Publication


Featured research published by Nicolas Dulac.


Organization Studies | 2009

Moving Beyond Normal Accidents and High Reliability Organizations: A Systems Approach to Safety in Complex Systems

Nancy G. Leveson; Nicolas Dulac; Karen Marais; John S. Carroll

In this century society faces increasingly large-scale accidents and risks emerging from our own wondrous technologies. Two prominent organizational approaches to safety, Normal Accident Theory and High Reliability Organizations, have focused attention on a variety of industries that deal with hazardous situations, developed concepts to explicate organizational structure and culture, and debated whether accidents are inevitable in complex systems. We outline these approaches and identify some limitations, including narrow definitions, ambiguity about key concepts, confusion of reliability and safety, and overly pessimistic or optimistic conclusions. We believe that the debate between NAT and HRO can become a more productive three-way conversation by including a systems approach to safety emerging from engineering disciplines. The more comprehensive systems approach clarifies the strengths and weaknesses of NAT and HRO and offers a more powerful repertoire of analytic tools and intervention strategies to manage and control post modern risk in complex, high-tech, systems with their potential for catastrophic disruptions and losses.


international conference on requirements engineering | 2002

On the use of visualization in formal requirements specification

Nicolas Dulac; Thomas Viguier; Nancy G. Leveson; Margaret-Anne D. Storey

A limiting factor in the industrial acceptance of formal specifications is their readability, particularly for large, complex engineering systems. We hypothesize that multiple visualizations generated from a common model will improve the requirements creation, reviewing and understanding process. Visual representations, when effective, provide cognitive support by highlighting the most relevant interactions and aspects of a specification for a particular use. In this paper, we propose a taxonomy and some preliminary principles for designing visual representations of formal specifications. The taxonomy and principles are illustrated by sample visualizations we created while trying to understand a formal specification of the MD-11 flight management system.


ieee aerospace conference | 2008

Application of a Safety-Driven Design Methodology to an Outer Planet Exploration Mission

Brandon D. Owens; Margaret Stringfellow Herring; Nicolas Dulac; Nancy G. Leveson; Michel D. Ingham; Kathryn Anne Weiss

Traditional requirements specification and hazard analysis techniques have not kept pace with the increasing complexity and constraints of modern space systems development. These techniques are incomplete and often consider safety late in the development cycle when the most significant design decisions have already been made. The lack of an integrated approach to perform safety-driven system development from the beginning of the system lifecycle hinders the ability to create safe space systems on time and within budget. To address this need, the authors have created an integrated methodology for safety-driven system development that combines four state-of-the-art techniques: 1) intent specification, a framework for organizing system development and operational information in a hierarchical structure; 2) the STAMP model of accident causation, a system-theoretic framework upon which to base more powerful safety engineering techniques; 3) STAMP-based hazard analysis (STPA); and 4) state analysis, a model-based systems engineering approach. The iterative approach specified in the methodology employs state analysis in the modeling of system behavior. STPA is used to identify system hazards and the constraints that must be enforced to mitigate these hazards. Finally, intent specification is used to document traceability of behavioral requirements and subject them to formal analysis using the SpecTRM-RL software package. In this paper, the application of this methodology is demonstrated through the specification of a spacecraft high gain antenna pointing mechanism for a hypothetical outer planet exploration mission.


1st Space Exploration Conference: Continuing the Voyage of Discovery | 2005

Safety and Risk-Driven Design in Complex Systems-of-Systems

Nancy G. Leveson; Nicolas Dulac

More powerful, next-generation approaches to safety management and safety-driven design and decision-making are required in order to meet the mission safety and assurance goals for human space exploration in an affordable and effective way. The assumptions underlying our current safety and mission assurance approaches do not match the basic properties of some new types of hardware technology, particularly digital hardware, software, complex human decision-making and human-automation interaction, and accidents that arise from dysfunctional system component interactions rather than component failures. This paper describes a new model of accident causation, called STAMP (System-Theoretic Accident Model and Processes), that integrates all elements of risk, including technical, organizational, and social. The new model provides the foundation for next-generation hazard analysis techniques, more comprehensive incident and accident root cause analysis, and continuous risk management systems to enhance decision-making in complex systems-of-systems.

