Presentation is loading. Please wait.

Presentation is loading. Please wait.

The “ANSI Process” for System Safety Assurance

Published byEmmanuel Munoz Modified over 10 years ago

Similar presentations

Presentation on theme: "The “ANSI Process” for System Safety Assurance"— Presentation transcript:

1 The “ANSI Process” for System Safety Assurance
Presented at the Safety Case Workshop Huntsville, AL; January 14th, 2014 David B. West, CSP, P.E., CHMM, Fellow NATIONAL SECURITY • ENERGY & ENVIRONMENT • HEALTH • CYBERSECURITY © SAIC. All rights reserved.

2 What do we mean by the “ANSI Process”?
The publishing of best practices in ANSI/GEIA-STD was done by a working group of the SAE International G-48 System Safety Committee Best practices are developed and standardized so that the community of practitioners can advance the state-of-the-art The best practices documented in ANSI/GEIA-STD include: Designing a System Safety Program around 5 basic elements Using a modernized risk assessment matrix Describing hazards in terms of their Source, Mechanism, and Outcome Giving consideration to the concept of Total System Risk This slide is animated the way it is because the presenter will start with the “bottom line” (what we mean by the ANSI process), then back away one step at a time to present the concepts leading up to it. Then, all bullets reappear to show the overall order they will be presented – the becomes the Outline of the Presentation. In this workshop, the “ANSI Process” refers to System Safety processes and methodologies outlined in ANSI/GEIA-STD , “Standard Best Practices for System Safety Program Development and Execution”

3 Outline of Presentation
Brief background on the G-48 System Safety Committee How standardizing best practices can drive advancements in the state-of-the-art The G-48 Committee’s development of ANSI/GEIA-STD The 5 basic elements of an effective system safety program, as presented in ANSI/GEIA-STD Improvements, covered in ANSI/GEIA-STD , to the traditional risk assessment matrix The source-mechanism-outcome model for describing hazards Risk summation

4 Overview of the G-48 System Safety Committee
Established in 1966 by the Electronics Industries Association (EIA) System Safety experts from industry, government, military Advisory body to U.S. Govt. on System Safety issues and standards – e.g., MIL-STD-882 Develops/seeks consensus on System Safety methodologies Three meetings per year Parent organizations after EIA: GEIA ITAA TechAmerica SAE International (July 2013) Mission Statement: To promote the development of safe systems, products, and processes: the G-48 Committee compiles, develops, improves and publishes best practices in the discipline of System Safety.

5 Overview of the G-48 System Safety Committee (Cont.)

6 Overview of the G-48 System Safety Committee (Cont.)
G-48 Meeting No. 133 – Huntsville, AL – January 2013

7 How standardizing best practices can drive advancements in the state-of-the-art
A key motivating factor in developing ANSI/GEIA-STD was the desire to make improvements in the System Safety state-of-the-art. The next five charts graphically present a notional and non-quantitative picture of how improvements in the practice of any human endeavor can be actively brought about through the standardization of best practices. This approach for bringing about improvements has been successfully followed in several other fields, including: The medical profession Steam boiler design and manufacturing Fire protection in building design The automotive industry These next five charts charts can be presented fairly rapidly.

8 Variation of Practice in a Typical Discipline
Frequency of Practice Worse Better Measure of “Goodness” (Proficiency, Effectiveness, Accuracy, Value, etc.)

9 Standardization Option 1: Define and Document Current Practice
Good news: Recognition of full spectrum of current practices Bad news: No improvement; practice stagnates Frequency of Practice Worse Better Measure of “Goodness” (Proficiency, Effectiveness, Accuracy, Value, etc.)

10 (Proficiency, Effectiveness, Accuracy, Value, etc.)
Standardization Option 2 (Good): Option 1 + Identify Central Tendency & Gradations Good news: Substandard practices req’d to improve Bad news: No improvement for most of the spectrum; practice stagnates Minimally Acceptable Frequency of Practice Consensus Exemplary, or State-of-the-Art Sub-standard Cutting Edge Worse Better Measure of “Goodness” (Proficiency, Effectiveness, Accuracy, Value, etc.)

11 Standardization Option 3 (Better): Option 2 + Decrease Variation
Good news: These are pressured to improve… Bad news: …but these might as well “slack off” Frequency of Practice Consensus Worse Better Measure of “Goodness” (Proficiency, Effectiveness, Accuracy, Value, etc.)

