Cover
Title Page
Preface
1. Reference
Acknowledgments
Introduction: What You Will Learn
1 Design for Safety Paradigms
1. 1.1 Why Design for System Safety?
2. 1.2 Reflections on the Current State of the Art
3. 1.3 Paradigms for Design for Safety
4. 1.4 Create Your Own Paradigms
5. 1.5 Summary
6. References
2 The History of System Safety
1. 2.1 Introduction
2. 2.2 Origins of System Safety
3. 2.3 Tools of the Trade
4. 2.4 Benefits of System Safety
5. 2.5 System Safety Management
6. 2.6 Integrating System Safety into the Business Process
7. References
8. Suggestions for Additional Reading
3 System Safety Program Planning and Management
1. 3.1 Management of the System Safety Program
2. 3.2 Engineering Viewpoint
3. 3.3 Safety Integrated in Systems Engineering
4. 3.4 Key Interfaces
5. 3.5 Planning, Execution, and Documentation
6. 3.6 System Safety Tasks
7. References
8. Suggestions for Additional Reading
4 Managing Risks and Product Liabilities
1. 4.1 Introduction
2. 4.2 Risk
3. 4.3 Risk Management
4. 4.4 What Happens When the Paradigms for Design for Safety Are Not Followed?
5. 4.5 Tort Liability
6. 4.6 An Introduction to Product Liability Law
7. 4.7 Famous Legal Court Cases Involving Product Liability Law
8. 4.8 Negligence
9. 4.9 Warnings
10. 4.10 The Rush to Market and the Risk of Unknown Hazards
11. 4.11 Warranty
12. 4.12 The Government Contractor Defense
13. 4.13 Legal Conclusions Involving Defective and Unsafe Products
14. References
15. Suggestions for Additional Reading
5 Developing System Safety Requirements
1. 5.1 Why Do We Need Safety Requirements?
2. 5.2 Design for Safety Paradigm 3 Revisited
3. 5.3 How Do We Drive System Safety Requirements?
4. 5.4 What Is a System Requirement?
5. 5.5 Hazard Control Requirements
6. 5.6 Developing Good Requirements
7. 5.7 Example of Certification and Validation Requirements for a PSDI
8. 5.8 Examples of Requirements from STANAG 4404
9. 5.9 Summary
10. References
6 System Safety Design Checklists
1. 6.1 Background
2. 6.2 Types of Checklists
3. 6.3 Use of Checklists
4. References
5. Suggestions for Additional Reading
6. Additional Sources of Checklists
7 System Safety Hazard Analysis
1. 7.1 Introduction to Hazard Analyses
2. 7.2 Risk
3. 7.3 Design Risk
4. 7.4 Design Risk Management Methods and Hazard Analyses
5. 7.5 Hazard Analysis Tools
6. 7.6 Hazard Tracking
7. 7.7 Summary
8. References
9. Suggestions for Additional Reading
8 Failure Modes, Effects, and Criticality Analysis for System Safety
1. 8.1 Introduction
2. 8.2 The Design FMECA (D‐FMECA)
3. 8.3 How Are Single Point Failures Eliminated or Avoided in the Design?
4. 8.4 Software Design FMECA
5. 8.5 What Is a PFMECA?
6. 8.6 Conclusion
7. Acknowledgments
8. References
9. Suggestions for Additional Reading
9 Fault Tree Analysis for System Safety
1. 9.1 Background
2. 9.2 What Is a Fault Tree?
3. 9.3 Methodology
4. 9.4 Cut Sets
5. 9.5 Quantitative Analysis of Fault Trees
6. 9.6 Automated Fault Tree Analysis
7. 9.7 Advantages and Disadvantages
8. 9.8 Example
9. 9.9 Conclusion
10. References
11. Suggestions for Additional Reading
10 Complementary Design Analysis Techniques
1. 10.1 Background
2. 10.2 Discussion of Less Used Techniques
3. 10.3 Other Analysis Techniques
4. References
5. Suggestions for Additional Reading
