SlideShare una empresa de Scribd logo

Dezfuli.h

Descargar como PPTX, PDF
N
NASAPMC
EmpresarialesTecnología
1 de 31
A ―Systems/Case-based‖ Approach to System Safety Presented at NASA Project Management Challenge 2012 February 22-23, 2012 Homayoon Dezfuli, Ph.D. NASA Technical Fellow for System Safety Office of Safety and Mission assurance (OSMA) NASA Headquarters
Introduction • We have developed a System Safety Framework under which system safety activities are conducted and communicated • The three elements of the framework are: – Safety objectives – System safety activities – Risk-Informed Safety Case (RISC) • Guidance on the System Safety Framework is contained in the NASA System Safety Handbook – Volume 1: System Safety Framework and Concepts for Implementation (NASA/SP-2010- 580) • Volume 1 will be followed by Volume 2 on methods Presented by Homayoon Dezfuli 2
Motivation • Development of the System Safety Framework is motivated by a desire to: – Foster a systems view of safety (i.e., a holistic, systems engineering view of safety) – Improve integration and effectiveness of system safety activities – Establish a process for defining ―adequate safety‖ – Establish a means for presenting a coherent case for the safety of the system to decision makers – Establish a process that is compatible with the growing trend toward insight/oversight relationships with commercial providers Presented by Homayoon Dezfuli 3
Safety Objectives 4
What is Safety? “Safety is freedom from those conditions that can cause death, injury, occupational illness, damage to or loss of equipment or property, or damage to the environment” NPR 8715.3 • The specific scope of safety is application-specific, and must be clearly defined by the stakeholders in terms of the entities to which it applies and the consequences against which it is assessed • The degree of safety that is considered acceptable is also application-specific – We strive to attain a degree of safety that fulfills obligations to the at-risk communities and addresses agency priorities – We do not expect to attain absolute safety (nor consider it possible to do so) Presented by Homayoon Dezfuli 5
Adequate Safety • Achieving an adequately safe system requires adherence to the following fundamental safety principles: – The system meets or exceeds a minimum tolerable level of safety. Below this level the system is considered unsafe – The system is as safe as reasonably practicable (ASARP) Achieve an adequately safe system Achieve a system that Achieve a system that is meets or exceeds the as safe as reasonably minimum tolerable level practicable (ASARP) of safety Operate the system Design the system to Build the system to Design the system to Build the system to Operate the system to continuously meet meet or exceed the meet or exceed the be as safe as be as safe as to continuously be as or exceed the minimum tolerable minimum tolerable reasonably reasonably safe as reasonably minimum tolerable level of safety level of safety practicable practicable practicable level of safety • The minimum tolerable level of safety is not necessarily static, and may evolve over the course of the system life cycle • The principles of adequate safety must be maintained throughout all phases of the system life cycle Presented by Homayoon Dezfuli 6
NASA Safety Thresholds & Goals • NASA‘s minimum level of tolerable safety for human spaceflight missions is articulated in NASA‘s agency-level safety goals and thresholds for crew transportation system missions to the ISS • They reflect a tolerance for an initial safety performance that is acceptable initially but below long-term expectations Presented by Homayoon Dezfuli 7
NASA Safety Thresholds and Goals: Accounting for the Unknowns “ There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don't know we don't know. ” — Former United States Secretary of Defense Donald Rumsfeld, 2002 • Meeting quantitative safety requirements means more than simply showing that the known-known risks do not exceed the applicable goal or threshold • We must also be able to show that: – The known-unknowns (risks that have been identified but are not quantifiable) and the unknown-unknowns (risks that exist but have not been identified) are bounded – The bounds of the unknowns do not threaten the quantitative safety requirements • Methods for doing this include: – Reliability growth analyses of US vehicles and other countries‘ vehicles – Analyses of historical precursors and anomalies Presented by Homayoon Dezfuli 8
As Safe As Reasonably Practicable (ASARP) “ASARP entails weighing the safety performance of a system against the sacrifice needed to further improve it. A system is ASARP if an incremental improvement in safety would require a disproportionate deterioration of system performance in other areas.” From SS Handbook • The ASARP concept is closely related to the ―as low as reasonably achievable‖ (ALARA) and ―as low as reasonably practicable‖ (ALARP) concepts that are found in U.S. nuclear applications and U.K. Health and Safety law • ASARP implies that: – A comprehensive spectrum of alternative means for achieving operational objectives has been identified – The performance of each alternative has been analyzed to determine the relative gains and losses in performance (operational effectiveness, safety, cost, and schedule) that would result from selecting one alternative over another – Safety performance is given priority in the selection of an alternative, insofar as the selection is within operational constraints Presented by Homayoon Dezfuli 9
ASARP (Cont.) • The ASARP region contains those alternatives whose safety performance is as high as can be achieved without resulting in intolerable performance in one or more of the other mission execution domains – ASARP is a region of the trade space and can contain more than one specific alternative – The ASARP concept makes no explicit reference to the absolute value of a system‘s safety performance – Improvements to cost, schedule, or technical performance beyond minimum tolerable levels are not justifiable if they come at the expense of safety performance Presented by Homayoon Dezfuli 10
Deriving Operational Safety Objectives • The fundamental safety principles set the stage for the further development of safety objectives, negotiated on an application-specific basis • Safety objectives are developed using an objectives hierarchy down to a level where they can be clearly addressed by systems safety activities, thereby creating a link that: – Assures that system safety activities are directed towards accomplishing defined safety objectives – Enables the system safety activities to be assessed in terms of the degree to which their target safety objectives have been met • The safety objectives at the bottom level of the objectives hierarchy represent the operational definition of safety for the system under consideration, and are referred to as operational safety objectives Presented by Homayoon Dezfuli 11
System Safety Objectives Hierarchy Presented by Homayoon Dezfuli 12
System Safety Activities 13
System Safety Activities as a Part of the System Safety Framework • System safety activities are conducted as part of the overall systems engineering technical process activities • System safety activities are designed to promote the development of safe systems and to provide evidence to help demonstrate through the Risk-Informed Safety Case (discussed later) that the stated system safety objectives have been achieved System Safety Objectives (define safety) RISC Evaluation Risk-Informed Safety Case (demonstrate safety) (confirm safety) System Safety Activities (achieve safety) Presented by Homayoon Dezfuli 14
System Safety Activities – Early Design 1. Initial constraints focus on applicable safety requirements, design alternatives, operational constraints, and risk tolerances 2. The RIDM process provides models and results to evaluate trade-offs in the search for a final design that is ASARP 3. ISAs (integration of hazard analysis, physical response 7. Inform analysis, and probabilistic 8. Allocate 6. Initialize analysis) provide input needed to demonstrate the system meets quantitative safety requirements 2. Conduct RIDM 4. Under the ASARP objective, trade 1. Set Initial Constraints 5. Select Design studies are performed to examine how variations (e.g., in design) affect not only safety but also the other mission execution domains 3. ISAs 4. Trades Note: Interfaces are shown in some cases by nesting rather than by arrows. The nesting format automatically implies an arrow from the smaller activities within the nest to the larger activity surrounding it. Presented by Homayoon Dezfuli 15
System Safety Activities – Early Design (Cont.) 5. The process of down-selecting from the design alternatives to one particular design concept is conducted through a risk- informed deliberation by the decision makers 6. The initialization role of CRM is to complete the risk modeling started during RIDM to include all hazards and associated scenarios that affect the risks 7. Informed compliance with requirements that have been 8. Allocate 7. Inform 6. Initialize developed historically and are recognized as best practices in their engineering disciplines tend to provide protection against 2. Conduct RIDM 1. Set Initial Constraints 5. Select Design known unknowns and unknown unknowns 8. The process for determining lower level performance requirements involves a risk- 3. ISAs 4. Trades informed allocation of requirements from system to sub- system level Presented by Homayoon Dezfuli 16
System Safety Activities – Detailed Design Design a safe system during detailed design Safety Detailed Design 1. During detailed design, the role of Objectives CRM evolves to Design the system to Design the system to be as safe as reasonably include the meet or exceed the practicable minimum tolerable development and level of safety implementation of new controls when Maintain Minimize the Be responsive Comply with needed to allocation of Risk-inform to new introduction of levied requirements design potentially counteract any new information requirements consistent with solution adverse during system that affect achievable safety decisions conditions during or changed risks performance design system design safety 2. Program controls and commitments include RISC Evaluation RISC management Confirms Safety activities to (within Systems Engineering) promote an System Safety Activities environment within 1. Conduct CRM (analytic deliberative process) Conduct CRM (analytic deliberative process) 2. Program control & commitments Program control and commitments Also conduct RIDM ififmajor re-planningis needed Also conduct RIDM major re-planning is needed which design Implement opportunities for Maintain risk analysis of system communication performance Management Conduct improving safety Conduct Control proactively protocols, verification research configuration without incurring Maintain Maintain other and identified seeks net- management, and validation mission exe- individual beneficial that safety unreasonable cost, integrated testing design best cution domain risks safety requirements safety programs practices, schedule, and analysis performance improvements lessons are being met models technical impacts learned, etc. are sought out and implemented Presented by Homayoon Dezfuli 17
Risk-Informed Safety Case 18
Risk-Informed Safety Case (RISC) • The risk-informed safety case (RISC) is the means by which the satisfaction of the system‘s safety objectives is demonstrated and communicated to decision makers at major milestones such as Key Decision Points (KDPs) • The RISC presents decision makers with a coherent case for safety, rather than presenting them with a set of individual safety analysis and safety management products Presented by Homayoon Dezfuli 19
Risk-Informed Safety Case (RISC) (cont.) “A risk-informed safety case (RISC) is a structured argument, supported by a body of evidence, that provides a compelling, comprehensible and valid case that a system is or will be adequately safe for a given application in a given environment. This is accomplished by addressing each of the operational safety objectives that have been negotiated for the system, including articulation of the roadmap for the achievement of safety objectives that are applicable to later phases of the system life cycle.” From NASA/SP-2010-580 (SS Handbook) • The term ‗risk-informed‘ is used to emphasize that adequate safety is the result of a deliberative decision making process that involves an assessment of risks, and strives for a proper balance between safety performance and performance in other mission execution domains Presented by Homayoon Dezfuli 20