12 Standardization Option 4 (Best): Option 3 + Improve Mean Practice
Good news: Overall spectrum of practice improves More good news: No sacrifice of gains at the top of the spectrum Frequency of Practice Worse Better Measure of “Goodness” (Proficiency, Effectiveness, Accuracy, Value, etc.)

13 The G-48 Committee’s Development of ANSI/GEIA-STD-0010-2009
Background: Acquisition Reform and MIL-STD-882D Identified Opportunities for Improving System Safety Practice The G-48 Committee’s Draft of MIL-STD-882E “De-militarizing” the Draft 882E to Form an Industry Standard Revision A of ANSI/GEIA-STD

14 The G-48 Committee’s Development of ANSI/GEIA-STD-0010-2009
Background: Acquisition Reform and MIL-STD-882D Acquisition Reform efforts by the U.S. DOD in the late 1990’s resulted in eliminating many military standards MIL-STD-882 was preserved by making Revision D (Feb 2000) much less prescriptive then it had been in previous revisions (~30 pages, no S.S. tasks, guidance only) G-48 Committee received much feedback from that industry, in general, did not like MIL-STD-882D Committee agreed that: It was time to consider the preparing a revision of MIL-STD-882 A new revision of MIL-STD-882 provided an opportunity for improving standard practices

15 The G-48 Committee’s Development of ANSI/GEIA-STD-0010-2009 (Cont.)
Identified Opportunities for Improving System Safety Practice No universal understanding as to what basic elements are included in a successful System Safety Program Risk assessment matrix not laid out in Cartesian coordinates (which would have risk increasing up and to the right) Disproportionately scaled risk assessment matrix No quantitative bounds for hazard probability categories; mixed probability and frequency terms No provision for taking hazard exposure interval into account Using approach that if hazard risks – taken individually – are acceptable, then system risk is acceptable (regardless of number or risk level of individual hazards); i.e., no assessment of total system risk Inconsistent and/or incomplete methods for describing hazards These shortcomings were addressed in the System Safety best practices documented in ANSI/GEIA-STD

16 The G-48 Committee’s Development of ANSI/GEIA-STD-0010-2009 (Cont.)
The G-48 Committee’s Draft of MIL-STD-882E In late summer 2004, a preliminary Draft 1 of 882E was prepared by Chuck Dorney, a longtime G-48 participant, and distributed to the G-48 Committee for review – numerous comments for improvement in late 2004 and early 2005 All ideas for improvements presented to G-48 Committee in January 2005 G-48 Action Item was to “produce a strawman Draft MIL-STD-882E, ‘adding discipline to our discipline’” An ad hoc working group was formed from several Huntsville-based organizations: APT Research, U.S. Army Aviation & Missile Command, SAIC

17 The G-48 Committee’s Development of ANSI/GEIA-STD-0010-2009 (Cont.)

18 The G-48 Committee’s Development of ANSI/GEIA-STD-0010-2009 (Cont.)
The G-48 Committee’s Draft of MIL-STD-882E (Cont.) Throughout 2005 and into early 2006, the G-48’s 882E working group held several meetings to incorporate recommendations for improvement Primary Focus: Simplifying Work Elements and Process Flow Modernizing the Risk Assessment Matrix Introducing Risk Summation

19 The G-48 Committee’s Development of ANSI/GEIA-STD-0010-2009 (Cont.)
The G-48 Committee’s Draft of MIL-STD-882E (Cont.) February 2006: G-48’s Final Draft MIL-STD-882E submitted for review and approval through U.S. DOD standardization process Approved by nearly every DOD standardization member that reviewed it Key non-concurrence by DOD’s Environment, Safety, and Occupation Health (ESOH) Integrated Process Team (IPT); ESOH IPT took control G-48 Committee did not want to lose all the improvements that we worked so hard to incorporate. So…

20 The G-48 Committee’s Development of ANSI/GEIA-STD-0010-2009 (Cont.)
“De-militarizing” the Draft 882E to Form an Industry Standard After the key non-concurrences derailed the G-48's Draft 882E, the Committee embarked on a new effort to rewrite the document as an industry (non-military) best practices standard. A 3-person team performed a thorough scrub of the document to remove all military-specific terminology, weapon system references, etc. Result was the first real draft of what would become GEIA-STD-0010 Additional Improvements: Emphasis on “Worst Case Risk” to replace “Most Reasonable Credible Mishap” Added “Engineered Safety Features” (ESF) to System Safety order of precedence Added guidance to describe hazards in terms of Source – Mechanism – Outcome (SMO)

