a region, where each identical device provides for only local protection of the population is addressed, and several tiers of the plausibility of need for protection are identified.
Abstract: We address the problem of distributing safety-enhancing devices across a region, where each identical device provides for only local protection of the population. The devices protect nonidentical sectors of the population. The sectors of population are exposed to nonidentical intensities of hazard. A method for the screening and prioritizing of needs for the protective devices is described. An approach of risk-benefit-cost analysis under uncertainty is recommended as follows. Measures of hazard intensity and population exposure are identified. Exogenous parameters that influence assessments of risks, benefits, and costs are identified. Uncertainties of the exogenous parameters are propagated by interval analysis. Several tiers of the plausibility of need for protection are identified. The tiers are useful in setting priorities for the distribution of the safety devices. The method is demonstrated in an engineering application to roadway lighting, but has implications for disaster preparedness, anti-terrorism, transportation safety, and other arenas of public safety.

Proceedings ArticleDOI
30 Jan 2005
TL;DR: An approach to safety management and safety-driven design that overcomes the limitations of current safety analysis and risk management techniques is described, which rests on a new model of accident causation called STAMP (System-Theoretic Accident Modeling and Processes), which extends the types of accidents that can be handled today.
Abstract: More powerful, next-generation approaches to safety management and safety-driven design and decision-making are required in order to meet the mission safety and assurance goals for human space exploration in an affordable and effective way. The assumptions underlying our current safety and mission assurance approaches do not match the basic properties of some new types of hardware technology, particularly digital hardware, software, complex human decision-making and human-automation interaction, and accidents that arise from dysfunctional system component interactions rather than component failures. This paper describes a new model of accident causation, called STAMP (System-Theoretic Accident Model and Processes), that integrates all elements of risk, including technical, organizational, and social. The new model provides the foundation for next-generation hazard analysis techniques, more comprehensive incident and accident root cause analysis, and continuous risk management systems to enhance decision-making in complex systems-of-systems.
I. Introduction. To achieve the levels of safety and reliability required for successful space exploration, more powerful safety analysis and design techniques will be needed. Traditional hazard analysis and risk assessment techniques (such as Fault Tree Analysis, FMEA/CIL, and Probabilistic Risk Assessment) were created for mechanical systems and later extended to electro-mechanical systems and are better at evaluating completed designs than driving early design decisions. They rest on the assumption that accidents result from component failure and thus miss the increasingly common accidents resulting from interactions among systems and components—such as foam hitting the Orbiter RCC panels or software thinking the spacecraft has landed and cutting off the descent engines prematurely. When building systems-of-systems that are software-intensive and require complex human decision making and human-automation interaction as well as distributed decision-making, today's techniques are inadequate—extremely expensive to apply and capable of only limited results. The complexities involved in the interactions among components in sophisticated spacecraft and systems-of-systems overwhelm existing safety engineering techniques based on analyzing individual component failure, do not handle components like software (which is essentially design abstracted from its physical representation and thus does not "fail"), and present sometimes overwhelming challenges to organizations managing such complex systems. Billions of dollars have been lost in spacecraft mishaps in the past few years, including the Ariane 501, various Titan launch mishaps, and, of course, Columbia. Every recent Mars mission has run into software problems. This paper describes an approach to safety management and safety-driven design that overcomes the limitations of current safety analysis and risk management techniques. The approach rests on a new model of accident causation called STAMP (Systems-Theoretic Accident Modeling and Processes), which extends the types of accidents that can be handled today. STAMP integrates all elements of risk, including technical, organizational and social. Note that safety here is not limited to human safety and crew survival, but also includes loss of mission, loss of equipment, and negative environmental impacts.