Risk-Informed Safety Case (RISC) (cont.) • The elements of the RISC are: – An explicit set of safety claims about the system(s), for example, the probability of an accident or a group of accidents is lower than a specified value and/or as low as reasonably practicable – Supporting evidence for the claim, for example, representative operating history, redundancy in design, or results of analysis – Structured safety arguments that link claims to evidence and that use logically valid rules of inference • RISCs produced by lower-level organizational units (e.g., sub- system-level units) can be used as sub-claims of the RISC at the next higher level of the NASA hierarchy Presented by Homayoon Dezfuli 21
RISC Life Cycle Considerations • The RISC addresses the full system life cycle, regardless of the particular point in the life cycle at which the RISC is developed. This results in two types of safety claims: – Claims related to the safety objectives of the current or previous phases argue that the objectives have been met – Claims related to the safety objectives of future phases argue that necessary planning and preparation have been conducted, and that commitments are in place to satisfy the objectives at the appropriate time Presented by Homayoon Dezfuli 22
Example RISC Safety Claims Derived from Safety Objectives • The claims made (and defended) by the RISC dovetail with the safety objectives negotiated at the outset of system formulation • RISC Design Claims Derived from Design Objectives: The system design is adequately safe The system design The system design is meets or exceeds as safe as the minimum reasonably tolerable level of practicable (ASARP) safety Appropriate historically-informed defenses against Requirements have Design solution been allocated unknown and un- decisions have been consistent with quantified safety achievable safety risk informed hazards have been performance incorporated into the design Presented by Homayoon Dezfuli 23
Example RISC Structure The system design meets or exceeds the minimum tolerable level of safety • Claim: The system design meets or exceeds the An ISA has been properly The ISA shows that the conducted design solution meets the minimum tolerable level of allocated safety goal/ threshold requirements. safety The design solution has The ISA methods used are Unknown and un- been sufficiently well appropriate to the level of quantified safety hazards developed to support the design solution definition do not significantly impact ISA and the decision context safety performance Design solution elements:: ISA methods: The design is robust The design minimizes the ConOps Identify hazards against identified but un- potential for vulnerability to DRMs comprehensively quantified hazards unknown hazards Operating Characterize initiating environments events and system System schematics control responses Design drawings probabilistically The design incorporates: The design incorporates: ... Quantify events Historically-informed Minimal complexity consistent with margins against Appropriate TRL physics and available comparable stresses items data Appropriate Proven solutions to ... redundancies the extent possible Appropriate materials Appropriate for intended use inspection and Appropriate maintenance The ISA analysts are fully inspection and accesses qualified to conduct the maintenance ... ISA accesses ... Adjusted/waived requirements, standards, best practices do not significantly increase vulnerabilities to unknown/ unquantified hazards Presented by Homayoon Dezfuli 24
Example RISC Structure (cont.) • Claim: Design solution Design solution decisions are risk informed decisions are risk informed RIDM has been conducted The tailored set of to select the design that requirements, standards, maximizes safety without and best practices to excessive performance which the design complies penalties in other mission supports a design solution execution domains that is as safe as reasonably practicable Stakeholder objectives are The RIDM methods used understood and are appropriate to the life The set of applicable There is an appropriate requirements (or imposed cycle phase and the requirements, standards, analytical basis for all constraints) have been decision context and best practices was adjustments/waivers to allocated from the level comprehensively identified requirements, standards, above and best practices RIDM methods: Identify alternatives Analyze the risks associated with each Adjusted/waived alternative requirements, standards, Support the risk- best practices: informed, deliberative Improve the balance selection of a design between analyzed alternative performance measures Preserve safety performance as a priority The RIDM analysts are Do not significantly fully qualified to conduct increase RIDM vulnerabilities to unknown/ unquantified hazards Presented by Homayoon Dezfuli 25
Example RISC Structure (cont.) • Claim: Appropriate historically- informed defenses against Appropriate historically-informed defenses against unknown and unknown and un-quantified safety un-quantified safety hazards are incorporated into the design hazards are incorporated into the design The design is robust The design minimizes the • against identified but un- potential for vulnerability to Claim: Requirements are allocated quantified hazards unknown hazards consistent with achievable safety The design incorporates: The design incorporates: performance Historically-informed Minimal complexity margins against Appropriate TRL comparable stresses items Appropriate Proven solutions to redundancies the extent possible Appropriate materials Appropriate for intended use inspection and Allocated requirements Appropriate maintenance are consistent with inspection and accesses achievable safety maintenance ... performance accesses ... Performance requirements Allocated requirements are consistent with the have been negotiated Adjusted/waived performance commitments between the requirements requirements, standards, developed during RIDM owner and the best practices do not organization responsible significantly increase for meeting the vulnerabilities to unknown/ requirements unquantified hazards Presented by Homayoon Dezfuli 26
Independent Evaluation of the RISC • It is good practice for an evaluator to have one or more checklists for determining whether the evidence is sufficient to support a claim • The checklist should be organized independently from the RISC and should tend to be generically applicable rather than application specific EVALUATION BY ANALYSIS TYPE ANALYSIS ATTRIBUTE Physical Hazards Individual Aggregate Risk Risk Responses Risks Risks Drivers Allocations Important issues are identified and evaluated Grade: Grade: Grade: Grade: Grade: Grade: Comment: Comment: Comment: Comment: Comment: Comment: Models are graded according to the importance of the issue Grade: Grade: Grade: Grade: Grade: Grade: Comment: Comment: Comment: Comment: Comment: Comment: Tests support models and analysis of important issues Grade: Grade: Grade: Grade: Grade: Grade: Comment: Comment: Comment: Comment: Comment: Comment: Best available models are used for all risk significant issues Grade: Grade: Grade: Grade: Grade: Grade: Comment: Comment: Comment: Comment: Comment: Comment: Etc. PROGRAMMATIC CONTROL EVALUATION Plans related to programmatic controls are comprehensively and clearly documented. Grade: Comment: Management will actively promote an environment within which design opportunities for improving safety Grade: without incurring unreasonable cost, schedule, and technical impacts are sought out and implemented Comment: during each phase. Protocols are in place that will promote effective and timely communication among design teams from Grade: different organizations working on different parts of the system. Comment: Etc. Presented by Homayoon Dezfuli 27
Putting It All Together Presented by Homayoon Dezfuli 28
Challenges Ahead • Organizational challenges – Integrating system safety personnel/activities more closely with systems engineering, operations management, and risk management • Analytical challenges – Integrating/refining existing analysis activities to support the development of an integrated safety analysis (ISA) – Meaningful accounting for unknown and under-evaluated risks in determining whether safety thresholds and goals have been achieved • Procedural and regulatory challenges – Development of standards and practices for formulating and evaluating risk informed safety cases (RISCs) – Development of guidelines for excising unnecessary requirements while maintaining safety beneficial requirements Presented by Homayoon Dezfuli 29
Backup Slides 30
Independent Evaluation of the RISC • A flowdown checklist for evaluating the RISC has the advantage of explicitly showing how arguments based on evidence support claims. 1.0 TOP-LEVEL CLAIM Safety Performance Measures This flow-down checklist examines ―how safe‖ the system is (or will be),* how well it is demonstrated, and what is being done to make sure Safety Performance Requirements that the top-level safety claim is true (or remains true).* This is the technical basis for the claim: (including Goal and Threshold) Evidence, including operating experience, testing, associated engineering analysis, and a comprehensive, integrated design and safety Engineering Requirements analysis (IDSA), including scenario modeling using Probabilistic Safety Analysis (PSA) Process Requirements A credible set of performance commitments, deterministic requirements, and implementation measures. * The nature and specificity of the claim, and the character of the underlying evidence, depend on the life cycle phase at which the safety case is being applied. The results of analysis have been clearly presented, conditional on an The design intent is characterized in terms of It has been successfully demonstrated The implementation aspects needed to explicitly characterized baseline allocation of levels of performance, design reference missions, CONOPS, and that no further improvements to the achieve the level of safety claimed is risk-informed requirements, and operating experience. An effective deterministic requirements to be satisfied. The design or operations are currently net- correctly understood, and the process for identifying departures from this baseline and/or design itself is characterized at a level of detail beneficial (as safe as reasonably necessary measures have been addressing future emergent issues that are not addressed by this appropriate to the current life cycle phase. practicable). committed to. baseline has been developed. 1.1 1.2 1.3 1.4 An effective process for The design for the current life Analyses performed provide the An effective process has been addressing unresolved and The design and mission intent cycle phase (including following results: carried out to identify significant It has been confirmed that allocated non-quantified safety issues safety improvements, but no is well charctterized.* requirements and controls) is Aggregate risk results (issues invalidating the performance is feasible well specified.* Dominant accident scenarios candidate measures have been baseline case) has been identified 1.1.1 1.1.2 Comparison with threshold/ formuulated. 1.4.1 1.2.2 1.3.1 goal Established baseline for An effective process has been A reasonable defense developed for monitoring and precursor analysis It has been demonstrated that further against unknown safety assuring ongoing satisfaction of ….. issues is included in the improvements in safety would allocated performance levels, and design and controls unacceptably affect schedule 1.2.1 there are commitments to implement Concept of Operation What is credited is reasonable these measures Design Reference and justifiable 1.2.2.1 1.3.2 1.4.2 Missions Operation Environments 1.1.2.1 Historically Informed In addition to reviewing existing information sources and A reasonable attempt has been It has been demonstrated that further Elements operating experience, the best processes known for identifying improvements in safety would incur made to identify and prioritize all The nominal performance and previously unrecognized safety hazards has been applied. significant risks in the risk 1.1.1.1 dynamic responses in design excessive performance penalties management program reference phases are well 1.2.1.1 1.3.3 1.4.3 understood and justified 1.1.2.2 The limits of the safety models are recognized, the caliber of evidence used in the models has been evaluated, and uncertainty An effective process has been It has been demonstrated that further developed for evaluating flight and The performance tailoring and and sensitivity analyses have been performed. improvements in safety would incur test experience for the presence of allocation are well understood Completeness issue excessive cost accident precursors and justified Understanding of key phenomenology and assumptions 1.3.4 1.4.4 1.1.2.3 1.2.1.3 Hazard controls, crew survival methods (if applicable), deterministic requirements, and fault protection approaches have been formulated effectively in a risk-informed manner 1.1.2.4 1.2.1.2 Presented by Homayoon Dezfuli 31

