APPLYING SAFETY AND SYSTEMS ENGINEERING PRINCIPLES FOR ANTIFRAGILITY
Eric Verhulst, CEO/CTO Altreonic NV
05.11.2013 - ISRRE 1 Altreonic - From Deep Space to Deep Sea
Content
• Safety engineering and Safety Integrity Levels (SIL)
• Some issues with the SIL criterion
• Introducing the normative ARRL criterion
• Illustrated architectures
• ARRL and antifragility
• Autonomous traffic and ARRL-7
• Conclusions
• Note: Work In Progress!
Systems Engineering vs. Safety Engineering
• System = holistic
• Real goal is "Trustworthy Systems"
  • Cfr. Felix Baumgartner almost did not do it because he didn't trust his safe jumpsuit
• TRUST = by the user or stakeholders
  • Achieving intended functionality
  • Safety & Security & Usability & Privacy
  • Meeting non-functional objectives
    • Cost, energy, volume, maintainability, scalability, manufacturability, ...
• So why this focus on safety?
  • User expects guaranteed "QoS" from a "Trustworthy system"
Safety and certification
• Safety can be defined as the control of recognized hazards to achieve an acceptable level of risk.
• Safety is a general property of a system, not 100% assured
• It is complex, but there are moral liabilities
• Certification: in-depth review => safe to operate
  • "Conformity assessment" (for automotive)
  • Not a technical requirement: confidence, legal
• Evidence makes the difference:
  • Evidence is a coherent collection of information that, relying on a number of process artifacts linked together by their dependencies and sufficient structured arguments, provides an acceptable proof that a specific system goal has been reached.
Categorisation of Safety Risks
• SIL ≅ f(probability of occurrence, severity, controllability)
  • As determined by HARA
• SIL goals ≅ Risk Reduction Factor
• Criteria and classification are open to interpretation

| Category | Consequence upon failure | Typical SIL |
|---|---|---|
| Catastrophic | Loss of multiple lives | 4 |
| Critical | Loss of a single life | 3 |
| Marginal | Major injuries to one or more persons | 2 |
| Negligible | Minor injuries at worst or material damage | 1 |
| No consequence | No damages, user dissatisfaction | 0 |
Problems with SIL definition
• Poor harmonization of the definition across the different standards bodies which utilize SIL => Reuse?
• Process-oriented metrics for derivation of SIL
• SIL level determines architecture (system specific)
• Estimation of SIL based on reliability estimates
  • System complexity, particularly in software systems, makes SIL estimation difficult if not impossible
  • Based on probabilities that are very hard if not impossible to measure and estimate
• Reliability of software (discrete domain) is not statistical!
  • Murphy's law still applies:
    • The next instant can be catastrophic
New definition: start from the component up
• ARRL: Assured Reliability and Resilience Level

| Level | Definition |
|---|---|
| ARRL 0 | It might work (use as is) |
| ARRL 1 | Works as tested, but no guarantee |
| ARRL 2 | Works correctly IF no fault occurs (guaranteed no errors in implementation) => formal evidence |
| ARRL 3 | ARRL 2 + goes to fail-safe or reduced operational mode upon fault (requires monitoring + redundancy); fault behavior is predictable, as well as the next state |
| ARRL 4 | ARRL 3 + tolerates one major failure and is fault tolerant (fault behavior predictable and transparent for the external world). Transient faults are masked out |
| ARRL 5 | The component is using heterogeneous sub-components to handle residual common mode failures |
ARRL: what does it mean?
• Assured:
  • There is verified, trustworthy evidence
  • Process related and architecture related
• Reliability:
  • In absence of faults, MTBF is >> lifetime: QA aspects
• Resilience:
  • The fault behaviour is predicted: trustworthy behaviour
  • Capability to continue to provide core function
• Level: ARRL is normative
  • Components can be classified: contract
Consequences
• If a system/component has a fault, it drops into a degraded mode => lower ARRL
  • ARRL-3 is the operational mode after an ARRL-4 failure
  • Functionality is preserved
  • Assurance level is lowered
• SIL not affected and domain independent
  • System + environment + operator defines SIL
• ARRL is a normative criterion:
  • Fault behavior is made explicit: verifiable
  • Cfr. IP norm (comes with a predefined test procedure)
ARRL-3
[Figure: ARRL-3 architecture (blocks labelled ARRL-2, ARRL-2, ARRL-3; inputs i1, i2, …, in; outputs o1, o2, …, on). Labels: one or more state space trees: monitor and supervisor sub-component; input/output guards: guaranteed bounded; unanticipated input values; fail-safe output; induced fault; comparator; common mode failures possible.]
ARRL-4
[Figure: ARRL-4 architecture. Labels: N out of M voter/mux ARRL-4; N out of M voter/demux ARRL-4; three functional blocks ARRL-2/3, each with a time-dependent output (t); failing functional block allowed; output preserved.]
ARRL-5
[Figure: ARRL-5 architecture, the same N-out-of-M structure as ARRL-4. Labels: N out of M voter/mux ARRL-4; N out of M voter/demux ARRL-4; three functional blocks ARRL-2/3, each with a time-dependent output (t); process related common mode failures minimised; output preserved.]
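The three architecture figures above (ARRL-3, ARRL-4, ARRL-5) and the "Consequences" slide can be executed as a small model. The following Python code is an added illustration, written for this transcript and not taken from the slides or from Altreonic: an ARRL-3 block wraps an ARRL-2 function in input/output guards and a two-lane comparator that falls back to a fail-safe output; an ARRL-4 component puts three such blocks behind a 2-out-of-3 voter, so one failing block is tolerated with the output preserved while the reported assurance level drops to ARRL-3, and a cleared transient fault brings it back to ARRL-4. The three blocks use different implementations of the same specification, which is the ARRL-5 idea of heterogeneous sub-components against common-mode failures. All names (Arrl3Block, Arrl4Component, vote, the fault hook), the spec f(x) = 2x and the ranges are constructed for the example.

```python
"""Added example: executable model of the ARRL-3 / ARRL-4 structures on the
slides.  Constructed for illustration; not Altreonic's code."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# The fail-safe output: "no value".  A consumer must treat it as a stop signal.
FAIL_SAFE = None


@dataclass
class Arrl3Block:
    """ARRL-3: an ARRL-2 function plus guards, a second lane and a comparator.
    On any detected fault the block yields FAIL_SAFE (predictable next state)."""
    name: str
    func: Callable[[int], int]
    in_range: Tuple[int, int]
    out_range: Tuple[int, int]
    # Constructed fault-injection hook: replaces lane B when set (test use only).
    fault: Optional[Callable[[int], int]] = None
    last_state: str = "ok"

    def step(self, x: int):
        lo, hi = self.in_range
        if not (lo <= x <= hi):           # input guard: unanticipated value
            self.last_state = "input guard"
            return FAIL_SAFE
        lane_a = self.func(x)
        lane_b = (self.fault or self.func)(x)
        if lane_a != lane_b:              # comparator: an induced fault in a lane
            self.last_state = "comparator mismatch"
            return FAIL_SAFE
        lo, hi = self.out_range
        if not (lo <= lane_a <= hi):      # output guard: guaranteed bounded
            self.last_state = "output guard"
            return FAIL_SAFE
        self.last_state = "ok"
        return lane_a


def vote(outputs: list, n_required: int):
    """N-out-of-M voter: return a value that at least n_required lanes agree on,
    ignoring fail-safe lanes; FAIL_SAFE when no such majority exists."""
    valid = [o for o in outputs if o is not FAIL_SAFE]
    for candidate in set(valid):
        if valid.count(candidate) >= n_required:
            return candidate
    return FAIL_SAFE


@dataclass
class Arrl4Component:
    """ARRL-4: M ARRL-3 blocks behind an N-out-of-M voter.  One failing block is
    allowed and the output is preserved; the component then reports ARRL-3."""
    blocks: List[Arrl3Block]
    n_required: int = 2

    def step(self, x: int):
        outputs = [b.step(x) for b in self.blocks]
        out = vote(outputs, self.n_required)
        n_bad = sum(1 for o in outputs if o is FAIL_SAFE or o != out)
        if out is FAIL_SAFE:
            state = "FAIL-SAFE"          # majority lost: predictable fail-safe state
        elif n_bad == 0:
            state = "ARRL-4"             # full redundancy available
        else:
            state = "ARRL-3"             # degraded mode, functionality preserved
        return out, state


def build_component() -> Arrl4Component:
    # Heterogeneous implementations of the same spec f(x) = 2x (ARRL-5 idea);
    # a bug shared by all three would be a common-mode failure the voter cannot see.
    spec_in, spec_out = (0, 1000), (0, 2000)
    return Arrl4Component([
        Arrl3Block("mul", lambda x: x * 2, spec_in, spec_out),
        Arrl3Block("add", lambda x: x + x, spec_in, spec_out),
        Arrl3Block("shift", lambda x: x << 1, spec_in, spec_out),
    ])


def scenario_run() -> list:
    """Walk the component through healthy, one-fault, two-fault, recovered and
    unanticipated-input steps; returns (label, output, state) rows."""
    c = build_component()
    log = [("healthy", *c.step(21))]
    c.blocks[0].fault = lambda x: x * 2 + 1        # induced fault in one lane of "mul"
    log.append(("one block faulty", *c.step(21)))  # masked by the voter
    c.blocks[1].fault = lambda x: 0                # second block also faulty
    log.append(("two blocks faulty", *c.step(21)))
    c.blocks[0].fault = None
    c.blocks[1].fault = None                       # transient faults cleared
    log.append(("transient cleared", *c.step(21)))
    log.append(("unanticipated input", *c.step(-5)))  # all input guards trip
    return log


if __name__ == "__main__":
    for row in scenario_run():
        print(row)
```

The last scenario is the caveat the ARRL-3 figure labels "common mode failures possible": an input outside the specification trips every block's guard at once, so redundancy does not help and the voter correctly reports the fail-safe state rather than an output.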
SIL and ARRL are complementary
[Figure: two views, labelled "SIL driven" and "ARRL driven".]
A system is never alone
What does "anti-fragile" mean?
• New term, from Taleb
• An anti-fragile system gets "better" after being exposed to "stressors"
  • Better: we need a metric => QoS?
  • Stressors: cfr. hazard, faults, …
• The issue in safety: rare events (improbable a priori, certain post factum) (Taleb's "black swan")
• What does it mean in the context of safety/systems engineering? Isn't ARRL-5 the top level?
Two example domains
• Automotive:
  • 1.2 million people killed/year: a daily event
  • Cars get better, but people get killed: safer? QoS?
• Aviation:
  • 500 people killed/year: a rare event
  • Planes get better, cheaper, safer, energy-efficient
• Railway, telecommunications, medical, …
  • Similar examples
• What sets them apart?
Assessment in terms of ARRL
• Automotive:
  • Vehicle is an ARRL-3 system
  • Upon fault, presumed to go to the fail-safe state
  • No black box, no records, …
  • Automotive is a collection of vehicles
• Aviation:
  • Planes are ARRL-5
  • Upon fault, redundancy takes over
  • Black box, central database
  • Preventive maintenance
  • Aviation is an eco-system
Extended systems (of systems) view
Preconditions for anti-fragility
• Extensive domain knowledge: experience
• Openness: shared critical information
• Feedback loops at several levels between a large number of stakeholders
• Independent supervision: guidance
• Core components are ARRL-4 or -5
• The system is the domain
• Service matters more than the component
ARRL-6 and ARRL-7 (inherits ARRL-5)

| Level | Definition |
|---|---|
| ARRL 3 | ARRL 2 + goes to fail-safe or reduced operational mode upon fault (requires monitoring + redundancy); fault behavior is predictable, as well as the next state |
| ARRL 4 | ARRL 3 + tolerates one major failure and is fault tolerant (fault behavior predictable and transparent for the external world). Transient faults are masked out |
| ARRL 5 | The component is using heterogeneous sub-components to handle residual common mode failures |
| ARRL 6 | The component (subsystem) is monitored and a process is in place that maintains the system's functionality |
| ARRL 7 | The component (subsystem) is part of a system of systems and a process is in place that includes continuous monitoring and improvement supervised by an independent regulatory body |
Autonomous traffic
• Self-driving cars are the future? Cfr. Google car
• Systems engineering challenge much higher than flying airplanes
• Huge impact: socio-economic "black swan"
• Pre-conditions:
  • Vehicles become ARRL-5
  • System = traffic, includes road infrastructure
  • Standardisation (vehicles communicate)
  • Continuous improvement process
• Hence: needs ARRL-7
Beyond ARRL-7
• Not all systems are engineered by humans
• Biological systems:
  • Survivability (selection) and adaptation
  • Built-in mechanism (long term feedback loops)
  • ARRL-8?
  • Inheritance of ARRL-7?
• Genetic engineering:
  • Directed selection and adaptation
  • ARRL-9? Or ARRL-7 with bio-components?
Conclusions
• The ARRL concept allows compositional safety engineering with reuse of components/subsystems
• More complex systems can be safer
• A unified ARRL-aware process pattern can unify systems and safety engineering standards
• ARRL-6 and ARRL-7 introduce a system that includes a feedback loop process during development but also during operation
• ANTIFRAGILE = ARRL-7
More info: www.altreonic.com (white paper as work in progress available)
Further work
• Making ARRL normative and applicable
  • Refinement and completeness of criteria
  • Normative: components carry contract and evidence
    • Independent of final use or application domain
    • Process evidence + validated properties
  • ARRL-3 and higher: HW/SW co-design?
• Study link with a system's critical states
• Apply it on real cases
• Input and feedback welcome