11 Process Safety Management and Analysis
1. 11.1 Background
2. 11.2 Elements of Process Safety Management
3. 11.3 Process Hazard Analyses
4. 11.4 Other Related Regulations
5. 11.5 Inherently Safer Design
6. 11.6 Summary
7. References
8. Suggestions for Additional Reading
12 System Safety Testing
1. 12.1 Purpose of System Safety Testing
2. 12.2 Test Strategy and Test Architecture
3. 12.3 Develop System Safety Test Plans
4. 12.4 Regulatory Compliance Testing
5. 12.5 The Value of PHM for System Safety Testing
6. 12.6 Leveraging Reliability Test Approaches for Safety Testing
7. 12.7 Safety Test Data Collection
8. 12.8 Test Results and What to Do with the Results
9. 12.9 Design for Testability
10. 12.10 Test Modeling
11. 12.11 Summary
12. References
13 Integrating Safety with Other Functional Disciplines
1. 13.1 Introduction
2. 13.2 Raytheon’s Code of Conduct
3. 13.3 Effective Use of the Paradigms for Design for Safety
4. 13.4 How to Influence People
5. 13.5 Practice Emotional Intelligence
6. 13.6 Practice Positive Deviance to Influence People
7. 13.7 Practice “Pay It Forward”
8. 13.8 Interfaces with Customers
9. 13.9 Interfaces with Suppliers
10. 13.10 Five Hats for Multi‐Disciplined Engineers (A Path Forward)
11. 13.11 Conclusions
12. References
14 Design for Reliability Integrated with System Safety
1. 14.1 Introduction
2. 14.2 What Is Reliability?
3. 14.3 System Safety Design with Reliability Data
4. 14.4 How Is Reliability Data Translated to Probability of Occurrence?
5. 14.5 Verification of Design for Safety Including Reliability Results
6. 14.6 Examples of Design for Safety with Reliability Data
7. 14.7 Conclusions
8. Acknowledgment
9. References
15 Design for Human Factors Integrated with System Safety
1. 15.1 Introduction
2. 15.2 Human Factors Engineering
3. 15.3 Human‐Centered Design
4. 15.4 Role of Human Factors in Design
5. 15.5 Human Factors Analysis Process
6. 15.6 Human Factors and Risk
7. 15.7 Checklists
8. 15.8 Testing to Validate Human Factors in Design
9. Acknowledgment
10. References
11. Suggestions for Additional Reading
16 Software Safety and Security
1. 16.1 Introduction
2. 16.2 Definitions of Cybersecurity and Software Assurance
3. 16.3 Software Safety and Cybersecurity Development Tasks
4. 16.4 Software FMECA
5. 16.5 Examples of Requirements for Software Safety
6. 16.6 Example of Numerical Accuracy Where 2 + 2 = 5
7. 16.7 Conclusions
8. Acknowledgments
9. References
17 Lessons Learned
1. 17.1 Introduction
2. 17.2 Capturing Lessons Learned Is Important
3. 17.3 Analyzing Failure
4. 17.4 Learn from Success and from Failure
5. 17.5 Near Misses
6. 17.6 Continuous Improvement
7. 17.7 Lessons Learned Process
8. 17.8 Lessons Learned Examples
9. 17.9 Summary
10. References
11. Suggestions for Additional Reading
18 Special Topics on System Safety
1. 18.1 Introduction
2. 18.2 Airworthiness and Flight Safety
3. 18.3 Statistical Data Comparison Between Commercial Air Travel and Motor Vehicle Travel
4. 18.4 Safer Ground Transportation Through Autonomous Vehicles
5. 18.5 The Future of Commercial Space Travel
6. 18.6 Summary
7. References
Appendix A: Hazards Checklist
1. Reference
Appendix B: System Safety Design Verification Checklist
1. Reference
Index
End User License Agreement