Recomendados

Gainful Information Security 2012 services
Gainful Information Security 2012 servicesGainful Information Security 2012 services
Gainful Information Security 2012 servicesCade Zvavanjanja
 
201408 fire eye korea user event press roundtable
201408 fire eye korea user event press roundtable201408 fire eye korea user event press roundtable
201408 fire eye korea user event press roundtableJunSeok Seo
 
Massbiz Consulting Crede Sed Proba
Massbiz Consulting Crede Sed ProbaMassbiz Consulting Crede Sed Proba
Massbiz Consulting Crede Sed ProbaJames McDonald
 
Sms Guidance Pamphlet
Sms Guidance PamphletSms Guidance Pamphlet
Sms Guidance PamphletGarnerbarro PL
 
Information Security Maturity Model
Information Security Maturity ModelInformation Security Maturity Model
Information Security Maturity ModelCSCJournals
 
Security Maturity Model
Security Maturity ModelSecurity Maturity Model
Security Maturity ModelConferencias FIST
 
SMS Manager Static Demo | Aviation Safety Management System
SMS Manager Static Demo | Aviation Safety Management SystemSMS Manager Static Demo | Aviation Safety Management System
SMS Manager Static Demo | Aviation Safety Management SystemUniversal Weather and Aviation, Inc.
 
CS 5032 L12 security testing and dependability cases 2013
CS 5032 L12 security testing and dependability cases 2013CS 5032 L12 security testing and dependability cases 2013
CS 5032 L12 security testing and dependability cases 2013Ian Sommerville
 

Recomendados

Gainful Information Security 2012 services
Gainful Information Security 2012 servicesGainful Information Security 2012 services
Gainful Information Security 2012 servicesCade Zvavanjanja
 
201408 fire eye korea user event press roundtable
201408 fire eye korea user event press roundtable201408 fire eye korea user event press roundtable
201408 fire eye korea user event press roundtableJunSeok Seo
 
Massbiz Consulting Crede Sed Proba
Massbiz Consulting Crede Sed ProbaMassbiz Consulting Crede Sed Proba
Massbiz Consulting Crede Sed ProbaJames McDonald
 
Sms Guidance Pamphlet
Sms Guidance PamphletSms Guidance Pamphlet
Sms Guidance PamphletGarnerbarro PL
 
Information Security Maturity Model
Information Security Maturity ModelInformation Security Maturity Model
Information Security Maturity ModelCSCJournals
 
Security Maturity Model
Security Maturity ModelSecurity Maturity Model
Security Maturity ModelConferencias FIST
 
SMS Manager Static Demo | Aviation Safety Management System
SMS Manager Static Demo | Aviation Safety Management SystemSMS Manager Static Demo | Aviation Safety Management System
SMS Manager Static Demo | Aviation Safety Management SystemUniversal Weather and Aviation, Inc.
 
