3/30/2016

eEdition Journal of System Safety

Volume 42, No. 3, May/June 2006

Clif's Notes
A Short History of System Safety
by Clifton A. Ericson II

From the beginning of mankind, safety seems to have been an inherent human genetic element or force. The Babylonian Code of Hammurabi states that if a house falls on its occupants and kills them, then the builder shall be put to death. The Bible established a set of rules for eating certain foods, primarily because these foods were not always safe to eat, given the sanitary conditions of the day. In 1943, the famous psychologist Abraham Maslow proposed a five-level hierarchy of basic human needs, and safety was number two on his list.

System safety is a specialized extension of our drive for safety. The system safety concept was not the invention of any one person; rather, it was a call from the engineering community, contractors and the military to design and build safer systems and equipment by applying a formal proactive approach. This new safety philosophy involved using safety engineering technology, combined with lessons learned. It was an outgrowth of the general dissatisfaction with the fly-fix-fly approach to design (i.e., fix safety problems after a mishap has occurred) prevalent at that time. System safety as we know it today began as a grassroots movement that was introduced in the 1940s, gained momentum during the 1950s, became established in the 1960s and formalized its place in the acquisition process during the 1970s.

The first formal presentation of system safety that I have been able to identify was by Amos L. Wood at the 14th Annual Meeting of the Institute of Aeronautical Sciences (IAS) in New York in January of 1946. In a paper titled, "The Organization of an Aircraft Manufacturer's Air Safety Program," Wood emphasized such new and revolutionary concepts as:

Continuous focus on safety in design
Advance and post-accident analysis
Safety education
Accident preventive design to minimize personnel errors
Statistical control of post-accident analysis

Wood's paper was referenced in another landmark safety paper by William I. Stieglitz titled, "Engineering for Safety," presented in September of 1946 at a special meeting of the IAS and finally printed in the IAS Aeronautical Engineering Review in February of 1948. Stieglitz's far-sighted views on system safety are evidenced by the following quotations from his paper:

"Safety must be designed and built into airplanes, just as are performance, stability, and structural integrity. A safety group must be just as important a part of a manufacturer's organization as a stress, aerodynamics, or a weights group...."

"Safety is a specialized subject just as are aerodynamics and structures. Every engineer cannot be expected to be thoroughly familiar with all developments in the field of safety any more than he can be expected to be an expert aerodynamicist."

"The evaluation of safety work in positive terms is extremely difficult. When an accident does not occur, it is impossible to prove that some particular design feature prevented it."

http://www.system-safety.org/ejss/past/novdec2006ejss/clifs.php

The need for system safety was often motivated by the analysis and recommendations resulting from accident investigations. For example, on May 22, 1958, the Army experienced a major accident at a NIKE AJAX air defense site near Middletown, New Jersey, that resulted in extensive property damage and loss of lives of Army personnel. The review committee recommended that safety control through independent reviews and a balanced technical check be established, and that an authoritative safety organization be established to review missile weapon systems design. Based on these recommendations, a formal system safety organization was established at Redstone Arsenal in July of 1960, and AR 385-15, "System Safety," was published in 1963. The USS Oriskany explosives mishap on October 26, 1966, and the USS Forrestal explosives mishap on July 29, 1967, motivated new safety programs and concepts for Navy weapon systems. The Apollo 1 fire on January 27, 1967, initiated new system safety practices within NASA.

The Air Force was an early leader in the development of system safety. In 1950, the USAF Directorate of Flight Safety Research (DFSR) was formed at Norton Air Force Base in California. It was followed by the establishment of safety centers for the Navy in 1955 and the Army in 1957. In 1954, the DFSR began sponsoring Air Force-industry conferences to address safety issues of various aircraft subsystems by technical and safety specialists. In 1958, the first quantitative system safety analysis effort was undertaken on the Dyna-Soar X-20 manned space glider.

The early 1960s saw many new developments in system safety. In July of 1960, a system safety office was established at the USAF Ballistic Missile Division (BMD) in Inglewood, California. BMD facilitated both the pace and direction of system safety efforts when it published, in April of 1962, the first system-wide safety specification titled, BSD Exhibit 62-41, "System Safety Engineering: Military Specification for the Development of Air Force Ballistic Missiles." The Naval Aviation Safety Center was among the first to become active in promoting an inter-service system safety specification for aircraft, BSD Exhibit 62-82, modeled after BSD Exhibit 62-41. In the fall of 1962, the Minuteman program director, in another system safety first, identified system safety as a contract deliverable item in accordance with BSD Exhibit 62-82.

The first formal system safety program plan (SSPP) for an active program was developed by the Boeing Company in December of 1960 for the Minuteman program. The first military specification for safety design requirements, MIL-S-23069, "Safety Requirements, Minimum, Air Launched Guided Missiles," was issued by the Bureau of Naval Weapons on October 31, 1961.

In 1963, the Aerospace System Safety Society (now the international System Safety Society) was founded in the Los Angeles area. In 1964, the University of Southern California's Aerospace Safety Division began a Master's degree program in Aerospace Operations Management, from which specific system safety graduate courses were developed. In 1965, the University of Washington and the Boeing Company jointly held the first official System Safety Conference in Seattle, Washington. By this time, system safety had become fully recognized and institutionalized.

Presently, the primary reference for system safety is MIL-STD-882, which was developed for DoD systems. It evolved from BSD Exhibit 62-41 and MIL-S-38130. BSD Exhibit 62-41 was initially published in April of 1962 and again in October of 1962; it first introduced the basic principles of safety, but was narrow in scope. The document applied only to ballistic missile systems, and its procedures were limited to the conceptual and development phases "from initial design to and including installation or assembly and checkout." However, for the most part, BSD Exhibit 62-41 was very thorough. It defined requirements for systematic analysis and classification of hazards, as well as the design safety precedence used today. In addition to engineering requirements, BSD Exhibit 62-41 also identified the importance of management techniques to control the system safety effort. The use of a system safety engineering plan and the concept that managerial and technical procedures used by the contractor were subject to approval by the procuring authority were two key elements in defining these management techniques.

In September of 1963, the USAF released MIL-S-38130. This specification broadened the scope of our system safety effort to include "aeronautical, missile, space, and electronic systems." This increase of applicable systems and the concept's growth to a formal military specification (Mil-Spec) were important elements in the growth of system safety during this phase of evolution. Additionally, MIL-S-38130 refined the definitions of hazard analysis. These refinements included system safety analyses: system integration safety analyses, system failure mode analyses and operational safety analyses. These analyses still resulted in the same classification of hazards, but the procuring activity was given specific direction to address catastrophic and critical hazards.

In June of 1966, MIL-S-38130 was revised. Revision A to the specification once again expanded the scope of the system safety program by adding a system modernization and retrofit phase to the conceptual phase definition. This revision further refined the objectives of a system safety program by introducing the concept of "maximum safety consistent with operational requirements." On the engineering side, MIL-S-38130A also added another safety analysis: the Gross Hazard Study (now known as the Preliminary Hazard Analysis). This comprehensive qualitative hazard analysis was an attempt to focus attention on safety requirements early in the concept phase and was a break from other mathematical precedence. But changes were not just limited to introducing new analyses; the scope of existing analyses was expanded as well. One example of this was the operating safety analyses, which would now also include system transportation and logistics support requirements.

The engineering changes in this revision weren't the only significant changes. Management considerations were highlighted by emphasizing management's responsibility to define the functional relationships and lines of authority required to "assure optimum safety and to preclude the degradation of inherent safety." This was the beginning of a clear focus on management control of the system safety program.

MIL-S-38130A served the USAF well, allowing the Minuteman program to continue to prove the worth of the system safety concept. By August of 1967, a tri-service review of MIL-S-38130A began

to propose a new standard that would clarify and formalize the existing specification, as well as provide additional guidance to industry. By changing the specification to a standard, there would be increased program emphasis and accountability, resulting in improved industry response to system safety program requirements. Specific objectives of this rewrite included obtaining a system safety engineering plan early in the contract definition phase, and maintaining a comprehensive hazard analysis throughout the system's life cycle.

In July of 1969, MIL-STD-882 was published; it was titled, "System Safety Program for Systems and Associated Subsystems and Equipment: Requirements For." This landmark document continued the emphasis on management, and continued to expand the scope of system safety that would apply to all military services in the DoD. The full life cycle approach to system safety was also introduced at this time. The expansion in scope required a reworking of the system safety requirements. The result was a phase-oriented program that tied safety program requirements to the various phases consistent with program development. This approach to program requirements was a marked contrast to earlier guidance, and the detail provided to the contractor was greatly expanded. Since MIL-STD-882 applied even to small programs, the concept of tailoring was introduced and allowed the procuring authority some latitude in relieving some of the burden of the increased number and scope of hazard analyses. Since its advent, MIL-STD-882 has been the primary reference document for system safety.

The basic version of MIL-STD-882 lasted until June of 1977, when MIL-STD-882A was released. The major contribution of MIL-STD-882A centered on the concept of risk acceptance as a criterion for system safety programs. This evolution required introduction of hazard probability and established categories for frequency of occurrence to accommodate the long-standing hazard severity categories. In addition to these engineering developments, the management side was also affected. The responsibilities of the managing activity became more specific as more emphasis was placed on contract definition.

In March of 1984, MIL-STD-882B was published, and it contained a major reorganization of the A version. Again, the evolution of detailed guidance in both engineering and management requirements was evident. The task of sorting through these requirements was becoming complex, and more discussion on tailoring and risk acceptance was expanded. More emphasis on facilities and off-the-shelf acquisition was added, and software was addressed in some detail for the first time. The addition of Notice 1 to MIL-STD-882B in July of 1987 expanded software tasks and the scope of the treatment of software by system safety.

In January of 1993, MIL-STD-882C was published. Its major change was to integrate the hardware and software system safety efforts. The individual software tasks were removed, so that a safety analysis would include identifying the hardware and software tasks together in a system. In January of 1996, Notice 1 was published to correct some errors and to revise the Data Item Descriptions for more universal usage.

In the mid-1990s, the DoD acquisition reform movement began, along with the Military Specifications and Standards Reform (MSSR) initiative. These two movements led to the creation of a standard practice for system safety in MIL-STD-882D, released in February of 2000. Under acquisition reform, program managers are to specify system performance requirements and leave the specific design details up to the contractor. In addition, the use of military specifications and standards will be kept to a minimum. Only performance-oriented military documents are permitted. Other documents, such as commercial item descriptions and industry standards, are to be used for program details. MIL-STD-882 was considered to be important enough that it was allowed to continue, as long as it was converted to a performance-oriented military standard. Until MIL-STD-882D was published, the DoD standardization community continued to allow the use of MIL-STD-882C, but a Department of the Navy (DON) waiver allowed its use by DON program managers. Conversely, a contractor could freely use the standard without any waivers. Once MIL-STD-882D was published as a DoD Standard Practice in February of 2000, its use did not require any waivers.

Fault Tree Analysis History

In 1961, H. A. Watson and A. B. Mearns of Bell Laboratories conceived the Fault Tree Analysis (FTA) concept while performing a safety study of the Minuteman Launch Control System for the U.S. Air Force. The purpose of their study was to demonstrate a safe launch control system design; however, it evolved into a methodology for accomplishing this objective. Dave Haasl, then at the Boeing Company on the Minuteman program, recognized the value of FTA as an overall system safety tool; he led a team that applied FTA to the entire Minuteman Missile System. The Minuteman program used FTA to evaluate such undesired events as inadvertent programmed launch and inadvertent motor ignition to quantitatively demonstrate that the design provided acceptable risk levels for these potential mishaps.

The commercial aircraft division of Boeing saw the results from the Minuteman program and quickly began using FTA during the design of commercial aircraft. In 1965, Boeing and the University of Washington sponsored the first System Safety Conference. At this conference, the first ever papers were presented on FTA, marking the beginning of worldwide interest in the subject.

In 1966, Boeing developed a computer fault tree simulation program called BACSIM (Boeing Aerospace Corporation Simulation) for the evaluation of multi-phase fault trees. BACSIM could handle up to 12 operational phases, and included the capability for repair and K-factor adjustment of failure rates. The BACSIM code was developed by Bob Schroeder and Phyllis Nagel of Boeing. Bob Schroeder also developed a computer code that plotted fault trees on a Calcomp 26-inch-wide roll plotter. Both programs ran on an IBM 370 mainframe. These were specialized Boeing in-house programs, which few people were aware of outside the company.

Following the lead of the aerospace industry, the nuclear power industry discovered the virtues and benefits of FTA, and began using the tool in the design and development of nuclear power plants. Many key individuals in the nuclear power industry contributed to advancing fault tree theory and fault tree algorithms and computer codes. In fact, the nuclear power industry may have contributed more to the development of FTA than any other user group. Many new evaluation algorithms were developed, along with software implementing these algorithms, such as MOCUS, Prepp/Kitt, SETS, FTAP, Importance and COMCAN.

FTA has also been applied to the chemical process industry, the auto industry, rail transportation, launch vehicles and spacecraft, the aerospace industry and the robotics industry, just to name a few. There are probably many other industries and disciplines using FTA that have not been mentioned here. One of the more recent important events in the FTA methodology has been the development of commercial fault tree construction and evaluation software that operates on personal desktop computers. This has provided great flexibility and utility for the safety analyst.
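The two things the fault tree codes named above actually compute are the minimal cut sets (the smallest combinations of basic events that cause the top event, which is what a MOCUS-style top-down expansion produces) and, for the quantitative use the Minuteman program made of FTA, the top event probability derived from the basic event probabilities. The following is an added illustration and is not code from this column, from BACSIM, or from any of the nuclear-industry codes listed; the tree, the gate structure, the event names E1 to E4 and their probabilities are all constructed for the example, and one branch is deliberately non-minimal to show the superset removal step.

```python
"""Added example: evaluating a small constructed fault tree.

Computes minimal cut sets by top-down gate expansion and the top-event
probability from independent basic-event probabilities.  Tree, event
names and numbers are constructed for this illustration only.
"""
from itertools import combinations
from math import prod

# Gates map a node name to (gate type, children); any name not in the
# dict is a basic event.  Constructed tree for an "inadvertent ignition"
# style top event with hypothetical basic events E1..E4.
TREE = {
    "TOP": ("OR", ["G1", "G2", "G3"]),
    "G1": ("AND", ["E1", "E2"]),        # command present AND interlock failed
    "G2": ("AND", ["E3", "G4"]),        # power fault AND (E1 OR E4)
    "G3": ("AND", ["E1", "E2", "E4"]),  # deliberately non-minimal: superset of G1
    "G4": ("OR", ["E1", "E4"]),
}
# Constructed per-demand probabilities for the basic events.
PROB = {"E1": 1e-3, "E2": 1e-2, "E3": 5e-4, "E4": 2e-3}


def cut_sets(tree, node):
    """All cut sets of `node` (not yet minimal), as frozensets of events.
    OR gate: union of the children's cut-set lists.
    AND gate: every combination of one cut set from each child, merged."""
    if node not in tree:
        return [frozenset([node])]
    gate, children = tree[node]
    child_lists = [cut_sets(tree, c) for c in children]
    if gate == "OR":
        return [cs for lst in child_lists for cs in lst]
    if gate == "AND":
        result = [frozenset()]
        for lst in child_lists:
            result = [acc | cs for acc in result for cs in lst]
        return result
    raise ValueError(f"unknown gate type {gate!r}")


def minimal_cut_sets(tree, top="TOP"):
    """Drop any cut set that strictly contains another; what remains are
    the minimal cut sets, sorted by size then name for stable output."""
    all_sets = set(cut_sets(tree, top))
    return sorted(
        (cs for cs in all_sets if not any(other < cs for other in all_sets)),
        key=lambda cs: (len(cs), sorted(cs)),
    )


def rare_event_bound(mcs, prob):
    """Sum of the cut-set probabilities: the usual upper bound on P(top)."""
    return sum(prod(prob[e] for e in cs) for cs in mcs)


def top_probability(mcs, prob):
    """Exact P(top) = P(at least one minimal cut set occurs), by
    inclusion-exclusion, assuming the basic events are independent."""
    total = 0.0
    for k in range(1, len(mcs) + 1):
        sign = 1.0 if k % 2 == 1 else -1.0
        for combo in combinations(mcs, k):
            events = frozenset().union(*combo)
            total += sign * prod(prob[e] for e in events)
    return total


if __name__ == "__main__":
    mcs = minimal_cut_sets(TREE)
    for cs in mcs:
        print("minimal cut set:", sorted(cs))
    print("rare-event bound:", rare_event_bound(mcs, PROB))
    print("exact top-event probability:", top_probability(mcs, PROB))
```

For this tree the expansion yields four cut sets, of which {E1, E2, E4} is discarded because it contains {E1, E2}; the three minimal cut sets are {E1, E2}, {E1, E3} and {E3, E4}. The rare-event bound is 1.15e-5 and the exact inclusion-exclusion value is slightly lower, which is the direction the bound should always err in. Inclusion-exclusion is exponential in the number of cut sets, so production codes use it only for small trees and fall back to bounds or binary decision diagrams otherwise.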
Software Safety History

The software safety aspect of system safety began in the early 1970s. In 1974, I performed my first software safety analysis at Boeing on the B-1A Offensive Avionics (Weapon) System. The analysis was a Contract Data Requirement List item contracted for by the Air Force.

The earliest citations I have located for anything resembling software safety include the following:

1. "The Role of System Safety in Software," R. T. LeBon & T. L. Fagan, AIAA Aerospace Computer Systems Conference, September 1969, pages 1-5.
2. "Hazard Analysis for Software Systems," O. C. Lindsey, Third International System Safety Conference, October 1977, pages 907-918.

The first formal technical papers on software safety were presented at the Fifth International System Safety Conference in 1981. It was at this point that software safety became an officially recognized term relating to the discipline and the methodology. The software safety papers at this conference included:

1. "Software System Safety," E. S. Dean Jr., Fifth International System Safety Conference, July 1981, pages A1-A8.
2. "Software and System Safety," C. A. Ericson II, Fifth International System Safety Conference, July 1981, pages B1-B11.
3. "A Method of Software Safety Analysis," J. G. Grigg II, Fifth International System Safety Conference, July 1981, pages D1-D18.
4. "Software Safety from a Software Viewpoint," N. G. Leveson, Fifth International System Safety Conference, July 1981, pages E1-E20.

Since 1981, software safety has become a burgeoning field, replete with a multitude of technical papers, articles, guidance documents and books on the subject. Dr. Nancy Leveson later became a subject matter expert on software safety, and her research while at the University of Washington helped promulgate the software safety concept through the many well-articulated technical articles she produced.

Much of this historical background was combined from information obtained from the following sources:

1. Air Force System Safety Handbook, 2000.
2. MIL-HDBK-764, System Safety Engineering Design Guide for Army Materiel, 1990.
3. NAVSEA SW020-AH-SAF-010, Weapon System Safety Guidelines Handbook, 2005.
4. NAVORD OD 44942, Weapon System Safety Guidelines Handbook, 1973.
5. "Fault Tree Analysis - A History," by Clifton A. Ericson II, Proceedings of the 17th International System Safety Conference, 1999, pages 87-96.

Please send me your comments and let me know if you agree or disagree with this historical background. There is probably much important history that can be added to the knowledge presented here.

Regards,
Clif
cliftonericson@cs.com

Copyright 2006 by Clifton A. Ericson II. All rights reserved.

Copyright 2006 by the System Safety Society. All rights reserved. The double sigma logo is a trademark of the System Safety Society. Other corporate or trade names may be trademarks or registered trademarks of their respective holders.