List of Tables

Chapter 01
1. Table 1.1 Paradigm locations
Chapter 02
1. Table 2.1 Evolution of MIL‐STD‐882
2. Table 2.2 A sampling of IEC 61508 standards
3. Table 2.3 Common hazard analysis techniques
Chapter 03
1. Table 3.1 Types of system safety analysis
2. Table 3.2 Task application matrix
Chapter 04
1. Table 4.1 Product liability in federal court
2. Table 4.2 Product liability in Missouri 2014
3. Table 4.3 Product liability in Missouri: 10‐year summary 2005–2014
4. Table 4.4 Ten largest vehicle recalls
Chapter 05
1. Table 5.1 Qualities of a well‐written performance specification
Chapter 06
1. Table 6.1 Example of requirement‐type checklist
2. Table 6.2 Example of energy source‐type checklist
3. Table 6.3 Example of generic hazard‐type checklist
4. Table 6.4 Example of similar system‐type checklist
5. Table 6.5 Example of hazardous operation‐type checklist
Chapter 07
1. Table 7.1 Hazard probability levels
2. Table 7.2 Hazard severity levels
3. Table 7.3 Risk assessment matrix
4. Table 7.4 Risk levels
Chapter 08
1. Table 8.1 Possible software elements for FMECA
2. Table 8.2 Priority factors
3. Table 8.3 Severity (SEV) factors
4. Table 8.4 Occurrence (OCC) factors
5. Table 8.5 Detection (DET) factors
Chapter 09
1. Table 9.1 Failure probabilities for pressure tank example
Chapter 11
1. Table 11.1 Examples of guide word–parameter–deviations in HAZOP
Chapter 14
1. Table 14.1 Hazard probability levels (excerpt from Table 7.1)
2. Table 14.2 Quantitative probability of occurrence ranges
3. Table 14.3 Risk assessment matrix
4. Table 14.4 Example types of distributions used in reliability
5. Table 14.5 Hazard severity levels (from Table 7.2)
6. Table 14.6 Severity definitions
Chapter 15
1. Table 15.1 Considerations in human‐centered design
2. Table 15.2 Perceptions across media
3. Table 15.3 Human factors analysis tools
Chapter 16
1. Table 16.1 Priority classifications
2. Table 16.2 Reprinted from Software System Safety Handbook from G‐48
3. Table 16.3 Potential software failure mode effects for software elements of a navigation system
4. Table 16.4 Example causes of potential failure modes

List of Illustrations

Chapter 02
1. Figure 2.1 Maslow’s hierarchy
2. Figure 2.2 The system safety process
Chapter 03
1. Figure 3.1 Phases of development
2. Figure 3.2 Systems engineering V‐model
3. Figure 3.3 System safety V‐Chart
Chapter 04
1. Figure 4.1 Risk management process
Chapter 05
1. Figure 5.1 Top 10 emerging systemic issues
Chapter 06
1. Figure 6.1 MD‐80 preflight checklist
Chapter 07
1. Figure 7.1 Hazard reduction precedence
2. Figure 7.2 Preliminary hazard list format
3. Figure 7.3 Preliminary hazard analysis format
4. Figure 7.4 Subsystem hazard analysis format
5. Figure 7.5 System hazard analysis format
6. Figure 7.6 Operating and support hazard analysis format
7. Figure 7.7 Health hazard analysis format
8. Figure 7.8 Typical closed‐loop hazard tracking process
Chapter 08
1. Figure 8.1 Failure modes and effects relationship diagram
2. Figure 8.2 Failure cause Pareto diagram
3. Figure 8.3 Top‐down system hazard/failure analysis flow example
4. Figure 8.4 Example PFMECA form
Chapter 09
1. Figure 9.1 Fault tree symbols
2. Figure 9.2 Simple fault trees
3. Figure 9.3 Fault tree construction process
4. Figure 9.4 Primary, secondary, and command approach
5. Figure 9.5 Simple cut set determination
6. Figure 9.6 Minimal cut set determination
7. Figure 9.7 Simple fault tree for illustrating MOCUS algorithm
8. Figure 9.8 Pressure tank system
9. Figure 9.9 Pressure tank system operational modes
10. Figure 9.10 Pressure tank rupture fault tree example
11. Figure 9.11 Simplified (reduced) fault tree for pressure tank example
Chapter 10
1. Figure 10.1 Generic event tree
2. Figure 10.2 Generic event tree with probabilities
3. Figure 10.3 Sneak circuit analysis topological patterns
4. Figure 10.4 Functional hazard analysis format
5. Figure 10.5 Barrier separates energy source from target
6. Figure 10.6 Barrier analysis format
7. Figure 10.7 Connector configuration and matrix of possible pin‐to‐pin combinations
8. Figure 10.8 Bent pin analysis format
9. Figure 10.9 Markov state transition model for one‐component system with repair
10. Figure 10.10 MORT top events
Chapter 11
1. Figure 11.1 Example process flowchart
2. Figure 11.2 What‐if analysis worksheet
3. Figure 11.3 HAZOP analysis worksheet
Chapter 12
1. Figure 12.1 Test failure data by test position
2. Figure 12.2 Test failure data by TTF
3. Figure 12.3 Example of a CDF
4. Figure 12.4 Example of a PDF
Chapter 13
1. Figure 13.1 SSE interfaces to other functional disciplines
2. Figure 13.2 Raytheon’s values
Chapter 14
1. Figure 14.1 Reliability and system safety data interfaces
2. Figure 14.2 Graph of reliability over time
3. Figure 14.3 Probability of success example
Chapter 16
1. Figure 16.1 CISQ comparison of SwA definitions from ARiSE
Chapter 17
1. Figure 17.1 Foreshadowing of Toyota problems. Percentage of customer complaints having to do with speed control. .
2. Figure 17.2 GM models and years effected by the ignition switch recall
Chapter 18
1. Figure 18.1 Percent change in motor vehicle fatalities from 2006 to 2015
2. Figure 18.2 Annual percentage change in Vehicle Miles Traveled (VMT) between 1975 and 2015

