System Safety Engineering an Overview for Engineers And

A-P-T Research, Inc.

SSyysstteemmSSaaffeettyyEEnnggiinneeeerriinngg AAnnOOvveerrvviieewwffoorr EEnnggiinneeeerrssaannddMMaannaaggeerrss

P. L. Clemens October 2005 Topics…

• What is System Safety Engineering? • When should System Safety be used? • How is System Safety done? • Who should perform System Safety analyses? • What does System Safety Cost? • Why do System Safety?

M-05-02600-2 What’s a SYSTEM? (and a few other basics)…

• SYSTEM: an entity, at any level of complexity, intended to carry out a function, e.g.: • A doorstop • An operating procedure • An aircraft carrier • An implantable insulin pump • Systems pose HAZARDS. Hazards threaten harm to ASSETS. • ASSETS are RESOURCES having value to be protected, e.g.: • Personnel • The product • The environment • Equipment • Productivity • Reputation • RISK, is an attribute of a hazard-asset combination — a measure of the degree of harm that is posed.

M-05-02600-3 What’s System Safety? It has two chief aspects…

• A DOCTRINE of Management Practice: • Hazards (threats to Assets) abound and must be identified. • Risk is an attribute of a hazard that expresses the degree 1 of the threat posed to an asset — risks must be assessed. • A non-zero Risk Tolerance Limit must be set — a management function. • Risks of Hazards exceeding the Tolerance Limit must be suppressed (or accepted by management). • A Battery of ANALYTICAL METHODS to support practice of the DOCTRINE — The analytical methods are divisible into: 2 • TYPES, addressing What / When / Where the analysis is done • TECHNIQUES, addressing How the analysis is done

M-05-02600-4 The Types & Techniques of Analysis…

TECHNIQUES (How)… TYPES (What / When / Where)… • Preliminary Hazard Analysis • Preliminary Hazard Analysis (PHA*)1/2/3 (PHA*) • Failure Modes and Effects • System Hazard Analysis Analysis (FMEA)1/3 • Subsystem Hazard Analysis • Fault Tree Analysis2/4 • Operating and Support Hazard • Event Tree Analysis3/4 Analysis • Cause-Consequence • Occupational Health Hazard Analysis3/4 Analysis • Hazard & Operability Study • Software Hazard Analysis (HAZOP)1/3 • many others… • Job Hazard Analysis But, 1/3 The TYPES and TECHNIQUES are to… (JHA/JSA) WHAT 1/3 • IDE , and to… • Digraph Analysis NTIF IS • AS Y H . SES AZAR RISK? • many others… S TH DS EIR R ISKS 1 Hazard Inventory 2 Top Down 3 Bottom Up 4 Logic Tree M-05-02600-5 What is RISK?

RISK: An expression of the combined SEV and PRO of HAR to an ASS . ERIT BAB M ET Y ILITY SYSTEM ASSETS* PROGRAMMATIC may be: ASSETS* may be: • Personnel • Cost • Equipment • Schedule • Productivity • Mission • Product • Performance • Environment • Constructability • …others • …others

RISK is an attribute of a THREATS to ASSETS HAZARD-ASSET are called combination! HAZARDS.

M-05-02600-6 Hazards are TTHHRREEAATTSS to AASSSSEETTSS

HAZARDS MUST BE IDENTIFIED! …or System Safety and Risk Management cannot be practiced! HAZARDS… are best described as terse Loss Scenarios, each expressing SOURCE MECHANISM OUTCOME Thusly: “Faulty control logic producing yaw overdrive and model damage.” NOT: “Pranged wind tunnel model.” OR “Occupancy of an unventilated confined space leading to death from asphyxia.” NOT: “Running out of air.”

M-05-02600-7 The Risk Plane…

SEVERITY and PROBABILITY, Cataclysmic the two variables that constitute risk, R = K3 > K2 g n si define a a e k RISK PLANE. r is c R In Likely R = K2> K1

R = P x S = K1 SEVERITY RISK Iso-risk is contours CONSTANT along any ISO-RISK CONTOUR.