21 The G-48 Committee’s Development of ANSI/GEIA-STD-0010-2009 (Cont.)
“De-militarizing” the Draft 882E to Form an Industry Standard (Cont.) GEIA-STD-0010 published in October 2008 Approved by ANSI in February 2009 and re-published as ANSI/GEIA-STD

22 The G-48 Committee’s Development of ANSI/GEIA-STD-0010-2009 (Cont.)
Revision A of ANSI/GEIA-STD Feedback received from industry after the original version of GEIA-STD-0010 was released indicated that the standard needed something analogous to the DOD’s Data Item Descriptions, or DIDs In 2011, an effort was begun to develop Task Data Descriptions (TDDs), where appropriate, for tasks from Appendix B of GEIA-STD-0010 Approach: Compare tasks from MIL-STD-882C to new tasks in GEIA-STD-0010 Adapt existing DIDs referenced from 882C to become new TDDs for corresponding tasks in GEIA-STD-0010 Develop new TDDs where necessary Purpose of Revision A was stated as: …provide Task Data Descriptions (TDDs) for System Safety Tasks in Annex (sic) B of the Standard. TDDs are analogous to Data Item Descriptions (DIDs) found in military standards. The TDDs will be placed in a new appendix (Appendix C). This revision will also incorporate numerous editorial corrections to the current version of the standard.

23 The Five Basic Elements of an Effective System Safety Program
Simplifying Work Elements and Process Flow Modernizing the Risk Assessment Matrix Introducing Risk Summation 23

24 The Five Basic Elements of an Effective System Safety Program
(Continued) Credit: From analysis of various risk management processes and presentation developed by APT Research, Huntsville, AL. 24

25 The Five Basic Elements of an Effective System Safety Program
(Continued) The Eight Program Elements outlined in MIL-STD-882D and earlier versions were combined and simplified into five, to provide a more concise representation of current consensus practices. Documentation of the system safety approach Identification of hazards Assessment of mishap risk Identification of mishap risk mitigation measures Reduction of mishap risk to an acceptable level Verification of mishap reduction Review and acceptance of residual mishap risk by the appropriate authority Tracking hazards and residual mishap risk Program Initiation Hazard Identification and Tracking Risk Assessment Risk Reduction Risk Acceptance I – A – R - A 25

26 The Five Basic Elements of an Effective System Safety Program
(Continued) 26

27 Improvements to the Traditional Risk Assessment Matrix
Matrix from MIL-STD-882D Axes converted to logarithmic scales Note: Highest risk at upper-left Huge variation in span of risk covered by different cells

28 A “Pop Quiz” Identify as many ways as possible that the risk matrix at right could be improved - Flip vertical axis to have highest risk at upper-right - Do not mix probability and frequency terms - Provide quantitative bounds for likelihood and consequence scales - Consider changing 4C, 3D, and 2E to High, or Yellow, Risk (Bonus question: Why?) Good attribute: Numbering of consequence categories

