Modeling the Propagation of Failures in Software Driven Hardware Systems to Enable Risk-Informed Design

Software-driven hardware configurations account for the majority of modern complex systems. The often costly failures of such systems can be attributed to software specific, hardware specific, or software/hardware interaction failures. The understanding of the propagation of failures in a complex system is critical because, while a software component may not fail in terms of loss of function, a software operational state can cause an associated hardware failure. The least expensive phase of the product life cycle to address failures is during the design stage. This results in a need to evaluate how a combined software/hardware system behaves and how failures propagate from a design stage analysis framework. Historical approaches to modeling the reliability of these systems have analyzed the software and hardware components separately. As a result significant work has been done to model and analyze the reliability of either component individually. Research into interfacing failures between hardware and software has been largely on the software side in modeling the behavior of software operating on failed hardware. This paper proposes the use of high-level system modeling approaches to model failure propagation in combined software/hardware system. Specifically, this paper presents the use of the Function-Failure Identification and Propagation (FFIP) framework for system level analysis. This framework is applied to evaluate nonlinear failure propagation within the Reaction Control System Jet Selection of the NASA space shuttle, specifically, for the redundancy management system. The redundancy management software is a subset of the larger data processing software and is involved in jet selection, warning systems, and pilot control. The software component that monitors for leaks does so by evaluating temperature data from the fuel and oxidizer injectors and flags a jet as having a failure by leak if the temperature data is out of bounds for three or more cycles. The end goal is to identify the most likely and highest cost paths for fault propagation in a complex system as an effective way to enhance the reliability of a system. Through the defining of functional failure propagation modes and path evaluation, a complex system designer can evaluate the effectiveness of system monitors and comparing design configurations.

Visibility Analysis of Vehicles and Mobile Equipment: A Design and Forensic Method

Trucks, cars, buses, trains and construction machinery often come into contact with people and objects. An issue that naturally arises during the vehicle design phase or after a vehicle accident is the available visibility from the operator’s station. A method is needed that allows acquisition of data that can be translated into a format understood by both technical and non-technical users.

Validity of Assessment Procedure in p-M Method for Multiple Volumetric Flaws

General components such as pressure vessels, piping, storage tanks and so on are designed in accordance with the construction codes based on the assumption that there are no flaws in such components. There are, however, numerous instances in which in-service single or multiple volumetric flaws (local thin areas; volumetric flaws) are found in the equipment concerned. Therefore, it is necessary to establish a Fitness for Service (FFS) rule, which is capable of judging these flaws. The procedure for a single flaw or multiple flaws has recently been proposed by Konosu for assessing the flaws in the p–M (pressure-moment) Diagram, which is an easy way to visualize the status of the component with flaws simultaneously subjected to internal pressure, p and external bending moment, M due to earthquake, etc. If the assessment point (Mr, pr) lies inside the p–M line, the component with flaws is judged to be safe. In this paper, numerous experiments and FEAs for a cylinder with external multiple volumetric flaws were conducted under (1) pure internal pressure, (2) pure external bending moment, and (3) subjected simultaneously to both internal pressure and external bending moment, in order to determine the plastic collapse load at volumetric flaws by applying the twice-elastic slope (TES) as recommended by ASME. It has been clarified that the collapse (TES) loads are much the same as those calculated under the proposed p–M line based on the measured yield stress.

Heavy Truck and Bus Brake Testing: The Development and Use of a Forensic Tool

After an accident it is often necessary to check the brake push rod stroke adjustment and pneumatic integrity of the brake system of a truck or bus. In many instances, due to the traumatic accident damage, the brake system may not be able to be tested/checked by the conventional means. Test methods used at the scene of an accident may compromise or influence the brake stroke adjustment levels. A tool has been developed which eliminates these issues. This tool, when used to test air brakes (push-rod stroke) on a heavy truck or bus, will eliminate the common problems and difficulties that occur during brake stroke adjustment testing in a post-accident situation. • Checking brake push rod stroke with improper air pressure levels; • System leaks creating measurement inaccuracies; • Parking brake release issues; • System interruption due to traumatic accident damage. By using this tool an engineer can determine the brake push rod stroke adjustment level or diagnose a system failure in an efficient and nondestructive manner, by minimizing the alteration of post-accident conditions.

Calculating Outcrossing Rates Used in Decision Support Systems for Ships

Onboard decision support systems (DSS) are used to increase the operational safety of ships. Ideally, DSS can estimate — in the statistical sense — future ship responses on a time scale of the order of 1–3 hours taking into account speed and course changes. The calculations depend on both operational and environmental parameters that are known only in the statistical sense. The present paper suggests a procedure to incorporate random variables and associated uncertainties in calculations of outcrossing rates, which are the basis for risk-based DSS. The procedure is based on parallel system analysis, and the paper derives and describes the main ideas. The concept is illustrated by an example, where the limit state of a non-linear ship response is considered. The results from the parallel system analysis are in agreement with corresponding Monte Carlo simulations. However, the computational speed of the parallel system analysis proved slower than expected. Moreover, it is important that the failure surface of the limit state is smooth, otherwise the parallel system analysis may not be applicable.

