
Design for Safety
Description
A one-stop reference guide to design for safety principles and applications
Design for Safety (DfSa) provides design engineers and engineering managers with a range of tools and techniques for incorporating safety into the design process for complex systems. It explains how to design for maximum safe conditions and minimum risk of accidents. The book covers safety design practices that result in improved safety, fewer accidents, and substantial savings in life cycle costs for producers and users. Readers who apply DfSa principles can expect a dramatic improvement in their ability to compete in global markets. They will also find a wealth of design practices not covered in typical engineering books, allowing them to think outside the box when developing safety requirements.
Design safety is already a high-demand field because of its importance to system design, and it will become even more vital for engineers in multiple design disciplines as systems grow more complex and liabilities increase. Risk mitigation methods for designing systems with safety features are therefore becoming more important. Designing systems for safety has long been a high priority for many safety-critical systems, especially in the aerospace and military industries. However, as technological innovations expand into other marketplaces, industries that had not previously considered safety design requirements are now using the technology in their applications.
Design for Safety:
- Covers trending topics and the latest technologies
- Provides ten paradigms for managing and designing systems for safety and uses them as guiding themes throughout the book
- Logically defines the parameters and concepts, sets the safety program and requirements, covers basic methodologies, investigates lessons from history, and addresses specialty topics within the topic of Design for Safety (DfSa)
- Supplements other books in the series on Quality and Reliability Engineering
Design for Safety is an ideal book for new and experienced engineers and managers who are involved with design, testing, and maintenance of safety critical applications. It is also helpful for advanced undergraduate and postgraduate students in engineering.
Design for Safety is the second in a series of "Design for" books. Design for Reliability was the first in the series with more planned for the future.
Persons
LOUIS J. GULLO works for Raytheon Missile Systems, Engineering Product Support Directorate (EPSD), in Tucson, AZ. He is a member of the technical staff and the technical leader for Software Reliability and Safety across Missile Systems. He has worked in the industry for 33 years. He retired as Lieutenant Colonel from the US Army Signal Corps.
JACK DIXON is President of JAMAR International, Inc., in Orlando, FL. He has worked in the defense industry for over 45 years in the areas of system safety, human factors engineering, logistics support, program management, and business development.
Content
Series Editor's Foreword xvii
Preface xix
Acknowledgments xxiii
Introduction: What You Will Learn xxv
1 Design for Safety Paradigms 1
Dev Raheja, Louis J. Gullo, and Jack Dixon
1.1 Why Design for System Safety? 1
1.1.1 What Is a System? 1
1.1.2 What Is System Safety? 2
1.1.3 Organizational Perspective 2
1.2 Reflections on the Current State of the Art 2
1.3 Paradigms for Design for Safety 3
1.3.1 Always Aim for Zero Accidents 4
1.3.2 Be Courageous and "Just Say No" 5
1.3.3 Spend Significant Effort on Systems Requirements Analysis 7
1.3.4 Prevent Accidents from Single as well as Multiple Causes 8
1.3.5 If the Solution Costs Too Much Money, Develop a Cheaper Solution 9
1.3.6 Design for Prognostics and Health Monitoring (PHM) to Minimize the Number of Surprise Disastrous Events or Preventable Mishaps 10