PROBABILITY is a function of EXPOSURE 0 INTERVAL. NEVER PROBABILITY

M-05-02600-8 Using ISO-Risk Contours…

ACCEPTANCE: Risk Tolerance Boundaries follow iso-risk contours.

NOT ACCEPTABLE SEVERITY

A PROVISIONALLY ACCEPTABLE Further Risk Reduction Note that risk ACCEPTABLE Desirable. at A equals risk at B. (de minimis)

0 PROBABILITY 0

M-05-02600-9 The Risk Plane Becomes a Matrix…

Segmenting the Risk Plane into tractable cells produces a Matrix to enable using subjective judgment. SEVERITY

F E D C B A

PROBABILITY I

Matrix cell zoning approximates II the continuous, iso-risk contours in

the Risk Plane. Zones in the Matrix SEVERITY III define Risk Tolerance Boundaries. IV Jeopardy PROBABILITY

M-05-02600-10 A Typical Risk Assessment Matrix*…

A guide for applying subjective judgment…

Severity of Consequences Probability of Mishap**

Category / Personnel Equipment Down Descriptive Injury / Loss F E D C B A Word Illness $ Time Impossible Improbable Remote Occasional Probable Frequent

I >4 Catastrophi Death >1M c Mo 1

Severe II 250K 2Wks Injury or to to Critical Severe 2 Illness 1M 4Mo

Minor III 1k 1 Day Injury or to to Marginal Minor 3 Illness 250K 2Wks

IV No Injury <1K <1 Negligible or Illness Day

*Adapted from MIL-STD-882D **Life Cycle: Personnel: 30 yrs / Others: Project Life

Risk Code/ Imperative to Operation requires written, Operation 1 suppress risk 2 time-limited waiver, endorsed 3 permissible Action to lower levels by management

M-05-02600-11 The “Flow” of System Safety Practice…

Program Initiation • Documenting the • Documenting the Eight key Performance Steps SSyysstteemmSSaaffeettyy Approach are distributed through Approach Five Major Functional •• TTaasskkss Elements of the •• SScchheedduullee •• TTeeaamm System Safety Program •• TToooollss

Hazard Identification ••RReeccooggnniizziinngg&& Risk Assessment DDooccuummeennttiinngg UUnnddeerrssttaannddiinngg ••AAsssseessssiinnggMMiisshhaappRRiisskk HHaazzaarrddss HHaazzaarrddss Understanding MMaattuurriinngg Continuous Risk Drivers DDeessiiggnn Hazard Iterative ll Tracking LLiiffee CCyyccllee Risk Reduction MMoonniittoorriinngg Continuous Changes Risk Reduction Risk Acceptance ••IIddeennttiiffyyiinnggMMiittiiggaattiioonnMMeeaassuurreess ••RReessiidduuaallRRiisskk UUnnddeerrssttaannddiinngg Review & RRiisskkOOppttiioonnss ••RReedduucciinnggRRiisskkttooAAcccceeppttaabbllee Review & LLeevveell AAcccceeppttaannccee ••VVeerriiffyyiinnggRRiisskkRReedduuccttiioonn

M-05-02600-12 Major System Safety Cross-Link Disciplines…

• Programmatic Risk Management • The “…ilities” ISN’T RELIABILITY PROGRAMMATIC • Reliability RISK MANAGEMENT ENGINEERING treats its own • Availability ENOUGH? special classes • Maintainability USUALLY NOT! of hazards, posing risk to, • Survivability • Reliability e.g.: • Configuration Management explores the • Cost Probability of • Schedule • Procedures Preparation Success, alone. • Performance • …others… • Constructability • System Safety • …others explores the Probability of Failure AND its Severity Penalty.

