390 likes | 612 Views
Surety Science and Engineering Expo and Methodology for Developing New Surety Programs Pace VanDevender Sandia Surety Leadership Team Sandia National Laboratories. Surety Science and Engineering. Provides: Reliability in normal circumstances Safety in abnormal environments
E N D
Surety Science and Engineering Expo and Methodologyfor Developing New Surety ProgramsPace VanDevenderSandia Surety Leadership TeamSandia National Laboratories
Surety Science and Engineering Provides: • Reliability in normal circumstances • Safety in abnormal environments • Security and Use Control in malevolent circumstances
We need fundamental insights to guide the solution of surety problems. Mechanical Design Screw, Inclined Plane, Lever, Pulley, etc. Physics Mass, Distance, Velocity, Acceleration, Momentum, Force, Energy Surety Science & Engineering 4 Levels 8 Approaches
Complex enterprises have Degrees of Aggregation. Judgment on the next best target for improving the overall surety The higher the degree of aggregation, the greater the intrinsic ambiguity and lower the level of intrinsic surety. Defense Establishment Services Weapon Platforms Weapon Systems Subsystems Components The methodology is appropriate to each degree of aggregation of complex enterprises.
Surety comes in four levels. I. Working Sufficiently as Expected and Buying Insurance to Cover Upsets II. Surety by Proactive Human Intervention III. Surety by Positive Measures from Science and Engineering IV. Surety from Laws of Nature and Mathematics The next right level for a particular application depends on the cost and benefit of improvement.
Eight approaches for improving surety support the four levels of surety.
Level I. Working Sufficiently as Expected and Buying Insurance to Cover the Upsets • System designed for reliable operation • No special consideration of off-normal conditions • Insure against most upsets • Reactive response to mitigate consequences • Rely upon foresight to ensure surety • Most industrial applications • Highway safety • Reliability of consumer products • Home and school safety and security
INSURANCE WARRANTIES Level I: Surety by everything working sufficiently as intended Approach 1. Reliance on foresight of designers and good practices of people. • Design and manufacturing of most consumer products • Nuclear Nonproliferation in India and Pakistan (mistake at Level I)
Indicate the degree to which Recommendations 1 and 2 illustrate the approach in the title. • Anonymous electronic polling • Recommendation 1 • 1 Very Little • 2 Little • 3 Moderate • 4 Much • 5 Very Much Stylus SHARE On Send
Corrective Action Lessons Learned Investigations Response Teams Level I: Surety by everything working sufficiently as intended Approach 2. Mitigation after the fact by coordinated emergency response and correcting what went wrong. To what degree are these based on Approach 2? Rec. 1. Investigations of airline and nuclear reactor incidents and accidents and retrofit of units or systems to correct faults. Rec. 2. School security Approach 1. Reliance on foresight of designers and good practices of people.
Corrective Action Lessons Learned Investigations Response Teams Level I: Surety by everything working sufficiently as intended Approach 2. Mitigation after the fact by coordinated emergency response and correcting what went wrong. To what degree are these based on Approach 2? Rec. 1. Investigations of airline and nuclear reactor incidents and accidents and retrofit of units or systems to correct faults. Rec. 2. School security Approach 1. Reliance on foresight of designers and good practices of people.
Level II. Surety by Proactive Human Intervention • System designed with human actions to help ensure surety • A plan in place relying upon human actions to control the environment for the operation, to perform the operation reliably, and to respond in case of emergency • Most aircraft safety • Most military operations
Attributes can identify current Level II surety. • Organizational culture – attitudes of the organization and workforce • Oversight – review of design and operations • Performance – personnel skills, knowledge, and experience • Operational controls – procedures and other measures used by personnel in performing operations • Environmental controls – human initiated controls implemented to control the environment under which the operation is performed • Emergency response – personnel response to emergency situations
Varying manifestations of Level II attributes define three sublevels.
Predictive Understanding Systemic Analysis Training & Simulations Computer Simulation Validated Data Bases Level II: Surety by proactive human intervention Approach 3. Surety is maintained by proper operations with thorough science-based understanding, independent assessment, and continuous improvement. Rec. 1. Design-deploy-fix debugging of software Rec. 2. Continual simulator training and flight requalification of airline pilots To what degree are these based on Approach 3? Approach 2. Mitigation after the fact by coordinated emergency response and correcting what went wrong.
