Safety certification of airborne software: An empirical study

Many safety-critical aircraft functions are software-enabled. Airborne software must be audited and approved by the aerospace certification authorities prior to deployment. The auditing process is time-consuming, and its outcome is unpredictable, due to the criticality and complex nature of airborne software. To ensure that the engineering of airborne software is systematically regulated and is auditable, certification authorities mandate compliance with safety standards that detail industrial best practice. This paper reviews existing practices in software safety certification. It also explores how software safety audits are performed in the civil aerospace domain. The paper then proposes a statistical method for supporting software safety audits by collecting and analysing data about the software throughout its lifecycle. This method is then empirically evaluated through an industrial case study based on data collected from 9 aerospace projects covering 58 software releases. The results of this case study show that our proposed method can help the certification authorities and the software and safety engineers to gain confidence in the certification readiness of airborne software and predict the likely outcome of the audits. The results also highlight some confidentiality issues concerning the management and retention of sensitive data generated from safety-critical projects.     

Keys to effective third-party process safety audits

The Occupational Safety and Health Administration's (OSHA's) Process Safety Management (PSM) regulation was promulgated in 1992. The U.S. Environmental Protection Agency's (EPA's) corresponding Risk Management Program (RMP) rule followed in 1996. Both programs include requirements for triennial compliance audits. Effective compliance audits are critical in identifying program weaknesses and ensuring the safety of facility personnel and the surrounding public. Large companies with corporate and facility health, safety, and environmental groups typically have the resources and experience to conduct audits internally, either through a corporate audit team or the sharing of personnel between multiple facilities. Small to medium sized businesses frequently do not have the expertise or the resources to perform compliance audits, and rely on third-party consultants to provide these services. This paper will discuss the observations of the authors in performing audits and working with PSM/RMP programs across a number of market sectors (e.g. chemical, petrochemical, pharmaceutical, food and beverage, water treatment), including effective practices, hurdles to successful implementation and execution of programs, and typical program shortcomings. The paper will also discuss steps to improve the audit process and increase effectiveness whether performed by a third party or internally.     

食品安全追溯方法研究

追溯系统是食品质量安全管理的有效手段,能够推动安全放心的食品生产和销售。一个有效的食品安全追溯体系和应用系统,对于危害问题源头的查找和产品流向的追踪能够起到至关重要的作用。本文对食品安全追溯的内涵及实现要素进行了分析,重点研究了当前已有的食品安全溯源方法。     

Optimized work control process to improve safety and reliability in a risk-based and deregulated environment

This paper provides an overview of strategic models to assist power generating plants to improve their work control processes. These models include mechanisms to continually keep the process up to date. Included in the work control process are elements for system cost/performance analysis, life-cycle maintenance planning, on-line scheduling and look-ahead techniques, and schedule implementation to conduct work on the asset. The paper also discusses how risk management associated with work control issues that effect the safety and reliability, as well as O and M costs, is integrated into this strategy.The work control process is a pervasive and critical element in the successful implementation of operations and work management programs. While providing a method to implement maintenance activities in a cost-effective manner, the work control process improves plant safety and system reliability.     

The ‘PROCESO’ index: a new methodology for the evaluation of operational safety in the chemical industry

The acknowledgement of industrial installations as complex systems in the early 1980s outstands as a milestone in the path to operational safety. Process plants are social–technical complex systems of a dynamic nature, whose properties depend not only on their components, but also on the inter-relations among them. A comprehensive assessment of operational safety requires a systemic approach, i.e. an integrated framework that includes all the relevant factors influencing safety. Risk analysis methodologies and safety management systems head the list of methods that point in this direction, but they normally require important plant resources. As a consequence, their use is frequently restricted to especially dangerous processes often driven by compliance with legal requirements. In this work a new safety index for the chemical industry, termed the ‘Proceso’ Index (standing for the Spanish terms for PROCedure for the Evaluation of Operational Safety), has been developed. PROCESO is based on the principles of systems theory, has a tree-like structure and considers 25 areas to guide the review of plant safety. The method uses indicators whose respective weight values have been obtained via an expert judgement technique. This paper describes the steps followed to develop this new Operational Safety Index, explains its structure and illustrates its application to process plants.     