CS 5032 L12 security testing and dependability cases 2013
CS 5032 L12 security testing and dependability cases 2013CS 5032 L12 security testing and dependability cases 2013
CS 5032 L12 security testing and dependability cases 2013Ian Sommerville
 
Engelbrecht.joe
Engelbrecht.joeEngelbrecht.joe
Engelbrecht.joeNASAPMC
 
Mitchell.robert
Mitchell.robertMitchell.robert
Mitchell.robertNASAPMC
 
Art c
Art cArt c
Art cNASAPMC
 
Frost.jim
Frost.jimFrost.jim
Frost.jimNASAPMC
 
Eric.druker
Eric.drukerEric.druker
Eric.drukerNASAPMC
 
Borchardt.heidemarie
Borchardt.heidemarieBorchardt.heidemarie
Borchardt.heidemarieNASAPMC
 
Dezfuli.homayoon
Dezfuli.homayoonDezfuli.homayoon
Dezfuli.homayoonNASAPMC
 
Security testing (CS 5032 2012)
Security testing (CS 5032 2012)Security testing (CS 5032 2012)
Security testing (CS 5032 2012)Ian Sommerville
 
SIL.ppt
SIL.pptSIL.ppt
SIL.pptKrishna Yadav
 
Cyber Security Awareness Month 2017-Nugget 3
Cyber Security Awareness Month 2017-Nugget 3Cyber Security Awareness Month 2017-Nugget 3
Cyber Security Awareness Month 2017-Nugget 3Chinatu Uzuegbu
 
A holistic view_of_enterprise_security
A holistic view_of_enterprise_securityA holistic view_of_enterprise_security
A holistic view_of_enterprise_securityehawk01
 
NCCDC 2019 Standards Presentation.pptx
NCCDC 2019 Standards Presentation.pptxNCCDC 2019 Standards Presentation.pptx
NCCDC 2019 Standards Presentation.pptxJeffThompson991132
 
The Security Vulnerability Assessment Process & Best Practices
The Security Vulnerability Assessment Process & Best PracticesThe Security Vulnerability Assessment Process & Best Practices
The Security Vulnerability Assessment Process & Best PracticesKellep Charles
 
2. Improving an Existing Sec Sys
2. Improving an Existing Sec Sys2. Improving an Existing Sec Sys
2. Improving an Existing Sec SysMicheal Isreal
 
Design and Analyze Secure Networked Systems - 2
Design and Analyze Secure Networked Systems - 2Design and Analyze Secure Networked Systems - 2
Design and Analyze Secure Networked Systems - 2Don Kim
 
CS5032 L9 security engineering 1 2013
CS5032 L9 security engineering 1 2013CS5032 L9 security engineering 1 2013
CS5032 L9 security engineering 1 2013Ian Sommerville
 
Critical systems specification
Critical systems specificationCritical systems specification
Critical systems specificationAryan Ajmer
 
Ch01
Ch01Ch01
Ch01n C
 
BLE 1213 MUST.pptx- basics principles of Physical Security
BLE 1213 MUST.pptx- basics principles of Physical SecurityBLE 1213 MUST.pptx- basics principles of Physical Security
BLE 1213 MUST.pptx- basics principles of Physical SecurityMajor K. Subramaniam Kmaravehlu
 
Dawn.schaible
Dawn.schaibleDawn.schaible
Dawn.schaibleNASAPMC
 
Review 1 부분4
Review 1 부분4Review 1 부분4
Review 1 부분4희범 구
 
Security architecture, engineering and operations
Security architecture, engineering and operationsSecurity architecture, engineering and operations
Security architecture, engineering and operationsPiyush Jain
 

Más contenido relacionado

Destacado

Engelbrecht.joe
Engelbrecht.joeEngelbrecht.joe
Engelbrecht.joeNASAPMC
 
Mitchell.robert
Mitchell.robertMitchell.robert
Mitchell.robertNASAPMC
 
Frost.jim
Frost.jimFrost.jim
Frost.jimNASAPMC
 
Eric.druker
Eric.drukerEric.druker
Eric.drukerNASAPMC
 
Borchardt.heidemarie
Borchardt.heidemarieBorchardt.heidemarie
Borchardt.heidemarieNASAPMC
 

Destacado (6)

Engelbrecht.joe
Engelbrecht.joeEngelbrecht.joe
Engelbrecht.joe
 
Mitchell.robert
Mitchell.robertMitchell.robert
Mitchell.robert
 
Art c
Art cArt c
Art c
 
Frost.jim
Frost.jimFrost.jim
Frost.jim
 
Eric.druker
Eric.drukerEric.druker
Eric.druker
 
Borchardt.heidemarie
Borchardt.heidemarieBorchardt.heidemarie
Borchardt.heidemarie
 

Similar a Dezfuli.h

Dezfuli.homayoon
Dezfuli.homayoonDezfuli.homayoon
Dezfuli.homayoonNASAPMC
 
Security testing (CS 5032 2012)
Security testing (CS 5032 2012)Security testing (CS 5032 2012)
Security testing (CS 5032 2012)Ian Sommerville
 
Cyber Security Awareness Month 2017-Nugget 3
Cyber Security Awareness Month 2017-Nugget 3Cyber Security Awareness Month 2017-Nugget 3
Cyber Security Awareness Month 2017-Nugget 3Chinatu Uzuegbu
 
A holistic view_of_enterprise_security
A holistic view_of_enterprise_securityA holistic view_of_enterprise_security
A holistic view_of_enterprise_securityehawk01
 
NCCDC 2019 Standards Presentation.pptx
NCCDC 2019 Standards Presentation.pptxNCCDC 2019 Standards Presentation.pptx
NCCDC 2019 Standards Presentation.pptxJeffThompson991132
 
The Security Vulnerability Assessment Process & Best Practices
The Security Vulnerability Assessment Process & Best PracticesThe Security Vulnerability Assessment Process & Best Practices
The Security Vulnerability Assessment Process & Best PracticesKellep Charles
 
2. Improving an Existing Sec Sys
2. Improving an Existing Sec Sys2. Improving an Existing Sec Sys
2. Improving an Existing Sec SysMicheal Isreal
 
Design and Analyze Secure Networked Systems - 2
Design and Analyze Secure Networked Systems - 2Design and Analyze Secure Networked Systems - 2
Design and Analyze Secure Networked Systems - 2Don Kim
 
CS5032 L9 security engineering 1 2013
CS5032 L9 security engineering 1 2013CS5032 L9 security engineering 1 2013
CS5032 L9 security engineering 1 2013Ian Sommerville
 
Critical systems specification
Critical systems specificationCritical systems specification
Critical systems specificationAryan Ajmer
 
Ch01
Ch01Ch01
Ch01n C
 
BLE 1213 MUST.pptx- basics principles of Physical Security
BLE 1213 MUST.pptx- basics principles of Physical SecurityBLE 1213 MUST.pptx- basics principles of Physical Security
BLE 1213 MUST.pptx- basics principles of Physical SecurityMajor K. Subramaniam Kmaravehlu
 
Dawn.schaible
Dawn.schaibleDawn.schaible
Dawn.schaibleNASAPMC
 
Review 1 부분4
Review 1 부분4Review 1 부분4
Review 1 부분4희범 구
 
Security architecture, engineering and operations
Security architecture, engineering and operationsSecurity architecture, engineering and operations
Security architecture, engineering and operationsPiyush Jain
 
CCNA Security - Chapter 9
CCNA Security - Chapter 9CCNA Security - Chapter 9
CCNA Security - Chapter 9Irsandi Hasan
 
Information security - 360 Degree Approach
Information security - 360 Degree ApproachInformation security - 360 Degree Approach
Information security - 360 Degree Approachharsh arora
 

Similar a Dezfuli.h (20)

Dezfuli.homayoon
Dezfuli.homayoonDezfuli.homayoon
Dezfuli.homayoon
 
Security testing (CS 5032 2012)
Security testing (CS 5032 2012)Security testing (CS 5032 2012)
Security testing (CS 5032 2012)
 
SIL.ppt
SIL.pptSIL.ppt
SIL.ppt
 
Cyber Security Awareness Month 2017-Nugget 3
Cyber Security Awareness Month 2017-Nugget 3Cyber Security Awareness Month 2017-Nugget 3
Cyber Security Awareness Month 2017-Nugget 3
 