M-05-02600-13 Topics…

M-05-02600-14 System* Safety Application throughout Life Cycle…

DON’T OVERLOOK: • Operational / Mission Phases • Maintenance • Decommissioning A typical approach: • Etc…

/ / N N E IO N W IN N T IO O T IO N T D A T D G U T L G P E C A E IN O A IA G I E IL N I L K T R R T IN S C A R L A S E I N E T IG B A TE P IN D N E S A ST SH O N O D E F N LA C D I P LIFE CYCLE

ry to n e ) v IL In C rd / a L z H is is a (P s s H ly s ly a a a n , n A d … A e d n d n re r a e then… T s) a ) t w lt si z A a o u y r a H ic D a l o p H P d - F a / U ( n p ( n d - s i To A n m si a to ly ) t a A REVISIT the ANALYSIS when there is… o n E B A M • Modification of: (F – System Design / Architecture – Applied Stresses (service or environmental) *NOTE – Maintenance Protocol • A “Near Miss” “System” includes hardware, software, procedures, • A Loss Event (to support autopsy) training / certification, maintenance protocol, etc. — the GLOBAL System. M-05-02600-15 Comparing Two Work Models for Design-Build Efforts*…

Review Reliability / Maintainability / Safety / Constructability / other “ilities”

Serial “Traditional” Design Approach

30% 60% 90% Modify / Retrofit / Recover Time Effort / Calendar Saved

Concurrent “Enlightened” Engineering Approach

30% 60% 90% Ongoing Analysis / Review / Crossfeeding Results

• Continuous, iterative feedback of analysis results into design CONCURRENT • Earlier accommodation to findings DESIGN • Manhours and calendar time conserved RESULTS: • Fewer “surprises” / performance-threatening retrofits • Fewer awkward compromises — more coherent design *Journal of the American Society of Safety Engineers; November, 1999 M-05-02600-16 What systems benefit bes by Systtem Safety application? • Use System Safety if the system… • is complex — i.e., interrelationships among elements is not readily apparent, and/or • uses untried or unfamiliar technology, and/or • contains one or more intense energy sources — i.e., energy level and/or quantity is high, and/or • has reputation-threatening potential, and/or • falls under the purview of a mandating regulation (e.g., 29 CFR 1910.119)

M-05-02600-17 Why / When use more specialized analytical techniques?

Top-down Analysis (e.g., Fault Tree Analysis) and / or Bottom-up Analysis (e.g., Failure Modes and Effects Analysis)

• when SYSTEM COMPLEXITY exceeds PHA capability, and/or… • to evaluate risk more precisely in support of RISK ACCEPTANCE DECISIONS, and/or… • to support DESIGN DECISIONS on matters of component selection/system architecture, etc.

M-05-02600-18 Design Decisions — an example…

Risk too high? Then F Go Redundant!

Subsystem A B C 1 Level F Redundancy

But WHERE to redundify? F1 F2 • System? • Subsystem? A B C A´ B´ C´ • Assembly? • Subassembly? • Component? Component 2 Level • Piece Part? F Redundancy

Variations in system architecture, using the same components, can produce profound differences in A A´ B B´ C C´ system reliability and safety!

M-05-02600-19 When should System Safety Analyses be Re-visited? • Has there been a change in… • System design / architecture? • System use / applied stresses (i.e., service stresses / environmental stresses)? • Maintenance protocol? • A “near miss?” • A loss event?

Then, REVIEW / REVISE the ANALYSIS!

M-05-02600-20 Topics…

M-05-02600-21 An Overview of Selected Analytical Techniques… • Preliminary Hazard Analysis • Hazard Inventory • Top-Down, or Bottom-Up, or Inside-Out • Failure Modes and Effects Analysis • Hazard Inventory • Bottom-Up • Fault Tree Analysis • Logic Tree • Top-Down

M-05-02600-22 Preliminary Hazard Analysis*…

• WHAT: Line-item listing of “all” system hazards, with subjective evaluations of severity/probability/risk for each. • HOW: Engineering judgment; intuitive skills; checklists; operational walkthroughs; prior similar work. • ADVANTAGES: Provides inventory of “all” system hazards/risks. • DISADVANTAGES: Incomplete. Ignores combined hazard effects. Conceals total system risk. Non- quantitative.