1.3.7 Always Analyze Structure and Architecture for Safety of Complex Systems 11
1.3.8 Develop a Comprehensive Safety Training Program to Include Handling of Systems by Operators and Maintainers 12
1.3.9 Taking No Action Is Usually Not an Acceptable Option 12
1.3.10 If You Stop Using Wrong Practices, You Are Likely to Discover the Right Practices 13
1.4 Create Your Own Paradigms 13
1.5 Summary 14
References 14
2 The History of System Safety 17
Jack Dixon
2.1 Introduction 17
2.2 Origins of System Safety 18
2.2.1 History of System Safety 19
2.2.2 Evolution of System Safety and Its Definitions 21
2.2.3 The Growth of System Safety 23
2.3 Tools of the Trade 30
2.4 Benefits of System Safety 31
2.5 System Safety Management 34
2.6 Integrating System Safety into the Business Process 34
2.6.1 Contracting for System Safety 34
References 36
Suggestions for Additional Reading 38
3 System Safety Program Planning and Management 39
Louis J. Gullo and Jack Dixon
3.1 Management of the System Safety Program 39
3.1.1 System Safety Management Considerations 40
3.1.2 Management Methods and Concepts 41
3.2 Engineering Viewpoint 44
3.2.1 Software Tools 45
3.2.2 Design Concepts and Strategy 45
3.2.3 System Development Process (SDP) 46
3.2.4 Systems Engineering V-Model 46
3.2.5 Requirements Generation and Analysis 48
3.2.6 System Analysis 49
3.2.7 System Testing 49
3.2.8 Risk Management 50
3.3 Safety Integrated in Systems Engineering 50
3.4 Key Interfaces 51
3.5 Planning, Execution, and Documentation 52
3.5.1 System Safety Program Plan 52
3.5.2 Safety Assessment Report 58
3.5.3 Plans Related to System Safety 60
3.6 System Safety Tasks 61
References 61
Suggestions for Additional Reading 62
4 Managing Risks and Product Liabilities 63
Louis J. Gullo and Jack Dixon
4.1 Introduction 63
4.2 Risk 68
4.3 Risk Management 69
4.4 What Happens When the Paradigms for Design for Safety Are Not Followed? 71
4.5 Tort Liability 72
4.6 An Introduction to Product Liability Law 73
4.7 Famous Legal Court Cases Involving Product Liability Law 75
4.8 Negligence 77
4.9 Warnings 79
4.10 The Rush to Market and the Risk of Unknown Hazards 80
4.11 Warranty 81
4.12 The Government Contractor Defense 83
4.13 Legal Conclusions Involving Defective and Unsafe Products 84
References 85
Suggestions for Additional Reading 86
5 Developing System Safety Requirements 87
Louis J. Gullo
5.1 Why Do We Need Safety Requirements? 87
5.2 Design for Safety Paradigm 3 Revisited 89
5.3 How Do We Drive System Safety Requirements? 93
5.4 What Is a System Requirement? 94
5.4.1 Performance Specifications 96
5.4.2 Safety Requirement Specification (SRS) 98
5.5 Hazard Control Requirements 98
5.6 Developing Good Requirements 100
5.6.1 Recognize Bad Requirements 101
5.6.2 Requirements at the Top of the Issues List 102
5.6.3 Examples of Good Requirements for System Safety 103
5.6.4 Negative versus Positive Requirements 104
5.7 Example of Certification and Validation Requirements for a PSDI 105
5.8 Examples of Requirements from STANAG 4404 111
5.9 Summary 113
References 114
6 System Safety Design Checklists 115
Jack Dixon
6.1 Background 115
6.2 Types of Checklists 116
6.2.1 Procedural Checklists 116
6.2.2 Observational Checklists 118
6.2.3 Design Checklists 119
6.3 Use of Checklists 122
References 123
Suggestions for Additional Reading 124
Additional Sources of Checklists 124
7 System Safety Hazard Analysis 125
Jack Dixon
7.1 Introduction to Hazard Analyses 125
7.1.1 Definition of Terms 126
7.2 Risk 126
7.3 Design Risk 127
7.3.1 Current State of the Art of Design Risk Management 127
7.3.2 Expression of Risk 127
7.3.3 Risk Management 128
7.4 Design Risk Management Methods and Hazard Analyses 135
7.4.1 Role of Hazard Analysis 135
7.5 Hazard Analysis Tools 136
7.5.1 Preliminary Hazard List 136
7.5.2 Preliminary Hazard Analysis 138
7.5.3 Subsystem Hazard Analysis (SSHA) 140