A holistic view_of_enterprise_security
A holistic view_of_enterprise_securityA holistic view_of_enterprise_security
A holistic view_of_enterprise_security
 
NCCDC 2019 Standards Presentation.pptx
NCCDC 2019 Standards Presentation.pptxNCCDC 2019 Standards Presentation.pptx
NCCDC 2019 Standards Presentation.pptx
 
The Security Vulnerability Assessment Process & Best Practices
The Security Vulnerability Assessment Process & Best PracticesThe Security Vulnerability Assessment Process & Best Practices
The Security Vulnerability Assessment Process & Best Practices
 
2. Improving an Existing Sec Sys
2. Improving an Existing Sec Sys2. Improving an Existing Sec Sys
2. Improving an Existing Sec Sys
 
Design and Analyze Secure Networked Systems - 2
Design and Analyze Secure Networked Systems - 2Design and Analyze Secure Networked Systems - 2
Design and Analyze Secure Networked Systems - 2
 
CS5032 L9 security engineering 1 2013
CS5032 L9 security engineering 1 2013CS5032 L9 security engineering 1 2013
CS5032 L9 security engineering 1 2013
 
Critical systems specification
Critical systems specificationCritical systems specification
Critical systems specification
 
Ch01
Ch01Ch01
Ch01
 
BLE 1213 MUST.pptx- basics principles of Physical Security
BLE 1213 MUST.pptx- basics principles of Physical SecurityBLE 1213 MUST.pptx- basics principles of Physical Security
BLE 1213 MUST.pptx- basics principles of Physical Security
 
Dawn.schaible
Dawn.schaibleDawn.schaible
Dawn.schaible
 
Review 1 부분4
Review 1 부분4Review 1 부분4
Review 1 부분4
 
Security architecture, engineering and operations
Security architecture, engineering and operationsSecurity architecture, engineering and operations
Security architecture, engineering and operations
 
Security assessment
Security assessmentSecurity assessment
Security assessment
 
CCNA Security - Chapter 9
CCNA Security - Chapter 9CCNA Security - Chapter 9
CCNA Security - Chapter 9
 
Information security - 360 Degree Approach
Information security - 360 Degree ApproachInformation security - 360 Degree Approach
Information security - 360 Degree Approach
 
Introduction to Ethical Hacking
Introduction to Ethical HackingIntroduction to Ethical Hacking
Introduction to Ethical Hacking
 

Más de NASAPMC

Bejmuk bo
Bejmuk boBejmuk bo
Bejmuk boNASAPMC
 
Baniszewski john
Baniszewski johnBaniszewski john
Baniszewski johnNASAPMC
 
Yew manson
Yew mansonYew manson
Yew mansonNASAPMC
 
Wood frank
Wood frankWood frank
Wood frankNASAPMC
 
Wood frank
Wood frankWood frank
Wood frankNASAPMC
 
Wessen randi (cd)
Wessen randi (cd)Wessen randi (cd)
Wessen randi (cd)NASAPMC
 
Vellinga joe
Vellinga joeVellinga joe
Vellinga joeNASAPMC
 
Trahan stuart
Trahan stuartTrahan stuart
Trahan stuartNASAPMC
 
Stock gahm
Stock gahmStock gahm
Stock gahmNASAPMC
 
Snow lee
Snow leeSnow lee
Snow leeNASAPMC
 
Smalley sandra
Smalley sandraSmalley sandra
Smalley sandraNASAPMC
 
Seftas krage
Seftas krageSeftas krage
Seftas krageNASAPMC
 
Sampietro marco
Sampietro marcoSampietro marco
Sampietro marcoNASAPMC
 
Rudolphi mike
Rudolphi mikeRudolphi mike
Rudolphi mikeNASAPMC
 
Roberts karlene
Roberts karleneRoberts karlene
Roberts karleneNASAPMC
 
Rackley mike
Rackley mikeRackley mike
Rackley mikeNASAPMC
 
Paradis william
Paradis williamParadis william
Paradis williamNASAPMC
 
Osterkamp jeff
Osterkamp jeffOsterkamp jeff
Osterkamp jeffNASAPMC
 
O'keefe william
O'keefe williamO'keefe william
O'keefe williamNASAPMC
 
Muller ralf
Muller ralfMuller ralf
Muller ralfNASAPMC
 

Más de NASAPMC (20)

Bejmuk bo
Bejmuk boBejmuk bo
Bejmuk bo
 
Baniszewski john
Baniszewski johnBaniszewski john
Baniszewski john
 
Yew manson
Yew mansonYew manson
Yew manson
 
Wood frank
Wood frankWood frank
Wood frank
 
Wood frank
Wood frankWood frank
Wood frank
 
Wessen randi (cd)
Wessen randi (cd)Wessen randi (cd)
Wessen randi (cd)
 
Vellinga joe
Vellinga joeVellinga joe
Vellinga joe
 
Trahan stuart
Trahan stuartTrahan stuart
Trahan stuart
 
Stock gahm
Stock gahmStock gahm
Stock gahm
 
Snow lee
Snow leeSnow lee
Snow lee
 
Smalley sandra
Smalley sandraSmalley sandra
Smalley sandra
 
Seftas krage
Seftas krageSeftas krage
Seftas krage
 
Sampietro marco
Sampietro marcoSampietro marco
Sampietro marco
 
Rudolphi mike
Rudolphi mikeRudolphi mike
Rudolphi mike
 
Roberts karlene
Roberts karleneRoberts karlene
Roberts karlene
 
Rackley mike
Rackley mikeRackley mike
Rackley mike
 
Paradis william
Paradis williamParadis william
Paradis william
 
Osterkamp jeff
Osterkamp jeffOsterkamp jeff
Osterkamp jeff
 
O'keefe william
O'keefe williamO'keefe william
O'keefe william
 
Muller ralf
Muller ralfMuller ralf
Muller ralf
 

Último

1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdfShaun Heinrichs
 
20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdf
20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdf20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdf
20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdfChris Skinner
 
Onemonitar Android Spy App Features: Explore Advanced Monitoring Capabilities
Onemonitar Android Spy App Features: Explore Advanced Monitoring CapabilitiesOnemonitar Android Spy App Features: Explore Advanced Monitoring Capabilities
Onemonitar Android Spy App Features: Explore Advanced Monitoring CapabilitiesOne Monitar
 
Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...
Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...
Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...ssuserf63bd7
 
The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...
The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...
The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...Operational Excellence Consulting
 
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...ssuserf63bd7
 
Supercharge Your eCommerce Stores-acowebs
Supercharge Your eCommerce Stores-acowebsSupercharge Your eCommerce Stores-acowebs
Supercharge Your eCommerce Stores-acowebsGOKUL JS
 
Unveiling the Soundscape Music for Psychedelic Experiences
Unveiling the Soundscape Music for Psychedelic ExperiencesUnveiling the Soundscape Music for Psychedelic Experiences
Unveiling the Soundscape Music for Psychedelic ExperiencesDoe Paoro
 
Effective Strategies for Maximizing Your Profit When Selling Gold Jewelry
Effective Strategies for Maximizing Your Profit When Selling Gold JewelryEffective Strategies for Maximizing Your Profit When Selling Gold Jewelry
Effective Strategies for Maximizing Your Profit When Selling Gold JewelryWhittensFineJewelry1
 
Entrepreneurship lessons in Philippines
Entrepreneurship lessons in PhilippinesEntrepreneurship lessons in Philippines
Entrepreneurship lessons in PhilippinesDavidSamuel525586
 
Jewish Resources in the Family Resource Centre
Jewish Resources in the Family Resource CentreJewish Resources in the Family Resource Centre
Jewish Resources in the Family Resource CentreNZSG
 
How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...
How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...
How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...Hector Del Castillo, CPM, CPMM
 
Excvation Safety for safety officers reference
Excvation Safety for safety officers referenceExcvation Safety for safety officers reference
Excvation Safety for safety officers referencessuser2c065e
 
TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024Adnet Communications
 
Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...Peter Ward
 
Healthcare Feb. & Mar. Healthcare Newsletter
Healthcare Feb. & Mar. Healthcare NewsletterHealthcare Feb. & Mar. Healthcare Newsletter
Healthcare Feb. & Mar. Healthcare NewsletterJamesConcepcion7
 
1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdfShaun Heinrichs
 
Welding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan DynamicsWelding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan DynamicsIndiaMART InterMESH Limited
 
WSMM Technology February.March Newsletter_vF.pdf
WSMM Technology February.March Newsletter_vF.pdfWSMM Technology February.March Newsletter_vF.pdf
WSMM Technology February.March Newsletter_vF.pdfJamesConcepcion7
 

Último (20)

1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf
 
20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdf
20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdf20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdf
20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdf
 
Onemonitar Android Spy App Features: Explore Advanced Monitoring Capabilities
Onemonitar Android Spy App Features: Explore Advanced Monitoring CapabilitiesOnemonitar Android Spy App Features: Explore Advanced Monitoring Capabilities
Onemonitar Android Spy App Features: Explore Advanced Monitoring Capabilities
 
Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...
Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...
Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...
 
