Safety critical requirement

A safety-critical requirement is a design requirement that is necessary to mitigate, or assist in the mitigation, of a hazard that has been designated as SC. It is also a requirement that is involved in the implementation of a SC function, operation, task, and so on. 

One alternative would be to discard the existing code completely, and start again with the additional requirement of meeting statutory or regulatory safety critical requirements. Unfcntunately, this is a very exprasive option. Additionally, the existing code, however imperfect, represents years of accumulated experience and refinement which (although difficult to calculate) represents a valuable asset... 

The Scania plant at Falun in Sweden manufaetures bus and truck steering knuckles. These are safety-critical components that are specified as having to be crack-free. For this reason, every component is now inspected using an automatic process that ensures the appropiate inspection is consistently canied out to the required standards of quality. Photos of the system are shown in Fig 1. The principle of operation is as follows. 

The specific character of NDT related to the quality assessment of safety critical products and objects requires constant analysis and continuous improvement of processes and their interconnection. Sometimes interaction of processes is very complicated (Figure 3) therefore the processes have to be systematized and simplified when possible to realize total quality management in NDT. 

Measures to minimize safety problems must be initiated at the start of the life cycle of any product, but too often determinations of criticality are left to production or quality control personnel who may have an incomplete knowledge of which items are safety critical (Hammer, 1980). Any potential non-conformity that occurs with a severity sufficient to cause a product or service not to satisfy intended normal or reasonably foreseeable usage requirements is termed a defect (Kutz, 1986). The optimum defect level will vary according to the application, where the more severe the consequences of failure the higher the quality of conformance needs to be. 

From an FMEA of the system design, a Severity Rating S) = 1 was allocated, relating to a safety critical failure in service. It is required to find the optimum unequal angle section size from the standard sizes available. It is assumed that the load is carried at the section s centre of gravity, G, and only stresses due to bending of the section are considered, that is, the torsional effects are minimal. The combined weight of the beam and tie rod are not to be taken into account. 

Extensive amount of these type data has been plotted but unfortunately most of it is privately owned. Creep data available from material suppliers, college and government projects, etc. can provide guidelines. However where the product has to meet critical requirements that usually include safety of people and data from previous work does not exist, creep test have to be conducted and properly applied by the designer. 

To prevent a possible alignment of holes in safety barriers, company C has as opposed to companies A and B, severe risk constraints present, which strictly require additional safety measures to be implemented when holes are identified in a safety barrier, as illustrated by the number of positively affected safety barriers in the other two companies. Moreover, in company C safety critical decisions are made on the highest level, creating an overview and also commitment of all employees to identify, report and reduce risks as soon and as effectively as possible. 

The criticality risks can be almost completely cancelled by designing devices that fulfill specific safety geometric requirements. 

This definition is widely accepted within the safety critical systems community. Safety case can be considered as a special case of the trust case where focus is on a specific trust objective, i.e., safety, and highly demanding requirements are needed to be met by the base supporting the case. 

Unfortunately, the gap has not been spanned by these approaches. As far as I know, only JRC Ispra has once financed a project of EWICS TC7 (European Workshop on Industrial Computer Systems, TC7, Safety, Reliability and Security, an expert group in this area), on Study of the Applicability of ISO/IEC 17799 and the German Baseline Protection Manual to the needs of safety critical systems (March 2003)(www.ewics.org) (3), where the gaps between the security standards and the safety-related system evaluation requirements have been analyzed for several sectors (medical, railways, nuclear, electric power networks) and in general. 

It has been demonstrated, that mass deployment of networked, dependable embedded systems with critical control functions require a new, holistic system view on safety critical and security critical systems. Both communities have to interact, communicate and integrate at the end. A unified approach to address the safety AND security requirements of safety related systems is proposed, based on the functional safety standard IEC 61508 and IT-Security management standards, handbooks and guidelines. 

Occasionally, there may be business pressures or maintenance scheduling problems that would encourage the delay of prooftesting of safety critical alarms and shutdown systems. Such situations can also delay of vessel inspections and safety relief valve testing. Some type of variance procedure or review policy should be defined to handle this occasional need. Such a policy ought to require the review of all of the inspection and test records on the specific equipment involved as well as an approval of the superintendent of the area. 