Proceedings ArticleDOI
05 Dec 2005
TL;DR: The presented approach uses the ability of the vision-chip to perform pixel-parallel masking and fast summation-operations on binary images to detect whether the robot and human are too close to ensure safe human-robot-coexistence.
Abstract: The coexistence of humans and industrial robots in a common workspace provides the advantage of increased flexibility in production or longer system up-time during maintenance. However, it is fundamentally necessary to guarantee the safety of the human. This paper presents an approach that uses a specialized tracking-vision-chip to realize a high-speed emergency-stop for safe human-robot-coexistence. The presented approach uses the ability of the vision-chip to perform pixel-parallel masking and fast summation-operations on binary images to detect whether the robot and human are too close. After initial evaluation in a (semi)-simulation, the approach was realized in an experimental system. Even with only a small 8-bit microcontroller controlling the vision-chip and the communication, a cycle time of more than 500 Hz was achieved.

Proceedings ArticleDOI
24 Oct 2005
TL;DR: A novel HIL testbed that has been developed for this purpose in the Embedded Systems Laboratory at the University of Leicester is described and an overview of the simulator is provided, followed by detailed descriptions of the vehicle and driver models that are employed.
Abstract: Distributed embedded control systems play an increasing role in modern automotive designs and there is a pressing need to investigate the impact of different design decisions on system safety and reliability. A highly effective method of performing the testing for such an investigation is via a suitably detailed "hardware-in-the-loop" (HIL) simulation. This paper describes a novel HIL testbed that has been developed for this purpose in the Embedded Systems Laboratory at the University of Leicester. An overview of the simulator is provided, followed by detailed descriptions of the vehicle and driver models that are employed. The performance of the system is illustrated using an example based on an adaptive cruise control system.

Journal ArticleDOI
15 May 2005
TL;DR: The attributed event grammar (AEG) specifies possible event traces and provides a uniform approach for automatically generating, executing, and analyzing test cases and includes a description of hazardous states in which the system may arrive and makes it possible to gather statistics for system safety assessment.
Abstract: This paper suggests an approach to automatic scenario generation from environment models for testing of real-time reactive systems. The behavior of the system is defined as a set of events (event trace) with two basic relations: precedence and inclusion. The attributed event grammar (AEG) specifies possible event traces and provides a uniform approach for automatically generating, executing, and analyzing test cases. The environment model includes a description of hazardous states in which the system may arrive and makes it possible to gather statistics for system safety assessment. The approach is supported by a generator that creates test cases from the AEG models. We demonstrate the approach with case studies of prototypes for the safety-critical computer-assisted resuscitation algorithm (CARA) software for a casualty intravenous fluid infusion pump and the Paderborn Shuttle System.

Dissertation
01 Jan 2005
TL;DR: In this article, a system safety analysis was performed according to FAA system safety guidelines for two critical hazards in UAV operation: mid-air collision and ground impact, and the results of the safety analysis indicate that it may be possible to operate small UAVs with few operational and size restrictions over the majority of the United States.
Abstract: There is currently a broad effort underway in the United States and internationally by several organizations to craft regulations enabling the safe operation of UAVs in the NAS. Current federal regulations governing unmanned aircraft are limited in scope, and the lack of regulations is a barrier to achieving the full potential benefit of UAV operations. Safety is a fundamental requirement for operation in the NAS. Maintaining and enhancing safety of UAVs is both the authority and responsibility of the Federal Aviation Administration (FAA). To inform future FAA regulations, an investigation of the safety considerations for UAV operation in the NAS was performed. Key issues relevant to operations in the NAS, including performance and operating architecture were examined, as well as current rules and regulations governing unmanned aircraft. In integrating UAV operations in the NAS, it will be important to consider the implications of different levels of vehicle control and autonomous capability and the source of traffic surveillance in the system. A system safety analysis was performed according to FAA system safety guidelines for two critical hazards in UAV operation: midair collision and ground impact. Event-based models were developed describing the likelihood of ground fatalities and midair collisions under several assumptions. From the models, a risk analysis was performed calculating the expected level of safety for each hazard without mitigation. The variation of expected level of safety was determined based on vehicle characteristics and population density for the ground impact hazard, and traffic density for midair collisions. The results of the safety analysis indicate that it may be possible to operate small UAVs with few operational and size restrictions over the majority of the United States. 
As UAV mass increases, mitigation measures must be utilized to further reduce both ground impact and midair collision risks to target levels from FAA guidance. It is in the public interest to achieve the full benefits of UAV operations, while still preserving safety through effective mitigation of risks with the least possible restrictions. Therefore, a framework was presented under which several potential mitigation measures were introduced and could be evaluated. It is likely that UAVs will be significant users of the future NAS, and this thesis provides an analytical basis for evaluating future regulatory decisions.
Thesis Supervisor: R. John Hansman, Jr. Title: Professor of Aeronautics & Astronautics