The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...
The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...
The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...
 
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...
 
Supercharge Your eCommerce Stores-acowebs
Supercharge Your eCommerce Stores-acowebsSupercharge Your eCommerce Stores-acowebs
Supercharge Your eCommerce Stores-acowebs
 
Unveiling the Soundscape Music for Psychedelic Experiences
Unveiling the Soundscape Music for Psychedelic ExperiencesUnveiling the Soundscape Music for Psychedelic Experiences
Unveiling the Soundscape Music for Psychedelic Experiences
 
Effective Strategies for Maximizing Your Profit When Selling Gold Jewelry
Effective Strategies for Maximizing Your Profit When Selling Gold JewelryEffective Strategies for Maximizing Your Profit When Selling Gold Jewelry
Effective Strategies for Maximizing Your Profit When Selling Gold Jewelry
 
Entrepreneurship lessons in Philippines
Entrepreneurship lessons in PhilippinesEntrepreneurship lessons in Philippines
Entrepreneurship lessons in Philippines
 
Jewish Resources in the Family Resource Centre
Jewish Resources in the Family Resource CentreJewish Resources in the Family Resource Centre
Jewish Resources in the Family Resource Centre
 
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptxThe Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
 
How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...
How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...
How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...
 
Excvation Safety for safety officers reference
Excvation Safety for safety officers referenceExcvation Safety for safety officers reference
Excvation Safety for safety officers reference
 
TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024
 
Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...
 
Healthcare Feb. & Mar. Healthcare Newsletter
Healthcare Feb. & Mar. Healthcare NewsletterHealthcare Feb. & Mar. Healthcare Newsletter
Healthcare Feb. & Mar. Healthcare Newsletter
 
1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf
 
Welding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan DynamicsWelding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan Dynamics
 
WSMM Technology February.March Newsletter_vF.pdf
WSMM Technology February.March Newsletter_vF.pdfWSMM Technology February.March Newsletter_vF.pdf
WSMM Technology February.March Newsletter_vF.pdf
 