The design and construction of isolators should be carried out in an appropriate quality-assured way because the devices are frequently complex and require a high level of documentation to comply with both safety and good quality requirements. ISO 9000 compliant or similar quality assurance systems provide an appropriate management environment in which to design and build systems destined for quality or safety critical applications. 

By now it should be quite apparent that pharmaceutical analysts play a major role in assuring the identity, safety, efficacy, and quality of a drug product. Safety and efficacy studies require that drug substance and drug product meet two critical requirements ... 

Evaluate each task to determine if the task will require a written procedure. Factors that determine if a task requires a written procedure can be the frequency, criticality, and complexity of performing the task. Other factors can include regulatory requirements such as the OSHA 1910.119 Process Safety Management Rule procedure requirements. For example, starting a simple pump may not require a written procedure because it is a very simple task that people are trained to do from memory. However, starting a compUcated pump with many auxiliary systems or a pump that is critical to safety may require a written procedme to ensure the pump is always started correctly. 

Process safety management is the primary requirement that drives process plants and refineries to establish quality control programs for incoming materials and spare parts. OSHA 29 CFR 1910.119 has defined regulations for process safety critical equipment and systems that include such requirements. Other reasons for quality control programs may be equally important, for example when failure has a significant impact on capability to make product or leads to excessive maintenance costs. 

Where maintenance or repair of certain safety - critical equipment may require that it be taken out of service, extra precautions may be needed, for example ... 

The human factors literature is rich in task analysis techniques for situations and jobs requiring rule-based behavior (e.g., Kirwan and Ainsworth 1992). Some of these techniques can also be used for the analysis of cognitive tasks where weU-practiced work methods must be adapted to task variations and new circumstances. This can be achieved provided that task analysis goes beyond the recommended work methods and explores task variations that can cause failures of human performance. Hierarchical task analysis (Shepherd 1989), for instance, can be used to describe how operators set goals and plan their activities in terms of work methods, antecedent conditions, and expected feedback. When the analysis is expanded to cover not only normal situations but also task variations or changes in circumstances, it would be possible to record possible ways in which humans may fail and how they could recover from errors. Table 2 shows an analysis of a process control task where operators start up an oil refinery furnace. This is a safety-critical task because many safety systems are on manual mode, radio communications between control room and on-site personnel are intensive, side effects are not visible (e.g., accumulation of fuel in the fire box), and errors can lead to furnace explosions. 

This situation is all in stark contrast to other safety critical industries. For example in aerospace there is a more open and transparent culture of learning which crosses organisational and otherwise commercially competitive boundaries. lu aerospace stakeholders are aware that improvements in safety are for the greata good of the industty and that in the long term a safe product drives revenues for aU players. HIT suppliers have some way to catch up and it is largely the responsibility of their customers to call for the transparency that is required to enable a rigorous and practical assurance process. 

The International Electrotechnical Commission (lEC) set up studies to investigate solutions to this growing problem. By the mid-1990s the makings of a standard was produced which introduced the idea of a risk-based approach to drive out specific safety requirements alongside general system requirements. By the year 2000 lEC 61508 [4] had been ratified and since then has been gradually adopted in a number of safety critical industries. 

Testing can be more than manual operation of the system under simulated conditions. Inspection of key artefacts such as requirements, designs and specifications by snitable experts is a widely used technique in other safety critical industries and offers valuable evidence for the safety case. 

Decentralized decision making is, of course, required in some time-critical situations. But like all safety-critical decision making, the decentralized decisions must be made in the context of system-level information and from a total systems perspective in order to be effective in reducing accidents. One way to make distributed decision making safe is to decouple the system components in the overall system design, if possible, so that decisions do not have systemwide repercussions. Another common way to deal with the problem is to specify and train standard emergency responses. Operators may be told to sound the evacuation alarm any time an indicator reaches a certain level. In this way, safe procedures are determined at the system level and operators are socialized and trained to provide uniform and appropriate responses to crisis situations. 

Many of the causes of inadequate control actions are so common that they can be restated as general design principles for safety-critical control loops. The requirement for feedback about whether a command has been executed in the previous paragraph is one of these. The rest of this chapter presents those general design principles. 

---