* Preliminary Hazard Analysis (PHA) is an unfortunate misnomer. The method is best applied early in system life cycle but can be used at any time. It produces a running inventory of system hazards and is a convenient repository for the results of system safety analyses done by any methods that might be used.

M-05-02600-23 Preliminary Hazard Analysis Flow…

RECOGNIZE IDENTIFY ASSESS DEVELOP ASSETS HAZARDS RISK * COUNTERMEASURES (for each Hazard-Asset combination (for unacceptable risks) within each Operational Phase) Personnel CChheecckklliissttss Personnel Countermeasures EEnneerrggyySSoouurrccee should not: IInnvveennttoorryy PPrroobbaabbiilliittyy • introduce new hazards ((ooffWWoorrssttRRiisskkoouuttccoommee)) • impair system EEqquuiippmmeenntt PPrriioorrWWoorrkkwwiitthh performance Similar Systems Similar Systems Selection Criteria: PROBABILITY • Effectiveness OOppeerraattiinngg F E D C B A Product SScceennaarriioo • Cost Product I • Feasibility (Means & WWaallkktthhrroouugghhss 1 Is Risk II 2 Acceptable Schedule) OOppeerraattiioonnaall III 3 ? No ••DDeessiiggnnSSeelleeccttiioonn

Phase Review: SEVERITY Environment Phase Review: Yes ••DDeessiiggnnAAlltteerraattiioonn Environment • Startup IV • Engineered • Standard Run • Engineered DDooccuummeenntt SSaaffeettyyFFeeaattuurreess • Stressed Run ••SSaaffeettyyDDeevviicceess • Standard Stop SSeevveerriittyy ••WWaarrnniinnggDDeevviicceess PPrroodduuccttiivviittyy • Emergency Stop ((ffoorrWWoorrssttRRiisskkoouuttccoommee)) RREEAASSSSEESS ••PPrroocceedduurreess// • Maintenance RRIISSKK TTrraaiinniinngg • …others… EEffffeeccttiivveenneessss Hierarchy ……ootthheerrss…… ……ootthheerrss…… Hierarchy * Matrix Based on MIL-STD-882 ((HHiigghheerriissbbeetttteerr..))

M-05-02600-24 A Typical PHA Worksheet…

HAZARD No. Chem/Int-001 HAZARD TITLE: Flange Seal A-29 Leakage Provide brief name for hazard. REVISED: 7/22/93

HAZARD DESCRIPTION Describe hazard, indicating: source, Flange Seal A-29 leakage, releasing pressurized UnFo3 chemical intermediate from containment system, producing toxic vapors on contact with air and attacking nearby equipment. mechanism, worst-credible outcome.

Identify applicable EXPOSURE INTERVAL 25 years ACTIVITY/PROCESS PHASE: Startup/Standard Operation/Stop/Emergency Shutdown operating phases.

INITIAL RISK ASSESSMENT Identify (X) all applicable asset(s). ADDITIONAL COUNTERMEASURES* (with existing of planned/designed-in countermeasures) Surround flange with sealed annular stainless steel catchment housing, with gravity run- off conduit led to Detecto-BoxTM containing detector/alarm feature and chemical neu- HAZARD ASSET(S): SEVERITY: PROBABILITY: RISK CODE: tralizer (S/W). Inspect flange at two-month intervals and re-gasket during annual plant (check all applicable) (worst credible) (for exposure interval) (from Matrix) maintenance shut-down (P). Provide personal protective equipment and training for re- sponse/cleanup crew (S/P). Personnel: X I D 2 Equipment: X II C 2 For each asset, assess severity, and Describe added countermeasures Downtime: X III C 3 probability for the worst-credible to control Probability / Severity – Environment: O outcome. Show risk (from reduce Risk. 0 assessment matrix) for hazard-asset THESE COUNTERMEASURES Product: O 0 combination “as-is” – i.e., with no MUST BE IN PLACE PRIOR TO added countermeasures. SYSTEM OPERATION!