29 Hazard Frequency (Mishaps per <exposure interval>)
Improvements to the Traditional Risk Assessment Matrix Designed Out I Frequent A Somewhat B Occasional C Intermittent D Hazard Frequency (Mishaps per <exposure interval>) 1 10 Infrequent E 0.01 0.1 Very F 0.001 Extremely G 0.0001 High Serious Near Zero H Critical 3 Hazard Severity Catastrophic 4 Marginal 2 Negligible 1 $2M $200K $20K Catastrophic 5 $20M Catastrophic 6 $200M Catastrophic 7 $2B $2K 1 Fatal 10 Fatal 100 Fatal 1K Fatal Low de minimus Medium Typical 4x5 Matrix X “Minimizability” In the area of risk matrix modernization, many recent advances in the state-of-the-art have occurred or are occurring. The notional risk matrix depicted on this slide illustrates many such advances. Cartesian orientation. Engineers and technical specialists are accustomed to seeing plots and graphs having values on each of the orthogonal scales increase upward and to the right. Thus, for risk matrices, the region of the matrix corresponding to the highest risk should be at the upper-right, as shown here. Equally proportioned, logarithmic scales. Logarithmic scales ensure that iso-risk lines plotted in “risk space” are straight diagonals. Equal proportionment of numerical upper and lower bounds of cells ensures that the range of risk represented by each cell is equivalent to the range represented by any other cell of the matrix. Earlier matrices in popular use had some cells with a possible variation in risk (across opposite diagonal corners of the cell) equal to 6 orders of magnitude, while other cells on the same matrix represented a maximum variation of only 1.3 orders of magnitude. Risk levels assigned to cells based on lines of equal risk. Risk matrices are traditionally divided into regions designated as having certain risk levels (high, serious, medium, etc.). On this matrix, each such region is shaded a different color. Dividing regions along lines of equal risk (straight diagonals, as pointed out under #2 above) avoids the previously common situation where a cell from one region could represent the same magnitude of risk as a cell from a different region. Extending “low” risk region to the row of the matrix with highest severity. Frequently, hazards involving a maximum severity outcome are identified. Mitigating measures will often lower only the frequency of experiencing the postulated mishap (not its severity). Earlier matrices without this attribute meant that once a maximum severity hazard was identified, no matter how low the probability (and therefore, the risk) could be driven, it would still have to be managed through risk decisions or acceptance at other than the lowest authority level. Including a column for hazards whose risk has been eliminated. Column “I” of this matrix illustrates this attribute. Appropriate maximum boundaries for the entire matrix. The “typical” 4x5 matrix depicted with the bold dashed line on this slide is obsolete for many high-dollar- value (not to mention high consequence, in terms of potential fatalities) systems of today. Assigning severity labels in ascending order of severity. The highest severity category (“Catastrophic”) has traditionally been assigned the code of “1” (or “I”). This would be problematic when new, higher severity categories need to be added in the future (see #6 above). Reversing the traditional order, to assign the lowest severity category (“Negligible”) the code of “1,” alleviates this problem; it is not likely that categories of lower severity would need to be added in the future. Calibrating the matrix to an appropriate exposure interval. Some typical exposure intervals are 105 flight-hours, miles driven, and missions flown. This calibration, which is too often neglected, allows risks associated with entirely different hazards to be compared. Including a “de minimus” region. From the Latin de minimis non curat lex, meaning “The law does not concern itself with trifles,” the de minimus region is for hazards whose risk is so low that they don’t need to be formally tracked, though risk reduction measures could still be applied if few resources are required. Adapted from Fig. 11 of “A Common Mishap Risk Assessment Matrix for U.S. DoD Aircraft Systems,” D. Swallom, 23rd ISSC, 2005. 29

30 The Source-Mechanism-Outcome Model for Hazard Descriptions
Previous definitions of “Hazard” did not always, or consistently, require enough information This model requires a hazard to be described in terms of its: SOURCE (the physical presence – situation, configuration, material, items, their characteristics, proximity and/or potential for interface, energy, etc. – that exists prior to, and enables, the initiation of an mishap sequence) MECHANISM (the complete sequence of events – actions, reactions, interactions, etc. – from initiation of the mishap, through to stable end state) OUTCOME (the end result of the subject accident sequence, specified in terms of the harm that would come to an asset of value; if a range of outcome severities was possible, it is understood that the outcome stated for the described hazard is that which, when paired with the probability of its occurrence, yields the highest risk, or probability-severity combination) Describing a hazard with this model prompts the analyst to identify ways in which: The SOURCE can be eliminated, isolated, or otherwise protected The MECHANISM can be interrupted if it should start The OUTCOME can be mitigated 30

31 Source Mechanism Outcome
The Source-Mechanism-Outcome Model for Hazard Descriptions (Continued) Source Mechanism Outcome 31

32 The Source-Mechanism-Outcome Model for Hazard Descriptions
(Continued) A Practical Exercise Improve upon the following hazard descriptions by re-stating them in terms of a SOURCE, MECHANISM, and OUTCOME (be creative and invent the context) Slippery spot on walkway Extremely hot surface in microgravity payload canister Pipe carrying oil in the space over narrow walkway (SOURCE) develops a leak; leaked oil accumulates on walkway; person using walkway slips on oil and falls (MECHANISM), sustaining a major injury (OUTCOME) External surface of furnace in payload canister reaches 800○F during normal operation (SOURCE). Emergency abort from orbit necessitates re-entry to atmosphere before surface of furnace can cool; flammable gases in payload bay enter canister and are ignited by hot surface, causing explosion (MECHANISM). Spacecraft disintegrates during descent, causing death of all occupants (OUTCOME). 32