Symptom based diagnostic system for nuclear power plant operations using artificial neural networks

Nuclear power plant experiences a number of transients during its operations. These transients may be due to equipment failure, malfunctioning of process systems and unavailability of safety systems. In such a situation, the plant may result into an abnormal state which is undesired. In case of an undesired plant condition generally known as an initiating event (IE), the operator has to carry out diagnostic and corrective actions. The operator's response may be too late to mitigate or minimize the negative consequences in such scenarios. The objective of this work is to develop an operator support system based on artificial neural networks that will assist the operator to identify the IEs at the earliest stages of their developments. These abnormal plant conditions must be diagnosed and identified through the process instrument readings. A symptom based diagnostic system has been developed to investigate the IEs. The event identification is carried out by using resilient back propagation neural network algorithm. Whenever an event is detected, the system will display the necessary operator actions in addition to the type of IE. The system will also show the graphical trend of relevant parameters. The developed system is able to identify the eight IEs of Narora Atomic Power Station. This paper describes the features of the diagnostic system taking one of the IEs as a case study.     

Evaluating management of large,complex projects: A framework for analysis

Increasingly owners and managers of large, complex projects are challenged in law suits and regulatory proceedings to justify their decisions. These challenges often question the prudence or reasonableness of management actions on a project costing substantially more than its original estimate. Frequently these attacks criticize decisions made years earlier by project owners or managers. This article describes a framework for evaluating management prudence based on the author's 20 years of research and personal experience with large, complex projects. The framework distinguishes between evaluations to determine prudent/imprudent management, and conventional “lessons learned” management audits. The author concludes that, while hindsight knowledge is a useful ingredient in “lessons learned” audits, it usually provides misleading signals for a management audit to determine prudence or imprudence. He concludes that any finding of management imprudence must meet the eight criteria described in the framework.     

Plant functional modelling as a basis for assessing the impact of management on plant safety

A major objective of the present work is to provide means for representing a chemical process plant as a socio-technical system, so as to allow hazard identification at a high level in order to identify major targets for safety development. The main phases of the methodology are: (1) preparation of a plant functional model where a set of plant functions describes coherently hardware, software, operations, work organization and other safety related aspects. The basic principle is that any aspect of the plant can be represented by an object based upon an Intent and associated with each Intent are Methods, by which the Intent is realized, and Constraints, which limit the Intent. (2) Plant level hazard identification based on keywords/checklists and the functional model. (3) Development of incident scenarios and selection of hazardous situation with different safety characteristics. (4) Evaluation of the impact of management on plant safety through interviews. (5) Identification of safety critical ways of action in the management system, i.e. identification of possible error- and violation-producing conditions.     

Safety management practices and safety behaviour: Assessing the mediating role of safety knowledge and motivation

Safety management practices not only improve working conditions but also positively influence employees’ attitudes and behaviours with regard to safety, thereby reducing accidents in workplace. This study measured employees’ perceptions on six safety management practices and self-reported safety knowledge, safety motivation, safety compliance and safety participation by conducting a survey using questionnaire among 1566 employees belonging to eight major accident hazard process industrial units in Kerala, a state in southern part of India. The reliability and unidimesionality of all the scales were found acceptable. Path analysis using AMOS-4 software showed that some of the safety management practices have direct and indirect relations with the safety performance components, namely, safety compliance and safety participation. Safety knowledge and safety motivation were found to be the key mediators in explaining these relationships. Safety training was identified as the most important safety management practice that predicts safety knowledge, safety motivation, safety compliance and safety participation. These findings provide valuable guidance for researchers and practitioners for identifying the mechanisms by which they can improve safety of workplace.     

Quality assurance growing pains: a state perspective on implementing an organizational-wide quality system in environmental laboratories.