Wiley Series in Quality & Reliability Engineering

Dr Andre Kleyner

Series Editor

The Wiley series in Quality & Reliability Engineering aims to provide a solid educational foundation for both practitioners and researchers in Q&R field and to expand the reader’s knowledge base to include the latest developments in this field. The series will provide a lasting and positive contribution to the teaching and practice of engineering.

The series coverage will contain, but is not exclusive to,

statistical methods;
physics of failure;
reliability modeling;
functional safety;
six‐sigma methods;
lead‐free electronics;
warranty analysis/management; and
risk and safety analysis.

Wiley Series in Quality & Reliability Engineering

Next Generation HALT and HASS: Robust Design of Electronics and Systems
by Kirk A. Gray, John J. Paschkewitz
May 2016

Reliability and Risk Models: Setting Reliability Requirements, 2nd Edition
by Michael Todinov
September 2015

Applied Reliability Engineering and Risk Analysis: Probabilistic Models and Statistical Inference
by Ilia B. Frenkel. Alex Karagrigoriou, Anatoly Lisnianski, Andre V. Kleyner
September 2013

Design for Reliability
by Dev G. Raheja (Editor), Louis J. Gullo (Editor)
July 2012

Effective FMEAs: Achieving Safe. Reliable, and Economical Products and Processes Using Failure Modes and Effects Analysis
by Carl Carlson
April 2012

Failure Analysis: A Practical Guide for Manufacturers of Electronic Components and Systems
by Marius Bazu, Titu Bajenescu
April 2011

Reliability Technology: Principles and Practice of Failure Prevention in Electronic Systems
by Norman Pascoe
April 2011

Improving Product Reliability: Strategics and Implementation
by Mark A. Levin, Ted T. Kalal
March 2003

Test Engineering: A Concise Guide to Cost‐Effective Design, Development and Manufacture
by Patrick O’Connor
April 2001

Integrated Circuit Failure Analysis: A Guide to Preparation Techniques
by Friedrich Beck
January 1998

Measurement and Calibration Requirements for Quality Assurance to ISO 9000
by Alan S. Morris
October 1997

Electronic Component Reliability: Fundamentals. Modelling, Evaluation, and Assurance
by Finn Jensen
November 1995

This edition first published 2018
© 2018 John Wiley & Sons Ltd

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by law. Advice on how to obtain permission to reuse material from this title is available at http://www.wiley.com/go/permissions.

The right of Louis J. Gullo and Jack Dixon to be identified as the authors of the editorial material in this work has been asserted in accordance with law.

Registered Office(s)
John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA
John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, UK

Editorial Office
The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, UK

For details of our global editorial offices, customer services, and more information about Wiley products visit us at www.wiley.com.

Wiley also publishes its books in a variety of electronic formats and by print‐on‐demand. Some content that appears in standard print versions of this book may not be available in other formats.

Limit of Liability/Disclaimer of Warranty
While the publisher and authors have used their best efforts in preparing this work, they make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives, written sales materials or promotional statements for this work. The fact that an organization, website, or product is referred to in this work as a citation and/or potential source of further information does not mean that the publisher and authors endorse the information or services the organization, website, or product may provide or recommendations it may make. This work is sold with the understanding that the publisher is not engaged in rendering professional services. The advice and strategies contained herein may not be suitable for your situation. You should consult with a specialist where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

Library of Congress Cataloging‐in‐Publication data applied for

ISBN: 9781118974292

Cover Design: Wiley
Cover Images: (Left to right) © 3DSculptor/Gettyimages; © ms. Octopus/Shutterstock; © prosot‐photography/iStock; © gali estrange/Shutterstock

Series Editor’s Foreword

The Wiley Series in Quality and Reliability Engineering aims to provide a solid educational foundation for researchers and practitioners in the field of dependability, which includes quality, reliability, and safety, and expand the knowledge base by including the latest developments in these disciplines.