7.5.4 System Hazard Analysis (SHA) 143
7.5.5 Operating & Support Hazard Analysis (O&SHA) 145
7.5.6 Health Hazard Analysis (HHA) 148
7.6 Hazard Tracking 150
7.7 Summary 152
References 152
Suggestions for Additional Reading 152
8 Failure Modes, Effects, and Criticality Analysis for System Safety 153
Louis J. Gullo
8.1 Introduction 153
8.1.1 What Is an FMEA? 154
8.1.2 What Is an FMECA? 154
8.1.3 What Is a Single Point Failure? 155
8.1.4 Definitions 156
8.2 The Design FMECA (D-FMECA) 156
8.3 How Are Single Point Failures Eliminated or Avoided in the Design? 158
8.4 Software Design FMECA 165
8.5 What Is a PFMECA? 172
8.5.1 What Is the Difference Between a Process FMECA and a Design FMECA? 172
8.5.2 Why PFMECAs? 173
8.5.3 Performing PFMECA, Step by Step 174
8.5.4 Performing PFMECA, Improvement Actions 180
8.5.5 Performing PFMECA and Reporting Results 181
8.6 Conclusion 182
Acknowledgments 182
References 182
Suggestions for Additional Reading 183
9 Fault Tree Analysis for System Safety 185
Jack Dixon
9.1 Background 185
9.2 What Is a Fault Tree? 186
9.2.1 Gates and Events 187
9.2.2 Definitions 187
9.3 Methodology 189
9.4 Cut Sets 193
9.5 Quantitative Analysis of Fault Trees 198
9.6 Automated Fault Tree Analysis 199
9.7 Advantages and Disadvantages 200
9.8 Example 200
9.9 Conclusion 207
References 207
Suggestions for Additional Reading 208
10 Complementary Design Analysis Techniques 209
Jack Dixon
10.1 Background 209
10.2 Discussion of Less Used Techniques 210
10.2.1 Event Tree Analysis 210
10.2.2 Sneak Circuit Analysis 213
10.2.3 Functional Hazard Analysis 217
10.2.4 Barrier Analysis 220
10.2.5 Bent Pin Analysis 222
10.3 Other Analysis Techniques 224
10.3.1 Petri Nets 225
10.3.2 Markov Analysis 225
10.3.3 Management Oversight Risk Tree (MORT) 226
10.3.4 System-Theoretic Process Analysis 228
References 230
Suggestions for Additional Reading 230
11 Process Safety Management and Analysis 231
Jack Dixon
11.1 Background 231
11.2 Elements of Process Safety Management 232
11.3 Process Hazard Analyses 236
11.3.1 What-If Analysis 238
11.3.2 Checklist 239
11.3.3 What-If/Checklist Analysis 239
11.3.4 Hazard and Operability Study 239
11.3.5 Failure Modes and Effects Analysis 241
11.3.6 Fault Tree Analysis 241
11.3.7 Equivalent Methodologies 242
11.4 Other Related Regulations 242
11.4.1 US Legislation 242
11.4.2 European Directives 244
11.5 Inherently Safer Design 244
11.6 Summary 247
References 247
Suggestions for Additional Reading 248
12 System Safety Testing 249
Louis J. Gullo
12.1 Purpose of System Safety Testing 249
12.1.1 Types of System Safety Tests 250
12.2 Test Strategy and Test Architecture 252
12.3 Develop System Safety Test Plans 256
12.4 Regulatory Compliance Testing 259
12.5 The Value of PHM for System Safety Testing 265
12.5.1 Return on Investment (ROI) from PHM 266
12.5.2 Insensitive Munitions 268
12.5.3 Introduction to PHM 269
12.6 Leveraging Reliability Test Approaches for Safety Testing 271
12.7 Safety Test Data Collection 273
12.8 Test Results and What to Do with the Results 276
12.8.1 What to Do with the Test Results? 276
12.8.2 What Happens If the Test Fails? 276
12.9 Design for Testability 277
12.10 Test Modeling 277
12.11 Summary 278
References 278
13 Integrating Safety with Other Functional Disciplines 281
Louis J. Gullo
13.1 Introduction 281
13.1.1 Key Interfaces for Systems Safety Engineering 282
13.1.2 Cross-Functional Team 283
13.1.3 Constant Communication 285
13.1.4 Digital World 285
13.1.5 Friend or Foe 286
13.2 Raytheon's Code of Conduct 288
13.3 Effective Use of the Paradigms for Design for Safety 290
13.4 How to Influence People 293
13.5 Practice Emotional Intelligence 295
13.6 Practice Positive Deviance to Influence People 299
13.7 Practice "Pay It Forward" 301
13.8 Interfaces with Customers 303
13.9 Interfaces with Suppliers 304
13.10 Five Hats for Multi-Disciplined Engineers (A Path Forward) 304
