A one-stop guide to design for safety principles and applications
Design for Safety (DfSa) provides design engineers and engineering managers with a range of tools and techniques for incorporating safety into the design process for complex systems. It explains how to design for maximum safe conditions and minimum risk of accidents. The book covers safety design practices, which will result in improved safety, fewer accidents, and substantial savings in life cycle costs for producers and users. Readers who apply DfSa principles can expect to have a dramatic improvement in the ability to compete in global markets. They will also find a wealth of design practices not covered in typical engineering books--allowing them to think outside the box when developing safety requirements.
Design Safety is already a high-demand field due to its importance to system design and will be even more vital for engineers in multiple design disciplines as more systems become increasingly complex and liabilities increase. Therefore, risk mitigation methods to design systems with safety features are becoming more important. Designing systems for safety has been a high priority for many safety-critical systems--especially in the aerospace and military industries. However, with the expansion of technological innovations into other marketplaces, industries that had not previously considered safety design requirements are now using the technology in applications.
Design for Safety:
- Covers trending topics and the latest technologies
- Provides ten paradigms for managing and designing systems for safety and uses them as guiding themes throughout the book
- Logically defines the parameters and concepts, sets the safety program and requirements, covers basic methodologies, investigates lessons from history, and addresses specialty topics within the topic of Design for Safety
- Supplements other books in the Wiley series on Quality and Reliability Engineering
Design for Safety is an ideal book for new and experienced engineers and managers who are involved with design, testing, and maintenance of safety-critical applications. It is also helpful for advanced undergraduate and postgraduate students in engineering.
Design for Safety is the second in a series of "Design for" books. Design for Reliability was the first in the series with more planned for the future.
About the Authors
LOUIS J. GULLO works for Raytheon Missile Systems, Engineering Product Support Directorate (EPSD), in Tucson, AZ. He is a member of the technical staff and the technical leader for Software Reliability and Safety across Missile Systems. He has worked in the industry for 33 years. He retired as Lieutenant Colonel from the US Army Signal Corps.
JACK DIXON is President of JAMAR International, Inc., in Orlando, FL. He has worked in the defense industry for over 45 years in the areas of system safety, human factors engineering, logistics support, program management, and business development.
Table of Contents
Series Editor's Foreword xvii
Preface xix
Acknowledgments xxiii
Introduction: What You Will Learn xxv

1 Design for Safety Paradigms (Dev Raheja, Louis J. Gullo, and Jack Dixon) 1
1.1 Why Design for System Safety? 1
1.1.1 What Is a System? 1
1.1.2 What Is System Safety? 2
1.1.3 Organizational Perspective 2
1.2 Reflections on the Current State of the Art 2
1.3 Paradigms for Design for Safety 3
1.3.1 Always Aim for Zero Accidents 4
1.3.2 Be Courageous and "Just Say No" 5
1.3.3 Spend Significant Effort on Systems Requirements Analysis 7
1.3.4 Prevent Accidents from Single as well as Multiple Causes 8
1.3.5 If the Solution Costs Too Much Money, Develop a Cheaper Solution 9
1.3.6 Design for Prognostics and Health Monitoring (PHM) to Minimize the Number of Surprise Disastrous Events or Preventable Mishaps 10
1.3.7 Always Analyze Structure and Architecture for Safety of Complex Systems 11
1.3.8 Develop a Comprehensive Safety Training Program to Include Handling of Systems by Operators and Maintainers 12
1.3.9 Taking No Action Is Usually Not an Acceptable Option 12
1.3.10 If You Stop Using Wrong Practices, You Are Likely to Discover the Right Practices 13
1.4 Create Your Own Paradigms 13
1.5 Summary 14
References 14

2 The History of System Safety (Jack Dixon) 17
2.1 Introduction 17
2.2 Origins of System Safety 18
2.2.1 History of System Safety 19
2.2.2 Evolution of System Safety and Its Definitions 21
2.2.3 The Growth of System Safety 23
2.3 Tools of the Trade 30
2.4 Benefits of System Safety 31
2.5 System Safety Management 34
2.6 Integrating System Safety into the Business Process 34
2.6.1 Contracting for System Safety 34
References 36
Suggestions for Additional Reading 38

3 System Safety Program Planning and Management (Louis J. Gullo and Jack Dixon) 39
3.1 Management of the System Safety Program 39
3.1.1 System Safety Management Considerations 40
3.1.2 Management Methods and Concepts 41
3.2 Engineering Viewpoint 44
3.2.1 Software Tools 45
3.2.2 Design Concepts and Strategy 45
3.2.3 System Development Process (SDP) 46
3.2.4 Systems Engineering V-Model 46
3.2.5 Requirements Generation and Analysis 48
3.2.6 System Analysis 49
3.2.7 System Testing 49
3.2.8 Risk Management 50
3.3 Safety Integrated in Systems Engineering 50
3.4 Key Interfaces 51
3.5 Planning, Execution, and Documentation 52
3.5.1 System Safety Program Plan 52
3.5.2 Safety Assessment Report 58
3.5.3 Plans Related to System Safety 60
3.6 System Safety Tasks 61
References 61
Suggestions for Additional Reading 62