It is hard to overstate the effect of quality and reliability on system safety. A safety‐critical system is a system whose failure or malfunction may result in death or serious injury to people. According to Federal Aviation Administration (FAA), system safety is the application of engineering and management principles, criteria, and techniques to optimize safety by the identification of safety‐related risks, eliminating or controlling them by design and/or procedures, based on acceptable system safety precedence.

Along with continuously increasing electronics content in vehicles, airplanes, trains, appliances, and other devices, electronic and mechanical systems are becoming more complex with added functions and capabilities. Needless to say, this trend is making the jobs of design engineers increasingly challenging, which is confirmed by the growing number of safety recalls. These recalls are prompting further strengthening of reliability and safety requirements and a rapid development of functional safety standards, such as IEC 61508 Electrical/Electronic/Programmable systems, ISO 26262 Road Vehicles, and others, which have increased the pressure on improving the design processes and achieving ever higher reliability as it applies to system safety.

There are no do‐overs in safety. You cannot undo the damage to a human caused by an accident caused by an unsafe system; therefore it is extremely important to design a safe system the first time. This book Design for Safety, written by Louis J. Gullo and Jack Dixon explores the safety engineering and takes the concept of design and system safety to a new level. The book takes you step by step through the process of designing for safety. These steps include the development of system requirements, design for safety checklist, and application of the critical design tools, such as fault tree analysis, hazard analysis, FMEA, system integration, testing, and many others.

Both authors have lifelong experience in product design, safety, and reliability, and sharing their knowledge will be a big help to the new generation of design engineers as well as to the seasoned practitioners. This book offers an excellent mix of theory, practice, useful applications, and commonsense engineering, making it a perfect addition to the Wiley Series in Quality and Reliability Engineering.

Despite its obvious importance, quality, reliability, and safety education are paradoxically lacking in today’s engineering curriculum. Very few engineering schools offer degree programs, or even a sufficient variety of courses, in quality or reliability methods, and the topic of safety only receives minimal coverage in today’s engineering student curriculum. Therefore, the majority of the quality, reliability, and safety practitioners receive their professional training from colleagues, professional seminars, publications, and technical books. The lack of opportunities for formal education in these fields emphasizes too well the importance of technical publications like this one for professional development.

We are confident that this book, as well as this entire book series, will continue Wiley’s tradition of excellence in technical publishing and provide a lasting and positive contribution to the teaching and practice of quality, reliability, and safety engineering.

Dr. Andre Kleyner,
Editor of the Wiley Series in Quality and Reliability Engineering

Preface

Anyone who designs a product or system involving hardware and/or software needs to ask the following questions and seek answers to:

Will my designs be safe for the users of the product or system that I design for them?
Will my designs be safe for people affected by the users of the product or system that I design for them?
Are there applications that my designs may be used for that are not safe even though it is not the original intentions of my design?
Can anyone die or be harmed by my designs?

The designers and engineers that fully answer these questions and take action to improve the safety features of a design are heroes. These engineering heroes are usually unsung heroes who don’t receive nor seek any reward or recognition.

When you think of heroes, you might conjure up the image of a US Army Medal of Honor recipient, or a brave firefighter willing to sacrifice his or her life to rescue people from a towering inferno, or a policeman cited for courage in the line of duty, but you probably won’t imagine an engineer willing to sacrifice his or her job or career to prevent a potential catastrophic hazard from occurring within a product or system. Every day and throughout the world, multitudes of engineers working in numerous development and production engineering career fields within a global marketplace discover and analyze safety‐critical failure modes and assess risks of hazards to the user or customer, which may cause loss of life or severe personal injury. These engineers display a passion for their work with consideration for the safety aspects of their products or systems realizing the ultimate impacts to the health and well‐being of their user community. The passion of these engineers usually goes unnoticed, except by other engineers or managers who work closely with them. The passion of these engineers may be recognized in extreme or unusual circumstances with an individual or team achievement award, but they most certainly would not become hailed as heroes. Why not? Does our engineering society place value of those willing to display courage in managing challenging technical problems? Of course, there is value in this characteristic of an engineer, but only when it results in making the organization or company more money, not reducing or eliminating the potential of dangerous hazards that could harm the user community. The engineers demonstrating courage in tackling the challenging technical problems to keep people safe are just doing their jobs as system safety engineers or some other related job function, but they would not be considered as heroes.

When you think of heroes in engineering, you might say Nikola Tesla or Thomas Edison made significant contributions to the advancement of a safe world in terms of developing commercial power to light homes at night and prevent fires due to lit candles igniting window dressings or draperies. We are sure you will agree that commercial power saves lives, indirectly. As a result of commercial power, most home fires caused by candles lighting a home at night have been prevented, but fires at home will still occur regardless of the use of commercial power replacing candles. There are other mitigating factors that have a direct correlation to causes of fires at home, such as smoking cigarettes in bed or poor insulation of electrical wiring or overloaded electrical circuits.