To implement an effective and efficient quality system in a network of established environmental testing laboratories requires a committed long-term effort that is potentially fraught with multiple obstacles. This presentation discusses one state's ongoing efforts at implementing such a system. First is the need to convince management of the rationale for a quality systems-based approach versus the traditional QA/QC program. Once development of a quality system has been sanctioned, a team-based approach utilizing project planning tools is a good way to approach the effort. Resources are assigned to the development of key quality system components, and generally a phased-deployment or roll-out works best. Once implementation is underway, assuring operational utilization and compliance with the quality system are vital steps in the process. Important to successful implementation is ongoing assessment and refinement of the quality system. Fundamental and key elements of the laboratory quality system are numerous and need to work in concert with each other. Quality system elements to be discussed in the presentation range from management and QA roles and functions to the typical documentation of laboratory policies and procedures. Numerous QA assessment tools and other vital quality system practices that play an important role in making a complete quality system are addressed. In addition, efforts must be undertaken to integrate the laboratory quality system with other management systems within the organization. The bottom line is that all environmental laboratories need a quality system more now than ever. Data users need it. Customers' expectations for data quality are high. USEPA policy and/or programs call for it. Additionally, good quality systems can benefit the organization in multiple ways and help avoid the "pay-me-now or pay-me-later" syndrome. In conclusion, all environmental testing laboratories (i.e., academic, private, commercial and especially governmental) need to invest in and implement a quality system based on a recognized standard (e.g., NELAC, ISO 17025, ANSI/ASQC E-4). The author recommends pursuing NELAP laboratory accreditation with a NELAP-recognized accrediting authority.     

IEC 61511 and the capital project process--a protective management system approach

This year, the process industry has reached an important milestone in process safety-the acceptance of an internationally recognized standard for safety instrumented systems (SIS). This standard, IEC 61511, documents good engineering practice for the assessment, design, operation, maintenance, and management of SISs. The foundation of the standard is established by several requirements in Part 1, Clauses 5-7, which cover the development of a management system aimed at ensuring that functional safety is achieved. The management system includes a quality assurance process for the entire SIS lifecycle, requiring the development of procedures, identification of resources and acquisition of tools. For maximum benefit, the deliverables and quality control checks required by the standard should be integrated into the capital project process, addressing safety, environmental, plant productivity, and asset protection. Industry has become inundated with a multitude of programs focusing on safety, quality, and cost performance. This paper introduces a protective management system, which builds upon the work process identified in IEC 61511. Typical capital project phases are integrated with the management system to yield one comprehensive program to efficiently manage process risk. Finally, the paper highlights areas where internal practices or guidelines should be developed to improve program performance and cost effectiveness.     

Process safety management in the pipeline industry: parallels and differences between the pipeline integrity management (IMP) rule of the Office of Pipeline Safety and the PSM/RMP approach for process facilities

In 2001, the Federal Office of Pipeline Safety promulgated its pipeline integrity management rule for hazardous liquid pipelines. A notice of proposed rule making for a similar rule for gas pipelines was issued in January 2003. A final rule must be in place by the end of 2003. These rules derive from formal risk management initiatives of both the pipeline industry and the regulators beginning in the early to mid-1990s. The initiatives and resulting rules built on many of the process safety and risk management concepts and frameworks of the process industries, as modified for pipelines. Looking closely at the parallels and the differences is an interesting study of how the technical, public and industry-specific requirements affect the types of regulations, supporting management system frameworks and the technical activities for improving hazardous materials process safety. This paper is based on the experience of the author in project work with federal and state regulators and with industry groups and companies, in both the process and pipeline industries over the last 17 years. It provides insights into various alternative pathways for communicating process safety concepts and improving process safety as the concepts are translated into specific company and even individual employee actions. It specifically highlights how the commonalities and differences in the types and configurations of physical assets and operating practices of the pipeline companies and process facilities affect respective cultures, language and actions for process safety management.     

Plant and safety system model

The design and development of a digital computer-based safety system for a nuclear power plant is a complex process. The process of design and product development must result in a final product free of critical errors; operational safety of nuclear power plants must not be compromised. This paper focuses on the development of a safety system model to assist designers, developers, and regulators in establishing and evaluating requirements for a digital computer-based safety system. The model addresses hardware, software, and human elements for use in the requirements definition process. The purpose of the safety system model is to assist and serve as a guide to humans in the cognitive reasoning process of establishing requirements. The goals in the use of the model are to: (1) enhance the completeness of the requirements and (2) reduce the number of errors associated with the requirements definition phase of a project.     