Predictive Understanding Systemic Analysis Training & Simulations Computer Simulation Validated Data Bases Level II: Surety by proactive human intervention Approach 3. Surety is maintained by proper operations with thorough science-based understanding, independent assessment, and continuous improvement. Rec. 1. Design-deploy-fix debugging of software Rec. 2. Continual simulator training and flight requalification of airline pilots To what degree are these based on Approach 3? Approach 2. Mitigation after the fact by coordinated emergency response and correcting what went wrong.
Prevention Diagnostics Control Systems Preventive Action Person-in-the-Loop Level II: Surety by proactive human intervention Approach 4. Administrative controls reduce the probability of deleterious environment occurring. To what degree are these based on Approach 4? Rec. 1. Humans diagnosing and disarming terrorist bombs. Rec. 2. X-ray and metal screening at airports Approach 3. Surety is maintained by proper operations with thorough science-based understanding, independent assessment, and continuous improvement.
Prevention Diagnostics Control Systems Preventive Action Person-in-the-Loop Level II: Surety by proactive human intervention Approach 4. Administrative controls reduce the probability of deleterious environment occurring. To what degree are these based on Approach 4? Rec. 1. Humans diagnosing and disarming terrorist bombs. Rec. 2. X-ray and metal screening at airports Approach 3. Surety is maintained by proper operations with thorough science-based understanding, independent assessment, and continuous improvement.
Level II often has problems. Process-response times too long. People make errors.
Level III. Surety by Positive Measures from Science and Engineering • Engineering and scientific measures in place to control the environment for the operation, to ensure reliable performance, and to respond in case of emergency • Nuclear Reactors • Ballistic Missile Defense • Self-healing Telecommunication Routers • Nuclear Weapons without modern safety features
Attributes can identify Level III surety. • Predictability – degree of assured performance given implementation of engineered and scientific measures • Range of effectiveness – range of situations over which given measures are effective • Theme and reliance on principles – development of a surety theme and the principles upon which the theme rests • Design implementation – implementation of scientific and engineered measures into the theme • Environmental controls – scientific and engineered measures to ensure control of the operational environment • Emergency response – technology and its availability to support emergency response.
Varying manifestations of Level III attributes define three sublevels.
Prevention Diagnostics Control Systems Preventive Action Automated Autonomous Level III: Surety by positive measures of science and engineering Approach 4.5 Engineered controls reduce the probability of deleterious environment occurring. To what degree are these based on Approach 4.5? Rec. 1. Automated autonomous controls of the electric power grid Rec. 2. Human Controlled operation of the electric power grid Approach 4. Administrative controls reduce the probability of deleterious environment occurring.
Prevention Diagnostics Control Systems Preventive Action Automated Autonomous Level III: Surety by positive measures of science and engineering Approach 4.5 Engineered controls reduce the probability of deleterious environment occurring. To what degree are these based on Approach 4.5? Rec. 1. Automated autonomous controls of the electric power grid Rec. 2. Human Controlled operation of the electric power grid Approach 4. Administrative controls reduce the probability of deleterious environment occurring.
90% Loading to Failure Level III: Surety by positive measures of science and engineering Approach 5. All relevant positive measures are necessary for success. To what degree are these based on Approach 5? Rec. 1. Automated breathalyzer and alcohol blood monitors that enable someone to start a car Rec. 2. One intercept in a ballistic missile defense Approach 4.5 Engineered controls reduce the probability of deleterious environment occurring.
90% Loading to Failure Level III: Surety by positive measures of science and engineering Approach 5. All relevant positive measures are necessary for success. To what degree are these based on Approach 5? Rec. 1. Automated breathalyzer and alcohol blood monitors that enable someone to start a car Rec. 2. One intercept in a ballistic missile defense Approach 4.5 Engineered controls reduce the probability of deleterious environment occurring.
1 2 3 4 Mission Success Level III: Surety by positive measures of science and engineering Approach 6. Only one of many positive measures is necessary for success. Rec. 1. Gas, air, compression, and spark in internal combustion engine Rec. 2. Multi-tier ballistic missile defense To what degree are these based on Approach 6? Approach 5. Predictable independent parallel positive measures--all must succeed.