A direct application of saving lives is a preventive action to design out an explosive hazard in an automobile due to the fuel tank during an automobile collision. As a result of an engineer’s diligence, persistence, and commitment to mitigate the risk of a fuel tank explosion in a car during normal operation or during a catastrophic accident, it is clear that the engineer’s actions would have saved lives, directly. This direct application of design improvements that result in no deaths or personal injuries caused by automobile fuel tank explosions should warrant the title of “Engineering Hero” to the ones worthy of such distinction.

Engineering needs more heroes [1]. Engineers with the biggest paychecks get the widest acclaim. To be a hero today, you must be considered financially successful and ahead of your peers. There must be other ways to recognize engineering heroes on a broad scale, but how? There is no Nobel Prize for engineering. There is no engineering award with similar global status and prestige. Engineers cannot routinely recognize their heroes in a similar fashion as do physicists, economists, and novelists. To be fair, in lesser known circles than Nobel, engineers are recognized by their peers through the Kyoto Prize, Charles Stark Draper Prize of the US National Academy of Engineering, and the IEEE’s own Medal of Honor, to name a few engineering honors. We agree with G. Pascal Zachary when he states that a valid criterion for an engineer to be considered an engineering hero is when one overcomes adversity. Engineering heroism appears when an engineer overcomes personal, institutional, or technological adversity to do their best job possibly while realizing what is ethically or morally right, contributing to the social and cultural well‐being of all humanity.

Anyone who convinces a product manufacturer to install a safety feature on an existing product should be praised as a hero. One example of a design for safety feature that was installed on an existing product is the “safety mechanism” designed for firearms. A safety catch mechanism or safety switch used for pistol and rifle designs was intended to prevent the accidental discharge of a firearm, helping to ensure safe handling during normal use. The safety switch on firearms has two positions: one is “safe” mode and the other is “fire” mode. The two‐position safety toggle switch was designed on the military grade firearm, M16 automatic rifle. In “safe” mode, the trigger cannot be engaged to discharge the projectile in the firing assembly. Other types of safety mechanisms include manual safety, grip safety, decocker mechanism, firing pin block, hammer block, transfer bar, safety notch, bolt interlock, trigger interlock, trigger disconnect, magazine disconnect, integrated trigger safety mechanism, loaded chamber indicator, and stiff double‐action trigger pull. “Drop safety mechanisms” or “trigger guards” are passive safety features designed to reduce the chance of an accidental firearm discharge when the firearm is dropped or handled in a rough manner. Drop safeties generally provide an obstacle in the firing mechanism, which can only be removed when the trigger is pulled, so that the firearm cannot otherwise discharge. Trigger guards provide a material barrier to prevent inadvertent trigger pulls. Many firearms that were manufactured in the late 1990s were designed with mandatory integral locking mechanisms that had to be deactivated by a unique key before the firearm could be fired. These are intended as child‐safety devices during unattended storage of firearms. These types of locking mechanisms were not intended as safety mechanisms while carrying. Other devices in this category are muzzle plugs, trigger locks, bore locks, and firearm safes.

Accidents decreased tremendously over the years as a result of safety features. Accidental discharges were commonplace in the days of the “Ole West,” circa 1850–1880. Those were the days before safety switches were designed into rifle and pistol designs. Now accidental discharges only occur when a loaded firearm is handled when the safety position is off. Since the implementation of this safety switch design, gunshots caused by accidental firing have been significantly reduced. There was a designer behind this safety switch design who thought about saving lives. In our minds, this designer was an unsung hero, one of many heroes in the development of safe firearms.

We propose these unsung heroes deserve immense credit for preventing unnecessary injury or death from accidental discharge of firearms. There are many more examples of this.

The idea for this book was conceived as a result of publishing our first book, Design for Reliability. We saw the need for additional books discussing various topics associated with the design process. As a result, we are planning to create a series of Design for X books with this one, Design for Safety, being the second in the series. Our book fills the gap between the published body of knowledge and current industry practices by communicating the advantages of designing for safety during the earliest phase of product or system development. This volume fulfils the needs of entry‐level design engineers, experienced design engineers, engineering managers, and system safety engineers/managers who are looking for hands‐on knowledge of how to work collaboratively on design engineering teams.