33 … … ? Summation of Total Risk
Partial System Risks (r) Assessed Individually: Acceptable Level r4 r1 rn r2 r3 r1 r2 r3 r4 rn Total System Risk (R) Assessed as Σ (r1 + r2 + r3 + r4 + … + rn): Acceptable Level ? 33

34 Individual hazard risk (r)
Summation of Total Risk (Continued) Total System Risk (R) ≈ Σ (ri) i=1 n Individual hazard risk (r) r1 r2 RISK TOLERANCE r3 ... rn 34

35 QUESTIONS? Presentation Recap
The work of the TechAmerica G-48 System Safety Committee in developing and publishing ANSI/GEIA-STD How a discipline can be advanced by standardizing its best practices The 5 basic elements of an effective System Safety Program, as outlined in ANSI/GEIA-STD Attributes of a modernized risk assessment matrix The Source-Mechanism-Outcome model for describing hazards, and how its use helps in the identification of effective hazard controls The concept of Summation of Total Risk QUESTIONS? 35

Download ppt "The “ANSI Process” for System Safety Assurance"

Similar presentations

Requirements Engineering Processes – 2

Requirements Engineering Processes – 2
Chapter 7 System Models.

Chapter 7 System Models.
Author: Julia Richards and R. Scott Hawley

Author: Julia Richards and R. Scott Hawley
1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.
Medical devices: Application of risk management to medical devices

Medical devices: Application of risk management to medical devices
1 Balloting/Handling Negative Votes September 11, 2006 ASTM Training Session Bob Morgan Brynn Iwanowski.

1 Balloting/Handling Negative Votes September 11, 2006 ASTM Training Session Bob Morgan Brynn Iwanowski.
1 Balloting/Handling Negative Votes September 22 nd and 24 th, 2009 ASTM Virtual Training Session Christine DeJong Joe Koury.

1 Balloting/Handling Negative Votes September 22 nd and 24 th, 2009 ASTM Virtual Training Session Christine DeJong Joe Koury.
Task Group Chairman and Technical Contact Responsibilities ASTM International Officers Training Workshop September 2012 Scott Orthey and Steve Mawn 1.

Task Group Chairman and Technical Contact Responsibilities ASTM International Officers Training Workshop September 2012 Scott Orthey and Steve Mawn 1.
RECORD KEEPING Cooperative Development of Operational

RECORD KEEPING Cooperative Development of Operational
1 Introduction to Safety Management April 2006. 2 Objective The objective of this presentation is to highlight some of the basic elements of Safety Management.

1 Introduction to Safety Management April Objective The objective of this presentation is to highlight some of the basic elements of Safety Management.
Objectives To introduce software project management and to describe its distinctive characteristics To discuss project planning and the planning process.

Objectives To introduce software project management and to describe its distinctive characteristics To discuss project planning and the planning process.
The Implementation Structure DG AGRI, October 2005

The Implementation Structure DG AGRI, October 2005
NPA WG : Single and multiple releases

NPA WG : Single and multiple releases
Module N° 6 – SMS regulation

Module N° 6 – SMS regulation
Module N° 7 – Introduction to SMS

Module N° 7 – Introduction to SMS
State of New Jersey Department of Health and Senior Services Patient Safety Reporting System Module 2 – New Event Entry.

State of New Jersey Department of Health and Senior Services Patient Safety Reporting System Module 2 – New Event Entry.
Program Goals, Objectives and Performance Indicators A guide for grant and program development 3/2/2014 | Illinois Criminal Justice Information Authority.

Program Goals, Objectives and Performance Indicators A guide for grant and program development 3/2/2014 | Illinois Criminal Justice Information Authority.
Using outcomes data for program improvement Kathy Hebbeler and Cornelia Taylor Early Childhood Outcome Center, SRI International.

Using outcomes data for program improvement Kathy Hebbeler and Cornelia Taylor Early Childhood Outcome Center, SRI International.
Briefing to the Select Committee on Security and Constitutional Development 11 February 2014 1.

Briefing to the Select Committee on Security and Constitutional Development 11 February
Site Safety Plans PFN ME 35B.

Site Safety Plans PFN ME 35B.

Similar presentations

Ads by Google