SYSTEM SAFETY

Using Probability for Risk Analysis

Barbara Luckett – 20 October 2009

Personal Background Naval Surface Warfare Center Dahlgren Division

(NSWCDD )“…premier research and development center that

serves as a specialty site for weapon system integration.” -- NSWCDD website

Platform System Safety Branch Department of Defense (DoD) acquisition

projectshttp://www.austal.com/index.cfm?objectID=6B42CC6

2-65BF-EBC1-2E3E308BACC92365

System Safety Terms and Concepts System – “a composite, at any level of

complexity, of personnel, procedures, materials, tools, equipment, facilities, and software… used together in the intended operational or support environment to perform a given task or achieve a specific purpose.” – MIL-STD 882C

Safety – “freedom from those conditions that can cause death, injury, occupational illness, or damage to or loss of equipment or property, or damage to the environment.” – MIL-STD 882C

What is System Safety? “The application of engineering and

management principles, criteria, and techniques to optimize all aspects of safety within the constraints of operational effectiveness, time, and cost throughout all phases of the system life cycle.” – MIL-STD 882C

“For almost any system, product, or service, the most effective means of limiting product liability and accident risks is to implement an organized system safety function beginning in the conceptual design phase, and continuing through to its development, fabrication, testing, production, use, and ultimate disposal.” – System Safety Society website

System Safety Terms and Concepts Hazard – “any real or potential condition that

can cause death, injury, occupational illness; or damage to or loss of equipment or property; or damage to the environment.” – MIL-STD 882C

Mishap – “an unplanned event or series of events resulting in death, injury, occupational illness; or damage to or loss of equipment or property; or damage to the environment.” – MIL-STD 882C

Effect – “the result of a mishap (ie: death, injury, occupational illness; or damage to or loss of equipment or property; or damage to the environment).” – MIL-STD 882C

Mishap SeverityDescriptio

nCategor

yEnvironmental, Safety, and Health Result

CriteriaCatastrophi

c1 Could result in: death, permanent total disability;

system loss, loss exceeding $1M; or irreversible severe environmental damage that violates law or

regulationCritical 2 Could result in: permanent partial disability,

injuries, or occupational illness that may result in hospitalization of at least three personnel; major

system damage, loss exceeding $200K but less than $1M; or reversible environmental damage causing a

violation of law or regulationMarginal 3 Could result in: injury or occupational illness

resulting in one or more lost workdays; minor system damage, loss exceeding $10K but less than $200K; or mitigable environmental damage without

violation of law or regulation where restoration activities can be accomplished

Negligible 4 Could result in: injury or illness not resulting in a lost work day; insignificant system damage, loss exceeding $2K but less than $10K; or minimal

environmental damage not violating law or regulation

Mishap ProbabilityLeve

lDescriptio

nItem Criteria Fleet Criteria

A Frequent Likely to occur often in the life of an item, with a probability of

occurrence greater than 10-1

Continuously experienced

B Probable Will occur several times in the life of an item, with a probability of

occurrence less than 10-1 but greater than 10-2 in that life

Will occur frequently

C Occasional Likely to occur some time in the life of an item, with a probability of

occurrence less than 10-2 but greater than 10-3 in that life

Will occur several times

D Remote Unlikely but possible to occur in the life of an item, with a probability of

occurrence less than 10-3 but greater than 10-6 in that life

Unlikely but can be reasonably be

expected to occur

E Improbable So unlikely, it can be assumed occurrence may not be experienced, with a probability of occurrence less

than 10-6

Unlikely to occur but possible

Mishap Risk Index (MRI)

Mishap Probability:

Mishap Severity Categories:1:

Catastrophic2: Critical 3:

Marginal4:

NegligibleA: Frequent HIGH HIGH SERIOUS MEDIUMB: Probable HIGH HIGH SERIOUS MEDIUM

C: Occasional

HIGH SERIOUS MEDIUM LOW

D: Remote SERIOUS MEDIUM MEDIUM LOWE:

ImprobableMEDIUM MEDIUM MEDIUM LOWRisk

LevelSuggested Criteria Acceptance Authority

HIGH Unacceptable Service Acquisition Executive

SERIOUS Undesirable Program Executive Officer

MEDIUM Acceptable with review

Program Manager

LOW Acceptable without review

Program Manager

How do we get these values? Severity values are obtained by

brainstorming “worst credible” mishaps in each of three categories:1. Personnel injury/death2. Damage to system equipment3. Environmental damage

Probability values are a little more technical…

Probability Terms and Concepts

“The probability of any outcome of a random phenomenon is the proportion of times the outcome would occur in a very long series of repetitions.” - COMAP

“The sample space S of a random phenomenon is the set of all possible outcomes” - COMAP

“An event is any outcome or set of outcomes of a random phenomenon… An event is a subset of the sample space.” - COMAP

-- COMAP text, 7th edition, pages 289-299

Probability Rules1. 0 ≤ P(A) ≤ 12. P(S) = 13. P(Ac) = 1 – P(A)4. P(A or B) = P(A) + P(B) – P(A and

B) 5. P(A and B) = P(A) x P(B)

Methods of Obtaining Probability Values Fault Tree Analysis Historical Mishap Data Given Information Standard Calculations

Fault Tree Analysis (FTA) Originally developed by Bell Telephone

Laboratories in 1962 for the U.S. Air Force.Used to analyze probabilities of inadvertent

launch of Minuteman missiles Technique was expanded and improved

upon by Boeing Company Fault Trees are now one of the most widely

used methods in system reliability and failure probability analysis

Fault Tree Analysis (FTA) A Fault Tree is a top-down structured graphical

representation of the interaction of failures of events within a system Basic events (hazards and their causal factors) are at the

bottom of the fault tree and are linked via logic symbols (known as gates) to a top event (mishap).

Events in a Fault Tree are continually expanded until sub-events are created for which you can assign a probability.

We can use known probability values for the basic events as well as knowledge of logic gates and boolean logic to calculate the probability of the mishap occurring.

Review of Logic Gates for FTA

AND OR XOR NOT

NAND NOR XNOR

A B A and B

A or B

A xor B

not A A nand B

A nor B

A xnor B

0 0 0 0 0 1 1 1 10 1 0 1 1 1 1 0 01 0 0 1 1 0 1 0 01 1 1 1 0 0 0 0 1

AND Gate Logic

All on-site power fails iff Generator #1 fails and Generator #2 fails and Generator #3 fails

A = B and C and D P(A) = P(B) x P(C) x P(D)

Generator #1 fails

B

All on-site power failed

A

Generator #2 fails

C

Generator #3 fails

D

OR Gate Logic

Elevator door ‘closed’ failed iff hardware failure or human error or software failure

A = B or C or D P(A) = P(B) + P(C) + P(D) – P(B)P(C) –

P(B)P(D) - P(C)P(D) + P(B)P(C)P(D)

Hardware failure

B

Elevator door ‘closed’ failed

A

Human ErrorC

Software failureD

FTA Methodology Generally involves five steps:

1. Define the undesired top event (mishap)2. Obtain an understanding of the system3. Construct the fault tree○ Deductively define all potential failure

paths4. Evaluate the probability of the top event5. Analyze output and determine what is

required to mitigate the top event

1. Define the undesired top event (mishap)○ Fire Protection Systems Fail

2. Obtain an understanding of the system○ Primary smoke detection system with secondary heat

detection system○ AFFF (Aqueous film-forming foam) fire suppression system

3. Construct the fault tree○ Deductively define all potential failure paths

Fire Protection Systems Fail

Fire detection system fails

Fire suppression system fails

Smoke detection

system failsHeat detection

system failsBlocked nozzles

Pump fails

Historical Mishap Data Using probability of an event occurring in the past to predict

probability of the event occurring in the future EX) If we have a fleet of 5 ships (each with 6 freight

elevators onboard) that have been in operation for 20 years (each elevator used approx. 35 hours/year), with 3 injuries caused by elevator malfunctions:

The probability of a mishap can now be determined by dividing the number of times a mishap has occurred by the total operational hours

P(mishap) = # of mishaps / total hours = 3/21000 = 1.42857 x 10-4

This falls into the REMOTE severity category

Operational Hours per Year

(per ship)