Reference

[1] Zachary, G. P. (2014), Engineering Needs More Heroes, IEEE Spectrum, 51, 42–46.

Louis J. Gullo
Jack Dixon

Introduction: What You Will Learn

Chapter 1 Design for Safety Paradigms (Raheja, Gullo, and Dixon)

This chapter introduces the concept of design for safety. It describes the technical gaps between the current state of the art and what it takes to design safety into new products. This chapter introduces ten paradigms for safe design that help you do the right things at the right times. These paradigms will be used throughout the book as guiding themes.

Chapter 2 The History of System Safety (Dixon)

This chapter provides a brief history of system safety from the original “fly‐fix‐fly” approach to safety, to the 1940s’ hints at a better way of doing aircraft safety, to the 1950s’ introduction of the term “system safety,” and to the Minuteman program that brought the systematic approach to safety to the mainstream. Next, the development of and history of MIL‐STD‐882 is discussed. The growth of system safety and various hazard analyses techniques over the years are covered in detail. The expansion of system safety into the nonmilitary, commercial arena is discussed along with numerous industry standards. Tools of the trade, management of system safety, and integration of system safety into the business process are summarized.

Chapter 3 System Safety Program Planning and Management (Gullo and Dixon)

This chapter discusses the management of system safety in detail. It describes how system safety fits into the development cycle, how it is integrated into the systems engineering process, and what the key interfaces are between system safety and other disciplines. The System Safety Program Plan is described in detail as well as how it is related to other management plans. Another important document, the Safety Assessment Report, is also outlined in detail.

Chapter 4 Managing Risks and Product Liabilities (Gullo and Dixon)

In this chapter, the importance of product liability is emphasized beginning with some financial statistics and numerous examples of major losses due to bad design. The importance of risk and risk management is described. This chapter includes a brief summary of product liability law and what it means to the safety engineer and the organization developing the product or system.

Chapter 5 Developing System Safety Requirements (Gullo)

This chapter’s main emphasis is on developing safety requirements including why we need them and why they are so important. We discuss what requirements are and how they enter into various types of specifications. This chapter covers in detail how to develop good safety requirements and provides examples of both good and bad requirements.

Chapter 6 System Safety Design Checklists (Dixon)

This chapter introduces various types of checklists and why they are an important tool for the safety engineer. It covers procedural, observational, and design checklists and provides examples of each type. The uses of checklists are also discussed, and several detailed checklists are provided in the appendices of the book.

Chapter 7 System Safety Hazard Analysis (Dixon)

This chapter introduces some terminologies and discusses risk in detail as an introduction to hazard analyses. After that, it covers several of the most widely used hazard analysis techniques including preliminary hazard list, preliminary hazard analysis, subsystem hazard analysis, system hazard analysis, operating and support hazard analysis, and health hazard analysis. The chapter ends with a discussion of hazard tracking and its importance.

Chapter 8 Failure Modes, Effects, and Criticality Analysis for System Safety (Gullo)

This chapter describes how the Failure Modes and Effects Analysis (FMEA) and Failure Modes, Effects, and Criticality Analysis (FMECA) are useful for system safety analysis. It discusses various types of FMEAs including Design FMECA, Software Design FMECA, and Process Failure Modes, Effects, and Criticality Analysis (PFMECA) and how they may be applied in a number of flexible ways at different points in the system, hardware, and software development life cycle.

Chapter 9 Fault Tree Analysis for System Safety (Dixon)

Fault Tree Analysis (FTA) is covered in this chapter. It is a very popular type of analysis used in system safety. It is a representation in tree form of the combination of causes (failures, faults, errors, etc.) contributing to a particular undesirable event. It uses symbolic logic to create a graphical representation of the combination of failures, faults, and errors that can lead to the undesirable event being analyzed. The purpose of FTA is to identify the combinations of failures and errors that can result in the undesirable event. This chapter provides a brief history of the development of FTA and provides a detailed description of how the analyst creates and applies FTA.

Chapter 10 Complementary Design Analysis Techniques (Dixon)

This chapter covers several additional popular hazard analysis techniques including event trees, sneak circuit analysis, functional hazard analysis, barrier analysis, and bent pin analysis. It also provides brief introductions to a few additional techniques that are less often used including Petri nets, Markov analysis, management oversight risk tree, and system‐theoretic process analysis.