Dezfuli.h

  • 1. A ―Systems/Case-based‖ Approach to System Safety Presented at NASA Project Management Challenge 2012 February 22-23, 2012 Homayoon Dezfuli, Ph.D. NASA Technical Fellow for System Safety Office of Safety and Mission assurance (OSMA) NASA Headquarters
  • 2. Introduction • We have developed a System Safety Framework under which system safety activities are conducted and communicated • The three elements of the framework are: – Safety objectives – System safety activities – Risk-Informed Safety Case (RISC) • Guidance on the System Safety Framework is contained in the NASA System Safety Handbook – Volume 1: System Safety Framework and Concepts for Implementation (NASA/SP-2010- 580) • Volume 1 will be followed by Volume 2 on methods Presented by Homayoon Dezfuli 2
  • 3. Motivation • Development of the System Safety Framework is motivated by a desire to: – Foster a systems view of safety (i.e., a holistic, systems engineering view of safety) – Improve integration and effectiveness of system safety activities – Establish a process for defining ―adequate safety‖ – Establish a means for presenting a coherent case for the safety of the system to decision makers – Establish a process that is compatible with the growing trend toward insight/oversight relationships with commercial providers Presented by Homayoon Dezfuli 3
  • 5. What is Safety? “Safety is freedom from those conditions that can cause death, injury, occupational illness, damage to or loss of equipment or property, or damage to the environment” NPR 8715.3 • The specific scope of safety is application-specific, and must be clearly defined by the stakeholders in terms of the entities to which it applies and the consequences against which it is assessed • The degree of safety that is considered acceptable is also application-specific – We strive to attain a degree of safety that fulfills obligations to the at-risk communities and addresses agency priorities – We do not expect to attain absolute safety (nor consider it possible to do so) Presented by Homayoon Dezfuli 5
  • 6. Adequate Safety • Achieving an adequately safe system requires adherence to the following fundamental safety principles: – The system meets or exceeds a minimum tolerable level of safety. Below this level the system is considered unsafe – The system is as safe as reasonably practicable (ASARP) Achieve an adequately safe system Achieve a system that Achieve a system that is meets or exceeds the as safe as reasonably minimum tolerable level practicable (ASARP) of safety Operate the system Design the system to Build the system to Design the system to Build the system to Operate the system to continuously meet meet or exceed the meet or exceed the be as safe as be as safe as to continuously be as or exceed the minimum tolerable minimum tolerable reasonably reasonably safe as reasonably minimum tolerable level of safety level of safety practicable practicable practicable level of safety • The minimum tolerable level of safety is not necessarily static, and may evolve over the course of the system life cycle • The principles of adequate safety must be maintained throughout all phases of the system life cycle Presented by Homayoon Dezfuli 6
  • 7. NASA Safety Thresholds & Goals • NASA‘s minimum level of tolerable safety for human spaceflight missions is articulated in NASA‘s agency-level safety goals and thresholds for crew transportation system missions to the ISS • They reflect a tolerance for an initial safety performance that is acceptable initially but below long-term expectations Presented by Homayoon Dezfuli 7
  • 8. NASA Safety Thresholds and Goals: Accounting for the Unknowns “ There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don't know we don't know. ” — Former United States Secretary of Defense Donald Rumsfeld, 2002 • Meeting quantitative safety requirements means more than simply showing that the known-known risks do not exceed the applicable goal or threshold • We must also be able to show that: – The known-unknowns (risks that have been identified but are not quantifiable) and the unknown-unknowns (risks that exist but have not been identified) are bounded – The bounds of the unknowns do not threaten the quantitative safety requirements • Methods for doing this include: – Reliability growth analyses of US vehicles and other countries‘ vehicles – Analyses of historical precursors and anomalies Presented by Homayoon Dezfuli 8
  • 9. As Safe As Reasonably Practicable (ASARP) “ASARP entails weighing the safety performance of a system against the sacrifice needed to further improve it. A system is ASARP if an incremental improvement in safety would require a disproportionate deterioration of system performance in other areas.” From SS Handbook • The ASARP concept is closely related to the ―as low as reasonably achievable‖ (ALARA) and ―as low as reasonably practicable‖ (ALARP) concepts that are found in U.S. nuclear applications and U.K. Health and Safety law • ASARP implies that: – A comprehensive spectrum of alternative means for achieving operational objectives has been identified – The performance of each alternative has been analyzed to determine the relative gains and losses in performance (operational effectiveness, safety, cost, and schedule) that would result from selecting one alternative over another – Safety performance is given priority in the selection of an alternative, insofar as the selection is within operational constraints Presented by Homayoon Dezfuli 9
  • 10. ASARP (Cont.) • The ASARP region contains those alternatives whose safety performance is as high as can be achieved without resulting in intolerable performance in one or more of the other mission execution domains – ASARP is a region of the trade space and can contain more than one specific alternative – The ASARP concept makes no explicit reference to the absolute value of a system‘s safety performance – Improvements to cost, schedule, or technical performance beyond minimum tolerable levels are not justifiable if they come at the expense of safety performance Presented by Homayoon Dezfuli 10
  • 11. Deriving Operational Safety Objectives • The fundamental safety principles set the stage for the further development of safety objectives, negotiated on an application-specific basis • Safety objectives are developed using an objectives hierarchy down to a level where they can be clearly addressed by systems safety activities, thereby creating a link that: – Assures that system safety activities are directed towards accomplishing defined safety objectives – Enables the system safety activities to be assessed in terms of the degree to which their target safety objectives have been met • The safety objectives at the bottom level of the objectives hierarchy represent the operational definition of safety for the system under consideration, and are referred to as operational safety objectives Presented by Homayoon Dezfuli 11
  • 12. System Safety Objectives Hierarchy Presented by Homayoon Dezfuli 12
  • 14. System Safety Activities as a Part of the System Safety Framework • System safety activities are conducted as part of the overall systems engineering technical process activities • System safety activities are designed to promote the development of safe systems and to provide evidence to help demonstrate through the Risk-Informed Safety Case (discussed later) that the stated system safety objectives have been achieved System Safety Objectives (define safety) RISC Evaluation Risk-Informed Safety Case (demonstrate safety) (confirm safety) System Safety Activities (achieve safety) Presented by Homayoon Dezfuli 14
  • 15. System Safety Activities – Early Design 1. Initial constraints focus on applicable safety requirements, design alternatives, operational constraints, and risk tolerances 2. The RIDM process provides models and results to evaluate trade-offs in the search for a final design that is ASARP 3. ISAs (integration of hazard analysis, physical response 7. Inform analysis, and probabilistic 8. Allocate 6. Initialize analysis) provide input needed to demonstrate the system meets quantitative safety requirements 2. Conduct RIDM 4. Under the ASARP objective, trade 1. Set Initial Constraints 5. Select Design studies are performed to examine how variations (e.g., in design) affect not only safety but also the other mission execution domains 3. ISAs 4. Trades Note: Interfaces are shown in some cases by nesting rather than by arrows. The nesting format automatically implies an arrow from the smaller activities within the nest to the larger activity surrounding it. Presented by Homayoon Dezfuli 15
  • 16. System Safety Activities – Early Design (Cont.) 5. The process of down-selecting from the design alternatives to one particular design concept is conducted through a risk- informed deliberation by the decision makers 6. The initialization role of CRM is to complete the risk modeling started during RIDM to include all hazards and associated scenarios that affect the risks 7. Informed compliance with requirements that have been 8. Allocate 7. Inform 6. Initialize developed historically and are recognized as best practices in their engineering disciplines tend to provide protection against 2. Conduct RIDM 1. Set Initial Constraints 5. Select Design known unknowns and unknown unknowns 8. The process for determining lower level performance requirements involves a risk- 3. ISAs 4. Trades informed allocation of requirements from system to sub- system level Presented by Homayoon Dezfuli 16
  • 17. System Safety Activities – Detailed Design Design a safe system during detailed design Safety Detailed Design 1. During detailed design, the role of Objectives CRM evolves to Design the system to Design the system to be as safe as reasonably include the meet or exceed the practicable minimum tolerable development and level of safety implementation of new controls when Maintain Minimize the Be responsive Comply with needed to allocation of Risk-inform to new introduction of levied requirements design potentially counteract any new information requirements consistent with solution adverse during system that affect achievable safety decisions conditions during or changed risks performance design system design safety 2. Program controls and commitments include RISC Evaluation RISC management Confirms Safety activities to (within Systems Engineering) promote an System Safety Activities environment within 1. Conduct CRM (analytic deliberative process) Conduct CRM (analytic deliberative process) 2. Program control & commitments Program control and commitments Also conduct RIDM ififmajor re-planningis needed Also conduct RIDM major re-planning is needed which design Implement opportunities for Maintain risk analysis of system communication performance Management Conduct improving safety Conduct Control proactively protocols, verification research configuration without incurring Maintain Maintain other and identified seeks net- management, and validation mission exe- individual beneficial that safety unreasonable cost, integrated testing design best cution domain risks safety requirements safety programs practices, schedule, and analysis performance improvements lessons are being met models technical impacts learned, etc. are sought out and implemented Presented by Homayoon Dezfuli 17
  • 19. Risk-Informed Safety Case (RISC) • The risk-informed safety case (RISC) is the means by which the satisfaction of the system‘s safety objectives is demonstrated and communicated to decision makers at major milestones such as Key Decision Points (KDPs) • The RISC presents decision makers with a coherent case for safety, rather than presenting them with a set of individual safety analysis and safety management products Presented by Homayoon Dezfuli 19
  • 20. Risk-Informed Safety Case (RISC) (cont.) “A risk-informed safety case (RISC) is a structured argument, supported by a body of evidence, that provides a compelling, comprehensible and valid case that a system is or will be adequately safe for a given application in a given environment. This is accomplished by addressing each of the operational safety objectives that have been negotiated for the system, including articulation of the roadmap for the achievement of safety objectives that are applicable to later phases of the system life cycle.” From NASA/SP-2010-580 (SS Handbook) • The term ‗risk-informed‘ is used to emphasize that adequate safety is the result of a deliberative decision making process that involves an assessment of risks, and strives for a proper balance between safety performance and performance in other mission execution domains Presented by Homayoon Dezfuli 20