1 2 3 4 Mission Success Level III: Surety by positive measures of science and engineering Approach 6. Only one of many positive measures is necessary for success. Rec. 1. Gas, air, compression, and spark in internal combustion engine Rec. 2. Multi-tier ballistic missile defense To what degree are these based on Approach 6? Approach 5. All positive measures are necessary for success.
Mission Success START Level III: Surety by positive measures of science and engineering Approach 6. Only one of many positive measures is necessary for success. Another type of Approach 6 • Internet Connectivity • Coolant and Loss-of-Coolant systems in nuclear reactors
Comparator Predictable Interventions Input Output Level III: Surety by positive measures of science and engineering Approach 7. Predictable cumulative/comparative/adaptive positive measures. To what degree are these based on Approach 7? Rec. 1. Space shuttle computers voting to assure 2 of the 3 give same answer before acting. Rec. 2. Redundant components for reliability Approach 6. Only one of many positive measures is necessary for success.
Comparator Predictable Interventions Input Output Level III: Surety by positive measures of science and engineering Approach 7. Predictable cumulative/comparative/adaptive positive measures. To what degree are these based on Approach 7? Rec. 1. Space shuttle computers voting to assure 2 of the 3 give same answer before acting. Rec. 2. Redundant components for reliability Approach 6. Only one of many positive measures is necessary for success.
Level III can have problems. Designs age or are flawed, software has bugs, hardware fails, and sequences unfold in unexpected and escalating ways.
Level IV. Surety from Laws on Nature and Mathematics • Relying--to the extent possible--only on the laws of nature and mathematics to provide predictable, sure performance • The long term goal of surety science and engineering. • Flawless foresight difficult to achieve • Sublevels from First Deployment to ideal of Absolute Surety • Periodic “clean-sheet” surety assessments performed to uncover any new vulnerabilities.
Attributes identify Level IV surety. • Reliance upon laws of nature and mathematics • Principles-based design to approach physical impossibility of undesired consequences • Continuous assessment to strive for absolute surety • to identify and respond to changes in the system or challenges to surety • to ensure design principles are maintained over the life of the system • to broaden understanding of performance of the system over the entire range of circumstances that may be present • to obtain utmost confidence and predictability in system surety
Precluded High Consequences Chemistry Physics Permitted Operations Material Science Level IV: Surety by laws of nature and mathematics Approach 8. Rely as much as possible upon laws of nature to approach physical impossibility of high consequences. Rec. 1. Anti-lock brakes Rec. 2. Hang glider air foil that becomes a parachute instead of stalling To what degree are these based on Approach 8? Approach 7. Predictable cumulative/comparative/adaptive positive measures.
Precluded High Consequences Chemistry Physics Permitted Operations Material Science Level IV: Surety by laws of nature and mathematics Approach 8. Rely as much as possible upon laws of nature to approach physical impossibility of high consequences. Rec. 1. Anti-lock brakes Rec. 2. Hang glider air foil that becomes a parachute instead of stalling To what degree are these based on Approach 8? Approach 7. Predictable cumulative/comparative/adaptive positive measures.
Contributing Solutions to Many National Challenges 4 Levels of Surety and 8 Fundamental Approaches for Improving 19 Best Practices in Reliability, Safety, and Security & Use Control We are going beyond our best practices to create Surety Science and Engineering. Surety Methodology
Summary of Levels and Approaches Surety by Everything Working Sufficiently as Intended I:1. Foresight and good practices I:2. Mitigation after the fact and correcting what went wrong Surety by Proactive Human Intervention II:3. Proper operations with thorough understanding, independent assessment, and continuous improvement II:4. Administrative control reduces the probability of occurrence Surety by Positive Measures from Science and Engineering III:4.5 Engineered controls reduce the probability of occurrence III:5. Predictable parallel positive measures--all must succeed III:6. Predictable independent serial positive measures--one must succeed III:7. Predictable cumulative/comparative/adaptive positive measures Surety from Laws on Nature and Mathematics IV:8. Undesirable consequences are physically impossible.