Chapter 11 Process Safety Management and Analysis (Dixon)

This chapter introduces Process Safety Management (PSM). It is an effort to prevent catastrophic accidents involving hazardous processes that involve dangerous chemicals and energies. It applies management principles and analytic techniques to reduce risks to processes during the manufacture, use, handling, storage, and transportation of chemicals. A primary focus of PSM is on hazards related to the materials and energetic processes present in chemical production facilities, but it can also be applied to facilities that handle flammable materials, high voltage devices, high current load devices, and energetic materials, such as rocket motor propellants. In this chapter we discuss the regulatory requirement for PSM, elements of PSM, hazard analysis techniques, and related regulations and end with a discussion of inherently safer design.

Chapter 12 System Safety Testing (Gullo)

In this chapter we discuss the purpose and importance of safety testing. The different types of safety tests are described along with the test strategy and test architecture. The development of safety test plans is covered. This chapter contains a section on testing for regulatory compliance and discusses numerous national and international standards. The topic of Prognostics and Health Monitoring (PHM) is introduced along with a discussion of the return on investment associated with PHM. We also discuss how to leverage reliability test approaches for safety testing. Safety test data collection is covered along with what to do with test results. The chapter is ended with a discussion on designing for testability and test modeling.

Chapter 13 Integrating Safety with Other Functional Disciplines (Gullo)

In this chapter, we cover several ways of integrating safety with other engineering and functional disciplines. We discuss the many key interfaces to system safety engineering, and we define the cross‐functional teams. We have touched on modern decision‐making in a digital world and on knowing who are your friends and your foes. The importance of constant communication is emphasized. We talk about a code of conduct and values. This chapter introduces paradigms from several different sources and how they relate to system safety and how their application can make you a better engineer and help make you and your organization more successful.

Chapter 14 Design for Reliability Integrated with System Safety (Gullo)

The integration with all functional disciplines is very important for effectively and efficiently practicing system safety engineering, but the most important of these functional discipline interfaces is the interface to reliability engineering. This chapter builds on and applies the lessons from Chapter 13 to establish a key interface with reliability engineering. In this chapter we discuss what reliability is and how it is intertwined with system safety. Specifically we discuss how system safety uses reliability data and how this data is used to help determine risk. We conclude the chapter with examples of using reliability data to design for safety.

Chapter 15 Design for Human Factors Integrated with System Safety (Dixon and Gullo)

In starting this chapter, we refer back to the previous two chapters where we discussed the ways system safety engineers should integrate and interface with other types of engineers and functional disciplines and, in particular, with reliability engineering. Another important engineering interface for a system safety engineer is Human Factors Engineering (HFE). System safety benefits greatly from a well‐established and reinforced interface to HFE. In this chapter we define HFE and its role in design of both hardware and software. We discuss the Human–Machine Interface (HMI), the determination of manpower and workload requirements, and how they influence personnel selection and training. We detail how human factors analysis is performed and how the various tools are used. Also discussed is how the human in the system influences risk, human error and its mitigation, and testing to validate human factors in design.

Chapter 16 Software Safety and Security (Gullo)

This chapter introduces the subjects of software safety and security. Many of today’s systems are software‐intensive systems, and it is necessary to analyze, test, and understand the software thoroughly to ensure a safe and secure system and to build system trust that the system always works as intended without fear of disruptions or undesirable outcomes. This chapter provides a detailed discussion of cybersecurity and software assurance. Next we discuss the basic software system safety tasks and how software safety and cybersecurity are related. Software hazard analysis tools are discussed along with a detailed discussion of Software FMECA. This chapter ends with a discussion of software safety requirements.

Chapter 17 Lessons Learned (Dixon, Gullo, and Raheja)

A lesson learned is the study of similar types of data and knowledge discovered from past events to prevent future traumatic recurrences or enable great successes. This chapter focuses on the importance of using lessons learned to prevent future accidents. It discusses the importance of capturing lessons learned and how to analyze failures to learn from them. We also discuss the importance of learning from successes and near‐misses. Throughout this chapter pertinent examples are provided along with analysis of why lessons learned are so important. We also cover the process of continuous improvement.

Chapter 18 Special Topics on System Safety (Gullo and Dixon)

This final chapter delves into several special topics and applications to consider in relation to the future of system safety. There is no better industry marketplace to address the future of system safety features than the commercial aviation and automobile industries. We examine the historical and current safety data of both industries to see what it tells us about the historical trends and the future probabilities of fatal accidents. We explore the safety design benefits from commercial air travel that could be leveraged by automobile manufacturers and developers of new ground transportation systems. This chapter also discusses future improvements in commercial space travel.