POST-COUNTERMEASURE RISK ASSESSMENT *Mandatory for Risk Codes 1 & 2, unless permitted by Waiver. (with additional countermeasures in place) Personnel must not be exposed to Risk Code 1 or 2 hazards.

HAZARD ASSET(S): SEVERITY: PROBABILITY: RISK CODE: Code Each Countermeasure: (D) Design Alteration / (E) = Engineered Safety Features (check all applicable) (worst credible) (for exposure interval) (from Matrix) (S) = Safety Devices / (W) = Warning Devices / (P) =Procedures/ Training Personnel: X I E 3 COMMENTS Equipment: X II D 3 Re-evaluate before sign-off — reconsider Environment as asset. Downtime: X III D 3 Reassesses Severity/Probability and show risk (from assessment matrix) for Environment: O 0 original hazard-asset combinations, presuming new countermeasures to be in place, if risk is not acceptable, additional countermeasures must be developed. Product: O 0

Prepared by / Date: Reviewed by / Date: Approved by: (Designer/Analyst) (System Safety Manager) (Project Manager)

M-05-02600-25 Failure Modes and Effects Analysis…

• WHAT: Item-by-item evaluation of consequences of individual failures within system. Evaluates severity and/or risk for each consequence. (Sometimes called Failure Modes, Effects, and Criticality Analysis, when severity and/or risk are assessed.) • HOW: Develops answers to two questions: • (1) How can this item fail? (Modes) • (2) What are system consequences for each failure? (Effects) • ADVANTAGES: Tightly Disciplined. Exhaustively identifies potential single-point failures. • DISADVANTAGES: Ignores combined fault / failure effects. Conceals total system risk. High sensitivity to indenture level selection. Very resource hungry.

M-05-02600-26 Failure Modes and Effects Analysis Flow…

SELECT ITEM EVALUATE ASSESS DEVELOP INDENTURE SEVERITY and RISK * COUNTERMEASURES LEVEL PROBABILITY for (for each Item-Mode-Effect-Asset all MODE-EFFECT (for unacceptable risks) Piece Part combination within each Piece Part combinations on Operational Phase) Countermeasures each ASSET: CCoommppoonneenntt should not: • Personnel PPrroobbaabbiilliittyy • introduce new hazards SSuubbaasssseemmbbllyy • Equipment ((ooffWWoorrssttRRiisskkoouuttccoommee)) • impair system • Product performance AAsssseemmbbllyy • Environment Selection Criteria: SSuubbssyysstteemm • Productivity PROBABILITY • Effectiveness • …others… F E D C B A • Cost SSyysstteemm I • Feasibility (Means & 1 Is Risk Schedule) II 2 Acceptable IDENTIFY III 3 ? No ••DDeessiiggnnSSeelleeccttiioonn

IDENTIFY SEVERITY • Design Alteration EFFECTS of IV Yes • Design Alteration FAILURE MODES FAILURE ••EEnnggiinneeeerreedd (for each ITEM) (in each MODE DDooccuummeenntt SSaaffeettyyFFeeaattuurreess • Safety Devices MMooddee11 for each ITEM) • Safety Devices SSeevveerriittyy ••WWaarrnniinnggDDeevviicceess EEffffeeccttAA ((ffoorrWWoorrssttRRiisskkoouuttccoommee)) RREEAASSSSEESS ••PPrroocceedduurreess// MMooddee22 RRIISSKK TTrraaiinniinngg EEffffeeccttBB MMooddee33 EEffffeeccttCC EEffffeeccttiivveenneessss HHiieerraarrcchhyy MMooddeenn EEffffeeccttNN * Matrix Based on MIL-STD-882 ((HHiigghheerriissbbeetttteerr..))