13.11 Conclusions 306
References 306
14 Design for Reliability Integrated with System Safety 307
Louis J. Gullo
14.1 Introduction 307
14.2 What Is Reliability? 308
14.3 System Safety Design with Reliability Data 312
14.4 How Is Reliability Data Translated to Probability of Occurrence? 316
14.5 Verification of Design for Safety Including Reliability Results 322
14.6 Examples of Design for Safety with Reliability Data 323
14.7 Conclusions 327
Acknowledgment 328
References 328
15 Design for Human Factors Integrated with System Safety 329
Jack Dixon and Louis J. Gullo
15.1 Introduction 329
15.2 Human Factors Engineering 331
15.3 Human-Centered Design 331
15.4 Role of Human Factors in Design 332
15.4.1 Hardware 332
15.4.2 Software 334
15.4.3 Human-Machine Interface 336
15.4.4 Manpower Requirements 336
15.4.5 Workload 337
15.4.6 Personnel Selection and Training 337
15.5 Human Factors Analysis Process 337
15.5.1 Purpose of Human Factors Analysis 337
15.5.2 Methods of Human Factors Analysis 338
15.6 Human Factors and Risk 338
15.6.1 Risk-Based Approach to Human Systems Integration 338
15.6.2 Human Error 344
15.6.3 Types of Human Error 345
15.6.4 Mitigation of Human Error 346
15.6.5 Design for Error Tolerance 347
15.7 Checklists 347
15.8 Testing to Validate Human Factors in Design 350
Acknowledgment 350
References 350
Suggestions for Additional Reading 351
16 Software Safety and Security 353
Louis J. Gullo
16.1 Introduction 353
16.2 Definitions of Cybersecurity and Software Assurance 358
16.3 Software Safety and Cybersecurity Development Tasks 368
16.4 Software FMECA 373
16.5 Examples of Requirements for Software Safety 374
16.6 Example of Numerical Accuracy Where 2 + 2 = 5 377
16.7 Conclusions 378
Acknowledgments 378
References 378
17 Lessons Learned 381
Jack Dixon, Louis J. Gullo, and Dev Raheja
17.1 Introduction 381
17.2 Capturing Lessons Learned Is Important 382
17.3 Analyzing Failure 383
17.4 Learn from Success and from Failure 385
17.5 Near Misses 387
17.5.1 Examples of Near Misses That Ended in Disaster 388
17.6 Continuous Improvement 392
17.7 Lessons Learned Process 395
17.8 Lessons Learned Examples 396
17.8.1 Automobile Industry Lessons Learned from the Takata Airbag Recall 396
17.8.2 Automobile Industry Lessons Learned from the 2014 GM Recall 398
17.8.3 Medical Safety 406
17.8.4 Hoist Systems 411
17.8.5 Internet of Things 413
17.8.6 Explosion in Florida 415
17.8.7 ARCO Channelview Explosion 417
17.8.8 Terra Industries Ammonium Nitrate Explosion 418
17.9 Summary 418
References 419
Suggestions for Additional Reading 421
18 Special Topics on System Safety 423
Louis J. Gullo and Jack Dixon
18.1 Introduction 423
18.1.1 Why Are Many Commercial Air Transport Systems Safe? 424
18.1.2 How Many Aircraft In-Flight Accidents and Fatalities Occur in Recent Times and over History? 425
18.2 Airworthiness and Flight Safety 431
18.3 Statistical Data Comparison Between Commercial Air Travel and Motor Vehicle Travel 432
18.3.1 How Many Motor Vehicle Accidents Occurred Recently and in the Past? 432
18.3.2 When Do Systems Improve Safety? 433
18.4 Safer Ground Transportation Through Autonomous Vehicles 435
18.5 The Future of Commercial Space Travel 438
18.6 Summary 441
References 442
Appendix A: Hazards Checklist 443
Reference 449
Appendix B: System Safety Design Verification Checklist 451
Reference 472
Index 473
Introduction: What You Will Learn
Chapter 1 Design for Safety Paradigms (Raheja, Gullo, and Dixon)
This chapter introduces the concept of design for safety. It describes the technical gaps between the current state of the art and what it takes to design safety into new products. This chapter introduces ten paradigms for safe design that help you do the right things at the right times. These paradigms will be used throughout the book as guiding themes.
