
The “ANSI Process” for System Safety Assurance

Presented at the Safety Case Workshop, Huntsville, AL; January 14th, 2014

David B. West, CSP, P.E., CHMM, Fellow

NATIONAL SECURITY • ENERGY & ENVIRONMENT • HEALTH • CYBERSECURITY

© SAIC. All rights reserved.

Page 2

What do we mean by the “ANSI Process”?

• In this workshop, the “ANSI Process” refers to System Safety processes and methodologies outlined in ANSI/GEIA-STD-0010-2009, “Standard Best Practices for System Safety Program Development and Execution”

• The best practices in ANSI/GEIA-STD-0010-2009 were compiled and published by a working group of the SAE International G-48 System Safety Committee

• Best practices are developed and standardized so that the community of practitioners can advance the state-of-the-art

• The best practices documented in ANSI/GEIA-STD-0010-2009 include:
– Designing a System Safety Program around 5 basic elements
– Using a modernized risk assessment matrix
– Describing hazards in terms of their Source, Mechanism, and Outcome
– Giving consideration to the concept of Total System Risk

Page 3

Outline of Presentation

• Brief background on the G-48 System Safety Committee
• How standardizing best practices can drive advancements in the state-of-the-art
• The G-48 Committee’s development of ANSI/GEIA-STD-0010-2009
• The 5 basic elements of an effective system safety program, as presented in ANSI/GEIA-STD-0010-2009
• Improvements, covered in ANSI/GEIA-STD-0010-2009, to the traditional risk assessment matrix
• The source-mechanism-outcome model for describing hazards
• Risk summation

Page 4

Overview of the G-48 System Safety Committee

• Established in 1966 by the Electronics Industries Association (EIA)
• System Safety experts from industry, government, military
• Advisory body to U.S. Govt. on System Safety issues and standards – e.g., MIL-STD-882
• Develops/seeks consensus on System Safety methodologies
• Three meetings per year
• Parent organizations after EIA:
– GEIA
– ITAA
– TechAmerica
– SAE International (July 2013)
• Mission Statement:
– To promote the development of safe systems, products, and processes: the G-48 Committee compiles, develops, improves and publishes best practices in the discipline of System Safety.

Page 5

Overview of the G-48 System Safety Committee (Cont.)

Page 6

Overview of the G-48 System Safety Committee (Cont.)

G-48 Meeting No. 133 – Huntsville, AL – January 2013

Page 7

How standardizing best practices can drive advancements in the state-of-the-art

• A key motivating factor in developing ANSI/GEIA-STD-0010-2009 was the desire to make improvements in the System Safety state-of-the-art.

• The next five charts graphically present a notional and non-quantitative picture of how improvements in the practice of any human endeavor can be actively brought about through the standardization of best practices.

• This approach for bringing about improvements has been successfully followed in several other fields, including:

– The medical profession
– Steam boiler design and manufacturing
– Fire protection in building design
– The automotive industry

Page 8

Variation of Practice in a Typical Discipline

[Figure: distribution of practice; horizontal axis: Measure of “Goodness” (Proficiency, Effectiveness, Accuracy, Value, etc.); vertical axis: Frequency of Practice]

Page 9

Standardization Option 1:Define and Document Current Practice

[Figure: the distribution of practice from the previous chart, with the full spectrum of current practice marked; axes: Measure of “Goodness” (Proficiency, Effectiveness, Accuracy, Value, etc.) vs. Frequency of Practice]

Good news: Recognition of the full spectrum of current practices

Bad news: No improvement; practice stagnates

Page 10

Standardization Option 2 (Good):Option 1 + Identify Central Tendency & Gradations

[Figure: the distribution of practice, with gradations marked along the “goodness” axis: Sub-standard, Minimally Acceptable, Consensus, Exemplary or State-of-the-Art, Cutting Edge; axes: Measure of “Goodness” (Proficiency, Effectiveness, Accuracy, Value, etc.) vs. Frequency of Practice]

Good news: Sub-standard practices required to improve

Bad news: No improvement for most of the spectrum; practice stagnates

Page 11

Standardization Option 3 (Better):Option 2 + Decrease Variation

[Figure: the distribution of practice, narrowed around the Consensus marker; axes: Measure of “Goodness” (Proficiency, Effectiveness, Accuracy, Value, etc.) vs. Frequency of Practice]

Good news: These (practices below consensus) are pressured to improve…

Bad news: …but these (practices above consensus) might as well “slack off”

Page 12

Standardization Option 4 (Best):Option 3 + Improve Mean Practice

[Figure: the distribution of practice, narrowed and shifted toward higher “goodness”; axes: Measure of “Goodness” (Proficiency, Effectiveness, Accuracy, Value, etc.) vs. Frequency of Practice]

Good news: Overall spectrum of practice improves

More good news: No sacrifice of gains at the top of the spectrum

Page 13

The G-48 Committee’s Development of ANSI/GEIA-STD-0010-2009

• Background: Acquisition Reform and MIL-STD-882D
• Identified Opportunities for Improving System Safety Practice
• The G-48 Committee’s Draft of MIL-STD-882E
• “De-militarizing” the Draft 882E to Form an Industry Standard
• Revision A of ANSI/GEIA-STD-0010-2009

Page 14

The G-48 Committee’s Development of ANSI/GEIA-STD-0010-2009

Background: Acquisition Reform and MIL-STD-882D

• Acquisition Reform efforts by the U.S. DOD in the late 1990’s resulted in eliminating many military standards
• MIL-STD-882 was preserved by making Revision D (Feb 2000) much less prescriptive than it had been in previous revisions (~30 pages, no System Safety tasks, guidance only)
• The G-48 Committee received much feedback from 2000-2004 that industry, in general, did not like MIL-STD-882D
• The Committee agreed that:
– It was time to consider preparing a revision of MIL-STD-882
– A new revision of MIL-STD-882 provided an opportunity for improving standard practices

Page 15

The G-48 Committee’s Development of ANSI/GEIA-STD-0010-2009 (Cont.)

Identified Opportunities for Improving System Safety Practice

• No universal understanding as to what basic elements are included in a successful System Safety Program
• Risk assessment matrix not laid out in Cartesian coordinates (which would have risk increasing up and to the right)
• Disproportionately scaled risk assessment matrix
• No quantitative bounds for hazard probability categories; mixed probability and frequency terms
• No provision for taking hazard exposure interval into account
• Using the approach that if hazard risks – taken individually – are acceptable, then system risk is acceptable (regardless of number or risk level of individual hazards); i.e., no assessment of total system risk
• Inconsistent and/or incomplete methods for describing hazards

These shortcomings were addressed in the System Safety best practices documented in ANSI/GEIA-STD-0010-2009.

Page 16

The G-48 Committee’s Development of ANSI/GEIA-STD-0010-2009 (Cont.)

The G-48 Committee’s Draft of MIL-STD-882E

• In late summer 2004, a preliminary Draft 1 of 882E was prepared by Chuck Dorney, a longtime G-48 participant, and distributed to the G-48 Committee for review – numerous comments for improvement in late 2004 and early 2005
• All ideas for improvements presented to the G-48 Committee in January 2005
• G-48 Action Item 109-01 was to “produce a strawman Draft MIL-STD-882E, ‘adding discipline to our discipline’”
• An ad hoc working group was formed from several Huntsville-based organizations: APT Research, U.S. Army Aviation & Missile Command, SAIC

Page 17

The G-48 Committee’s Development of ANSI/GEIA-STD-0010-2009 (Cont.)

Page 18

The G-48 Committee’s Development of ANSI/GEIA-STD-0010-2009 (Cont.)

The G-48 Committee’s Draft of MIL-STD-882E (Cont.)

• Throughout 2005 and into early 2006, the G-48’s 882E working group held several meetings to incorporate recommendations for improvement
• Primary Focus:
1) Simplifying Work Elements and Process Flow
2) Modernizing the Risk Assessment Matrix
3) Introducing Risk Summation

Page 19

The G-48 Committee’s Development of ANSI/GEIA-STD-0010-2009 (Cont.)

The G-48 Committee’s Draft of MIL-STD-882E (Cont.)

• February 2006: the G-48’s Final Draft MIL-STD-882E was submitted for review and approval through the U.S. DOD standardization process
• Approved by nearly every DOD standardization member that reviewed it
• Key non-concurrence by DOD’s Environment, Safety, and Occupational Health (ESOH) Integrated Process Team (IPT); the ESOH IPT took control
• The G-48 Committee did not want to lose all the improvements that we had worked so hard to incorporate. So…

Page 20

The G-48 Committee’s Development of ANSI/GEIA-STD-0010-2009 (Cont.)

“De-militarizing” the Draft 882E to Form an Industry Standard

• After the key non-concurrences derailed the G-48’s Draft 882E, the Committee embarked on a new effort to rewrite the document as an industry (non-military) best practices standard.
• A 3-person team performed a thorough scrub of the document to remove all military-specific terminology, weapon system references, etc.
• The result was the first real draft of what would become GEIA-STD-0010
• Additional Improvements:
– Emphasis on “Worst Case Risk” to replace “Most Reasonable Credible Mishap”
– Added “Engineered Safety Features” (ESF) to the System Safety order of precedence
– Added guidance to describe hazards in terms of Source – Mechanism – Outcome (SMO)

Page 21

The G-48 Committee’s Development of ANSI/GEIA-STD-0010-2009 (Cont.)

“De-militarizing” the Draft 882E to Form an Industry Standard (Cont.)

• GEIA-STD-0010 published in October 2008
• Approved by ANSI in February 2009 and re-published as ANSI/GEIA-STD-0010-2009

Page 22

The G-48 Committee’s Development of ANSI/GEIA-STD-0010-2009 (Cont.)

Revision A of ANSI/GEIA-STD-0010-2009

• Feedback received from industry after the original version of GEIA-STD-0010 was released indicated that the standard needed something analogous to the DOD’s Data Item Descriptions, or DIDs
• In 2011, an effort was begun to develop Task Data Descriptions (TDDs), where appropriate, for tasks from Appendix B of GEIA-STD-0010
• Approach:
– Compare tasks from MIL-STD-882C to new tasks in GEIA-STD-0010
– Adapt existing DIDs referenced from 882C to become new TDDs for corresponding tasks in GEIA-STD-0010
– Develop new TDDs where necessary
• Purpose of Revision A was stated as:

“…provide Task Data Descriptions (TDDs) for System Safety Tasks in Annex (sic) B of the Standard. TDDs are analogous to Data Item Descriptions (DIDs) found in military standards. The TDDs will be placed in a new appendix (Appendix C). This revision will also incorporate numerous editorial corrections to the current version of the standard.”

Page 23

The Five Basic Elements of an Effective System Safety Program

1) Simplifying Work Elements and Process Flow
2) Modernizing the Risk Assessment Matrix
3) Introducing Risk Summation

Page 24

The Five Basic Elements of an Effective System Safety Program(Continued)


Credit: From analysis of various risk management processes and presentation developed by APT Research, Huntsville, AL.

Page 25

The Eight Program Elements outlined in MIL-STD-882D and earlier versions were combined and simplified into five, to provide a more concise representation of current consensus practices.

MIL-STD-882D (eight elements):
1. Documentation of the system safety approach
2. Identification of hazards
3. Assessment of mishap risk
4. Identification of mishap risk mitigation measures
5. Reduction of mishap risk to an acceptable level
6. Verification of mishap reduction
7. Review and acceptance of residual mishap risk by the appropriate authority
8. Tracking hazards and residual mishap risk

ANSI/GEIA-STD-0010-2009 (five elements):
1. Program Initiation
2. Hazard Identification and Tracking
3. Risk Assessment
4. Risk Reduction
5. Risk Acceptance

I – A – R – A

The Five Basic Elements of an Effective System Safety Program (Continued)

Page 26

The Five Basic Elements of an Effective System Safety Program(Continued)

Page 27

Improvements to the Traditional Risk Assessment Matrix

• Matrix from MIL-STD-882D
• Axes converted to logarithmic scales
• Note:
– Highest risk at upper-left
– Huge variation in span of risk covered by different cells

Page 28

A “Pop Quiz”

Identify as many ways as possible that the risk matrix at right could be improved

- Flip vertical axis to have highest risk at upper-right

- Do not mix probability and frequency terms

- Provide quantitative bounds for likelihood and consequence scales

- Consider changing 4C, 3D, and 2E to High, or Yellow, Risk (Bonus question: Why?)

Good attribute: Numbering of consequence categories

Page 29

Improvements to the Traditional Risk Assessment Matrix

[Figure: the modernized risk assessment matrix, adapted from Fig. 11 of “A Common Mishap Risk Assessment Matrix for U.S. DoD Aircraft Systems,” D. Swallom, 23rd ISSC, 2005. Both axes are logarithmic, with risk increasing up and to the right.
– Horizontal axis: Hazard Frequency (Mishaps per <exposure interval>), tick marks at 10, 1, 0.1, 0.01, 0.001, 0.0001 and 0.00001; categories A Frequent, B Somewhat Frequent, C Occasional, D Intermittent, E Infrequent, F Very Infrequent, G Extremely Infrequent, H Near Zero, I Designed Out
– Vertical axis: Hazard Severity, tick marks at $2K, $20K, $200K, $2M, $20M, $200M and $2B, with fatality equivalents 1, 10, 100 and 1K alongside $2M through $2B; categories 1 Negligible, 2 Marginal, 3 Critical, 4 Catastrophic, 5 Catastrophic, 6 Catastrophic, 7 Catastrophic
– Risk levels shown in the cells: High, Serious, Medium, Low, de minimis
– Annotations: an outline labeled “Typical 4x5 Matrix”, a marker “X”, and the label “Minimizability”]

Page 30

The Source-Mechanism-Outcome Model for Hazard Descriptions


• Previous definitions of “Hazard” did not always, or consistently, require enough information

• This model requires a hazard to be described in terms of its:
– SOURCE (the physical presence – situation, configuration, material, items, their characteristics, proximity and/or potential for interface, energy, etc. – that exists prior to, and enables, the initiation of a mishap sequence)
– MECHANISM (the complete sequence of events – actions, reactions, interactions, etc. – from initiation of the mishap, through to stable end state)
– OUTCOME (the end result of the subject accident sequence, specified in terms of the harm that would come to an asset of value; if a range of outcome severities is possible, it is understood that the outcome stated for the described hazard is that which, when paired with the probability of its occurrence, yields the highest risk, or probability-severity combination)
• Describing a hazard with this model prompts the analyst to identify ways in which:
– The SOURCE can be eliminated, isolated, or otherwise protected
– The MECHANISM can be interrupted if it should start
– The OUTCOME can be mitigated

Page 31

The Source-Mechanism-Outcome Model for Hazard Descriptions(Continued)

[Figure: Source → Mechanism → Outcome]

Page 32

The Source-Mechanism-Outcome Model for Hazard Descriptions(Continued)


• A Practical Exercise
– Improve upon the following hazard descriptions by re-stating them in terms of a SOURCE, MECHANISM, and OUTCOME (be creative and invent the context)

• Slippery spot on walkway

• Extremely hot surface in microgravity payload canister

Pipe carrying oil in the space over narrow walkway (SOURCE) develops a leak; leaked oil accumulates on walkway; person using walkway slips on oil and falls (MECHANISM), sustaining a major injury (OUTCOME)

External surface of furnace in payload canister reaches 800°F during normal operation (SOURCE). Emergency abort from orbit necessitates re-entry to atmosphere before surface of furnace can cool; flammable gases in payload bay enter canister and are ignited by hot surface, causing explosion (MECHANISM). Spacecraft disintegrates during descent, causing death of all occupants (OUTCOME).

Page 33

Summation of Total Risk

[Figure: two bar charts. Top: Partial System Risks (r) Assessed Individually – bars r1, r2, r3, r4 … rn, each compared against an Acceptable Level. Bottom: Total System Risk (R) Assessed as (r1 + r2 + r3 + r4 + … + rn) – the bars stacked into one total and compared against the Acceptable Level, marked with a “?”]

Page 34

Summation of Total Risk(Continued)

[Figure: individual hazard risks r1, r2, r3 … rn (Individual hazard risk (r)) stacked into Total System Risk (R), drawn against a RISK TOLERANCE line]

Total System Risk (R) ≈ Σ r_i, i = 1 … n
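The following Python is an added example that serves both the Source-Mechanism-Outcome model of slides 30–32 and the risk summation above; it is not code from the presentation or from ANSI/GEIA-STD-0010-2009. A hazard log entry is rejected unless it carries all three parts, the reported outcome is chosen by the standard’s rule (the probability-severity pair with the highest risk, which need not be the most severe outcome), and Total System Risk is taken as the sum of the individual r_i and checked against a system tolerance separately from the per-hazard check. The entries (the walkway and payload-canister cases restated from slide 32, plus two further constructed ones), the frequencies, dollar losses, conditional probabilities and both tolerance figures are constructed for illustration.

```python
# Added example: not code from the talk or from ANSI/GEIA-STD-0010-2009.
# A hazard log built on the Source-Mechanism-Outcome model, the rule for which
# outcome to report (the one whose probability x severity is highest, which is
# not necessarily the most severe one), and Total System Risk R = sum(r_i)
# checked against a tolerance. All numbers below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    description: str
    loss_dollars: float              # severity on the matrix's dollar scale
    conditional_probability: float   # P(this end state | the mechanism runs)


@dataclass
class Hazard:
    hazard_id: str
    source: str      # physical presence that exists before, and enables, the sequence
    mechanism: str   # event sequence from initiation to stable end state
    outcomes: list   # candidate end states; one is selected for reporting
    frequency: float # mishap-sequence initiations per <exposure interval>

    def __post_init__(self):
        # An entry like "slippery spot on walkway" names a source only; the
        # model requires all three parts before the hazard can be assessed.
        for part in ("source", "mechanism"):
            if not getattr(self, part).strip():
                raise ValueError(f"{self.hazard_id}: {part} is missing")
        if not self.outcomes:
            raise ValueError(f"{self.hazard_id}: no outcome given")
        total = sum(o.conditional_probability for o in self.outcomes)
        if abs(total - 1.0) > 1e-9:
            raise ValueError(f"{self.hazard_id}: outcome probabilities sum to {total}")

    def reported_outcome(self):
        """Of several possible severities, report the outcome that yields the
        highest risk when paired with its probability, not the worst severity."""
        return max(self.outcomes,
                   key=lambda o: o.conditional_probability * o.loss_dollars)

    def risk(self):
        """r_i: expected loss per exposure interval for the reported outcome."""
        o = self.reported_outcome()
        return self.frequency * o.conditional_probability * o.loss_dollars


def total_system_risk(hazards):
    """R, approximated as the sum of the individual hazard risks r_i."""
    return sum(h.risk() for h in hazards)


def assess(hazards, per_hazard_limit, system_tolerance):
    """Run both tests: every r_i within its limit, and R within the system
    tolerance. A log can pass the first and fail the second, which is why the
    standard adds the summation step."""
    total = total_system_risk(hazards)
    return {
        "individually_acceptable": all(h.risk() <= per_hazard_limit for h in hazards),
        "total_risk": total,
        "total_acceptable": total <= system_tolerance,
    }


# Constructed hazard log; the first two restate the slide's worked descriptions.
WALKWAY = Hazard(
    "H-1",
    "Pipe carrying oil in the space over a narrow walkway",
    "Pipe develops a leak; oil accumulates on the walkway; a person using the "
    "walkway slips on the oil and falls",
    [Outcome("Minor injury", 2e4, 0.899),
     Outcome("Major injury", 5e5, 0.100),
     Outcome("Fatal head injury", 2e6, 0.001)],
    frequency=0.05,
)
HAZARD_LOG = [
    WALKWAY,
    Hazard("H-2",
           "External surface of furnace in payload canister reaches 800°F in "
           "normal operation",
           "Emergency abort from orbit forces re-entry before the surface can "
           "cool; flammable gases in the payload bay enter the canister and are "
           "ignited by the hot surface, causing an explosion",
           [Outcome("Spacecraft disintegrates during descent; all occupants killed",
                    2e8, 1.0)],
           frequency=1e-5),
    Hazard("H-3",
           "Lithium battery pack stowed in the crew cabin",
           "Cell short circuit; thermal runaway propagates; cabin fire",
           [Outcome("Crew injury and cabin damage", 2e5, 0.98),
            Outcome("Loss of crew", 2e7, 0.02)],
           frequency=0.005),
    Hazard("H-4",
           "Pressurized hydraulic line routed past a hot bleed-air duct",
           "Line chafes and ruptures; atomized fluid reaches the duct and ignites",
           [Outcome("Engine-bay fire contained by the suppression system", 2e5, 1.0)],
           frequency=0.01),
]

if __name__ == "__main__":
    for h in HAZARD_LOG:
        print(h.hazard_id, h.reported_outcome().description, round(h.risk()))
    print(assess(HAZARD_LOG, per_hazard_limit=3_000, system_tolerance=5_000))
```

Two things are worth noticing in the output. For H-1 the reported outcome is the major injury, not the fatality: the fatality is the worst severity, but its probability-severity product is the smallest of the three, so the standard’s rule does not select it. And with a per-hazard limit of $3,000 every one of the four r_i passes (about $2,500, $2,000, $2,000 and $2,000), yet R is $8,500 against a system tolerance of $5,000; this is the “?” on slide 33 answered in the negative.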

Page 35

Presentation Recap


– The work of the TechAmerica G-48 System Safety Committee in developing and publishing ANSI/GEIA-STD-0010-2009
– How a discipline can be advanced by standardizing its best practices
– The 5 basic elements of an effective System Safety Program, as outlined in ANSI/GEIA-STD-0010-2009
– Attributes of a modernized risk assessment matrix
– The Source-Mechanism-Outcome model for describing hazards, and how its use helps in the identification of effective hazard controls
– The concept of Summation of Total Risk

QUESTIONS?