4 Managing Risks and Product Liabilities (Louis J. Gullo and Jack Dixon) 63
4.1 Introduction 63
4.2 Risk 68
4.3 Risk Management 69
4.4 What Happens When the Paradigms for Design for Safety Are Not Followed? 71
4.5 Tort Liability 72
4.6 An Introduction to Product Liability Law 73
4.7 Famous Legal Court Cases Involving Product Liability Law 75
4.8 Negligence 77
4.9 Warnings 79
4.10 The Rush to Market and the Risk of Unknown Hazards 80
4.11 Warranty 81
4.12 The Government Contractor Defense 83
4.13 Legal Conclusions Involving Defective and Unsafe Products 84
References 85
Suggestions for Additional Reading 86

5 Developing System Safety Requirements (Louis J. Gullo) 87
5.1 Why Do We Need Safety Requirements? 87
5.2 Design for Safety Paradigm 3 Revisited 89
5.3 How Do We Drive System Safety Requirements? 93
5.4 What Is a System Requirement? 94
5.4.1 Performance Specifications 96
5.4.2 Safety Requirement Specification (SRS) 98
5.5 Hazard Control Requirements 98
5.6 Developing Good Requirements 100
5.6.1 Recognize Bad Requirements 101
5.6.2 Requirements at the Top of the Issues List 102
5.6.3 Examples Good Requirements for System Safety 103
5.6.4 Negative versus Positive Requirements 104
5.7 Example of Certification and Validation Requirements for a PSDI 105
5.8 Examples of Requirements from STANAG 4404 111
5.9 Summary 113
References 114

6 System Safety Design Checklists (Jack Dixon) 115
6.1 Background 115
6.2 Types of Checklists 116
6.2.1 Procedural Checklists 116
6.2.2 Observational Checklists 118
6.2.3 Design Checklists 119
6.3 Use of Checklists 122
References 123
Suggestions for Additional Reading 124
Additional Sources of Checklists 124

7 System Safety Hazard Analysis (Jack Dixon) 125
7.1 Introduction to Hazard Analyses 125
7.1.1 Definition of Terms 126
7.2 Risk 126
7.3 Design Risk 127
7.3.1 Current State of the Art of Design Risk Management 127
7.3.2 Expression of Risk 127
7.3.3 Risk Management 128
7.4 Design Risk Management Methods and Hazard Analyses 135
7.4.1 Role of Hazard Analysis 135
7.5 Hazard Analysis Tools 136
7.5.1 Preliminary Hazard List 136
7.5.2 Preliminary Hazard Analysis 138
7.5.3 Subsystem Hazard Analysis (SSHA) 140
7.5.4 System Hazard Analysis (SHA) 143
7.5.5 Operating & Support Hazard Analysis (O&SHA) 145
7.5.6 Health Hazard Analysis (HHA) 148
7.6 Hazard Tracking 150
7.7 Summary 152
References 152
Suggestions for Additional Reading 152

8 Failure Modes, Effects, and Criticality Analysis for System Safety (Louis J. Gullo) 153
8.1 Introduction 153
8.1.1 What Is an FMEA? 154
8.1.2 What Is an FMECA? 154
8.1.3 What Is a Single Point Failure? 155
8.1.4 Definitions 156
8.2 The Design FMECA (D-FMECA) 156
8.3 How Are Single Point Failures Eliminated or Avoided in the Design? 158
8.4 Software Design FMECA 165
8.5 What Is a PFMECA? 172
8.5.1 What Is the Difference Between a Process FMECA and a Design FMECA? 172
8.5.2 Why PFMECAs? 173
8.5.3 Performing PFMECA, Step by Step 174
8.5.4 Performing PFMECA, Improvement Actions 180
8.5.5 Performing PFMECA and Reporting Results 181
8.6 Conclusion 182
Acknowledgments 182
References 182
Suggestions for Additional Reading 183

9 Fault Tree Analysis for System Safety (Jack Dixon) 185
9.1 Background 185
9.2 What Is a Fault Tree? 186
9.2.1 Gates and Events 187
9.2.2 Definitions 187
9.3 Methodology 189
9.4 Cut Sets 193
9.5 Quantitative Analysis of Fault Trees 198
9.6 Automated Fault Tree Analysis 199
9.7 Advantages and Disadvantages 200
9.8 Example 200
9.9 Conclusion 207
References 207
Suggestions for Additional Reading 208

