System Safety Analysis: Applying Techniques of Interaction, Interface, and Integrated Hazard Analyses
Mike Allocco, Emeritus Fellow ISSS
System Safety Engineering and Management of Complex Systems; Risk Management Advisor...Complex System Risks
Abstract
Interactive, interface, and integrated hazard analyses have been defined and applied for many years to evaluate the human, software, firmware, hardware, and environmental elements of a complex system (SOS or FOS) at different levels of abstraction. From a system safety perspective, these elements and levels of abstraction may be analyzed with specific safety analytical techniques (which may include software, hardware, human, and environmental hazard analysis methods) suited to each element. However, there are also system risks (potential system accidents) to be considered: a system accident may be comprised of many initiating, contributory, and primary hazards (hazardous actions, inactions, or activities), which can be the result of inappropriate interactions, interfaces, and integration between the human, software, firmware, hardware, and/or environment (ref. 1). How does the analyst conduct such integrated hazard analyses to address adverse interactions and interfaces among all the elements of a complex SOS or FOS? This discussion addresses methods to enable integrated hazard analysis.
Further, the discussion includes several cognitive thought processes and abstractions that are appropriate for conducting successful integration. These mindsets may be acquired during the practice of system engineering. Some of these thought processes are apparent and some are not so obvious. There are also various abstractions through which system analysts can define or look at the system holistically. Given these abstractions, the analyst must keep in mind the real world, the actual reality associated with the system. Below are different views or perspectives in which a system concept can be defined.
Introduction
In the evaluation of an SOS or FOS the concept of a system accident comes to mind. The system accident is comprised of inappropriate actions, inactions, or activities that combine to form system hazards within a complex system, SOS, or FOS. These unsuitable hazardous actions, inactions, or activities are harmful interactions that cross interfaces and develop into an adverse integration: a system accident, or a system risk. A system risk can be looked upon as a potential system accident that can adversely affect the SOS or FOS. There are systemic and synergistic risks to be addressed. A systemic risk includes concepts of collectiveness and commonality: the actions or activities line up in a particular way to form an adverse sequence or sequences. A synergistic risk addresses incompatibilities and combinatorial circumstances. Incompatibilities within the system may include such situations as timing, functionality, synchronization, unforeseeable chemical reactions, inadvertent actions, material incompatibilities, physics of failure, and combinational effects such as electrochemical, thermal-kinetic, and any other abnormal energy releases.
With the application of interactive, interface, and integrated hazard analysis methods, system risks (or SOS/FOS risks) can be identified, eliminated, or controlled. The keys to such analyses are to understand the hazardous actions, inactions, or activities that can have an adverse effect on the system, SOS, or FOS under evaluation, and to apply scenario-driven hazard analysis. Since a system risk can be comprised of many hazardous actions, inactions, or activities, a scenario is to be hypothesized and a model may be developed depicting the event sequencing. Several worksheets or matrixes may be designed to compile the details of the system risks under study.
Interactive, Interface, and Integrated Hazard Analyses
When evaluating complex systems consider that any inappropriate action or inaction or activity within or external to the system under evaluation can have an adverse effect which introduces system hazards and risks. An action can be a physical activity, an energetic activity, deciding not to take action, something that functions, something that brings about an outcome, operating parts of a mechanism, abnormal energy exchange, and synergistic physical effects. These actions or inactions or activities may not have been addressed when evaluating system risk with conventional approaches.
Segmentation and decomposition: To conduct interactive, interface, or integrated hazard analyses, the system has to be segmented or decomposed into parts; for example: software, hardware, human, and/or environmental elements. Further, hazardous actions or inactions within and external to the system elements need to be defined. Semantics are important in that actions or inactions can be described in general or more specific detail depending on need. In defining actions or inactions, the analyst may conduct functional analysis of software, as an example.
Hazardous actions or inactions or activities: The next steps within the analyses are to assess the hazardous actions, inactions, or activities between segments or decomposed parts of the system, SOS, or FOS. Consider combinations of actions, inactions, or interactions between software and software, software and hardware, hardware and hardware, hardware and human, human and human, human and environment, and environment and environment. Further, an SOS or FOS can also be decomposed into systems and interfaces.
To limit wheel spinning, judgment must be applied in selecting the combinations of actions, inactions, or activities to be evaluated. System risks are to be identified throughout the life cycle of the system, SOS, or FOS. A decision must be made as to how hazard scenarios are to be described along the range from a general to a specific level of abstraction. Descriptions that are too general or too specific will hinder effective analysis. The analyst must judge the scope and depth of the detail provided within the scenario descriptions. This scope and depth limit is also to be reflected in the hazard control or safety requirement descriptions. These descriptive adjustments are needed to provide an inclusive analysis, which considers the life cycle of the system at appropriate levels of detail to assure hazard control.
Apply abstract models: Additional judgment is needed during decomposition, in that abstract models may be used. These abstractions may or may not equate to reality. Note that an actual system accident reflects reality. It is the result of abnormal energy exchange, the physics of failure, and physical adverse progression throughout the system, SOS, or FOS. System accidents may not conform to contrivances of design (the elements of the system), the so-called software-only or hardware-only hazards.
Define adverse event propagation: After decomposition, identify planned or inadvertent actions, inactions, or activities that are considered initiators, contributors, and primary hazards that can form system accidents. Further, define the adverse event propagation from initiating and contributory hazards through the primary hazard. Lastly, eliminate or reduce risk to an acceptable level via appropriate hazard controls.
Hazard control application: Judgment on descriptive detail is also applicable to mitigation design: the nature, complexity, and descriptive detail of hazard controls, which become formal requirements. Further, consider the hierarchy of hazard controls and the layering of hazard controls. There may be many hazard controls throughout the potential adverse sequence that depicts a system risk.
Example existing techniques: Interactive, interface, and integrated hazard analyses have been discussed throughout the system safety literature since the inception of system safety. Hammer, Haddon, and Johnson (refs. 2-4) detailed many techniques that can still be appropriately applied today. Some examples include link analysis, abnormal energy exchange, energy analysis, human-machine analysis, flow analysis, and barrier analysis.
Analysis Matrix (Worksheets)
In support of the discussion, three example worksheets are illustrated below. In some venues hazard analysis worksheets are referred to as matrixes. Worksheets are used to concisely present information applicable to the analysis. There can be numerous variations of worksheet design to suit a particular analysis, and experienced analysts have used creativity in designing them. Some analysts may prefer a narrative format. The column (matrix) format allows for visual scanning and integration when more extensive efforts are conducted.
Consider hazard scenarios: These analyses are based upon scenario-driven hazard analysis, in that the analyst thinks in terms of potential system accidents and hypothesizes hazard scenarios. Scenarios are pictures in the analyst's mind of potential system accidents, given specific hazards, dynamic sequences, and system states. The matrix is used to depict the propagation of the adverse sequence that is possible given the indicated scenario. Depending on the dynamics of the potential accident, initiators, contributors, and primary hazards can occur at any level of abstraction: component level, subsystem, system, SOS, and/or FOS level. Further, the primary hazard (the outcome) can also occur at any level.
Customize matrixes: Given the logical event sequencing, the matrixes can be adapted to conduct bottom-up or top-down analysis, and subsystem- or system-level analysis as well. Matrix columns can be added to depict event propagation; additional systems, interfaces, and elements are to be included. The three example matrixes can comprise component-to-FOS, system-to-interface, and element-to-element approaches.
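As an added illustration of the element-to-element worksheet and the adverse event propagation described above (example code written for this discussion, not from the article or any referenced technique), the model below enumerates the element-to-element combinations of a decomposed system, records a hypothesized scenario as an ordered sequence of initiating, contributory, and primary hazards, and flags any hazard in the sequence that has no hazard control assigned. The element names, hazard roles, and the battery-charging scenario are constructed assumptions.

```python
from dataclasses import dataclass, field
from itertools import combinations_with_replacement

# Decomposed elements of the system under evaluation (assumed set).
ELEMENTS = ("software", "hardware", "human", "environment")

def interaction_pairs(elements=ELEMENTS):
    """Element-to-element combinations to consider: software to software,
    software to hardware, ... environment to environment."""
    return list(combinations_with_replacement(elements, 2))

@dataclass
class Hazard:
    role: str                 # "initiator", "contributor" or "primary"
    source: str               # element where the action/inaction originates
    target: str               # element acted upon (an interface is crossed if different)
    level: str                # abstraction level: component, subsystem, system, SOS, FOS
    description: str
    controls: list = field(default_factory=list)   # layered hazard controls

@dataclass
class Scenario:
    name: str
    sequence: list            # ordered Hazards: initiator(s), contributor(s), primary

def valid_propagation(scenario):
    """The adverse sequence must start with an initiator and end in exactly one primary hazard."""
    roles = [h.role for h in scenario.sequence]
    return bool(roles) and roles[0] == "initiator" and roles[-1] == "primary" and roles.count("primary") == 1

def uncontrolled_hazards(scenario):
    """Hazards in the sequence lacking any hazard control (gaps in control layering)."""
    return [h.description for h in scenario.sequence if not h.controls]

def interfaces_crossed(scenario):
    """Element interfaces the adverse sequence propagates across."""
    return [(h.source, h.target) for h in scenario.sequence if h.source != h.target]

def worksheet_rows(scenario):
    """Element-to-element matrix rows: role, source, target, level, description, controls."""
    return [(h.role, h.source, h.target, h.level, h.description, "; ".join(h.controls) or "NONE")
            for h in scenario.sequence]

# Constructed scenario: charging software commands an over-voltage, the operator
# dismisses the alarm, and an electrochemical thermal runaway releases energy.
BATTERY_SCENARIO = Scenario("Pack over-charge thermal runaway", [
    Hazard("initiator", "software", "hardware", "subsystem",
           "charge controller commands cell voltage above limit", ["independent hardware voltage cutoff"]),
    Hazard("contributor", "human", "hardware", "system",
           "operator acknowledges and silences over-voltage alarm", []),
    Hazard("primary", "hardware", "environment", "SOS",
           "electrochemical thermal runaway releases heat and gas", ["vent path", "thermal barrier"]),
])
```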