M-05-02600-27 A Typical FMEA Worksheet…

FMEA No.: N/246.n Sheet 11 of 44 Project No.: Osh-004-92 FAILURE MODES Date.: 6 Feb ‘92 Subsystem.: Illumination AND Prep. by.: R.R. Mohr System.: Headlamp Controls EFFECTS ANALYSIS Rev. by.: S. Perleman Probability Interval.: 20 years Approved by.: G. Roper

T ITEM/ A RISK IDENT. FUNCTIONAL FAILURE FAILURE FAILURE R ASSESSMENT ACTION No. MODE EFFECT G IDENT. CAUSE E Risk REQUIRED/REMARKS T SEV PROB Code R/N.42 Relay K-28 / Open w / Corrosion/or Loss of forward P I D 2 Redesign headlamp circuit to Contacts command mfg.defect/or illumination/ E III D 3 produce headlamp fail-on, w / (normally to close basic coil Impairment of night T I D 2 timed off feature to protect open) failure vision/potential M I D 2 battery, or eliminate relay / use (open) collisions(s) HD Sw. at panel. w/unilluminated obstacles

P: Personnel / E: Equipment / T: Downtime / M: Mission / V: Environment

M-05-02600-28 Fault Tree Analysis…

• WHAT: Symbolic logic modeling of fault paths within system to result in foreseeable loss event — e.g.: sting failure; loss of primary test data; failure to ignite on command; premature ignition; ventilator failure. • HOW: Apply Operations Research logic rules — trace fault / failure paths through system. • ADVANTAGES: Gages system vulnerability to foreseen loss event, subjectively or quantitatively. Guides vulnerability reduction. Supports trade studies. • DISADVANTAGES: Treats only foreseen events, singly. Handles sequence-sensitive scenarios poorly. Resource hungry.

M-05-02600-29 A Fault Tree Example…

Fault Trees TOP event is a PROJECTOR are Severity LAMP QUANTIFIABLE Descriptor. OUTAGE but need not be quantified.

Unresolved Inadvertent Wiring Power Lamp Failure Shutdown Failure Outage Tree shows Probability and its Sources.

Basic No Oper- Trip Internal External Lamp Spare ator and Wiring Wiring Failure Lamp Error Unplug Failure Failure

Fault Tree Analysis is the principal analytical tool used in Probabilistic Risk Assessment. M-05-02600-30 Topics…

M-05-02600-31 Who best performs the analysis?

SOLO ANALYSIS • A Small Team, is with… HAZARDOUS! • Expertise in the appropriate disciplines, and •In-depth understanding of the system, and •Proficiency at applying the System Safety analytical techniques.

ONLY MANAGEMENT can make BUT… RISK ACCEPTANCE decisions!

M-05-02600-32 Topics…

M-05-02600-33 What does System Safety COST?

AN EXAMPLE… • NASA / ARC Unitary Plan Wind Tunnel Modernization • Full-System PHA • FMEA for all “Critical Controls”

5% to 6% of total design project cost

System Safety is “…simply documenting, in an orderly fashion, the thought processes of the prudent engineer.” L. T. Kije 1963 M-05-02600-34 Overcoming the Codeworthiness Shortfall…

Safety effort beyond the codes has payoff*… All Systems and Operations MUST be Codeworthy! Recklessness Philanthropy T o t al Majority-Case Minimum Total Cost

Cost C o s t Codeworthiness (Stockholder Bliss ) : T = C + L Program Costs : Losses : Program Development Man-hours Training Medical Costs Operating Costs Equipment Damage Reviews/Audits Schedule Delays Potential Potential Productivity GEqauinipsment Gains Étc. Fines / Penalties ting Cost L = Étc. m Opera Cost o ty Progra f Losse C = Safe s

Safety Program Effectiveness

*Adapted from: Tarrants, W. E.; “The Measurement of Safety Performance” (Fig. 9.2); Garland; ISBN 0-8240-7170-0 M-05-02600-35 Topics…

•What is System Safety Engineering?

•When should System Safety be used?

•How is System Safety done?

•Who should perform System Safety analyses?

•What does System Safety Cost?

•Why do System Safety?

M-05-02600-36 Why do System Safety?

• to guide design decisions.