Chapter 2 The History of System Safety (Dixon)
This chapter provides a brief history of system safety from the original "fly-fix-fly" approach to safety, to the 1940s' hints at a better way of doing aircraft safety, to the 1950s' introduction of the term "system safety," and to the Minuteman program that brought the systematic approach to safety to the mainstream. Next, the development of and history of MIL-STD-882 is discussed. The growth of system safety and various hazard analyses techniques over the years are covered in detail. The expansion of system safety into the nonmilitary, commercial arena is discussed along with numerous industry standards. Tools of the trade, management of system safety, and integration of system safety into the business process are summarized.
Chapter 3 System Safety Program Planning and Management (Gullo and Dixon)
This chapter discusses the management of system safety in detail. It describes how system safety fits into the development cycle, how it is integrated into the systems engineering process, and what the key interfaces are between system safety and other disciplines. The System Safety Program Plan is described in detail as well as how it is related to other management plans. Another important document, the Safety Assessment Report, is also outlined in detail.
Chapter 4 Managing Risks and Product Liabilities (Gullo and Dixon)
In this chapter, the importance of product liability is emphasized beginning with some financial statistics and numerous examples of major losses due to bad design. The importance of risk and risk management is described. This chapter includes a brief summary of product liability law and what it means to the safety engineer and the organization developing the product or system.
Chapter 5 Developing System Safety Requirements (Gullo)
This chapter's main emphasis is on developing safety requirements including why we need them and why they are so important. We discuss what requirements are and how they enter into various types of specifications. This chapter covers in detail how to develop good safety requirements and provides examples of both good and bad requirements.
Chapter 6 System Safety Design Checklists (Dixon)
This chapter introduces various types of checklists and why they are an important tool for the safety engineer. It covers procedural, observational, and design checklists and provides examples of each type. The uses of checklists are also discussed, and several detailed checklists are provided in the appendices of the book.
Chapter 7 System Safety Hazard Analysis (Dixon)
This chapter introduces some terminologies and discusses risk in detail as an introduction to hazard analyses. After that, it covers several of the most widely used hazard analysis techniques including preliminary hazard list, preliminary hazard analysis, subsystem hazard analysis, system hazard analysis, operating and support hazard analysis, and health hazard analysis. The chapter ends with a discussion of hazard tracking and its importance.
Chapter 8 Failure Modes, Effects, and Criticality Analysis for System Safety (Gullo)
This chapter describes how the Failure Modes and Effects Analysis (FMEA) and Failure Modes, Effects, and Criticality Analysis (FMECA) are useful for system safety analysis. It discusses various types of FMEAs including Design FMECA, Software Design FMECA, and Process Failure Modes, Effects, and Criticality Analysis (PFMECA) and how they may be applied in a number of flexible ways at different points in the system, hardware, and software development life cycle.
Chapter 9 Fault Tree Analysis for System Safety (Dixon)
Fault Tree Analysis (FTA) is covered in this chapter. It is a very popular type of analysis used in system safety. It is a representation in tree form of the combination of causes (failures, faults, errors, etc.) contributing to a particular undesirable event. It uses symbolic logic to create a graphical representation of the combination of failures, faults, and errors that can lead to the undesirable event being analyzed. The purpose of FTA is to identify the combinations of failures and errors that can result in the undesirable event. This chapter provides a brief history of the development of FTA and provides a detailed description of how the analyst creates and applies FTA.
