Thank You Sponsors, Exhibitors, & Partners!
(Listed with advertisement page and booth location)

Corporate Sponsor
Sikorsky Aircraft Corporation: Advertisement page 8, Booth 14

Gold Sponsors
A-P-T Research, Inc: Advertisement page 6, Booth 4
Boeing: Advertisement page 4, Booth 10
Lockheed Martin: Advertisement page 20, Booth 11
Lockheed Martin Aeronautics Company: Advertisement page 3, Booth 3

Silver Sponsors
Atlantic Software Technologies, Inc: Advertisement page 29, Booth 13
Bastion Technologies, Inc: Advertisement page 33, Booth 3
Isograph, Inc: Advertisement page 49, Booth 2
University of Maryland: Advertisement page 47, Booth 12

Exhibitors
Advanced Logistics Development: Advertisement page 39, Booth 15
Board of Certified Safety Professionals: Advertisement page 24, Booth 8
Electric Power Research Institute: Advertisement page 44, Booth 9
International System Safety Society: Advertisement page 51, Booth 7
MathWorks, Inc: Advertisement page 36, Booth 5

Partner
The Institute of Engineering and Technology
System Safety Society • P.O. Box 70, Unionville, VA 22567-0070 USA
• www.system-safety.org
Cover images courtesy of Greater Boston Convention & Visitors
Bureau. Designed and published by A-P-T Research, Inc.
Publications.
Booth layout:
12 13 14 15 11 10
4 3 2 1 5 6
7 8 9
Paper Presentations • Tutorials • Panel Discussions • Just In Time Sessions
Things To Do In Boston: Freedom Trail, Fenway Park, New England Aquarium, Museum of Science, Boston Common, Paul Revere House, Samuel Adams Brewery, Museum of Fine Arts, Boston Harbor Islands, Faneuil Hall Marketplace
ISSC 2013 Program
Floor plan areas: Opening Ceremony/General Meeting/Lunches; Registration; Reception/Exhibitor Area; Atrium Area; Restaurant; Simmons; Boston Univ.; Ballroom Foyer
Contents
General Information ........ 2
Greetings ........ 5
Speakers ........ 10
Schedule ........ 12
Tutorials ........ 21
Panel Discussions/Forums ........ 26
Workshops ........ 26
Paper Presentations ........ 30
Special Functions ........ 50
About the System Safety Society ........ 52

Organizing Committee
Conference Chair: Pam Alte
Sponsor/Exhibitor Chair: Lindsey Eirich
International Chair: Bob Fletcher
Financial Chair: Cathy Carter
Off-Site Events: Alan Oliver
The following volunteers contributed to the success of the conference.
Pam Alte, 31st ISSC Chair
General Information

Registration Desk: All 31st ISSC attendees, including sponsors and exhibitors, must register at the registration desk located on the 4th Floor. Registered attendees will receive badges, which should be displayed while in any ISSC area (including luncheons). Once a badge is issued it is the responsibility of the registrant to ensure that it is not lost. Sponsors may change the names on their badges as often as they want, but the old one must be turned in to receive a new name.

Special Events: Spouses or exhibitors may purchase tickets for luncheons or the off-site event at the registration desk up to 24 hrs prior to the event. Tickets for the Wednesday night off-site event at the Museum of Science will be $90.00 for adults or $55.00 for children. Tickets to the luncheons on Tuesday, Wednesday, and Thursday are $45.00/lunch for any attendee. Spouses and guests are welcome to attend the Tuesday evening Sponsors and Exhibitor social free of charge.

Internet: Internet will not be provided in the conference locations. However, should you require internet access during the conference, there is complimentary wireless available in the lobby and other public areas. There are also internet options available to each guest in their room.

Transportation: The Marriott Copley Place is located 3.2 miles away from the airport. The subway cost (one way) is $2.50, and the estimated taxi cost is $35.00. While rental cars are available, parking costs in Boston tend to be pricey. Alternative means of getting around include taxis, the subway, or walking.

Tutorial Program & CEUs: The conference includes several information-packed tutorials in addition to the papers being presented. Attending tutorials, along with other elements of the Technical Program at the 31st ISSC, meets the requirements for Continuance of Certification credit through the Board of Certified Safety Professionals (BCSP). Continuing Education Units (CEUs) will be issued for participation in the Conference tutorials. You must be present for the entire tutorial in order to be granted the CEUs. Attendance will be taken at the start of the tutorial, after each break, and you must be present at the end to collect your certificate. CEUs are issued on the basis of 0.1 CEU per instructional contact hour.
Dress Code: We want you to feel comfortable while you are attending
the 31st ISSC, so we advise ‘business casual’ attire. The awards
ceremony, which is a part of the Thursday luncheon, is a time when
many attendees will dress in more formal business attire. The
Tuesday night Sponsor and Exhibitor social and the Wednesday night
off-site event are also business casual dress.
Daily News: The ISSC Daily News will be available at 7:30 each morning, both at the registration desk and in the Sponsor/Exhibitor area. This will announce any room changes, schedule changes, or other information pertinent to the proceedings of the conference.

Spousal Program: There are no tours provided by the ISSC for spouses this year. However, there is an information session to be held on Monday. Brochures will be made available, along with maps and ideas of attractions to visit. If a spouse is unable to make this information session, the hotel concierges can answer questions about local attractions, how to use the subway, available tours, or dining suggestions.

Wednesday Night Off-Site Event: Bus transportation will leave the Marriott Copley Place starting at 6:00pm and bring attendees to the Museum of Science. The ISSC will have the Blue Wing reserved from 6:30pm to 10:30pm, and will receive a private lightning demonstration in the Theater of Electricity, buffet dinner, and a cash bar. Spousal/guest tickets can be bought at the registration desk up until 24 hours before; however, to ensure a smoothly-run event we encourage you to purchase extra tickets when you register. This is sure to be an event you won’t want to miss!
Program ISSC2013
Safety is paramount. That’s why at Lockheed Martin, safety is
designed into everything we do. Our system safety engineers follow
proven government
and industry standards, plans, processes and lessons learned to
build the world’s most safe, supportable and technologically
advanced aircraft.
Lockheed Martin is proud to sponsor this year’s International
System Safety Conference and applaud their mission to ensure system
safety for the long run.
www.lockheedmartin.com
Greetings from the Society President
As the newly elected Society President, I want to welcome you to the 31st International System
Safety Conference. I have been working in system safety since 1985
and I find this to be a rewarding and exciting career field. What I
have liked most about the field is the fact that I find every new
assignment involves working with new and varied types of systems. I
love the challenge, and I appreciate that I am fortunate to have a
job where my work makes a difference in the safety of our systems.
We as System Safety Professionals have the unique privilege of
impacting our society in such a positive way.
This year marks the Golden Anniversary of our society and we trust
this year’s conference will live up to your expectations. We have
come a long way since the early days of this society. Technology
has transitioned from vacuum tubes to liquid crystal displays,
launching unmanned satellites to commercial space flights,
computers the size of a room to tablets with more and more
capability daily. Some of our founding members will be in
attendance at this conference and they will be participating in our
opening session. I know I am looking forward to hearing from them
and their unique challenges.
I am also looking forward to hearing about the unique challenges we
face with the latest in technology in our society. The impact of
new technology on society, and the motivation to trust more of our
safety critical applications to the latest in today’s innovations
creates ever steeper challenges for us. This conference helps us to
meet the challenge. We have outstanding technical sessions, world
leading safety professionals in attendance, opportunities to
network, and opportunities to find solutions to our everyday
safety dilemmas.
Our Conference Chair, Pam Alte, and her team have done an
outstanding job in putting together this conference. We have a
number of interesting technical tracks at this conference. Our
speakers include some of the biggest names in the field. Our
sponsors are among the best in the industry and clearly we value
their contributions to making our world a safer place.
So thank you for coming to this conference. I hope you are looking
forward to the opportunities we have in the coming week as much as
I am.
Robert A. Schmedake, President, System Safety Society
System Safety Engineering & Analysis
Phone: 256.327.3373 Fax: 256.837.7786 www.apt-research.com
Founded in 1990, APT (Analysis, Planning, Test) is an
employee-owned, small business located in Cummings Research Park
near Redstone Arsenal in Huntsville, Alabama. Our corporate vision
is to provide state-of-the-art expertise and ensure the highest
levels of customer satisfaction.
Photo: Missile Defense Agency
Greetings from the Chapter President
Hear ye, hear ye, welcome to Boston for the 31st International System Safety Conference! Boston
is the largest city in New England and one of the oldest in the
United States. No hiding in your hotel – get out and enjoy the
city’s history where key events of the American Revolution took
place including the Boston Massacre and the Boston Tea Party. For
fun and entertainment, visit the Samuel Adams brewery and Bull
& Finch pub (from Cheers!). We are all Red Sox fans this week,
so feel free to visit Fenway Park or view the city from atop the
John Hancock or Prudential buildings. Boston has a red brick trail
through the city that leads you past many of the historical
locations – it’s called the Freedom Trail. Walking this path brings
you from the Boston Common past locations including Granary Burying
Ground, Boston Massacre site, Faneuil Hall, Paul Revere’s house,
Old North Church, and then across the Charles River to the Bunker
Hill Monument and USS Constitution!
The Northeast Chapter and SSS Executive Committee (EC) have worked
hard with this year’s Conference Chair, Pam Alte. If you run into
Pam, make sure you stop and thank her for the volunteer hours and
effort she has poured into this conference. The economy is
providing challenges to pull together a successful conference, but
Pam with the EC’s support has been more than up to the task.
“Safety For The Long Run” is such a poignant theme for this year’s
Boston conference, with the Boston Marathon bombings bringing
safety to the forefront. Other recent events, such as aviation,
train and industrial accidents have sharpened the focus on how
critical the safety discipline is in all our lives. For the
conference, we are all challenged to learn something new. I ask
that all attendees stay engaged with the conference papers and
presentations, and to promote the system safety discipline.
Scott Beecher, President, Northeast Chapter, System Safety Society
multiple missions. It’s dependable and durable, and I have complete confidence in its proven performance. Sikorsky not only sets the standard for rotorcraft excellence and safety, they exceed it. It’s evident in everything from the reliable performance of my BLACK HAWK to the way they support me in the field. There’s simply no better helicopter for any requirement, whether it’s utility, combat search and rescue, or firefighting. The way I see it, not every pilot gets to fly in a helicopter this good. But they should.
Sikorsky.
Greetings from the Conference Chair
On behalf of the entire ISSC planning committee, I would like to extend a warm welcome to you.
We have worked hard to make this conference a world-class success.
Whether this is your first visit to Boston, or you have been here
before, I hope you get a chance to relax and enjoy our beautiful
New England city. Boston has something for everyone, from
historical sites, to exciting downtown locations, sports arenas,
and fabulous shopping. Our off-site event will be held in the
Museum of Science, complete with Wolfgang Puck catering, and our
own private Lightning Show.
The System Safety Society is proud to host an annual conference
that provides practitioners from different industries a chance to
get together, network and learn from each other. Unfortunately, the
US budget sequestration restricted travel for Government workers so
our numbers are down this year. I would like to assure all
attendees that although this year’s conference will be smaller than
previous years, the standards to which we held our papers and
tutorials were not lowered. You can expect top notch
presentations.
The theme for this year’s conference, Safety for the Long Run,
picks up on a number of parallels between the types of things one
might do to prepare for a marathon race, and elements of an
effective system safety program. These include the importance of
proper training, having a well thought out plan, getting off to a
good start, avoiding obstacles and distractions, and keeping enough
in reserve for a successful sprint to the finish. I think you will
agree that this year’s conference will help prepare you well.
One of our objectives was to try to attract more young people who
could especially benefit from the knowledge and experience of many
of the Society’s “grey beards.” We will have several student
members in attendance, and I hope you will join me in making them
feel welcome. I am also pleased to announce this year we will have
a new track: lifecycle safety. These papers will discuss system
safety as it moves past the development stage, which is where the
majority of our previous discussions have stopped. In addition to
our many papers and tutorials being offered, there is the potential
for “Just in Time” sessions to be held. A board for suggesting
topics you would like to have added to discussions will be located
at the registration desk, or you can coordinate with Norm Gauthier,
one of our Technical Co-Chairs.
We wish you an enjoyable and enlightening conference experience.
Should there be anything you require to make your conference
experience better, please don’t hesitate to reach out to me, Cliff
Parizo, or any of the other Conference Committee volunteers.
Again, enjoy your visit and thank you for your support by being
here. I would also like to send a big thank you to those who helped
plan this conference, our sponsors & exhibitors, and especially
to Sikorsky Aircraft for partnering with us to make this conference
a reality.
Sincerely, Pam Alte, 31st ISSC Conference Chair

Speakers

Rex B. Gordon, MPH, PE, CSP; Fellow Member Emeritus, Opening Ceremonies 50th Celebration Speaker
Rex Gordon is a 50 year Charter Member, and current Historian of
the System Safety Society. He is a past President and Editor of the
Journal. He served as Chairman of the 2nd ISSC, and both the
Northeast and Southern California Chapters. He has represented the
Society on the boards of the Reliability and Maintainability
Symposium (RAMS) and Certified Safety Professionals (CSP). He is a
Chapter Member and past Chairman of the Government Electronic
Industries Association (GEIA) G-48 System Safety Committee. He has
co-authored two text books, and over 15 published papers. He has
lectured at the George Washington University, and USC. He has
represented the Society at functions held in the White House, the
Pentagon, in Germany, Holland, and Paris.
He is retired after 40 years of employment as a System Safety
Engineering Specialist, Manager, and Consultant. He currently lives
with his wife of 61 years in Fallbrook, CA.
James P. Keller, Jr., M.S., ECRI Institute, Keynote Speaker
As Vice President, Health Technology Evaluation and Safety, James Keller
directs ECRI Institute’s internationally recognized Health Devices
Evaluation Program that provides independent judgment and guidance
to help hospitals and health systems select and manage medical
devices. The program was referred to by the New York Times as the
“country’s most respected laboratory for testing of medical
products.” He serves as a member of ECRI Institute’s Executive
Committee, which is responsible for overall governance of ECRI
Institute operations.
Mr. Keller is also responsible for the Health Devices Alerts
notification service for medical product hazards and recalls;
Alerts Tracker, a web-based tool for managing hazards and recalls
of medical products; Biomedical Benchmark, a resource to help
hospitals manage their medical equipment service activities; an
annual series of interactive webinars on health technology issues;
and the International Medical Device Problem Reporting
System.
Mr. Keller is a recognized expert and frequently invited speaker on
a wide range of health technology- related topics including patient
safety, equipment management, strategic planning and forecasting,
device utilization, nomenclature and asset management, and the
convergence of medical devices and information systems. He is a
regular contributor to ECRI Institute’s Patient Safety Blog and is
routinely sought out by the news media for his expertise on a
variety of health technology concerns.
Mr. Keller is President of the board for the American College of
Clinical Engineering and is a member of the board for the Health
Technology Foundation. He joined ECRI Institute in 1984 after
completing a Master of Science degree in biological engineering
from the University of Connecticut and a Bachelor of Science degree
in zoology from the University of Massachusetts.
Dr. Nancy Leveson, Massachusetts Institute of Technology, Sponsor & Exhibitor Luncheon Speaker
Dr. Leveson holds a Ph.D. from UCLA. She was a Computer Science
professor at the University of California, then became Boeing
Professor of Computer Science and Engineering at the University of
Washington.
Professor Leveson’s research focuses on topics related to the
design of complex systems containing software, hardware, and human
components. Her goal is to stretch current limits of complexity and
intellectual manageability of the systems we can build with
reasonable resources and with confidence in their expected
behavior, particularly safety. Current research topics include
model-based system and software engineering, system and software
safety, software requirements specification and analysis,
human-computer interaction, reusable component-based system
architectures, interactive visualization, human-centered system
design, and comprehensive approaches to risk management that
include the organizational, political, managerial, and social
aspects of system construction and operation. New work is starting in security. Current applications include space, aircraft, autos, rail
systems, nuclear power, medical devices, hospital safety, defense
systems, and others.
Dr. John McDermid, The University of York, U.K., International Luncheon Speaker
Professor John A. McDermid has been Professor of
Software Engineering at the University of York since 1987 where he
runs the High Integrity Systems Engineering (HISE) research group.
Also, he was Head of the Department of Computer Science from 2006
to 2012. The HISE research group studies a broad range of issues
mainly in systems, software and safety engineering, and works
closely with the UK aerospace industry, but has worked in a number
of domains including automotive, medical and railways.
In 2010, he was appointed a Consulting Professor at Beijing
Jiaotong University (BJTU), and now runs a collaborative research
programme in railway safety with BJTU, known as the Railway Safety
Technology Research Centre (RSTRC). He has extensive experience as
a consultant, including advising the Ministry of Defence (MoD) on
the development of DS 00-56 Issues 3 and 4. He is a member of the
UK Defence Scientific Advisory Council. He is author or editor of
six books, and has published approximately 360 papers.
Schedule: Monday, 12 August
4th Floor: 8:00 - 5:00 Registration
Simmons Room: 6:30 - 8:00 Speakers’ Breakfast
Regis Room: 8:00 - 5:00 Presenter Prep
Rooms: Salons A-E, Berkley, Clarendon
8:00 - 8:50
Hazard Analysis (Barondes)
Quantitative Aspects of Common Cause Failures and Review of
Commonly Applied Models Wind, Schedl, Floetzer
Ground Transportation (Millin)
Achieving Safety Confidence of a Large Scale System Product and its
Applications Shi
9:00 - 9:50
Identification of Safety Critical System, Hardware, and Software
Requirements Using Fault Trees Rainey
Failure Logic Automata for Future Oriented Safety Assessment of
Train Control System Zhou, Zhao
10:30 - 11:20
The Role of Architectural Model Checking in Conducting Preliminary
Safety Assessment Jaradat, Graydon, Bate
Are We Ready for Driverless Cars? West
Lunch Break, Salons A-E
Opening Ceremonies/ General Session
Opening Ceremonies 50th Celebration Speaker: Rex B. Gordon, MPH,
PE, CSP; Fellow Member Emeritus Keynote Speaker: James P. Keller,
Jr. M.S. ECRI Institute
2:30 - 3:20
4:00 - 4:50
Tutorial
Hands-On System Safety Basics, Focused On FHA Winkelbauer, Schedl
(3 hrs)
Tutorial
Introduction to Fault Tree Analysis Using CAFTA Software Roy (3
hrs)
Committee & Group Meetings
Schedule: Tuesday, 13 August
4th Floor: 8:00 - 5:00 Registration
Simmons Room: 6:30 - 8:00 Speakers’ Breakfast
Regis Room: 8:00 - 5:00 Presenter Prep
Rooms: Arlington, Berkley, Clarendon, Dartmouth
8:00 - 8:50
Tutorial
A Tutorial on STPA : A New, More Powerful Hazard Analysis Technique
Leveson, Thomas (6 hrs)
Hazard/Risk Management (Parizo)
Workplace Safety (Kondreck)
Thermal Protection and Thermal Comfort: An Evaluation of the
Fabrics Used in Chef’s Uniforms Against Thermal Hazards in the
Kitchen Zhang, Batcheller, McQueen
Open Forum (Fletcher)
9:00 - 9:50
National Aerospace Standard 411 Update Sheehan
A Roadmap for Future Noise Control in Acquisition: Acoustical
Engineering Controls and Estimated Return on Investment for DOD
Selected High Noise Sources Fischer, Yankaskas, Page
10:30 - 11:20
System Safety Design for Safe Operation of Radars Bartos
Sponsor & Exhibitor Luncheon, Salons A-E, Guest Speaker: Dr. Nancy Leveson, Massachusetts Institute of Technology
Menu: New England Clam Chowder, Grilled Sirloin, Shiitake Mushroom Risotto, Seasonal Vegetables, Port Wine Reduction, Key Lime Tart in a Hazelnut Crust, Blackberry Pate de Fruit
1:30 - 2:20
Tutorial (continued)
Dependability Techniques Applied to Space Software - A Research
Project Report Lahoz, Abdala
Aerospace Safety (Kraemer)
Systems-Based Approach to Flight Safety Management in Airlines Chi,
Xu, Qi, Shao
Software Safety (Schmedake)
Safety and/vs. Security: Towards a System Engineering Approach for
Trust? Schoitsch
2:30 - 3:20
The Principles of Software Safety Assurance Hawkins, Habli,
Kelly
Use of Master Minimum Equipment List (MMEL) To Ensure Safe Dispatch
Durmaz
Anatomy of a Safety Critical Software Function Church
4:00 - 4:50
Formal Modelling in the Development of Dependable Systems
Troubitsyna
Safety Culture: An Examination of the Relationship Between a Safety
Management System and Pilot Judgment Using Simulation in
Aeronautics Campbell
Software Risk: The Third Rail of Safety Analysis Hildreth,
Elcock
6:30 - 8:30
Tutorial
Assurance Cases As Means of Evidence Based Developed of Critical
Systems Despotou (3 hrs)
Tutorial
Practical Generation of Safety Cases With the Help of GSN
Gerstinger, Schedl (3 hrs)
Committee & Group Meetings
Workshop
Application of System Safety Methods to Systems of Systems Joyce,
Debouk, Vergara (3 hrs)
Workshop
Advancing Safety By Reducing Errors: A Fresh Approach Autrey (3
hrs)
Tutorial
Improving Safety Management by Using a Risk Management Policy in
Your Daily Operations Fitzgerald (3 hrs)
Committee & Group Meetings (continued)
Schedule: Wednesday, 14 August
4th Floor: 8:00 - 5:00 Registration
Simmons Room: 6:30 - 8:00 Speakers’ Breakfast
Regis Room: 8:00 - 5:00 Presenter Prep
Rooms: Arlington, Berkley, Clarendon, Dartmouth
8:00 - 8:50
Human Factors (Robins)
Public Safety (Fletcher)
The Study on the Accident Causation Rule of Macroscopic Accidents
in China Zeng, Luo, Tian
Lifecycle Safety (Swallom)
Exxon Valdez: Human Error, Plain and Simple Barondes
Technical and Economic Aspects of Industrial Safety at the Large
Enterprise with Distributed Sites Located in a Megacity
Zheleznov
Development of a System Safety Case for Automotive
Electric/Electronic Systems Sundaram, Hartfelder
10:30 - 11:20
Analysis of Potential Driver Startle in the Safety Assessment of
Advanced Propulsion Systems Vernacchia, Green, Llaneras
Instrumentation for Detection of Hazardous Materials under the
Russian National Measures to Ensure Safety of Population
Transportation Smirnov, Yurkov, Syagin, Koshina
Utilizing Error Prevention Event Collection Documents to Augment
Error Prevention Processes Laabs, Allison, Russell
International Luncheon, Salons A-E, Guest Speaker: Dr. John McDermid, The University of York, UK
Menu: Asian Inspired Salad, Teriyaki Chicken, Coconut Rice, Seared Bok Choy, Triple Chocolate Tower: White, Dark, and Milk Chocolate Mousse Towering atop Devil’s Food Cake, Ganache, and Berry Sauce
1:30 - 2:20
Workshop
Safety Topics (Gauthier)
Introducing Safety Assurance Influenced Design of Health IT Systems
Despotou, Luckcuck, Kelly, Jones
Risk Assessment (Karedes)
Quantitative Risk Assessment in Aviation Safety Risk Management
Hewitt, Pham
Tutorial
Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking
System Behnke, Damstra, Villhauer (2 hrs)
2:30 - 3:20
How Complex Systems Fail-I: Decomposition of the Failure Histogram Zito
4:00 - 4:50
6:00 - 10:00
Wolfgang Puck Dinner and Lightning Show at the Museum of Science
Tutorial
Why You Should Care About the “-Ilities”! Southwick (3 hrs)
G-48 Meeting
9:00 - 9:50
Research on Evaluation Index and Method of CRM Dynamic Training
Wang, Liu, Bai, Liu, Guo, Guo
10:30 - 11:20
Human Reliability Analysis for Detection and Suppression Activities
in Response to Fire Events Garvey, Joglar, Collins
1:30 - 2:20
Tutorial
Where Hard Meets SOFT: Human Factors Role In System Safety
Engineering Brisbois (2 hrs)
Workshop
Aircraft Fire & Explosion – How Safe are the Friendly Skies
Moussa
G-48 Meeting (continued)
Tutorial
Using Risk Profiles for Safety Management of Large Scale Operations
Fitzgerald (3 hrs)
2:30 - 3:20
4:00 - 4:50
Schedule: Thursday, 15 August
4th Floor: 8:00 - 5:00 Registration
Simmons Room: 6:30 - 8:00 Speakers’ Breakfast
Regis Room: 8:00 - 5:00 Presenter Prep
Rooms: Berkley, Clarendon, Dartmouth
8:00 - 8:50
Space Systems (Durmaz)
Using the System Safety Management Plan To Effectively Implement
Air Force Orbital Safety Policy Dang, Moran, Jackson
Weapons Safety (Southwick)
Security Critical Software — the Necessary Frontline Defense of
System Safety in Today’s Dangerous Nuclear Age Alborzi
Hazard Identification (Oliver)
9:00 - 9:50
Tailoring of MIL-STD-882E for Space Systems Acquisitions McDougall,
Jackson
Origin of Test Requirements and Passing Criteria for the
Qualification of Pyrotechnics Adams, Tomasello
Certification of Safety Products in Compliance with Directives
Using the CER and CoVeR Methods Myklebust
10:30 - 11:20
Cryogenic Safety for Space Launch Vehicles During Ground Operations
Iyengar
A Safety Analysis Approach to Science & Technology and Quick
Reaction Capability Weapon System Projects Pham, Sivapragasam
Design With Safety Eye Erdem, Aydin
Awards Luncheon, Salons A-E
Menu: Caesar Salad, Ricotta and Manchego Tortelloni, Sweet Italian Sausage, Broccolini, Artichoke, Roasted Tomato Pesto, Butter Sauce, White Chocolate and Blood Orange Torte
1:30 - 2:20
Aerospace Software (Beecher)
Making the Implicit Explicit: Towards an Assurance Case for DO-178C
Holloway
Public Safety II (Laabs)
Hazard/Risk Management II (Kniess)
Towards Automatic Verification of Safety Properties in AADL System
Models Björnander, Graydon, Land
2:30 - 3:20
Uncertainty and Confidence in Safety Logic Graydon
Safety in Deepwater Well Containment Operations Robins
Using Lean Six Sigma Techniques to Determine if a Process is in
Control with Respect to Error Events Allison, Jerdak
4:00 - 4:50
Initial Safety Analysis for Integration of the Unmanned Aerial
Systems into the National Airspace System Yang, Xie, Yousefi
A Taxonomic Analysis On Chinese Special Equipments “Yinhuan” in
Supervision Fan, Luo, Lu
Leading Indicators in Aviation Operations Fletcher, Dokas
Tutorial
Conceive of Modeling On Operation Mechanism of Public Safety
Standardization Luo, Huang (6 hrs)
Panel
Committee & Group Meetings
2:30 - 3:20
4:00 - 4:50
Rooms: Clarendon, Dartmouth, Regis
8:00 - 8:50
Workshop
Process Safety Culture Best Practices Pearlman (2 hrs)
Best Paper 1
Lessons Learned & ISSC Staff Turn-over Meeting
8:50 - 9:30
Best Paper 2
10:00 - 10:40
10:50 - 11:30
3, 2, 1 SAFETY
System safety is paramount. It impacts our products, employees, technicians, and maintenance personnel. And safety is no accident – it is designed into everything we do. We are proud to sponsor this year’s International System Safety Conference and their mission to think outside the box when it comes to the best processes, methods, and techniques. We’re committed to delivering innovative ideas and solutions that help connect, protect, and explore our universe.
www.lockheedmartin.com/ssc
© 2
TUTORIALS
The conference organizers have an information-packed tutorial program planned in conjunction with the 31st ISSC. Attending tutorials, as well as other elements of the Technical Program at the 31st ISSC, meets the requirements for Continuance of Certification credit through the Board of Certified Safety Professionals (BCSP). The University of Cincinnati will issue Continuing Education Units (CEUs) for participation in the conference tutorials. CEUs are issued on the basis of 0.1 CEU per instructional contact hour. You must be present for at least 90% of the tutorial to receive CEUs and a tutorial completion certificate. Your attendance is verified via the process outlined below:
• At the start of the tutorial, you’ll clearly print your name in the attendance form exactly as you want it to appear on the certificate.
• After returning from each break during the tutorial (morning, lunch, and/or afternoon), you’ll initial the attendance form.
• You must be present at the end of the tutorial to receive your certificate and the CEUs.
If there are misspellings on the CEU certificates, please mark the corrections and give them back to the instructor or leave them at the registration desk.
Monday // 08·12·13 // 8:00-11:30 // Exeter // Tutorial 0.3 CEU
Hands-On System Safety Basics, Focused on FHA
Instructors: Werner Winkelbauer; Gabriele Schedl; Safety Management Department, Frequentis AG, Vienna 1100, Austria
An overview of a generic safety process, best suited for small to medium sized projects, in relation to the project lifecycle, is given. For each major project
phase the respective safety process phase, safety objectives,
necessary in- and outputs are detailed. Some state-of-the-art
analysis techniques are explained. Special emphasis is placed on
the Functional Hazard Assessment, where a practical guidance for a
Functional Failure Modes and Effects Analysis is presented.
The content of this tutorial is based on experience from an internationally operating company.
Objective: Basic understanding of a safety process and the
practical implementation of a Functional Failure Modes and Effects
Analysis
Monday // 08·12·13 // 8:00-11:30 // Fairfield // Tutorial 0.3 CEU
Introduction to Fault Tree Analysis Using CAFTA Software
Instructors: Jean Francois Roy, Nuclear Division/Risk & Safety Management Group, Electric Power Research Institute, Palo Alto, CA, USA
This tutorial will introduce Fault Tree Analysis using CAFTA
Software. Attendees will be first reviewing fault tree methodology
and terminology. Construction of a fault tree model in CAFTA will
then follow a brief review of CAFTA’s components and symbol types.
In constructing the Fault Tree model, topics covered will include
projects, navigation, editing, shortcuts and how to add
probabilities. An overview of basic event probability formulas,
type codes and variables will be included, as well as printing and
quantification processes.
Tuesday // 08·13·13 // 8:00-5:00 // Arlington // Tutorial 0.6 CEU
A Tutorial on STPA: A New, More Powerful Hazard Analysis Technique
Instructors: Nancy G. Leveson, PhD; John Thomas, PhD; Aeronautics and Astronautics, MIT (Massachusetts Institute of Technology), Cambridge, MA, USA
STAMP is a new accident causality model that
expands on the old models in order to handle the increased
complexity, software, and changing human roles in today’s systems.
Using STAMP as a foundation, new
tools have been built for hazard analysis (STPA), accident analysis
(CAST), organizational risk analysis and risk management, etc. This
tutorial will concentrate on STPA. The tutorial will start with a
brief introduction to STAMP and the systems approach to safety
engineering. The rest of the time will be devoted to learning STPA
and doing exercises. Students are encouraged to bring problems from
their own research domains so that they can try this analysis
method on something very relevant to their work.
STPA is being used successfully in almost every industry. Several
groups have evaluated STPA empirically by comparing the results
with standard hazard analysis techniques. In all cases, STPA found
all the hazard scenarios found by the other methods, but also found
additional ones involving software, human errors, and unsafe
interactions among system components. In a couple of cases where STPA
and the other methods were applied to a design in which an accident
had occurred (without telling the analysts), STPA was the only
method that found the real accident scenario.
By the end of the tutorial, attendees will be able to apply STPA to
a system in their field of expertise.
Tuesday // 08·13·13 // 8:00-11:30 // Fairfield // Tutorial 0.3 CEU
Assurance Cases as a Means of Evidence-Based Development of Critical Systems
Instructors: George Despotou, BEng, MSc, PhD, CEng, Department of Computer Science, University of York, York, United Kingdom
Often developers have the onus to defend a position (i.e.
make a case) about the safety of their system. This usually
involves an explanation of how the available information for a
system supports the claim that risks in a system have been
acceptably managed.
Safety cases have been used in the safety domain for a number of years, mostly in the defence, aerospace and energy domains. Their usefulness as a tool for improving safety has been appreciated by many practitioners, and development of a safety case is a requirement in many standards. This has resulted in the core concepts of safety cases being transferred to other domains (e.g. automotive) and being focused on other system attributes (e.g. security cases).
Recently the term assurance case has been introduced, which
encompasses not only safety, but other relevant critical aspects of
a system, such as security.
A case exists to communicate an argument. It is used to demonstrate
how someone can reasonably conclude that a system is acceptably
safe from the evidence available. A case is a device for
communicating ideas and information, usually to a third party (e.g.
a regulator). In order to do this convincingly, it must be as clear
as possible. Safety case definition may bear differences in
different domains, but all definitions converge to a set of
characteristics.
Development of a (safety) case is a requirement in many standards.
However, the usefulness of the safety case has been appreciated in
the industry and is used by many organisations as good practice.
The reason for this is that explicitly capturing all reasoning, and
information (about the supported position) such as assumptions and
evidence, facilitates assessing the fitness of the design to meet
its (safety) objectives. A manufacturer will design a system aiming to achieve the required operational attributes. However, what is intended is often not what is achieved. Once the reasoning of the developers is explicitly documented as claim and argument supported by evidence, the gap between what was intended and what was achieved becomes more apparent.
Explicitly documenting a case will contribute towards the factual representation of the system, revealing which claims can be supported by evidence and which remain intentions (for example, because there is no sufficient evidence to support them). This may not necessarily imply that the latter claims have not been implemented, but that we are unaware of their achievement as they are not sufficiently supported. There can be three reasons as
to why a claim is not sufficiently supported: a) there is not
sufficient evidence to warrant the claim, b) although there is
evidence, there is inadequate explanation (a problematic argument
structure) as to how the evidence supports the claim, and c) the
claim was phrased in a way that is unsupportable.
The tutorial describes the basic concepts of assurance and safety cases (including recent OMG standards), explains the main challenges in developing an assurance case and their relationship to safety standards (safety cases and standards serve different purposes and should be seen as complementary), and presents best practice (and misconceptions) regarding assurance cases.
Tuesday // 08·13·13 // 8:00-11:30 // Suffolk // Tutorial 0.3 CEU
Practical Generation of Safety Cases with the Help of GSN
Instructors: Andreas Gerstinger; Gabriele Schedl; Safety Management Department, Frequentis AG, Vienna 1100, Austria
This tutorial will
introduce you to the concept of safety cases. Safety cases are
structured arguments that support the claim that a system is safe
to be used for a given application in a given environment. Several
standards require the production of such safety cases as a
prerequisite for approval. The tutorial will highlight good and bad
practices when developing safety cases and will introduce you to a
notation specifically developed for the generation of safety cases,
the Goal Structuring Notation (GSN). There will be practical
examples which need to be solved by the attendees, so that hands-on
practice and experience is gained.
Detailed outline of the tutorial:
Introduction (1h): The tutorial will start with a survey of current
safety standards (IEC 61508, ISO 26262, EN 50128, DO-178C,...) and
analyse their views and requirements regarding safety cases. We
will then delve into the nature of safety cases, briefly touch
their historical origins, and clearly consider what can and what
can’t be expected from a safety case. Based on our practical
experience we will also highlight some typical bad practices when
constructing safety cases. This helps to correctly and critically
read them, and is also a helpful guideline for reviewing other
safety documentation. This part of the tutorial is largely a
presentation.
Goal Structuring Notation (45min): We will now introduce the main
elements of the Goal Structuring Notation (GSN), which is a helpful
tool to document safety cases. The presentation of the notation
will be interleaved with brief examples, exercises and questions,
so that attendees have the chance to fully understand the meaning
and purpose of the various symbols. A structured method for how to
proceed when drafting safety cases will also be presented. Hence,
this part of the tutorial is much more interactive, requiring
active participation of attendees.
Case Study (45min): A realistic case study will then be handed out. It is expected to be solved as group work (groups of 3-5 people are expected). The task of the groups will be to draft and present a sound safety argument for a given claim that the system in the case study is acceptably safe for a specific application in a given environment. GSN shall be used as the notation for this purpose. At the end, the groups present their solutions, and the advantages/disadvantages of the presented solutions are discussed. This part of the tutorial is group work.
Concluding Remarks (30min): Finally, we will offer some concluding remarks, consisting of hints on how to avoid common errors and fallacies in safety cases, show some examples of real-world safety cases, and finish with a personal conclusion.
Tuesday // 08·13·13 // 1:30-5:00 // Suffolk // Tutorial 0.3 CEU
Improving Safety Management by Using a Risk Management Policy in Your Daily Operations
Instructors: Ronald E. Fitzgerald, D.P.A., P.E., C.S.P., Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA
The focus of the tutorial is the use of risk assessment and risk management in the (non-technical) occupational safety and health profession. Domain of Interest: Hazard/Risk Management or Workplace Safety.
First hour: Review the basics of the various components of risk and types of risk assessments. Stress that the safety and health professional needs to understand that risk is more than a simple subjective measure of severity and frequency.
Second hour: Demonstrate how to make risk assessment into a powerful management tool by customizing the assessment of risk for use in a company/industry. Also, provide insights on how to “sell” a risk management policy/program within a company.
Third hour: A discussion of how to use risk management as a tool to aid you in your daily office or program management responsibilities; the planning, organizing, staffing, leading, and controlling of a safety program. Embedded in the discussion is how risk can provide a measure of the success of an occupational safety and health program.
Wednesday // 08·14·13 // 8:00-11:30 // Fairfield // Tutorial 0.3 CEU
Why You Should Care About the “-Ilities”!
Instructors: Alan E. Southwick, BSEE, MME, MBA, CSP, CQE, CRE, Whole Life Engineering Directorate, Raytheon Company, Integrated Defense Systems, Portsmouth, RI, USA
The topic addresses the interrelationships
developed from Quality, Quality Control, and Quality Engineering,
pursuing Specialty Engineering Roles and Relationships, including:
Reliability, Maintainability, Supportability, Human Factors,
Safety, and Security (Information Assurance) from an overview
perspective. The tutorial is designed to be somewhat interactive
presenting examples and questions to the audience related to the
various topics discussed, thereby engaging and providing
participants with insights to the various disciplines and how they
relate within “Specialty Engineering.”
Wednesday // 08·14·13 // 1:30-3:30 // Dartmouth // Tutorial 0.2 CEU
Integrating SAE ARP 4761 and MIL-STD-882 in a DOORS Hazard Tracking System
Instructors: Tim R. Behnke, BSEE; John Damstra, BS, Mathematical Sciences; and Eric D. Villhauer, BS, Aerospace Eng, BA, Economics; Specialty Engineering, General Atomics Aeronautical, Poway, CA, USA
The presenters share their implementation of a hazard analysis that integrates the civil aviation approach to safety analysis, per SAE ARP 4761, and the defense approach to safety analysis, per MIL-STD-882E, along with their implementation of the associated hazard tracking system in DOORS.
• Introductions - Behnke - 5 mins
• Need for System - Behnke - 5 mins
• Groundwork (historical) - Behnke - 10 mins
• Development - Damstra - 30 mins
  i. Modules
  ii. Attributes
  iii. DXLs
  iv. Views
  v. Exports
• Usage - Villhauer - 30 mins
• Questions - All - 10 mins
Wednesday // 08·14·13 // 1:30-3:30 // Exeter // Tutorial 0.2 CEU
Where Hard Meets SOFT: Human Factors Role in System Safety Engineering
Instructors: Fred W. Brisbois, CHCM, Safety, Sikorsky Aircraft, International Helicopter Safety Team, Guilford, CT, USA
The gap that allows accidents to happen is sometimes where System
Safety Engineering and Human Factors don’t overlap. System Safety
Engineering processes defined in MIL-STD-882 and ARP 4761 provide a
structured approach of applying engineering practices to ensure
safety is designed into products. These practices, coupled with
robust product safety surveillance and management during the
aircraft’s service life offer opportunities to continuously raise
the standards for future designs. However, to maximize the benefits
of safety engineering, it is important to master the ‘art’ of how
and when to integrate human factor interventions into the system
design. This session will cover a generic overview of system safety
engineering, aircraft fleet safety management and lessons learned
from ‘human’ malfunctions that led to aircraft system design
changes.
Wednesday // 08·14·13 // 1:30-5:00 // Wellesley // Tutorial 0.3 CEU
Using Risk Profiles for Safety Management of Large Scale Operations
Instructors: Ronald E. Fitzgerald, D.P.A., P.E., C.S.P., Safety Department, URS -- Umatilla Chemical Agent Disposal Facility, Hermiston, OR, USA
This tutorial provides safety and health
professionals who work with large scale or multiple operations with
a methodology to evaluate and compare these operations. The
tutorial begins with a review of four types of risk which need to
be assessed (People, Product, Production, and Planet). This is
followed by a brief discussion of normalizing the risk components
of severity and probability. The heart of the tutorial is the
description of how to measure the total risk of various operations,
processes, and facilities and present the resulting risk profiles
to management. The tutorial will conclude with a brief discussion
on the validity of the methodology used. Note: This is not a
discussion on how to determine true total risk, but a simplified
method using a minimum of math. The tutorial is designed for safety and
health professionals working within a company that has multiple
processes or facilities that compete for funding to ameliorate
hazards.
Thursday // 08·15·13 // 8:00-5:00 // Exeter // Tutorial 0.6 CEU
Conceive of Modeling On Operation Mechanism of Public Safety Standardization
Instructors: Yun Luo and Yuecheng Huang, M.E., School of Engineering and Technology, China University of Geosciences (Beijing), Beijing, China
On the basis of theories and
methods of system science and strategy-system, this paper revealed
the operation law of standardization of safety production and the
relations between all the elements, combined with the background
and current situation of public safety standardization in China. It
also built the frame of macroscopic operating mechanism and the
“456” model of work safety standardization system operation
mechanism, which borrowed the idea from execution and achievement
of work safety standardization in our country. Besides, it also designed six other mechanism models, in order to perform systematic analysis and present optimized countermeasures, such as comprehensive management by government, categorized supervision by department, implementing responsibility by organization, technological service by agency, wide participation by society, self-disciplined prodding by entire personnel and so on. The research provided some theoretical directions as well as approaches for constructing and improving the operation quality of public safety standardization.
PANEL DISCUSSIONS/FORUMS
Tuesday // 08·13·13 // 8:00-11:30 // Dartmouth // Open Forum
Developing Global System Safety Perspectives
Moderator: Robert Ward Fletcher, P.Eng.; M.Sc., PMP; PCIP, Consultant, President, Robert Fletcher System Safety, Inc.; Ottawa, Ontario, Canada
This will be
a free form discussion moderated by Bob Fletcher, SSS Director of
International Development. It is a continuation of the discussion
started during the 30th ISSC.
Robert is a system safety engineer with many years of experience.
He has performed system safety consultancy services work for
several clients around the world. He performed system safety
engineering and safety management systems training, auditing and
analysis for air traffic control and flight service system
applications. Robert has received an M.Sc. from the United States
Navy Post Graduate School, a diploma from the Aerospace Systems
School, Winnipeg, Manitoba and a Bachelor of Science degree from
the Royal Military College. He is a registered professional
engineer, a member of the Project Management Institute, and the
Critical Infrastructure Institute.
Thursday // 08·15·13 // 8:00-11:30 // Suffolk // Panel
G-48 Workshop - Pressing Issues Facing System Safety
Moderator: David B. West, CSP, P.E., CHMM, Systems, Software, and Solutions Operation, Science Applications International Corporation (SAIC), Huntsville, AL, USA
A panel of speakers (TBD) will give a series of
presentations on the most pressing issues facing the System Safety
community today.
WORKSHOPS
Tuesday // 08·13·13 // 8:00-11:30 // Exeter // Workshop
ISO 26262-Style Risk Assessment
Presenter: Jeff J. Joyce, PhD, Critical Systems Labs, Inc., Vancouver, BC, Canada
ISO 26262 is a
functional safety standard for electronic control systems in road
vehicles which includes a novel approach to risk assessment that
overcomes the widely recognized difficulty of evaluating the
likelihood of failure in the case of software-intensive systems.
Although it was devised for use in the automotive domain, this
approach to risk assessment has been used successfully in other
technical domains that also rely on safety-critical software.
Following a brief introduction to ISO 26262, participants will
engage in a series of problem-solving, small-group exercises based
on examples taken from a variety of technical domains including
automotive, medical devices, energy and defense. The workshop will
include opportunities for discussion and comparison of sample
solutions. The workshop will also include a brief comparison of the
ISO 26262 approach to risk assessment with the notion of software
criticality in MIL-STD-882E. While this workshop will be of particular interest to system safety engineers in the automotive industry, it is intended to be relevant to system safety engineers across all technical domains with an interest in the assessment of safety risk associated with complex software-intensive systems.
Tuesday // 08·13·13 // 1:30-5:00 // Exeter // Workshop
Application of System Safety Methods to Systems of Systems
Presenters: Jeff J. Joyce, PhD, Critical Systems Labs, Inc., Vancouver, BC, Canada; Rami Debouk, Electrical and Controls Integration Lab, General Motors, Warren, MI, USA; Antonio Vergara, ITER Organization, St. Paul-lez-Durance, France
This workshop will
facilitate an exchange of knowledge among participants about the
application of system safety methods to Systems of Systems (SoS) –
that is, systems whose components are themselves complex systems
such that the combined behavior of these components cannot be
easily understood or explained in terms of the behaviors of the
individual components. Examples of such systems are increasingly
common across a variety of technological domains including
aerospace, defense, automotive and energy generation/distribution.
Traditional methods of system safety focused on component failure
as a source of safety risk have limited value in understanding and
managing the safety risks associated with a SoS. For example, an
unforeseen interaction between two “correct” behaviors implemented
by different components of a SoS may result in an unsafe behavior
even in the absence of a component failure. The first part of the
workshop will be a series of short presentations on SoS examples
from a diverse variety of technical domains - namely, advanced road
vehicles, high energy physics and aerospace/defense. The second
part of the workshop will be an opportunity for all participants to
address specific questions about the application of system safety
methods to SoS through dialogue and impromptu
mini-presentations.
Tuesday // 08·13·13 // 1:30-5:00 // Fairfield // Workshop
Advancing Safety By Reducing Errors: A Fresh Approach
Presenter: Tim Autrey, B.Sc, Error Reduction and Human Performance Enhancement, Practicing Perfection Institute, Inc., Swanzey, NH, USA
Potential hazards workers face while working in the refining and
petrochemical industry can vary from minor leakage to major blasts,
release of chemical vapors, spills leading to exposure to harmful
gaseous chemicals, fires and explosions and smoke build up, causing
shelter-in-place; impacting the local community, personal injuries,
fatalities and plant damage resulting in shutdowns. Considering time pressures, the dangerous nature of the job, weather conditions, lack of communication, poor/inadequate documentation, and remote working locations, planners, locators and refiners often face combined challenges that generate very error-likely conditions.
While unexpected releases of toxic substances do occur, the
industry is subject to vulnerabilities caused by others (such as
processes involving highly hazardous chemicals leading to the
release of flammable liquids and gases and worker stress and
fatigue) and investigations reveal that many of the major accidents
that do occur could have been prevented through greater diligence
on behalf of the respective personnel involved.
This workshop is designed to provide participants with the awareness that as humans, we are fallible (even the best people make mistakes). However, this being said, as humans we also possess the incredible power of choice. What we must do is choose to learn from our mistakes and take action/s to prevent their recurrence.
Bird and Germain 1996 rightly said “What is the sense of measuring,
if the loss must occur, before you can act? That is reaction, not
control”. What we need is a fresh approach to enhance safe work
practices. This session will instill a strong understanding of “The
Gap” in processing information and how to RESPOND rather than REACT
when posed with a stressful or threatening situation. The
participants will come to recognize the value inherent in worker
contribution to solving problems and improving safety and
efficiency.
The Practicing Perfection® approach has taken the best-of-the-best
tactics and tools from the US commercial nuclear power and airline
industries, simplified them, and combined them with underlying
triggers and influencers of behavioral psychology to transform
worker behaviors pertaining to personal and process safety in
different sectors.
Using this innovative Practicing Perfection® approach, safe work practices will be discussed in depth using the four human error barrier/defense categories and how these work together to prevent/allow an event to occur. The participants will be introduced to the Error Elimination Tools™ handbook, which offers simple tools for minimizing the potential for error at points of team interaction and individual execution.
Wednesday // 08·14·13 // 1:30-3:30 // Arlington // Workshop
The Evolution of the UK Defence Safety Standards
Presenter: John McDermid, Professor of Software Engineering at the University of York, UK
Issue 5 of DS 00-56 is being developed and is likely to be in force
before the end of the year. The UK’s primary defence safety
standard, DS 00-56, has been in existence since mid-1990 and has
undergone a number of changes, becoming more goal oriented at issue
4 (the current standard). When issue 4 was produced, DS 00-55, the
MoD software safety standard, was discontinued. Since the publication of DS 00-56 Issue 4 in 2007, there has been feedback on some of the requirements (including the challenges of applying the ALARP principle), defence contracting has changed with a move towards greater procurement of services and/or outsourcing of facilities management, and there is increasing use of Systems of Systems (SoS). Issue 5 of DS 00-56 is being developed to address these
issues. At the same time, there have been increasing concerns
regarding software safety and it has been decided to re-introduce
DS 00-55 at the same time, albeit in a goal-based style consistent
with DS 00-56, and also covering complex electronics. The tutorial
will present an explanation of the motivation for the changes to
the standards, the significant conceptual changes, and outline the
rest of the development process. Time will be allowed for
discussion, e.g. the relationship between DS 00-56 and other
standards, both civil and military.
Wednesday // 08·14·13 // 1:30-3:30 // Fairfield // Workshop
Aircraft Fire & Explosion – How Safe Are the Friendly Skies
Presenter: Albert Moussa, PhD, P.E.
While commercial air travel is an
extremely safe mode of transportation, aircraft fires and
explosions can occasionally occur with catastrophic consequences.
Using examples of recent accidents and full-scale testing, Dr.
Albert Moussa will provide an overview of the main types of fires
such as those involving aircraft engine, fuel tank, cabin and cargo
areas. He will show how major accidents lead to safety
recommendations by the NTSB, stricter requirements by the FAA and
improved practices by the industry. This process takes many years
leading eventually to safer skies. Examples of safety improvements
include the use of a fire blocking layer in seats, improved
acoustic insulation, fire detection and suppression systems in
cargo bays and fuel tank inerting. The implications of replacing
Aluminum with composite materials will also be discussed. The talk
is an overview of a unique professional course that he teaches
annually on the design of aircraft systems for protection against
fire and explosion. The talk is a multi-media presentation
illustrated with colorful slides and short video clips of real
accidents and computer model outputs.
Dr. Albert Moussa has spent over forty years developing a
fundamental understanding of fire and explosion, particularly for
the aerospace/defense industry. His work has led to the development
of a number of practical solutions and quantitative models and to
the investigation of several major national and international
aircraft fire accidents. His forewarning about the vulnerability of
aircraft fuel systems before the occurrence of the TWA800 and
Concorde disasters has gained him prominence in the general media,
in both the US and Europe. He has consulted for the Air Force, Navy
and major firms such as Boeing, GE, Northrop Grumman and Parker
Hannifin, and has served on national advisory committees and on the
Editorial Board of an ASME Journal. He teaches a unique
professional design course on how to protect aircraft systems
against fire and explosion. He received his B.S. from Stanford
University and his M.S. and Sc.D. from MIT. He has published widely
including one book. He has received several honors, including the
William Littlewood Memorial Lecture Award by SAE/AIAA, Engineer of
the Year by AIAA NE Section, best papers by SAE and ASEI, AIAA
Distinguished Lecturer and several ASME citations. He is the Founder and Technical Director of BlazeTech Corp., an
engineering firm that specializes in technology and software
development in the area of energy, environment and safety.
Friday // 08·16·13 // 8:00-10:00 // Clarendon // Workshop
Process Safety Culture Best Practices
Presenter: Laurence Pearlman, MA, Corven, Inc. and University of Illinois at Urbana Champaign, Naperville, IL, USA
The workshop explores how process safety is
more than a technical solution and involves cultural change. To
make a successful and sustainable culture change, multiple elements
need to be combined that address people, rewards, learning and
leadership. This workshop will explore best practices and give
practical advice on how to build a process safety culture. The
workshop is aimed at Oil, Chemical and other process related
work.
• Introduction
• Change as a Journey: Overview of Change Management
• Building a Business Case: Defining a Burning Platform
• Speaking of Process Safety: Creating a Common Language for Process Safety
• Leadership Matters: Defining the Role of Your Leadership Teams
• Effective Learning: Segmenting Your Audiences and Delivering Relevant Learning Activities
• Looking at Behaviors and Desired Outcomes: How To Define & Drive Behaviors
• The Employee Lens: Know My Barriers & Know My Role in Keeping Them Healthy
• Measurement of Culture: What Works and What Doesn’t
• Wrapping it Up: Change as a System
You have a lot on the line. Our adaptive Safety Management and FAA Compliance solutions won’t let you down.
• Adaptive SMS — The comprehensive solution for the most efficient implementation. Easily guides users to confidentially report useful safety events. Responsiveness shows users they made a difference.
• Adaptive Systems Safety Analysis — Safety oriented system design analysis.
Don’t miss the Sikorsky Aircraft and AST Aerospace presentation, “Linear Integrated Safety Analysis (LISA)”
A DIVISION OF ATLANTIC SOFTWARE TECHNOLOGIES
1-732-230-2590
[email protected]
www.astaerospace.com
PAPER PRESENTATIONS
Monday // 08·12·13 AM // Berkley // Hazard Analysis // Chair: Barondes
Quantitative Aspects of Common Cause Failures and Review of Commonly Applied Models
Lucas Wind; Dr. Gabriele Schedl; Juergen Floetzer; Safety Management Department, Frequentis AG, 1100 Vienna, Austria
Multiple failures of components due to shared causes, also
known as Common Cause Failures (CCF), comprise an important class
of failure types. These have to be taken into account in any
serious assessment of safety critical systems deploying any
redundancy concept. Whereas a qualitative assessment of CCF can be
regarded as common practice, the exact numerical impact of CCF is
usually less widely understood. Explicit representation of CCF is
quite cumbersome and usually involves complex graphical
representations within Fault Trees and RBDs. Focusing on a correct
derivation of RAM-data rather than on a comprehensive common cause
analysis, an implicit representation of CCF therefore is often
preferred but requires in-depth knowledge of underlying mathematical
models. This paper aims to enable safety experts to make a fast,
simple but effective RAM-analysis including CCF. Popular CCF-models
are reviewed together with their advantages and disadvantages based
on the long-term experience of a supplier in the context of a large
European ATM-project. The single parameter beta-factor model is
explained in detail and demonstrated to be most effective for
typical ATM-applications. Based on this model, results are given in
terms of representative figures depicting the influence of CCF on
various typical real world availability requirements.
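A worked illustration of the single-parameter beta-factor model the abstract refers to, added here as an example and not taken from the paper: a fraction beta of a channel's failure rate is treated as common cause (it fails every redundant channel at once) and the remainder as independent, so a 1-out-of-2 pair becomes an OR of "both channels fail independently" and "one common cause event". The failure rate, repair rate and the 99.999% availability requirement are constructed values, assumed for illustration only.

```python
# Added example: beta-factor common cause failure (CCF) model applied to a
# repairable 1-out-of-2 redundant pair. Rates and requirements are constructed
# for illustration; they are not figures from the paper.


def component_unavailability(failure_rate, repair_rate):
    """Steady-state unavailability of a repairable item: q = lambda / (lambda + mu).

    failure_rate (lambda) and repair_rate (mu) are per hour. A zero failure
    rate yields zero unavailability (avoids 0/0 when beta is 0 or 1).
    """
    if failure_rate == 0.0:
        return 0.0
    return failure_rate / (failure_rate + repair_rate)


def beta_factor_split(failure_rate, beta):
    """Split a channel's total failure rate under the beta-factor model.

    A fraction beta of all failures is common cause (takes out every redundant
    channel at once); the remaining (1 - beta) fraction is independent.
    """
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must be in [0, 1]")
    return (1.0 - beta) * failure_rate, beta * failure_rate


def redundant_pair_unavailability(failure_rate, repair_rate, beta):
    """Unavailability of a 1-out-of-2 pair (fails only when both channels are down).

    Implicit CCF representation: the independent branch needs both channels
    down at once (q_i squared); the common cause branch is a single event that
    fails both channels together (q_c). The two branches combine as an OR.
    """
    lam_i, lam_c = beta_factor_split(failure_rate, beta)
    q_i = component_unavailability(lam_i, repair_rate)
    q_c = component_unavailability(lam_c, repair_rate)
    return 1.0 - (1.0 - q_i ** 2) * (1.0 - q_c)


def meets_availability(unavailability, required_availability_percent):
    """True when the computed unavailability satisfies an availability requirement."""
    return unavailability <= 1.0 - required_availability_percent / 100.0


def sweep_beta(failure_rate, repair_rate, betas):
    """Return (beta, unavailability) pairs so the CCF influence can be tabulated."""
    return [(b, redundant_pair_unavailability(failure_rate, repair_rate, b)) for b in betas]


if __name__ == "__main__":
    LAMBDA = 1.0e-4   # constructed: one channel failure per 10,000 h
    MU = 1.0 / 8.0    # constructed: 8 h mean time to repair
    for beta, q in sweep_beta(LAMBDA, MU, [0.0, 0.01, 0.05, 0.10]):
        verdict = "meets" if meets_availability(q, 99.999) else "fails"
        print(f"beta={beta:.2f}  unavailability={q:.3e}  99.999% requirement: {verdict}")
```

With these constructed rates the independent branch alone sits below 1e-6, while a beta of 0.1 adds a common cause term of roughly 8e-5, so the pair that met a 99.999% requirement with beta = 0 misses it once CCF is represented at all; that is the kind of sensitivity the abstract's "influence of CCF on availability requirements" is about.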
Identification of Safety Critical System, Hardware, and Software
Requirements Using Fault Trees Wes Rainey, MSEE, Life Cycle
Engineering, General Dynamics Electric Boat, Groton, CT, USA Fault
Trees prove to be an effective tool for identifying safety critical
system, hardware, and software requirements during the Safety
Requirements Hazard Analysis (SRHA) process. This safety analysis
methodology offers significant benefits when performing the SRHA.
Fault Trees effectively communicate the safety assessment of a
safety hazard to other safety engineers, systems engineers, the
customer, and other impacted engineering disciplines in a manner
that each discipline can readily understand and evaluate for
completeness and correctness. Fault Trees also enhance the safety
engineer’s ability to assess the implications of safety mishaps and
events on safety hazards improving visibility into the relationship
between related mishaps and events, and allowing for common events
to be identified and shared between hazards. Fault Trees can then
be structured to correspond to the system, hardware and software
requirements analysis, thus providing the ability to identify
hazard mitigating safety critical requirements, design features,
and procedures early in the development process for continued
tracking and management. This paper describes significant benefits
of Fault Tree analysis when applied to an SRHA with an example
based upon a hazard caused by significant equipment damage to a
pump.
The Role of Architectural Model Checking in Conducting Preliminary
Safety Assessment Omar T. Jaradat, PhD Student (1); Patrick J.
Graydon, Postdoctoral Research Fellow (1); Iain Bate (2); (1) School Of
Innovation, Design and Engineering, Mälardalen University,
Västerås, Sweden, (2) Department of Computer Science, University of
York, York, United Kingdom Typical safety standards require
software engineers to show that a plan of safety activities—chosen
from recommended options or alternatives—meets a set of objectives.
For example, the automotive safety standard ISO 26262 recommends
formally verifying software architectures to show that they comply
with safety requirements. In this paper, we show how an existing
approach to architectural model checking could be used to conform
to ISO 26262.
The Architecture-Based Verification Technique for AADL
Specifications verifies some completeness and consistency
properties of Architectural Analysis and Design Language (AADL)
models. An engineer transforms the AADL architecture into an UPPAAL
model, generates a set of UPPAAL queries, and uses UPPAAL to check
the queries. Using the resulting evidence, we have created a
partial ISO 26262 safety case for an existing system that warns drivers
of heavy vehicles before low fuel causes loss of power and vehicle control.
Program ISSC2013
In this paper, we demonstrate how this model-checking evidence
contributes to an ISO 26262 safety case. We then critically analyze
the resulting argument, recommend means of achieving complete
coverage of ISO 26262 objectives, and discuss the costs and
benefits of architectural model checking in comparison to those of
the other techniques recommended by ISO 26262.
Monday // 08·12·13 AM // Clarendon // Ground Transportation //
Chair: Millin
Achieving Confidence of a Safety Critical System Product and Its
Applications Fenggang Shi, PhD, RAMS Department, Thales Canada
Transportation Solutions, Toronto, ON, Canada A safety critical
system product can be developed for multiple project applications,
such as a Communication Based Train Control (CBTC) product for
modern railway signaling systems. It is natural that different
safety critical systems in the same domain can have different
characteristics due to variances of devices and operation
environment. Such a product must be developed based on the generic
attributes of systems in the domain, and can be parameterized and
tailored to a specific system with the characteristics expected by
the customer. The key issues in development of such a product are
defining common functions in the application domain, categorizing
and generalizing devices, and designing configurable system
architecture. Thus, devices and functions can be parameterized and
tailored for a specific system of a project. Safety engineering for
such a safety critical system product and its applications faces
complexity in safety case development for demonstrating systematic
hazard analyses and management. This paper discusses Thales
experience and practice of resolving the key issues in designs and
managing complexity of safety engineering on its CBTC product and
applications. Safety confidence of CBTC systems is achieved through
four layers of safety engineering: vital computer, controller
platform, generic application, and specific application.
Failure Logic Automata for Future Oriented Safety Assessment of
Train Control System Guo Zhou, PhD Student; Huibing Zhao,
Professor; School of Electronic and Information Engineering,
Beijing Jiaotong University, Beijing, China In the development
process of a train control system, safety analysis possibly deviates
from system design. System engineers and safety engineers always
carry out their ideas in entirely different ways, so that when system
engineers assert their designs are completed and feasible the
safety engineers may disappointedly declare that the safety
requirements are not met. On the contrary, when safety engineers expose
their manual analysis reports, FTA and FMECA etc., system engineers
may pop up and point out the inconsistency. Intuitively, there
seems like a “gap” between system engineering and safety
engineering. In this paper some comparisons amongst classic safety
assessment methods are performed first. Then a future oriented
safety assessment method is introduced to safety engineering to
automatically realize safety requirements verification with the
soaring complexity of system design. The hierarchical and
modularized methodology of failure logic modeling is illustrated
for minimal cut sets synthesis and dangerous failure rate
calculation which can be referred to prompt the safety. The
mathematic model is constructed to manifest the correctness of the
method. An instance analysis of an on-board train protection system
is performed also.
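Both the Fault Tree abstract above (identifying common events shared between hazards) and this one (minimal cut set synthesis from a failure logic model) rest on the same mechanical step: reduce a tree of AND/OR gates to its minimal cut sets. The following is an added example of that step, not code from either paper: it synthesises minimal cut sets bottom-up, estimates each top event with the rare-event approximation, and reports basic events that appear in more than one hazard's cut sets. The two hazards, the event names and the probabilities are constructed for illustration only.

```python
# Added example: minimal cut set synthesis for small fault trees, plus a
# rare-event estimate of each top event and detection of basic events shared
# between hazards. Trees, event names and probabilities are constructed for
# illustration and are not taken from either paper.
import math
from itertools import product


class Event:
    """Basic event with a constructed per-demand failure probability."""
    def __init__(self, name, prob):
        self.name = name
        self.prob = prob


class Gate:
    """AND/OR gate over child nodes (Events or Gates)."""
    def __init__(self, kind, *inputs):
        if kind not in ("AND", "OR"):
            raise ValueError("gate kind must be AND or OR")
        self.kind = kind
        self.inputs = inputs


def minimise(cut_sets):
    """Drop any cut set that is a strict superset of another, keeping only minimal ones."""
    return {cs for cs in cut_sets if not any(other < cs for other in cut_sets)}


def minimal_cut_sets(node):
    """Synthesise minimal cut sets bottom-up: OR unions child sets, AND combines them."""
    if isinstance(node, Event):
        return {frozenset([node.name])}
    child_sets = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        combined = set().union(*child_sets)
    else:  # AND: one cut set from each child, merged, for every combination
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    return minimise(combined)


def basic_event_probabilities(node, table=None):
    """Collect the basic event probabilities of a tree into a dict keyed by name."""
    table = {} if table is None else table
    if isinstance(node, Event):
        table[node.name] = node.prob
    else:
        for child in node.inputs:
            basic_event_probabilities(child, table)
    return table


def top_event_probability(node):
    """Rare-event approximation: sum over minimal cut sets of the product of member probabilities."""
    probs = basic_event_probabilities(node)
    return sum(math.prod(probs[e] for e in cs) for cs in minimal_cut_sets(node))


def shared_basic_events(trees):
    """Basic events that appear in the minimal cut sets of more than one hazard."""
    seen = {}
    for hazard, tree in trees.items():
        for cs in minimal_cut_sets(tree):
            for event in cs:
                seen.setdefault(event, set()).add(hazard)
    return {e: hazards for e, hazards in seen.items() if len(hazards) > 1}


# Constructed basic events (probabilities are illustrative only).
SUCTION_VALVE_CLOSED = Event("SuctionValveClosed", 1.0e-2)
LOW_FLOW_INTERLOCK_FAILS = Event("LowFlowInterlockFails", 1.0e-3)
OVERPRESSURE = Event("OverpressureEvent", 5.0e-3)
RELIEF_VALVE_STUCK = Event("ReliefValveStuck", 2.0e-3)
PUMP_MOTOR_FAILS = Event("PumpMotorFails", 1.0e-3)
BACKUP_PUMP_NO_START = Event("BackupPumpFailsToStart", 2.0e-2)

# Hazard 1 (constructed): pump damaged by running dry or by overpressure without relief.
PUMP_DAMAGE = Gate("OR",
                   Gate("AND", SUCTION_VALVE_CLOSED, LOW_FLOW_INTERLOCK_FAILS),
                   Gate("AND", OVERPRESSURE, RELIEF_VALVE_STUCK))

# Hazard 2 (constructed): loss of cooling flow, sharing the suction valve event with hazard 1.
LOSS_OF_FLOW = Gate("OR",
                    PUMP_MOTOR_FAILS,
                    Gate("AND", SUCTION_VALVE_CLOSED, BACKUP_PUMP_NO_START))

HAZARDS = {"PumpDamage": PUMP_DAMAGE, "LossOfCoolingFlow": LOSS_OF_FLOW}

if __name__ == "__main__":
    for name, tree in HAZARDS.items():
        print(name, sorted(sorted(cs) for cs in minimal_cut_sets(tree)),
              f"P(top) ~ {top_event_probability(tree):.2e}")
    print("shared between hazards:", shared_basic_events(HAZARDS))
```

The minimisation step matters whenever a basic event feeds a tree at more than one level: an OR of {A, B} and {A} must collapse to {A}, otherwise the rare-event sum double counts. The shared-event report is the mechanical form of the "common events identified and shared between hazards" that the Fault Tree abstract describes; in practice it points at the basic events whose mitigating requirements protect several hazards at once.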
Are We Ready for Driverless Cars? David B. West, CSP, P.E., CHMM,
AMCOM/AMRDEC Operation, Science Applications International
Corporation (SAIC), Huntsville, AL, USA For decades, technological
advancements have continually improved the automobile, making it
easier to drive. As we integrate features like adaptive cruise
control, GPS navigation, lane keeping, and so on, and make them
interoperable, we move ever closer to having cars that will drive
themselves to the destinations we enter into their programs. Some
experts have even predicted that in less than a generation, it will
be illegal to steer our cars ourselves! Though it may seem that
serious safety challenges constrain our movement down this path, it
may actually be the safety benefits offered by driverless cars that
propel us in this direction. Several high-profile competitions have
fostered the
development of driverless car technology. Some jurisdictions are
already passing legislation to pave the way for driverless cars on
public roads. With driverless cars will come major changes in legal
processes involving accidents. In many ways, the development of
driverless cars that will operate on public roadways parallels the
development of unpiloted aircraft that will fly in the national
airspace. Design standards for hardware and software in civil
aircraft (e.g., RTCA DO-254/DO-178) may serve as models for similar
qualification of driverless car hardware and software.
Tuesday // 08·13·13 AM // Berkley // Hazard/Risk Management // Chair:
Parizo
Safety is not an Option Clifford A. Parizo, B.S., M.S., Aviation
& Product Safety, Sikorsky Aircraft Corporation, Stratford, CT,
USA; R. Brandon Daugherty, B.S., M.S., Aviation & Product
Safety, Sikorsky Aircraft Corporation, Huntsville, AL, USA This
paper presents a method for evaluating and classifying rotorcraft
safety enhancing equipment in terms of impact on safety and various
equipment implementation factors. Guidance from certifying agency
policy and system safety standard practice were considered,
resulting in a classification tool that can be used to determine if
equipment should be marketed and sold as either mandatory or
optional. The methodology developed may have applications for other
products and industries.
National Aerospace Standard 411 Update Timothy Sheehan, CIH, CSP,
PE, Raytheon Global Substances Program, Raytheon, Portsmouth, RI,
USA This paper describes the effort to review and update National
Aerospace Standard 411 (“NAS 411”), commonly used within defense as
a framework to conduct Hazardous Material Management Programs
(HMMP) intended to reduce hazardous material risks in the
government procurement of military systems. The scope of the effort
includes both a review of the standard and the introduction of
several key changes, including the expansion of the scope to
non-military procurements and service contracts. Included in the
effort is the task of developing a standardized military Hazardous
Materials Target List (HMTL) that can be used as a starting point
for military HMMP hazardous material (HAZMAT) target lists. The
development of the common HMTL addresses the need to increase
standardization of HMMP lists across defense programs that use NAS
411 and/ or MIL-STD 882E Task 108 to conduct their HMMPs. There is
no current standard approach now for developing these lists; as a
result there are numerous different materials identified for
restrictions and reporting requirements. The current situation
often does not support (or reflect) the hazmat risk management
goals of the DoD, the military services or the contractors.
Linear Integrated Safety Analyses (LISA) Michael T. Grant, Aviation
& Product Safety, Sikorsky Aircraft Corp., Stratford, CT, USA;
Samad Muhammad, Atlantic Software Technologies, Inc., New York, NY,
USA This paper describes the Linear Integrated Safety Analyses
(LISA) process developed by the Sikorsky Aircraft Corporation
(Sikorsky). The LISA architecture is designed to encompass all
aspects of safety risk management for aircraft development
programs. It is linear in that each assessment is repeated at the
aircraft, system and subsystem levels in sequence and it is
integrated such that all analyses are connected and fully traceable
to requirements. Sikorsky has partnered with Atlantic Software
Technologies (AST) to develop a web-based LISA application. The end
product will be a fully integrated system safety process that is
comprehensive, repeatable and traceable.
Tuesday // 08·13·13 AM // Clarendon // Workspace Safety // Chair:
Kondreck
Thermal Protection and Thermal Comfort: An Evaluation of the
Fabrics Used in Chef’s Uniforms Against Thermal Hazards in the
Kitchen Han Zhang, M.Sc. Candidate; Rachel McQueen, M.S., PhD;
Jane Batcheller, PhD, Human Ecology, University of Alberta,
Edmonton, Alberta, Canada Burn injuries in kitchens are prevalent,
and chefs are exposed to high heat and humidity. Limited
research has been performed on safety issues related to chef’s
uniforms regarding thermal protective performance towards common
kitchen thermal hazards (i.e., flames, hot liquids, steam and hot
surfaces) and the thermal comfort within commercial kitchens. The
purpose of this research was to characterize the thermal protective
performance properties of textiles used in chef’s uniforms in
order to understand how protective they are against all these
thermal hazards in such environments. Selected thermal performance
tests (i.e., flammability and ease of ignition, hot water and oil
splash and steam testing under low pressure, and hot surface
contact tests) were applied to predict the time to second-degree
burn. Different fabric layers combinations (e.g.,
impermeable/semipermeable apron and two or more layers of cotton
fabrics) were applied to determine the most effective way to wear
chef’s uniforms. In addition, thermal and water vapour resistance
were compared among different fabric systems in terms of thermal
comfort. Based on the obtained data from bench scale tests,
recommendations were made to improve the thermal protection and
thermal comfort of fabrics used in chef’s uniforms and the safety
within commercial kitchens.
A Roadmap for Future Noise Control in Acquisition: Acoustical
Engineering Controls and Estimated Return on Investment for DOD
Selected High Noise Sources Ray Fischer (1); Kurt Yankaskas, BS (2);
Chris Page (1); (1) Noise Control Engineering, Inc., Billerica, MA,
USA; (2) Warfighter Performance Department, Office of Naval
Research, Arlington, VA, USA Noise remains the most prevalent
occupational hazard associated with defense systems and operations
critical to their sustainment. Concurrently, acquisition programs
have been inconsistent in application of control measures and many new
systems are noisier than their legacy predecessors. Common
impediments to improved control include relative lack of emphasis
on risk management of noise; lack of widespread technical knowledge
regarding the feasibility of noise control; and misunderstanding of
potential return on investment from noise controls. The Defense
Safety Oversight Council’s Acquisition and Technology Task Force
sponsored a project to identify common noise sources affecting
multiple defense systems that were amenable to control measures
that could be implemented using existing
technologies at an affordable cost. A system engineering risk
management process was applied to review key noise sources in DOD;
identify nine of the more common sources amenable to control
technologies and describe common control measures for these
processes. An affordable containment (acoustic enclosure)
technology was also evaluated and described. Estimates were made of
exposed populations, the range of their occupational exposures and
potential risk and fiscal cost of hearing loss. Cost-benefit
analyses were applied to evaluate the return on investment from
available control measures.
System Safety Design for Safe Operation of Radars Ronald J. Bartos,
PE, CSP, Whole Life Engineering, Raytheon, Sudbury, MA, USA Safe
operation and maintenance of radars depends upon effective system
safety and software safety analyses of radar designs. These
analyses include identification of the hazards involved in
operating and maintaining radars, and the safety requirements that
are necessary to mitigate these hazards. This paper familiarizes
the reader with the system safety design requirements that are
implemented in the controls of these systems in order to manage the
potential safety risks inherent in radars. The safety features are
contrasted among different types of radars. The differences in the
types of safety features among these systems are highlighted and
factors for these differences are presented. The radar’s mission,
location, system architecture, conceptual design, and requirements
allocation between hardware and software need to be understood in
order to implement an effective safety program.
Tuesday // 08·13·13 PM // Berkley // Software Engineering // Chair:
Mikula
Dependability Techniques Applied to Space Software - A Research
Project Report Carlos Henrique Netto Lahoz, Dr. Eng., Electronic
Division, Institute of Aeronautics and Space (IAE), São José dos
Campos (SP), Brazil; Martha Adriana Dias Abdala, M.S., Electronic
Division, Institute of Aeronautics and Space IAE, Sao Jose Campos,
Brazil This work reports some results of a research project
performed at Institute of Aeronautics and Space IAE/ Brazil using
dependability techniques applied to space computer system. Hazard
analysis techniques such as Software FTA and Software FMECA were
used in an integrated manner, and more recently the
System-Theoretic Process Analysis-STPA has been studied. This
research is part of the Verification and Validation (V&V)
efforts to increase software dependability capability in software
projects at IAE.
The feasibility of such an approach was conducted on system software
specification and applied to a case study based on the Brazilian
Launcher (VLS). The main goal is to identify possible failure
causes and obtain compensating provisions that lead to inclusion of
new functional and non-functional system software.
The techniques are adjusted and used in combination to identify
common causes of software failures, their criticality, performance
problems, temporal misleading and hazards arising mainly from
dysfunctional interactions between components. The SFTA analysis
produced 82 basic events and the SFMECA 34 analyses from sequence
of flight and control events. The STPA is being applied to one of
the case study scenarios in order to evaluate possible additional
information about how the behavioural safety constraints can be
violated.
The Principles of Software Safety Assurance Richard Hawkins, PhD;
Ibrahim Habli, PhD; Tim Kelly, PhD; Department of Computer Science,
University of York, York, United Kingdom We present common
principles of software safety assurance that can be observed from
software safety standards and best practice. These principles are
constant across domains and across projects, and can be regarded as
the immutable core of any software safety justification. The
principles also help maintain understanding of the ‘big picture’ of
software safety issues whilst examining and negotiating the detail
of individual standards, and provide a reference model for
cross-sector certification.
Formal Modelling in the Development of Dependable Systems Elena
Troubitsyna, PhD, IT, Abo Akademi University, Turku, Finland
Nowadays we tend to place increasing reliance on computer-based
systems and the software they are running. The degree of reliance
that we can justifiably place on a system is expressed by the
notion of dependability. However, the analysis of recent
software-caused accidents has shown that the current development
process is inadequate for achieving a high degree of dependability.
While a number of existing methods and tools address certain
aspects of dependable systems development, there is still a lack of
powerful dependability-explicit techniques for developing software
for complex systems.
It is widely recognized that complexity poses a major threat to
dependability. Complexity makes testing of software to the required
degree of dependability infeasible and hence the emphasis should be
put on the development process, which is aimed at producing fault
free software. Moreover, the system environment has a direct impact
on its dependability and hence a systems approach should be
applied.
In the paper we discuss advances in creating a formal
dependability-explicit development process, demonstrate an approach
to integrating formal development with safety analysis and discuss
the role of formal models in building safety cases.
Tuesday // 08·13·13 PM // Clarendon // Aerospace Safety // Chair:
Kraemer
Systems-Based Approach to Flight Safety Management in Airlines Hong
Chi, PhD; Baoguang Xu, PhD; Mingliang Qi, PhD; Xueyan Shao, PhD;
Institute of Policy and Management, Chinese Academy of Sciences,
Beijing, China Safety risk management is one key component of
ICAO’s safety management system (SMS). The Eleventh Five-Year Plan
of China Civil Aviation also requires the establishment of SMS.
Since 2006, we have worked with one of China’s 3 big airlines, taking part
in its construction of SMS. We find that safety risks have their
own features in different airline departments and divide safety
risks into two categories: one is caused by factors, such as
quality of pilots, reliability of airplanes, and the other is
caused by misprocessing through operational processes, for example,
a misprocessing in data entry during dispatching may lead to
insufficient fuel, and then serious outcomes. A reasonable risk
assessment can be obtained only by systematic mechanism analysis,
and other analytical approaches need to be studied besides risk
matrix. Based on this, effective risk mitigation can be implemented
in airlines. We develop a closed loop to support airlines’ flight
safety management, named
“Describing-Assessing-Diagnosing-Improving-Tracking”. Specific details will be discussed in this
paper.
Use of Master Minimum Equipment List (MMEL) to Ensure Safe Dispatch
Burak Durmaz, M.Sc., Eng, Product Assurance Department, Space
Systems Group, Turkish Aerospace Industries, Inc. (TAI), Ankara,
Turkey Even if the new generation aircraft have rugged designs
which are maximizing reliability, exposure to failures during
operation is still indispensable. With a pure safety approach, one
can lead to the classical result: “the safest aircraft is the one
in hangar”. Conversely, allowing dispatch without ensuring a certain
level of safety can lead to catastr