On the Effect of Roller Materials on the Power Window Mechanism From a Tribological Perspective

This study serves to delineate the effects of material on the lifespan of a polymeric roller rubbing against a steel wire. Four materials, namely nylon, polyester, borosilicate glass and epoxy are the manipulated variables in conducting a simulation with a steel wire. A block-on-ring machine was used to conduct the tribo-experiments under dry contact condition. In concurrence with average operating conditions, the machine was set to 0.15 m/s sliding velocity, at an applied load of 10 N. Worn surfaces of the polymer were subsequently studied under optical microscopy. Frictional and wear resistance results were presented versus time for a predetermined duration. There is a strong correlation between the wear resistance and material hardness but the contrary is found with elongation at break. Findings revealed better wear resistance in epoxy due to its higher hardness. The improvement attained with reference to nylon was approximately 68%. The optical images of worn surfaces which sustained scratches and grooves implied that the contact mechanism was that of abrasion.

Hazard Analysis and Risk Assessment for the Operators of Stand-Up Forklifts

Past studies have indicated that the greatest risk that a forklift operator faces is the hazard of an overturning forklift crushing the operator. This conclusion has been developed largely based on accident experience with sit-down forklifts. In contrast, this paper examines a data set of approximately 3,000 stand-up lift truck accidents (rather than sit-down forklifts) and finds that the operator of a stand-up lift truck is at greater risk of being involved in a collision with a stationary object than at risk for an accident involving the stability of the forklift. Greater than 50% of the approximately 3,000 accidents studied involved a collision between a stand-up forklift and a stationary object, resulting in approximately 700 serious injuries and 22 deaths of stand-up forklift operators. This paper will also identify the hazards associated with the use of stand-up lift trucks and the statistical likelihood of the hazard based on the approximately 3,000 accident data set.

A Methodology for Identifying Hardware States and Requirements to Ensure System Reliability and Success in Software-Hardware Systems

Software and hardware elements in software-driven complex systems are often designed independent from one another, and merged later. The problem with this design approach is that the requirements that involve hardware and software dependencies are not taken into consideration effectively, potentially causing the system to fail or be in an undesirable state. This research argues that, by considering software and hardware requirements together from the earliest design stages, a more reliable system will be designed by knowing the possible failure situations that may occur. In order to increase the reliability of the final system, this paper introduces a methodology to follow the software-hardware system as it completes a command and identifies the failure situations that may occur and the requirements needed to ensure successful completion of the command. The overall goal is to provide designers with an integrated design methodology to capture safety, reliability, and mission success related requirements in software-driven complex hardware systems. The benefits of the methodology are illustrated and the steps demonstrated using NASA’s K10 Rover as an example. The methodology is applied to the command of Move Rover, with the software and hardware interactions that may cause failures clearly identified in the model. Specifically, the hardware and software states that would allow for correct operation of the command are identified and clearly displayed on the model. The visual model and requirements that are developed can be used by the designers of the software to ensure mission success.

Deterministic Risk Methodology for Road Tunnels

The definition of the deterministic approach in safety analyses arises from the need to understand the conditions that emerge during a fire accident in a road tunnel. The key factor of the tunnel operations during the fire is the ventilation, which during the initial phases of the fire have a strong impact on the evacuation of people and later on the access of the intervention units in the tunnel. The paper presents the use of the CFD model in the tunnel safety assessment process. The set-up of the initial and boundary conditions and the requirement for grid density found from validation tests of an FDS (Fire Dynamics Simulator) is used to prepare three kinds of fire scenarios, 20MW, 50MW and 100MW, with different ventilation conditions; natural, semi transverse, transverse and longitudinal ventilation. The observed variables, soot density and temperature, are presented in minutes time steps through the entire tunnel length. Comparing the obtained data in a table allows the analyses of the ventilation conditions for different heat releases from fires. The second step is to add additional criteria of human behaviour inside the tunnel (evacuation) and human resistance to the elevated gas concentrations and temperature. What comes out is a fully deterministic risk matrix that is based on the calculated data where the risk is ranged on five levels, from the lowest to a very dangerous level. The deterministic risk matrix represents the alternative to a probabilistic safety assessment methodology, wherein the fire risk is represented in detail and the CFD (Computational Fluid Dynamics) model results are physically correct.

Jacket Elastic Drawstring Toggle Safety Analysis

This paper addresses the eye impact hazard associated with a jacket elastic drawstring toggle which temporarily catches on an object and then releases. Approaches utilized in this safety analysis include an accident statistics survey, literature review, risk-utility analysis, and evaluation of alternative jacket drawstring technology. A variety of drawstring design alternatives are explored for accident prevention while achieving jacket function and aesthetic goals.