Nicolas H. Malloy Systems Engineer


Integrating STAMP-Based Hazard Analysis with MIL-STD-882E Functional Hazard Analysis
A Consistent and Coordinated Process Approach to MIL-STD-882E Functional Hazard Analysis
Nicolas H. Malloy, Systems Engineer, nicolas.malloy@gd-ms.com

Outline
- Purpose
- Problem
- Problem Approach
- Conclusion
- Recommendations
- Benefits
- References

Purpose
- Promote the integration of STAMP-Based Hazard Analysis with MIL-STD-882E Functional Hazard Analysis
- Document a process which organizations can follow to conduct well-crafted safety hazard analysis
- Improve the safety process through the use of a continuous process improvement plan
- Break through "business as usual" paradigms: system safety must be an organic component of the system design process (hardware, software, etc.)

Problem
- MIL-STD-882E provides high-level descriptions of the tasks required to achieve standard compliance
  - Very helpful for some tasks
  - Others leave the practitioner needing more instruction
- Example: Functional Hazard Analysis
  - A list of eight tasking elements
  - There are high-level descriptions, but little instruction and few references are provided
  - Some tasking elements are straightforward while others are not
  - This can lead to an analysis approach based on assumption
- Tasking elements build upon each other
  - The effectiveness and quality of hazard identification and mitigation controls become susceptible to serious degradation if the initial tasks are flawed
- A consistent and coordinated process is needed

Problem Approach
- Integrate STAMP-Based Hazard Analysis with MIL-STD-882E Functional Hazard Analysis
  - Map STAMP and STPA to the MIL-STD-882E Functional Hazard Analysis tasking elements
  - Document the rationale
- Develop a Safety Process and Plan to be shared with the safety community
  - Whitepapers can be written as necessary to support the process

System Decomposition
Tasking Element: a. Decomposition of the system and its related subsystems to the major component level. [3]
Allocation: STAMP
Rationale: Decomposing the system and its related subsystems to the major component level feeds directly into STAMP with the construction of the Control Structure. This step also includes early safety requirements and constraints development and preliminary identification of hazards and mishaps.

Functional Descriptions of Subsystems and Components
Tasking Element: b. A functional description of each subsystem and component identified. [3]
Allocation: STAMP
Rationale: Documenting the behavioral characteristics of the system using functional descriptions contributes to STAMP with the continued construction of the Control Structure. Early safety requirements and constraints development and preliminary identification of hazards and mishaps continue to occur during this step.

Functional Descriptions of Interfaces
Tasking Element: c. A functional description of interfaces between subsystems and components. Interfaces should be assessed in terms of connectivity and functional inputs and outputs. [3]
Allocation: STAMP
Rationale: Documenting the behavioral characteristics of system interfaces contributes to STAMP and the continued construction of the Control Structure. Early safety requirements and constraints development and preliminary identification of hazards and mishaps continue to occur during this step.

Identifying Unsafe Functional Behavior
Tasking Element: d. Hazards associated with loss of function, degraded function, or malfunction, or functioning out of time or out of sequence for the subsystems, components, and interfaces. The list of hazards should consider the next effect in a possible mishap sequence and the final mishap outcome. [3]
Allocation: STPA
Rationale: STPA step 1 identifies the potential for inadequate control of the system leading to a hazardous state. STPA step 2 considers multiple controllers of the same components and seeks to identify conflicts and potential coordination problems. This aids in identifying next effects and top-level events. [2, 4]

Risk Assessment
Tasking Element: e. An assessment of the risk associated with each identified failure of a function, subsystem, or component. Estimate severity, probability, and Risk Assessment Code (RAC) using the process described in Section 4 of 882E. [3]
Allocation: STAMP, STPA
Rationale: STAMP together with STPA identifies the system-level hazards associated with each function (and unsafe control action), so the severity classification comes from the classification of the system-level hazards and their associated mishaps. [1] STPA can be used to make risk acceptance decisions and to plan mitigations for open safety risks that need to be changed before a system is deployed and field tested. [2]

Risk Assessment (cont'd)

Function Allocations
Tasking Element: f. An assessment of whether the functions identified are to be implemented in the design hardware, software, or human control interfaces. This assessment should map the functions to their implementing hardware or software components. Functions allocated to software should be mapped to the lowest level of technical design or configuration item prior to coding (e.g., implementing modules or use cases). [3]
Allocation: STAMP, STPA
Rationale: Determining how system functionality and components are to be implemented is based on the safety requirements and constraints that are developed while the safety practitioner works through STAMP and STPA steps 1 and 2 iteratively. Like commands can also be functionally grouped. This can be used to establish traceability between the functions, commands, hazards, safety requirements, and constraints. Example: an RTM (requirements traceability matrix).

Function Allocations (cont'd)

Software Criticality Index Assessments
Tasking Element: g. An assessment of Software Control Category (SCC) for each Safety-significant Software Function (SSSF). Assign a Software Criticality Index (SwCI) for each SSSF mapped to the software design architecture. [3]
Allocation: STAMP, STPA
Rationale: SCC and SwCI are unique to MIL-STD-882E, but the determination of how software functionality is to be implemented is in part based upon the technology needed to support the safety requirements and constraints that are developed while the safety practitioner works through STAMP and STPA steps 1 and 2 iteratively.

Software Criticality Index Assessments (cont'd)

Identifying Safety Requirements and Constraints
Tasking Element: h. A list of requirements and constraints (to be included in the specifications) that, when successfully implemented, will eliminate the hazard or reduce the risk. These requirements could be in the form of fault tolerance, detection, isolation, annunciation, or recovery. [3]
Allocation: STAMP, STPA
Rationale: STAMP begins with the preliminary identification of safety requirements and constraints. Analysis of the system and component hazards identified during STPA steps 1 and 2 aids in the iterative development of the safety requirements and constraints necessary to address the unsafe control actions leading to hazards. [2]
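The risk assessment (task e), function allocation (task f) and requirements/constraints (task h) elements above all rest on one traceability chain: function, unsafe control action, system-level hazard, RAC, and the requirement or constraint that addresses it. The Python below is an added example of a small tool for managing that chain; it is not the presentation's or General Dynamics' tooling. It assumes its own data model (Function, Hazard, UnsafeControlAction, Requirement, FhaModel), pairs the four STPA unsafe-control-action types with the task (d) wording by my own assumption, uses a constructed hoist-controller sample, and transcribes the risk matrix from MIL-STD-882E Table III (the slides cite Section 4 of 882E but do not reproduce the matrix). SCC/SwCI assignment from task (g) is not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Risk Assessment Matrix transcribed from MIL-STD-882E Table III: probability level
# (A Frequent .. E Improbable, F Eliminated) -> risk level for severity 1 Catastrophic,
# 2 Critical, 3 Marginal, 4 Negligible.
RISK_MATRIX = {
    "A": ("High", "High", "Serious", "Medium"),
    "B": ("High", "High", "Serious", "Medium"),
    "C": ("High", "Serious", "Medium", "Low"),
    "D": ("Serious", "Medium", "Medium", "Low"),
    "E": ("Medium", "Medium", "Medium", "Low"),
    "F": ("Eliminated",) * 4,
}
# The four STPA unsafe-control-action types paired with the 882E task (d) wording
# each most naturally corresponds to; the pairing is this example's assumption.
UCA_TYPES = {
    "not_provided": "loss of function", "provided": "malfunction",
    "wrong_timing_or_order": "functioning out of time or out of sequence",
    "stopped_too_soon_or_applied_too_long": "degraded function",
}

def risk_assessment_code(severity: int, probability: str) -> Tuple[str, str]:
    """Return (RAC, risk level), e.g. (1, "D") -> ("1D", "Serious")."""
    if severity not in (1, 2, 3, 4) or probability not in RISK_MATRIX:
        raise ValueError(f"invalid severity/probability {severity}{probability}")
    return f"{severity}{probability}", RISK_MATRIX[probability][severity - 1]

@dataclass
class Function:            # task (f): allocation to hardware, software or human
    id: str
    description: str
    allocation: str        # "hardware", "software" or "human"
    design_item: str = ""  # lowest-level design item; required when allocated to software

@dataclass
class Hazard:              # system-level hazard with 882E severity 1..4 and probability A..F
    id: str
    description: str
    severity: int
    probability: str

@dataclass
class UnsafeControlAction:  # STPA step 1 result, linked to the hazards it can lead to
    id: str
    function_id: str
    uca_type: str           # key of UCA_TYPES
    description: str
    hazards: List[str]

@dataclass
class Requirement:         # task (h): requirement or constraint addressing one or more UCAs
    id: str
    text: str
    addresses: List[str]

@dataclass
class FhaModel:
    functions: Dict[str, Function] = field(default_factory=dict)
    hazards: Dict[str, Hazard] = field(default_factory=dict)
    ucas: Dict[str, UnsafeControlAction] = field(default_factory=dict)
    requirements: Dict[str, Requirement] = field(default_factory=dict)

def find_gaps(m: FhaModel) -> List[str]:
    """Traceability checks: UCA -> requirement, hazard -> UCA, software function -> design item."""
    covered = {u for r in m.requirements.values() for u in r.addresses}
    linked = {h for u in m.ucas.values() for h in u.hazards}
    gaps = [f"{u.id}: no requirement or constraint addresses it"
            for u in m.ucas.values() if u.id not in covered]
    gaps += [f"{h.id}: no unsafe control action leads to it"
             for h in m.hazards.values() if h.id not in linked]
    gaps += [f"{f.id}: software function not mapped to a design item"
             for f in m.functions.values() if f.allocation == "software" and not f.design_item]
    return gaps

def traceability_matrix(m: FhaModel) -> List[dict]:
    """One RTM row per (UCA, hazard) pair: function -> UCA -> hazard -> RAC -> requirements."""
    rows = []
    for u in m.ucas.values():
        f = m.functions.get(u.function_id)
        reqs = sorted(r.id for r in m.requirements.values() if u.id in r.addresses)
        for hid in u.hazards:
            h = m.hazards.get(hid)
            rac, level = risk_assessment_code(h.severity, h.probability) if h else ("?", "?")
            rows.append({"function": u.function_id, "allocation": f.allocation if f else "?",
                         "uca": u.id, "category_882e": UCA_TYPES.get(u.uca_type, "?"),
                         "hazard": hid, "rac": rac, "risk": level, "requirements": reqs})
    return rows

def sample_model() -> FhaModel:
    """Constructed sample (not from the presentation): a hoist with a personnel exclusion zone."""
    m = FhaModel()
    m.functions["F1"] = Function("F1", "Command hoist motor stop", "software", "hoist_ctrl.StopHandler")
    m.functions["F2"] = Function("F2", "Display zone status to operator", "software")  # no design item yet
    m.hazards["H1"] = Hazard("H1", "Load moves while personnel are in the exclusion zone", 1, "D")
    m.hazards["H2"] = Hazard("H2", "Load released while suspended", 2, "C")  # no UCA identified yet
    m.ucas["U1"] = UnsafeControlAction("U1", "F1", "not_provided",
                                       "Stop not commanded when the zone is reported occupied", ["H1"])
    m.ucas["U2"] = UnsafeControlAction("U2", "F1", "wrong_timing_or_order",
                                       "Stop commanded over 200 ms after the zone is reported occupied", ["H1"])
    m.requirements["R1"] = Requirement("R1", "Hoist control software shall command motor stop within "
                                       "100 ms of a zone-occupied signal.", ["U1"])  # U2 still unaddressed
    return m
```

Running `traceability_matrix(sample_model())` yields two RTM rows, both at RAC 1D (Serious), one covered by R1 and one with an empty requirements column; `find_gaps` then reports that U2 has no requirement, H2 has no unsafe control action and F2 has no design item. Those three findings are exactly the kinds of defect the slides warn about when early tasking elements are incomplete, and a check like this can run on every revision of the analysis rather than once at the end.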

Conclusion
- STAMP-Based Hazard Analysis provides the conceptual rigidity and contextual flexibility needed to perform accurate and complete Functional Hazard Analysis consistently
- The mapping exercise works
- Certain tasking elements call out Probabilistic Risk Assessment (PRA) and various software (functional control) specific assessments that are based on software implementation and unique to MIL-STD-882E
  - These are not part of the STAMP-Based Hazard Analysis process, but they can be used to influence design decisions

Recommendations
- Use this mapping as the basis for generating a process document that serves to instantiate STAMP-Based Hazard Analysis as a means for performing MIL-STD-882E Functional Hazard Analysis
- Other considerations:
  - Generate tools to manage the analysis approach
  - Use modeling tools to create and maintain the control structure(s)
  - Investigate an integrated approach using modeling and analysis management tools in the same environment

Benefits
- A consistent approach that documents that MIL-STD-882E has been met
- Safety is approached in a consistent and coordinated manner
- All personnel involved in the design of safety-significant components (hardware, software, or human) must meet safety requirements
- The modeling approach allows the design team to continually improve the safety of the system prior to pursuing implementation
- The iterative approach can drive down cost and schedule in the long term
© 2016 General Dynamics. All rights reserved.

References
1. Leveson, N. (2016). STPA Compliance with Army Safety Standards and Comparison with SAE ARP 4761. Cambridge, Massachusetts: The MIT Press.
2. Leveson, N. (2011). Engineering a Safer World: Systems Thinking Applied to Safety. Cambridge, Massachusetts: The MIT Press.
3. DoD. (2012). Department of Defense Standard Practice: System Safety. Washington, DC: Department of Defense (DoD).
4. Young, W., & Leveson, N. (2014). Inside Risks: An Integrated Approach to Safety and Security Based on Systems Theory. Communications of the ACM, 1-5.