Total Operational

Time in years

Total Operational

Hours210 100 21000

Given Information:Hardware Components Often, probability of failure for a system’s hardware components may be

available EX) Consider a system with an operational function that is dependent on

all four of the individual components working (ie: the system function fails if any one of the components fail):

P(system failure) = 1 – [P(component A does not fail) x P(B does not fail) x P(C does not fail) x P(B does not fail)] = 1 – [(0.9357)(0.9083)(0.925)(0.9083)] = 1 - 0.71406 = 0.28594 per 1 million operational hours

Component name

Component type

P(failure) per 1 million operational

hours

P(success)

100 A 0.0643 0.9357101 B 0.0917 0.9083102 C 0.075 0.925103 B 0.0917 0.9083

Given Information:Test Scenarios Operational tests can be conducted to provide an

estimate of failure for certain system components EX) We can run a series of tests on a fire

suppression system and note when the fire is extinguished.Define a success here as an event where the fire is

extinguished in less than 60 seconds from system activation.

If we conduct 10 tests, and the system fails to extinguish the fire in under a minute once, we have P(failure) = 0.1This is not incredibly accurate due to the small sample

size

Standard Calculations:Event Types Let qi(t) = P(Failure of unit i occurs at time t) Different types of events:

1. Non-repairable unit○ Unit i is not repaired when a failure occurs○ Failure rate of λi

○ qi(t) = 1 − e−λit ≈ λit 2. Repairable unit (repaired when failure occurs)○ Unit i is repaired when a failure occurs and is assumed

to be as good as new following a repair○ Failure rate of λi

○ Mean Time to Repair of MTTRi

○ qi(t) ≈ λit x MTTRi

Standard Calculations:Event Types

3. Periodically tested (hidden failures)○ Unit i is tested periodically with test interval τ○ Failure may occur at any time in the test interval, but the

failure is only detected in a test or if a demand for the unit occurs.

○ Typical for safety-critical units (ie: smoke detectors)○ Failure rate of λi

○ Test interval of τ i

○ qi(t) ≈ λi x τ i

24. On-demand probability○ Unit i is not active during normal operation, but may be

subject to one or more demands○ Often used for human (operator) error○ qi(t) = P(i fails on request)

Standard Calculations: Why is Human Error important? Human beings are an integral part of any system, so we cannot

accurately estimate the probability of failure without taking people into consideration

“Estimates of the probability that a person will, for example, have a moment’s forgetfulness or lapse of attention and forget to close a valve or close the wrong valve, press the wrong button, make a mistake in arithmetic, and so on… They are not estimates of the probability of error due to poor training or instructions, lack of physical or mental ability, lack of motivation, or poor management”

“… Because so much judgment is involved, it is tempting for those who wish to do so to try to ‘jiggle’ the figures to get the answers they want… Anyone who uses estimates of human reliability outside the usual ranges should be expected to justify them.” – An Engineer’s View of Human Error by Trevor Kletz

Standard Calculations: Human Error Probability

Human Error Probability ParametersType of Activity:• Simple, routine• Requiring attention, routine• Not routine

K1

0.0010.010.1

Temporary Stress Factor for routine activities, seconds available:• 2 • 10• 20

K2

101 0.5

Temporary Stress Factor for non-routine activities, seconds available:• 3• 30• 45• 60

K2

1010.30.1

P (Human Error) ≈ K1 x K2 x K3 x K4 x K5

Standard Calculations: Human Error Probability

Human Error Probability Parameters, continuedOperator Qualifications:• Carefully selected, expert, well-trained• Average knowledge and training• Little knowledge, poorly trained

K3

0.513

Activity Anxiety Factor:• Situation of grave emergency• Situation of potential emergency• Normal situation

K4

321

Activity Ergonomic Factor:• Excellent microclimate, excellent interface with plant• Good microclimate, good interface with plant• Discrete microclimate, discrete interface with plant• Discrete microclimate, poor interface with plant• Worst microclimate, poor interface with plant

K5

0.113710

Standard Calculations: Human Error Probability Consider one scenario:

Type of activity: Requiring attention, routine K1 = 0.01 Stress factor: More than 20 seconds available K2 = 0.5 Operational qualities: Average knowledge and training K3 =

1 Activity anxiety factor: Potential emergency K4 = 2 Activity ergonomic factor: Good microclimate, good interface

with plant K5 = 1

P (Human Error) ≈ K1 x K2 x K3 x K4 x K5 = 0.01 x 0.5 x 1 x 2 x 1 = 0.01

In this situation, a person will fail 1% of the time

This falls into the PROBABLE category

Back to a Fault Tree Example…

Alarm clock does not wake

you up

Alarm clock failure

You don’t hear it

Main (plug-in) clock failure

Backup (wind-up) clock failure

Faulty clock

Power outag

e

Forgot to set (or set incorrectl

y)

Electrical Fault

Faulty clock

Forget to set (or set incorrectl

y)

Forget to

wind

Mechanical Fault

Alarm clock does not wake

you up

Alarm clock failure

You don’t hear it

negligible

Main (plug-in) clock failure

Backup (wind-up) clock failure

Faulty clock

Power outage

P = 0.012

Forgot to set (or set

incorrectly) P = 0.008

Electrical Fault

P = 0.0003

Faulty clockP =

0.0004

Forget to set (or set

incorrectly)P = 0.008

Forget to wind

P = 0.012

Mechanical Fault

P = 0.0004

Probability that the Backup (wind-up) clock fails?

P (backup clock failure) = P (faulty clock) + P (forget to wind) + P (forget to set)

P (backup clock failure) = 0.0004 + 0.012 + 0.008

P (backup clock failure) = 0.0204

Backup (wind-up) clock failure

Faulty ClockP =

0.0004

Forget to set (or set

incorrectly)P = 0.008

Forget to wind

P = 0.012

Probability that the Main (plug-in) clock fails?

P (main clock failure) = P (power outage) + P (faulty clock) + P (forget to set)

P(main clock failure) = 0.012 + (0.0003 +0.0004) + 0.008

P(main clock failure) = 0.012 + 0.0007 +0.008

P(main clock failure) = 0.0207

Main (plug-in) clock failure

Faulty clock

Power outage

P = 0.012

Forgot to set (or set

incorrectly) P = 0.008

Electrical Fault

P = 0.0003

Mechanical Fault

P = 0.0004

Probability that the Alarm Clock Does Not Wake You Up?

P (Alarm Clock Failure) = P (Main Clock Failure) + P (Backup Clock Failure) = 0.0207 x 0.0204 = 0.0oo422

P (Alarm Clock Does Not Wake You Up) = P (Alarm Clock Failure) + P (You Don’t Hear It)

P (Alarm Clock Does Not Wake You Up) = 0.000422 = 4.22 x 10-4

This falls into the REMOTE category

Alarm clock does not wake

you up

Alarm clock failure

You don’t hear it

negligible

Main (plug-in) clock failureP = 0.0207

Backup (wind-up) clock failureP = 0.0204

Conclusions System Safety is a risk management strategy based

on identifying, analyzing, and eliminating or mitigating hazards using a systems-based approach.

Hazards are evaluated and analyzed based on the severity and probability values for their corresponding mishap.

Probability values can be obtained by using basic probability rules and boolean logic in addition to historical data, published failure values, an understanding of potential failure paths in a system, and some simple calculations.

The allows us to quantitatively analyze risk levels and make an informed recommendation /decision.

Sources MIL_STD 882C Introduction to System Safety: Tutorial for the 19th

International System Safety Conference by Dick Church An Engineer’s View of Human Error by Trevor Kletz For all Practical Purposes: Mathematical Literacy in

Today’s World, 7th edition http://www.navsea.navy.mil/nswc/dahlgren/default.aspx http://www.system-safety.org/about/ http://www.weibull.com/basics/fault-tree/index.htm http://www.fault-tree.net/papers/andrews-fta-tutor.pdf http://www.fault-tree-analysis-software.com/fault-tree-an

alysis-basics.html

http://www.ntnu.no/ross/srt/slides/fta.pdf