System Safety

Systems, Functions and Safety

Abstract

System safety is a well-researched field with well-established terminology. To design for safety correctly, we need to understand hazards and the risk associated with them. Each hazard may lead to an incident or an accident. The risk associated with each hazard can and must be assessed and quantified. In this chapter, we lay out a procedure for assessing hazards, quantifying risk, and iterating the design until the hazards are removed or the risk is reduced to an acceptable level. Our technical systems, therefore, can (and must!) be assessed for safety from the earliest project stages, starting from ideation, through requirements definition, then design and implementation, verification and validation, all the way into deployment and decommissioning.


Appendices

Exercise 3

For the electric scooter with geofencing, discussed in Chaps. 1 and 2, we now need to identify hazards and assess the risk for each of them. Hazards can be identified by assessing the failures of the functions of the electric scooter, based on the requirements specification developed in Chap. 2. To assess the failures correctly, consider as many failure modes as possible for each function. You may also use guidewords, such as no, always (stuck), reverse (opposite), more, less, early, and late, to help you figure out failure modes. For each of the identified failures, assess whether it is dangerous or not. If a failure is dangerous, mark it as a hazard. Then assess the risk for the hazard using the IEC 61508 risk assessment matrix. Mark and briefly describe the causal factors for each hazard in the form of a failure chain according to the class of cause (external fault, internal fault, error) (Fig. 3.6).

Fig. 3.6 Example of a hazard and risk evaluation sheet (a table giving, for one example hazard, its function, failure mode, probability, severity, risk category, and failure chain)

Your Tasks for the Exercise

  • Based on the functional requirements from Chap. 2, now analyze hazards and fill in the hazard and risk evaluation sheet.

  • To fill in the sheet, analyze failure modes for at least two functions of your choice. Use guidewords to help you pinpoint the possible failure modes. For each failure mode, create a new row in the sheet. If you determine that the failure is dangerous, mark it as a hazard and assess the risk.

  • Risk assessment is done according to the IEC 61508 risk assessment matrix.

  • Discuss and describe the failure chain leading to the potential accident. Distinguish between faults (external, internal), errors, and the failure in your description.

To-Do List

  • Perform the exercise individually or with your peers. One person can share the screen and keep notes while all contribute.

  • Create presentables (e.g., drawing, Excel calculation).

  • Discuss your solution and share it with others.

Note: Digital files for this exercise are available at sfs3.ex.nit-institute.com

Exercise 3 Template

A table has 13 columns and 10 rows. It is titled exercise 3 template for the preliminary hazard list of the power press. It has only one entry in the first row of column 1.

Exercise 3 Sample Solutions

See several exemplary solutions to the exercise:

Solution 1

A table has 8 columns and 11 rows. It contains solution 1 for the hazard and risk evaluation sheet of electric scooters with geofencing.

Review Comments by the Instructor

  • When assessing the probability of a risk, argumentation needs to be provided, targeting failure rates (statistics) based on reports from previous system versions or similar systems. At the very least, the rationale needs to be consistent throughout the PHL (e.g., probability of misuse is always higher than the probability of the failure of mechanical components, which is again higher than the probability of failure of electronics).

  • Severity consideration may be impacted by the operating mode; therefore, in the usual PHL, each failure mode of the function is combined with each of the operating modes, to draw out all potential hazards related to that function failing. For example, the driving speed of the scooter in various operating modes (e.g., pedestrian mode or speed mode) might affect the severity of the risk (e.g., in pedestrian mode, when the scooter is being driven at around 5 km/h, we can argue that the driver might “jump off” and prevent the accident in many cases, and that the severity of impact in some cases may also be lower).

  • Please make sure to use the guidewords correctly; e.g., if the function is “stuck,” this means it is “always on,” e.g., always braking (as opposed to “brake lever stuck,” which is a misinterpretation of the function).

  • Please note that in “stuck” failure modes, it is possible not to have a hazard (e.g., always braking means the function is not available, but it is indeed safe, since the vehicle is not moving). This helps decompose the failure rate of the braking subsystem, since not all failures are dangerous (all safe failures, and also all dangerous detectable failures – we will see about those in subsequent lectures and courses – can be disregarded in the final SIL consideration).
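As an added example (not part of the book or of the exercise files), the following Python model encodes the hazard and risk evaluation sheet that the tasks above ask for, with the instructor's points applied: the exercise guidewords enumerate failure modes, a row receives a risk class only when it is marked as a hazard (no hazard, no risk), an "always" (stuck-on) failure may be safe, software faults are tracked as systematic rather than rated probabilistically, and a check flags likelihood ratings that contradict the misuse > mechanical > electronics ordering. The risk-class matrix, the class names, the `environment` cause category and all scooter rows are constructed assumptions; Fig. 3.6 and the course's own matrix are not reproduced on this page, so substitute those when doing the exercise.

```python
from dataclasses import dataclass
from typing import Optional

# Guidewords named in the exercise for deriving failure modes of each function.
GUIDEWORDS = ("no", "always", "reverse", "more", "less", "early", "late")

# Likelihood/consequence classes and risk classes I..IV in the style of the
# informative example in IEC 61508-5 Annex B. ASSUMPTION: constructed stand-in
# for the course's matrix (Fig. 3.6), which is not reproduced on this page.
LIKELIHOOD = ("frequent", "probable", "occasional", "remote", "improbable", "incredible")
SEVERITY = ("catastrophic", "critical", "marginal", "negligible")
RISK_MATRIX = {
    "frequent":   ("I",   "I",   "I",   "II"),
    "probable":   ("I",   "I",   "II",  "III"),
    "occasional": ("I",   "II",  "III", "III"),
    "remote":     ("II",  "III", "III", "IV"),
    "improbable": ("III", "III", "IV",  "IV"),
    "incredible": ("IV",  "IV",  "IV",  "IV"),
}

# Instructor's rationale: P(misuse) > P(mechanical failure) > P(electronics failure).
# Software faults are systematic and get no probability; "environment" causes are
# left out of the ordering because the text gives no rank for them (assumption).
CAUSE_RANK = {"misuse": 0, "mechanical": 1, "electronics": 2}


@dataclass
class FailureChain:
    fault: str        # root cause (e.g. "brake cable worn through")
    fault_kind: str   # "external" or "internal"
    error: str        # wrong internal state produced by the fault
    failure: str      # observable deviation of the function


@dataclass
class SheetRow:
    function: str
    guideword: str
    failure_mode: str
    hazardous: bool                   # dangerous failure -> mark as hazard
    chain: FailureChain
    cause_category: str               # misuse / mechanical / electronics / environment / software
    likelihood: Optional[str] = None  # None for systematic (software) causes
    severity: Optional[str] = None

    def __post_init__(self):
        if self.guideword not in GUIDEWORDS:
            raise ValueError(f"unknown guideword {self.guideword!r}")
        if self.chain.fault_kind not in ("external", "internal"):
            raise ValueError("fault_kind must be 'external' or 'internal'")


def risk_class(likelihood: str, severity: str) -> str:
    """Risk class (I..IV) for a likelihood/severity pair from the matrix."""
    return RISK_MATRIX[likelihood][SEVERITY.index(severity)]


def evaluate_row(row: SheetRow) -> Optional[str]:
    """None when the failure is not a hazard (no hazard - no risk), 'systematic'
    for software causes, otherwise the matrix risk class."""
    if not row.hazardous:
        return None
    if row.cause_category == "software":
        return "systematic"  # prevented by development measures, not rated
    if row.likelihood is None or row.severity is None:
        raise ValueError(f"hazard {row.failure_mode!r} needs likelihood and severity")
    return risk_class(row.likelihood, row.severity)


def evaluate_sheet(rows) -> dict:
    """Map each failure mode to its risk class (or None / 'systematic')."""
    return {r.failure_mode: evaluate_row(r) for r in rows}


def check_probability_rationale(rows) -> list:
    """Flag hazard pairs whose likelihood ratings contradict the cause ordering
    (a less likely cause category rated more frequent than a more likely one)."""
    rated = [r for r in rows if r.hazardous and r.cause_category in CAUSE_RANK]
    problems = []
    for a in rated:
        for b in rated:
            if (CAUSE_RANK[a.cause_category] < CAUSE_RANK[b.cause_category]
                    and LIKELIHOOD.index(a.likelihood) > LIKELIHOOD.index(b.likelihood)):
                problems.append(f"{a.cause_category} '{a.failure_mode}' rated {a.likelihood} "
                                f"but {b.cause_category} '{b.failure_mode}' rated {b.likelihood}")
    return problems


# Constructed sample rows (not from the book) covering several scooter functions.
SAMPLE_SHEET = [
    SheetRow("Brake on lever pull", "no", "no braking when lever is pulled", True,
             FailureChain("brake cable worn through", "internal", "pads not actuated",
                          "scooter does not decelerate"), "mechanical", "occasional", "critical"),
    SheetRow("Brake on lever pull", "always", "always braking (stuck on)", False,
             FailureChain("caliper seized", "internal", "permanent brake force",
                          "scooter cannot move"), "mechanical"),
    SheetRow("Limit speed inside geofence", "no", "no speed limit in pedestrian zone", True,
             FailureChain("GNSS signal lost between buildings", "external", "zone read as outside",
                          "full speed allowed in zone"), "environment", "remote", "marginal"),
    SheetRow("Limit speed inside geofence", "late", "speed limit applied late on zone entry", True,
             FailureChain("bug in zone look-up", "internal", "stale zone state",
                          "limit applied seconds late"), "software"),
    SheetRow("Drive motor", "more", "motor torque higher than commanded", True,
             FailureChain("controller output stage shorted", "internal", "full PWM duty",
                          "unintended acceleration"), "electronics", "remote", "critical"),
    SheetRow("Keep frame locked while riding", "no", "frame folds while riding", True,
             FailureChain("rider does not engage latch", "external", "latch partly closed",
                          "sudden folding"), "misuse", "probable", "critical"),
]

if __name__ == "__main__":
    for row in SAMPLE_SHEET:
        print(f"{row.function:32} {row.guideword:7} {row.failure_mode:42} -> {evaluate_row(row)}")
    print("rationale problems:", check_probability_rationale(SAMPLE_SHEET) or "none")
```

Running the block prints one line per sheet row; the stuck-on brake row comes out as `None` (a safe failure that carries no risk), the software row as `systematic`, and the remaining hazards as matrix classes. The rationale check is the piece worth keeping in any real sheet: it turns the instructor's "be consistent throughout the PHL" into something that can be re-run every time a row is edited.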

Solution 2

A table has 8 columns and 10 rows. It contains solution 2 for the hazard and risk evaluation sheet of electric scooters with geofencing. The last 3 rows have no entries.

Review Comments by the Instructor

  • Make sure to properly analyze the environment; harm and damage are not only to the vehicle and the driver but also potentially to other traffic participants. For example, in a sudden folding case, if the scooter is allowed on the roads, heavy consequences can occur to many traffic participants in general, potentially harming many persons.

  • Generally, the output you created is really good!

Solution 3

A table has 8 columns and 11 rows. It contains solution 3 for the hazard and risk evaluation sheet of electric scooters with geofencing. There are no entries in the last 4 rows.

Review Comments by the Instructor

  • Be careful about faults originating from software (bugs). Those are systematic faults and are hard (and usually impossible) to model probabilistically. Instead, specific measures are prescribed for the development (by the standard) to prevent and remove systematic faults. It is good, however, to analyze these kinds of faults and point out the importance of systematic development, but make sure to balance your PHL so that faults due to misuse, environment (external faults), and also hardware/mechanical wear are taken into account with enough weight.

Solution 4

A table has 8 columns and 10 rows. It contains solution 4 for the hazard and risk evaluation sheet of electric scooters with geofencing. There are 3 blank rows.

Review Comments by the Instructor

  • Please see comments to other groups, especially for hazards related to systematic faults in software.

  • In case a hazard is not identified, there is no need to assess the risk (no hazard – no risk).

  • Improper training and faults due to misuse are always worth considering, because many hazards are actuated by a human factor.

  • I see you have corrected my other comments from the live session, so now this analysis looks pretty good (in the parts which are completed, of course).

Key Recap Questions

In this chapter, you have been exploring the main concepts of system safety and performing initial steps to identify system hazards. Now, with regard to the system you discussed:

  • For each system function, discuss potential failures.

  • Are there any hazards involved?

  • If so, what are the risks? Try to quantify the risk!

  • What caused the failure? Go back following the failure chain!

  • What can we do about faults and errors?

Self-assessment

Now take the time to self-assess your knowledge by taking the quiz below. Each listed statement is either correct or incorrect. Please mark your answer and then check in the key at the end of the book.

  1. System safety deals with methods that need to provide absolute protection from harm or damage.

  2. A safety belt in the vehicle is a safety measure prescribed by functional safety.

  3. Reported incidents are an indicator of an imminent accident.

  4. Hazards always have the same usual targets (people, environment, property) regardless of the safety standard applied for their assessment.

  5. Hazard A is more serious and shall be prioritized over Hazard B if Hazard A, if actuated, causes the death of 100 people, and Hazard B, if actuated, causes the death of 50 people.

  6. Let us say that for System A, the maintenance phase, which happens once a year, is considered hazardous. One of the ways to remove this hazard is to decrease the frequency of system maintenance.

  7. A fault in the system is always considered a causal factor for a hazard.

  8. Errors in the system may lead to dangerous failures of system functions.

  9. System faults can be detected and removed during the system operation.

  10. If we detect a dangerous failure of a system function, we may prevent the accident.

Self-assessment Key

  1. False

  2. False

  3. True

  4. False

  5. False

  6. True

  7. False

  8. True

  9. False

  10. True

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this chapter

Cite this chapter

Bjelica, M.Z. (2023). System Safety. In: Systems, Functions and Safety. Springer, Cham. https://doi.org/10.1007/978-3-031-15823-0_3

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-15823-0_3

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-15822-3

  • Online ISBN: 978-3-031-15823-0

  • eBook Packages: Engineering (R0)