Adapting the application of risk analysis in offshore platform design to new framework conditions

This paper reviews results and experiences from a problem driven method development process within an ongoing oil field development project. Primary driving forces have been the NORSOK initiative to reduce overall project costs and new legislation on health, safety and environment. Four cases are presented, where risk analysis methods and practices have been changed to meet new needs. These cover needs of input to the selection of one platform concept from alternative standard concepts, specification and qualification of cost-efficient safety measures and analysis of the risk of occupational accidents. It is concluded that research may support the development processes through systematic evaluation and documentation. Significant areas of interest are standardization of risk acceptance criteria, development of risk analysis methods for special applications and evaluations of safety management programmes.     

Seismic probabilistic risk assessment and seismic margins studies for nuclear power plants

This paper reviews the seismic probabilistic risk assessment and seismic margins studies for nuclear power plants in the United States. The techniques employed in these studies are briefly described. A few comments on the evaluation of the fragility of structures and equipment are discussed. Seismic PRA is a systematic process to evaluate the safety of nuclear power plants. In the process, it integrates all the elements such as seismic hazard, component fragility and plant system. Thus, it provides the overall view of the safety of an entire plant under a seismic event.

The major tasks of a seismic PRA such as the evaluation of hazard curves, component fragility and plant system are also present in probabilistic analyses of nonnuclear facilities. The concept and technique embodied in seismic PRA for nuclear power plants can be applied to other types of engineering facilities.     

Can non-regulators audit Independent Ethic Committees (IEC), and if so, how?

A number of guidelines and directives have reinforced the need for a more formalised approach to Independent Ethic Committees (IECs) and support the need to audit IECs. The key elements of an audit of an IEC are reviewed within the context of the European Guidelines for Auditing Independent Ethics Committees published by the European Forum for Good Clinical Practice (EFGCP). Auditing requirements in these recent guidelines and the EU Clinical Trial Directive are discussed as well as the methodology and type of documentation and SOPs that should be present at an audit. It is argued that both inspectorates and independent auditors need to conduct such audits to improve the overall global standard.     

Developing an RFID-based tracking system to improve the control of construction surplus soil disposal in Taiwan

The current tracking system for construction surplus disposal soil report system (CSRS) in Taiwan is labor-intensive and prone to human error, with its accuracy and effectiveness often questioned. Radio-frequency identification (RFID) is a wireless sensing technology that uses radio waves and signals to wirelessly transmit, retrieve, and store data to identify the status of objects and contents. It can be read at long ranges and be operated in extreme environments. This paper has improved the existing construction surplus soil tracking system by developing an integrated RFID-based tracking system (RFID-CSRS). To accommodate the characteristics of the domain problems, RFID-CSRS integrates RFID technology with Internet infrastructure, cameras, and signal controlling units. The proposed system reduces human errors, such as incorrect manual recording and identification, inaccurate monthly reports and audits, and improper picture-taking of trucks. RFID-CSRS was also assembled and tested in two surplus soil disposal cases in Taiwan. The results demonstrated the soundness of the system and its capability to improve the effectiveness of the current system in tracking the disposal of construction surplus soil.     

Analysis and insights from a dynamical model of nuclear plant safety risk

In this paper, we expand upon previously reported results of a dynamical systems model for the impact of plant processes and programmatic performance on nuclear plant safety risk. We utilize both analytical techniques and numerical simulations typical of the analysis of nonlinear dynamical systems to obtain insights important for effective risk management. This includes use of bifurcation diagrams to show that period doubling bifurcations and regions of chaotic dynamics can occur. We also investigate the impact of risk mitigating functions (equipment reliability and loss prevention) on plant safety risk and demonstrate that these functions are capable of improving risk to levels that are better than those that are represented in a traditional risk assessment. Next, we analyze the system response to the presence of external noise and obtain some conclusions with respect to the allocation of resources to ensure that safety is maintained at optimal levels. In particular, we demonstrate that the model supports the importance of management and regulator attention to plants that have demonstrated poor performance by providing an external stimulus to obtain desired improvements. Equally important, the model suggests that excessive intervention, by either plant management or regulatory authorities, can have a deleterious impact on safety for plants that are operating with very effective programs and processes. Finally, we propose a modification to the model that accounts for the impact of plant risk culture on process performance and plant safety risk. We then use numerical simulations to demonstrate the important safety benefits of a strong risk culture.