10 Complementary Design Analysis Techniques (Jack Dixon) 209
10.1 Background 209
10.2 Discussion of Less Used Techniques 210
10.2.1 Event Tree Analysis 210
10.2.2 Sneak Circuit Analysis 213
10.2.3 Functional Hazard Analysis 217
10.2.4 Barrier Analysis 220
10.2.5 Bent Pin Analysis 222
10.3 Other Analysis Techniques 224
10.3.1 Petri Nets 225
10.3.2 Markov Analysis 225
10.3.3 Management Oversight Risk Tree (MORT) 226
10.3.4 System-Theoretic Process Analysis 228
References 230
Suggestions for Additional Reading 230

11 Process Safety Management and Analysis (Jack Dixon) 231
11.1 Background 231
11.2 Elements of Process Safety Management 232
11.3 Process Hazard Analyses 236
11.3.1 What-If Analysis 238
11.3.2 Checklist 239
11.3.3 What-If/Checklist Analysis 239
11.3.4 Hazard and Operability Study 239
11.3.5 Failure Modes and Effects Analysis 241
11.3.6 Fault Tree Analysis 241
11.3.7 Equivalent Methodologies 242
11.4 Other Related Regulations 242
11.4.1 US Legislation 242
[...]opean Directives 244
11.5 Inherently Safer Design 244
11.6 Summary 247
References 247
Suggestions for Additional Reading 248

12 System Safety Testing (Louis J. Gullo) 249
12.1 Purpose of System Safety Testing 249
12.1.1 Types of System Safety Tests 250
12.2 Test Strategy and Test Architecture 252
12.3 Develop System Safety Test Plans 256
12.4 Regulatory Compliance Testing 259
12.5 The Value of PHM for System Safety Testing 265
12.5.1 Return on Investment (ROI) from PHM 266
12.5.2 Insensitive Munitions 268
12.5.3 Introduction to PHM 269
12.6 Leveraging Reliability Test Approaches for Safety Testing 271
12.7 Safety Test Data Collection 273
12.8 Test Results and What to Do with the Results 276
12.8.1 What to Do with the Test Results? 276
12.8.2 What Happens If the Test Fails? 276
12.9 Design for Testability 277
12.10 Test Modeling 277
12.11 Summary 278
References 278

13 Integrating Safety with Other Functional Disciplines (Louis J. Gullo) 281
13.1 Introduction 281
13.1.1 Key Interfaces for Systems Safety Engineering 282
13.1.2 Cross-Functional Team 283
13.1.3 Constant Communication 285
13.1.4 Digital World 285
13.1.5 Friend or Foe 286
13.2 Raytheon's Code of Conduct 288
13.3 Effective Use of the Paradigms for Design for Safety 290
13.4 How to Influence People 293
13.5 Practice Emotional Intelligence 295
13.6 Practice Positive Deviance to Influence People 299
13.7 Practice "Pay It Forward" 301
13.8 Interfaces with Customers 303
13.9 Interfaces with Suppliers 304
13.10 Five Hats for Multi-Disciplined Engineers (A Path Forward) 304
13.11 Conclusions 306
References 306

14 Design for Reliability Integrated with System Safety (Louis J. Gullo) 307
14.1 Introduction 307
14.2 What Is Reliability? 308
14.3 System Safety Design with Reliability Data 312
14.4 How Is Reliability Data Translated to Probability of Occurrence? 316
14.5 Verification of Design for Safety Including Reliability Results 322
14.6 Examples of Design for Safety with Reliability Data 323
14.7 Conclusions 327
Acknowledgment 328
References 328

15 Design for Human Factors Integrated with System Safety (Jack Dixon and Louis J. Gullo) 329
15.1 Introduction 329
15.2 Human Factors Engineering 331
15.3 Human-Centered Design 331
15.4 Role of Human Factors in Design 332
15.4.1 Hardware 332
15.4.2 Software 334
15.4.3 Human-Machine Interface 336
15.4.4 Manpower Requirements 336
15.4.5 Workload 337
15.4.6 Personnel Selection and Training 337
15.5 Human Factors Analysis Process 337
15.5.1 Purpose of Human Factors Analysis 337
15.5.2 Methods of Human Factors Analysis 338
15.6 Human Factors and Risk 338
15.6.1 Risk-Based Approach to Human Systems Integration 338
15.6.2 Human Error 344
15.6.3 Types of Human Error 345
15.6.4 Mitigation of Human Error 346
15.6.5 Design for Error Tolerance 347
15.7 Checklists 347
15.8 Testing to Validate Human Factors in Design 350
Acknowledgment 350
References 350
Suggestions for Additional Reading 351

16 Software Safety and Security (Louis J. Gullo) 353
16.1 Introduction 353
16.2 Definitions of...