Chapter 10 Complementary Design Analysis Techniques (Dixon)
This chapter covers several additional popular hazard analysis techniques including event trees, sneak circuit analysis, functional hazard analysis, barrier analysis, and bent pin analysis. It also provides brief introductions to a few additional techniques that are less often used including Petri nets, Markov analysis, management oversight risk tree, and system-theoretic process analysis.
Chapter 11 Process Safety Management and Analysis (Dixon)
This chapter introduces Process Safety Management (PSM). It is an effort to prevent catastrophic accidents involving hazardous processes that involve dangerous chemicals and energies. It applies management principles and analytic techniques to reduce risks to processes during the manufacture, use, handling, storage, and transportation of chemicals. A primary focus of PSM is on hazards related to the materials and energetic processes present in chemical production facilities, but it can also be applied to facilities that handle flammable materials, high voltage devices, high current load devices, and energetic materials, such as rocket motor propellants. In this chapter we discuss the regulatory requirement for PSM, elements of PSM, hazard analysis techniques, and related regulations and end with a discussion of inherently safer design.
Chapter 12 System Safety Testing (Gullo)
In this chapter we discuss the purpose and importance of safety testing. The different types of safety tests are described along with the test strategy and test architecture. The development of safety test plans is covered. This chapter contains a section on testing for regulatory compliance and discusses numerous national and international standards. The topic of Prognostics and Health Monitoring (PHM) is introduced along with a discussion of the return on investment associated with PHM. We also discuss how to leverage reliability test approaches for safety testing. Safety test data collection is covered along with what to do with test results. The chapter is ended with a discussion on designing for testability and test modeling.
Chapter 13 Integrating Safety with Other Functional Disciplines (Gullo)
In this chapter, we cover several ways of integrating safety with other engineering and functional disciplines. We discuss the many key interfaces to system safety engineering, and we define the cross-functional teams. We touch on modern decision-making in a digital world and on knowing who your friends and foes are. The importance of constant communication is emphasized. We talk about a code of conduct and values. This chapter introduces paradigms from several different sources, explains how they relate to system safety, and shows how their application can make you a better engineer and help make you and your organization more successful.
Chapter 14 Design for Reliability Integrated with System Safety (Gullo)
The integration with all functional disciplines is very important for effectively and efficiently practicing system safety engineering, but the most important of these functional discipline interfaces is the interface to reliability engineering. This chapter builds on and applies the lessons from Chapter 13 to establish a key interface with reliability engineering. In this chapter we discuss what reliability is and how it is intertwined with system safety. Specifically we discuss how system safety uses reliability data and how this data is used to help determine risk. We conclude the chapter with examples of using reliability data to design for safety.
Chapter 15 Design for Human Factors Integrated with System Safety (Dixon and Gullo)
In starting this chapter, we refer back to the previous two chapters where we discussed the ways system safety engineers should integrate and interface with other types of engineers and functional disciplines and, in particular, with reliability engineering. Another important engineering interface for a system safety engineer is Human Factors Engineering (HFE). System safety benefits greatly from a well-established and reinforced interface to HFE. In this chapter we define HFE and its role in design of both hardware and software. We discuss the Human-Machine Interface (HMI), the determination of manpower and workload requirements, and how they influence personnel selection and training. We detail how human factors analysis is performed and how the various tools are used. Also discussed is...
System requirements
File format: ePUB
Copy protection: Adobe-DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Install the free reader Adobe Digital Editions prior to download (see eBook Help).
- Tablet/smartphone (Android; iOS): Install the free app Adobe Digital Editions or the app PocketBook before downloading (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (not Kindle).
The file format ePub works well for novels and non-fiction books, i.e., "flowing" text without complex layout. On an e-reader or smartphone, line and page breaks automatically adjust to fit the small displays.
This eBook uses Adobe-DRM, a "hard" copy protection. If the necessary requirements are not met, unfortunately you will not be able to open the eBook. You will therefore need to prepare your reading hardware before downloading.
Please note: We strongly recommend that you authorise using your personal Adobe ID after installation of any reading software.
For more information, see our ebook Help page.