I. Introduction

To achieve the levels of safety and reliability required for successful space exploration, more powerful safety analysis and design techniques will be needed. Traditional hazard analysis and risk assessment techniques (such as Fault Tree Analysis, FMEA/CIL, and Probabilistic Risk Assessment) were created for mechanical systems and later extended to electro-mechanical systems and are better at evaluating completed designs than driving early design decisions. They rest on the assumption that accidents result from component failure and thus miss the increasingly common accidents resulting from interactions among systems and components, such as foam hitting the Orbiter RCC panels or software thinking the spacecraft has landed and cutting off the descent engines prematurely.

When building systems-of-systems that are software-intensive and require complex human decision making and human-automation interaction as well as distributed decision-making, today's techniques are inadequate: extremely expensive to apply and capable of only limited results. The complexities involved in the interactions among components in sophisticated spacecraft and systems-of-systems overwhelm existing safety engineering techniques based on analyzing individual component failure, do not handle components like software (which is essentially design abstracted from its physical representation and thus does not "fail"), and present sometimes overwhelming challenges to organizations managing such complex systems. Billions of dollars have been lost in spacecraft mishaps in the past few years, including the Ariane 501, various Titan launch mishaps, and, of course, Columbia. Every recent Mars mission has run into software problems. This paper describes an approach to safety management and safety-driven design that overcomes the limitations of current safety analysis and risk management techniques. The approach rests on a new model of accident causation called STAMP (Systems-Theoretic Accident Modeling and Processes), which extends the types of accidents that can be handled today. STAMP integrates all elements of risk, including technical, organizational and social. Note that safety here is not limited to human safety and crew survival, but also includes loss of mission, loss of equipment, and negative environmental impacts.


winter simulation conference | 2005

Using system dynamics for safety and risk management in complex engineering systems

Nicolas Dulac; Nancy G. Leveson; David Zipkin; Stephen Friedenthal; Joel Cutcher-Gershenfeld; John M. Carroll; Betty Barrett

This paper presents a new approach to modeling and analyzing organizational culture, particularly safety culture. We have been experimentally applying it to the NASA manned space program as part of our goal to create a powerful new approach to risk management in complex systems. We describe the approach and give sample results of its applications to understand the factors involved in the Columbia accident and to perform a risk analysis of the new Independent Technical Authority (ITA) structure for NASA, which was introduced to improve safety-related decision-making.


Journal of Aerospace Computing Information and Communication | 2006

Engineering Spacecraft Mission Software using a Model-Based and Safety-Driven Design Methodology

Kathryn Anne Weiss; Nicolas Dulac; Stephanie Chiesi; Mirna Daouk; David Zipkin; Nancy G. Leveson

This paper outlines an integrated approach to system, software, and safety engineering for today’s complex, safety-critical systems. Intent Specifications, component-based systems engineering, and a new hazard analysis technique based on the Systems Theoretic Accident Modeling and Process (STAMP) are all combined in a seamless, safety-driven design methodology. This integrated approach to system software development is demonstrated through an example application of the techniques on a low-Earth orbiting satellite. The results of performing the system modeling, hazard analyses, and model simulations of the spacecraft as a whole are also presented. Finally, the approach is compared to other, current model-based systems engineering and hazard analysis techniques.


Archive | 2004

Beyond Normal Accidents and High Reliability Organizations: The Need for an Alternative Approach to Safety in Complex Systems

Karen Marais; Nicolas Dulac; Nancy G. Leveson


Archive | 2012

Engineering resilience into safety-critical systems

Nancy G. Leveson; Nicolas Dulac; David Zipkin; Joel Cutcher-Gershenfeld; John M. Carroll; Betty Barrett


Archive | 2003

Applying STAMP in Accident Analysis

Nancy G. Leveson; Mirna Daouk; Nicolas Dulac; Karen Marais


Archive | 2004

An Approach to Design for Safety in Complex Systems

Nicolas Dulac; Nancy G. Leveson

Collaboration


Nicolas Dulac's collaborators.

Top Co-Authors

Nancy G. Leveson, Massachusetts Institute of Technology
David Zipkin, Massachusetts Institute of Technology
John M. Carroll, Pennsylvania State University
Mirna Daouk, Massachusetts Institute of Technology
Betty Barrett, Massachusetts Institute of Technology
Joel Cutcher-Gershenfeld, Massachusetts Institute of Technology
Brandon D. Owens, Massachusetts Institute of Technology
Kathryn Anne Weiss, Massachusetts Institute of Technology
Stephen Friedenthal, Massachusetts Institute of Technology