  • 21. Risk-Informed Safety Case (RISC) (cont.) • The elements of the RISC are: – An explicit set of safety claims about the system(s), for example, the probability of an accident or a group of accidents is lower than a specified value and/or as low as reasonably practicable – Supporting evidence for the claim, for example, representative operating history, redundancy in design, or results of analysis – Structured safety arguments that link claims to evidence and that use logically valid rules of inference • RISCs produced by lower-level organizational units (e.g., sub- system-level units) can be used as sub-claims of the RISC at the next higher level of the NASA hierarchy Presented by Homayoon Dezfuli 21
  • 22. RISC Life Cycle Considerations • The RISC addresses the full system life cycle, regardless of the particular point in the life cycle at which the RISC is developed. This results in two types of safety claims: – Claims related to the safety objectives of the current or previous phases argue that the objectives have been met – Claims related to the safety objectives of future phases argue that necessary planning and preparation have been conducted, and that commitments are in place to satisfy the objectives at the appropriate time Presented by Homayoon Dezfuli 22
  • 23. Example RISC Safety Claims Derived from Safety Objectives • The claims made (and defended) by the RISC dovetail with the safety objectives negotiated at the outset of system formulation • RISC Design Claims Derived from Design Objectives: The system design is adequately safe The system design The system design is meets or exceeds as safe as the minimum reasonably tolerable level of practicable (ASARP) safety Appropriate historically-informed defenses against Requirements have Design solution been allocated unknown and un- decisions have been consistent with quantified safety achievable safety risk informed hazards have been performance incorporated into the design Presented by Homayoon Dezfuli 23
  • 24. Example RISC Structure The system design meets or exceeds the minimum tolerable level of safety • Claim: The system design meets or exceeds the An ISA has been properly The ISA shows that the conducted design solution meets the minimum tolerable level of allocated safety goal/ threshold requirements. safety The design solution has The ISA methods used are Unknown and un- been sufficiently well appropriate to the level of quantified safety hazards developed to support the design solution definition do not significantly impact ISA and the decision context safety performance Design solution elements:: ISA methods: The design is robust The design minimizes the ConOps Identify hazards against identified but un- potential for vulnerability to DRMs comprehensively quantified hazards unknown hazards Operating Characterize initiating environments events and system System schematics control responses Design drawings probabilistically The design incorporates: The design incorporates: ... Quantify events Historically-informed Minimal complexity consistent with margins against Appropriate TRL physics and available comparable stresses items data Appropriate Proven solutions to ... redundancies the extent possible Appropriate materials Appropriate for intended use inspection and Appropriate maintenance The ISA analysts are fully inspection and accesses qualified to conduct the maintenance ... ISA accesses ... Adjusted/waived requirements, standards, best practices do not significantly increase vulnerabilities to unknown/ unquantified hazards Presented by Homayoon Dezfuli 24
  • 25. Example RISC Structure (cont.) • Claim: Design solution Design solution decisions are risk informed decisions are risk informed RIDM has been conducted The tailored set of to select the design that requirements, standards, maximizes safety without and best practices to excessive performance which the design complies penalties in other mission supports a design solution execution domains that is as safe as reasonably practicable Stakeholder objectives are The RIDM methods used understood and are appropriate to the life The set of applicable There is an appropriate requirements (or imposed cycle phase and the requirements, standards, analytical basis for all constraints) have been decision context and best practices was adjustments/waivers to allocated from the level comprehensively identified requirements, standards, above and best practices RIDM methods: Identify alternatives Analyze the risks associated with each Adjusted/waived alternative requirements, standards, Support the risk- best practices: informed, deliberative Improve the balance selection of a design between analyzed alternative performance measures Preserve safety performance as a priority The RIDM analysts are Do not significantly fully qualified to conduct increase RIDM vulnerabilities to unknown/ unquantified hazards Presented by Homayoon Dezfuli 25
  • 26. Example RISC Structure (cont.) • Claim: Appropriate historically- informed defenses against Appropriate historically-informed defenses against unknown and unknown and un-quantified safety un-quantified safety hazards are incorporated into the design hazards are incorporated into the design The design is robust The design minimizes the • against identified but un- potential for vulnerability to Claim: Requirements are allocated quantified hazards unknown hazards consistent with achievable safety The design incorporates: The design incorporates: performance Historically-informed Minimal complexity margins against Appropriate TRL comparable stresses items Appropriate Proven solutions to redundancies the extent possible Appropriate materials Appropriate for intended use inspection and Allocated requirements Appropriate maintenance are consistent with inspection and accesses achievable safety maintenance ... performance accesses ... Performance requirements Allocated requirements are consistent with the have been negotiated Adjusted/waived performance commitments between the requirements requirements, standards, developed during RIDM owner and the best practices do not organization responsible significantly increase for meeting the vulnerabilities to unknown/ requirements unquantified hazards Presented by Homayoon Dezfuli 26
  • 27. Independent Evaluation of the RISC • It is good practice for an evaluator to have one or more checklists for determining whether the evidence is sufficient to support a claim • The checklist should be organized independently from the RISC and should tend to be generically applicable rather than application specific EVALUATION BY ANALYSIS TYPE ANALYSIS ATTRIBUTE Physical Hazards Individual Aggregate Risk Risk Responses Risks Risks Drivers Allocations Important issues are identified and evaluated Grade: Grade: Grade: Grade: Grade: Grade: Comment: Comment: Comment: Comment: Comment: Comment: Models are graded according to the importance of the issue Grade: Grade: Grade: Grade: Grade: Grade: Comment: Comment: Comment: Comment: Comment: Comment: Tests support models and analysis of important issues Grade: Grade: Grade: Grade: Grade: Grade: Comment: Comment: Comment: Comment: Comment: Comment: Best available models are used for all risk significant issues Grade: Grade: Grade: Grade: Grade: Grade: Comment: Comment: Comment: Comment: Comment: Comment: Etc. PROGRAMMATIC CONTROL EVALUATION Plans related to programmatic controls are comprehensively and clearly documented. Grade: Comment: Management will actively promote an environment within which design opportunities for improving safety Grade: without incurring unreasonable cost, schedule, and technical impacts are sought out and implemented Comment: during each phase. Protocols are in place that will promote effective and timely communication among design teams from Grade: different organizations working on different parts of the system. Comment: Etc. Presented by Homayoon Dezfuli 27
  • 28. Putting It All Together Presented by Homayoon Dezfuli 28
  • 29. Challenges Ahead • Organizational challenges – Integrating system safety personnel/activities more closely with systems engineering, operations management, and risk management • Analytical challenges – Integrating/refining existing analysis activities to support the development of an integrated safety analysis (ISA) – Meaningful accounting for unknown and under-evaluated risks in determining whether safety thresholds and goals have been achieved • Procedural and regulatory challenges – Development of standards and practices for formulating and evaluating risk informed safety cases (RISCs) – Development of guidelines for excising unnecessary requirements while maintaining safety beneficial requirements Presented by Homayoon Dezfuli 29
  • 31. Independent Evaluation of the RISC • A flowdown checklist for evaluating the RISC has the advantage of explicitly showing how arguments based on evidence support claims. 1.0 TOP-LEVEL CLAIM Safety Performance Measures This flow-down checklist examines ―how safe‖ the system is (or will be),* how well it is demonstrated, and what is being done to make sure Safety Performance Requirements that the top-level safety claim is true (or remains true).* This is the technical basis for the claim: (including Goal and Threshold) Evidence, including operating experience, testing, associated engineering analysis, and a comprehensive, integrated design and safety Engineering Requirements analysis (IDSA), including scenario modeling using Probabilistic Safety Analysis (PSA) Process Requirements A credible set of performance commitments, deterministic requirements, and implementation measures. * The nature and specificity of the claim, and the character of the underlying evidence, depend on the life cycle phase at which the safety case is being applied. The results of analysis have been clearly presented, conditional on an The design intent is characterized in terms of It has been successfully demonstrated The implementation aspects needed to explicitly characterized baseline allocation of levels of performance, design reference missions, CONOPS, and that no further improvements to the achieve the level of safety claimed is risk-informed requirements, and operating experience. An effective deterministic requirements to be satisfied. The design or operations are currently net- correctly understood, and the process for identifying departures from this baseline and/or design itself is characterized at a level of detail beneficial (as safe as reasonably necessary measures have been addressing future emergent issues that are not addressed by this appropriate to the current life cycle phase. practicable). committed to. baseline has been developed. 1.1 1.2 1.3 1.4 An effective process for The design for the current life Analyses performed provide the An effective process has been addressing unresolved and The design and mission intent cycle phase (including following results: carried out to identify significant It has been confirmed that allocated non-quantified safety issues safety improvements, but no is well charctterized.* requirements and controls) is Aggregate risk results (issues invalidating the performance is feasible well specified.* Dominant accident scenarios candidate measures have been baseline case) has been identified 1.1.1 1.1.2 Comparison with threshold/ formuulated. 1.4.1 1.2.2 1.3.1 goal Established baseline for An effective process has been A reasonable defense developed for monitoring and precursor analysis It has been demonstrated that further against unknown safety assuring ongoing satisfaction of ….. issues is included in the improvements in safety would allocated performance levels, and design and controls unacceptably affect schedule 1.2.1 there are commitments to implement Concept of Operation What is credited is reasonable these measures Design Reference and justifiable 1.2.2.1 1.3.2 1.4.2 Missions Operation Environments 1.1.2.1 Historically Informed In addition to reviewing existing information sources and A reasonable attempt has been It has been demonstrated that further Elements operating experience, the best processes known for identifying improvements in safety would incur made to identify and prioritize all The nominal performance and previously unrecognized safety hazards has been applied. significant risks in the risk 1.1.1.1 dynamic responses in design excessive performance penalties management program reference phases are well 1.2.1.1 1.3.3 1.4.3 understood and justified 1.1.2.2 The limits of the safety models are recognized, the caliber of evidence used in the models has been evaluated, and uncertainty An effective process has been It has been demonstrated that further developed for evaluating flight and The performance tailoring and and sensitivity analyses have been performed. improvements in safety would incur test experience for the presence of allocation are well understood Completeness issue excessive cost accident precursors and justified Understanding of key phenomenology and assumptions 1.3.4 1.4.4 1.1.2.3 1.2.1.3 Hazard controls, crew survival methods (if applicable), deterministic requirements, and fault protection approaches have been formulated effectively in a risk-informed manner 1.1.2.4 1.2.1.2 Presented by Homayoon Dezfuli 31