• to guide risk acceptance decisions.

•to conform to applicable codes.

•to ensure adequate safeguarding of assets.

•to demonstrate and document “due diligence.”

M-05-02600-37 Isn’t Reliability Engineering Eno ?… ugh

“You don’t need System Safety — we’re doing Reliability Engineering!” No! …not really: BEWARE! RELIABILITY RELIABILITY ENGINEERING ENGINEERING views the probability that the system will operate on • views PROBABILITY alone — command, and throughout ignores SEVERITY. the period of need, with • often ignores potential for CO- unimpaired performance. EXISTING faults (e.g., FMEA). SYSTEM SAFETY views the • Often ignores COMMON probability that the system CAUSE threats. will fail in a way that results in loss, AND the severity of loss.

A system may be very RELIABLE at it’s intended function, and equally reliable at inducing LOSS! M-05-02600-38 A Closing Caveat…

WWee nneevveerr aannaallyyzzee aa ssyysstteemm…… wwee aannaallyyzzee oonnllyy aa ccoonncceeppttuuaall mmooddeell ooff aa ssyysstteemm.. MMaakkee tthhee mmooddeell mmaattcchh tthhee ssyysstteemm aass cclloosseellyy aass ppoossssiibbllee!!

M-05-02600-39 To dig deeper…

•System Engineering “Toolbox” for Design-Oriented Engineers — B. E. Goldberg, et al. A compendium of methods dealing both with hazard recognition/risk assessment and with reliability engineering, this work describes a broad spectrum of analytical techniques. For each technique, the authors present a working level description, advice on applications, application procedure, examples, a description of advantages and limitations, and a bibliography of other resources. — 1994 — NASA Reference Publication 1358; Soft cover; large format; 303 pp

•System Safety and Risk Management — P. L. Clemens and R. J. Simmons. Intended as a guide for engineering college educators, this text presents the basic elements of system safety practice and risk management principles. Lesson-by-lesson chapters and demonstration problems deal with applying selected analytical techniques. Hazard inventory methods are presented, as are logic tree approaches. — 1998 — National Institute for Occupational Safety and Health, Centers for Disease Control and Prevention, Public Health Service; Soft Cover; large format; 282 pp. (NIOSH Order No. 96-37768)

•Safeware — System Safety and Computers — Nancy G. Leveson. An especially learned treatment of system safety viewed as a discipline to be applied in practical ways to the resolution of problems in discovering and managing risk. Fundamentals are treated in depth (e.g., the concept of causality). Analytical methods are presented, and there relative advantages and shortcomings are discussed. The importance of the role of software is emphasized, and problems in developing software risk assessments with reasonable confidence are discussed. Appendices analyze disasters and include a detailed treatment of the six Therac-25 massive overdose cases. — 1995 — Addison-Wesley; Hard cover; 680 pp. (ISBN 0-201-11972-2)

M-05-02600-40 more digging…

•Assurance Technologies — Principles and Practices — Dev G. Raheja. Directed to design engineers at all levels of expertise, this volume devotes separate chapters to each of the product/system assurance technologies — i.e.: reliability engineering, maintainability engineering, system safety engineering, quality assurance engineering, logistics support engineering, human factors engineering, software performance assurance, and system effectiveness. (Introductory material provides background information on the influence of the assurance technologies on profits and on statistical concepts.) The treatment of each topic provides both an overview and in-depth, detailed coverage, with carefully selected illustrative examples. — 1991 — McGraw-Hill, Inc.; Hard cover; 341 pp. (ISBN 0-07-051212-4)

•Loss Prevention in the Process Industries — F. P. Lees. Monumentally important, tutorially prepared, and globally thorough exposition of risk assessment and reliability engineering principles and techniques, generously laced with case studies. — 1996 — Butterworths; Hard cover; Three volumes; 1316 pp. (ISBN 0-7506-1547-8)

M-05-02600-41 Contact Information: Pat Clemens 256.327.3707 A-P-T Research, Inc. [email protected]

M-05-02600-42