Journal Article
TL;DR: In this paper, a model for safety management is proposed in which an organization's safety programs (the procedures for safety management and their operations) are structured, on the behavior-science principles that culture shapes managerial behavior and managerial behavior produces individual behavior, into three modules: safety culture, organizational structure and safety procedures.
Abstract: The procedures for safety management and their operations in an organization comprise safety programs for the organization. Based on the principles of behavior science that culture shapes managerial behavior and managerial behavior produces individual behavior, safety programs can be structured into a model consisting of three modules, i.e. safety culture, organizational structure and safety procedures. The operation of the model, or the principles of safety management, produces first-level interim results (employees' safety-related knowledge, safety consciousness and safety habit), second-level interim results (unsafe behavior and unsafe conditions), and after that the final outcome, safety performance, which can be further improved by behavior observation or behavior correction. The quality of the model for safety management, or safety program, can be quantitatively diagnosed by a safety climate survey. Basically, the modeling of safety programs and the contents included in the model sum up the subjects of the discipline of safety science and technology, which is the basis for the design of education programs for the discipline.

Proceedings ArticleDOI
25 Jul 2005
TL;DR: A PreCrash system is proposed, which uses two short range radars and a laser scanner to obtain the required environmental data and decision strategies to increase the certainty of object identity are proposed in this paper.
Abstract: The growing interest toward active safety systems leads to a rapid development of different sensors and systems. One key aspect for all systems is the knowledge about the car environment. This knowledge is essential for safety applications such as PreCrash. A PreCrash system generates information about location, moving direction and relative velocity of critical objects in the car environment immediately before an imminent and inevitable accident happens. Different types of actuators can benefit from this information for in-time deployment and the choice of the right deployment energy. In this paper a PreCrash system is proposed, which uses two short range radars and a laser scanner to obtain the required environmental data. The short range radars and the laser scanner will be mounted in the front of a test vehicle. The sensors are able to observe multiple targets within a field of view in front of the car. To develop a highly reliable environment sensing system, competitive fusion approaches using different types of sensors are appropriate. The challenge in realizing such a fusion system is the optimal utilization of the detection performance of each sensor type and the development of a fast architecture for using it in the automotive environment. As two examples for such a fusion strategy, a commonly utilized decision level fusion approach is discussed and a newly developed grid fusion approach is introduced. It is based on a virtual grid in front of the car into which the sensor readings are mapped. The architecture of the grid is directly adapted to the requirements of the application and the sensor specifications. The data extraction out of the grid is based on simple and well known strategies. Decision strategies to increase the certainty of object identity are also proposed in this paper.

Proceedings ArticleDOI
20 Jun 2005
TL;DR: The purpose of this monitor is to increase road safety by preventing drivers from falling asleep or from being overly distracted, and to improve the effectiveness of other safety systems.
Abstract: We present an automotive-grade, real-time, vision-based driver state monitor. Upon detecting and tracking the driver's facial features, the system analyzes eye-closures and head pose to infer his/her fatigue or distraction. This information is used to warn the driver and to modulate the actions of other safety systems. The purpose of this monitor is to increase road safety by preventing drivers from falling asleep or from being overly distracted, and to improve the effectiveness of other safety systems.