the illusion of method challenges of model based safety
play

The Illusion of Method: Challenges of Model-Based Safety Assessment - PowerPoint PPT Presentation

Oct 28, 2023 •16 likes •196 views

The Illusion of Method: Challenges of Model-Based Safety Assessment Oleg Lisagor Linling Sun Tim Kelly Overview Why do we trust safety assessment? Why do we trust FTA? Can we trust current MBSA techniques on the same basis? What do we need

  1. The Illusion of Method: Challenges of Model-Based Safety Assessment Oleg Lisagor Linling Sun Tim Kelly

  2. Overview Why do we trust safety assessment? Why do we trust FTA? Can we trust current MBSA techniques on the same basis? What do we need to do to better justify adequacy of the models and assessment? Some “red herrings” in justification of the MBSA adequacy? Why MBSA techniques often focus on synthesis of Fault Trees and FMEA? ISSC 2010: The Illusion of Method - 2

  3. Safety Assessment as Hypothesis The result of any safety assessment is a hypothesis Regardless of the methods used How we think the system will behave under conditions of failure Cannot be fully “validated” or “proven” Can check for consistency with design models Can check for consistency with equipment test data (FMESs) Can check for consistency with experience with similar systems Can review and, sometimes, “test” Yet safety assessment is routinely trusted Why? ISSC 2010: The Illusion of Method - 3

  4. Making it Real: Fault Trees FTA is a structured methodology – not only notation! Ground Rules and Key Principles for Fault Tree construction “Primary-Secondary-Command” “Immediate and Necessary cause” Provide guidance and keywords Facilitate completeness of assessment FTA is a well-defined and well-publicised methodology Professional scrutiny Training and expertise Historical experience Strengths and limitations are known Standard errors and misconceptions are well-publicised Review of Fault Trees ISSC 2010: The Illusion of Method - 4

  5. Why is MBSA different? FTA is a structured methodology – not only notation! FTA is a well-defined and well-publicised methodology Historical experience Review of Fault Trees ISSC 2010: The Illusion of Method - 5

  6. Why is MBSA different? Methodologies are not well-defined Often focus on notation rather than safety engineering concepts Proliferation of idiosyncratic languages Many techniques – little information on how are they related There are currently three “purist” approaches to MBSA Focus on what to model rather than how to assess the system No public guidance Little historical evidence (understandably) What systems are inappropriate for the application of the technique? What are the “error inducing features”? Does it actually work? Can not justify any confidence “by construction” ISSC 2010: The Illusion of Method - 6

  7. MBSA: Model Review Component-wise review is inadequate Adequacy of component models is context dependent Context of component models is not obvious Unlike the context of intermediate events in FTs “Emergent behaviour” Not attributable to individual components Simulation can facilitate a model-wide review Exhaustive simulation is infeasible Need strategies for selecting “simulation cases” ISSC 2010: The Illusion of Method - 7

  8. MBSA: Adequacy Arguments Intuitive and/or Implicit approach to justifying confidence in the MBSA is not sustainable Too little experience to trust the “gut feeling” New challenges Too many risks Confidence must be explicitly justified Model adequacy argument Side-by-side with the system safety argument Incorporated into the overall safety case ISSC 2010: The Illusion of Method - 8

  9. MBSA: Adequacy Arguments ISSC 2010: The Illusion of Method - 9

  10. MBSA: Adequacy Arguments Top Level Argument Top Level Argument ConstructionArg Methodology Argument over Model-Based Safety adequacy of Assessment Methodology construction process {T}, that is [claimed to be] and methodology followed in construction of the Model {M} MethodologyAdequacy ProcessAdequacy The modelling Construction process for methodology is adequate model {M} was adequate MethodologyImplementation MethodologyDefinition MethodologyAppropriate Construction process for Model Methodology is robust and The methodology {T} is {M} has adhered to the appropriate for the type of adequately defined methodology {T} system and the type of safety analysis performed Competency ArchitectureElicitation ConceptsDefinition ArchitectureVerification HistoricalArg Safety engineers responsible for Key concepts of the The methodology for verification The methodology for model constructon have received methodology and their Argument over previous of adequacy and correctness of determining model architecture adequate training in modelling relationship are adequately application of the the model architecture is is adequately defined methodology defined methodology and similarity adequately defined of application context ComponentModelling The methodology for definition of (detailed) component models is adequately defined ISSC 2010: The Illusion of Method - 10

  11. MBSA: Adequacy Arguments ISSC 2010: The Illusion of Method - 11

  12. MBSA: Justification of Assumptions Currently the argument is weak Only weak evidence for some goals Doesn’t recognise the crucial role of modelling assumptions A challenge even for the traditional approaches More critical for MBSA Should cite, manage and justify Assumptions log Part of the adequacy argument in the safety case ISSC 2010: The Illusion of Method - 12

  13. MBSA: Adequacy Arguments Top Level Argument Top Level Argument ConstructionArg Methodology Argument over Model-Based Safety adequacy of Assessment Methodology construction process {T}, that is [claimed to be] and methodology followed in construction of the Model {M} MethodologyAdequacy ProcessAdequacy The modelling Construction process for methodology is adequate model {M} was adequate MethodologyImplementation MethodologyDefinition MethodologyAppropriate Construction process for Model Methodology is robust and The methodology {T} is {M} has adhered to the appropriate for the type of adequately defined methodology {T} system and the type of safety analysis performed Competency ArchitectureElicitation ConceptsDefinition ArchitectureVerification HistoricalArg Safety engineers responsible for Key concepts of the The methodology for verification The methodology for model constructon have received methodology and their Argument over previous of adequacy and correctness of determining model architecture adequate training in modelling relationship are adequately application of the the model architecture is is adequately defined methodology defined methodology and similarity adequately defined of application context ComponentModelling The methodology for definition of (detailed) component models is adequately defined ISSC 2010: The Illusion of Method - 13

  14. MBSA: Adequacy Arguments ISSC 2010: The Illusion of Method - 14

  15. MBSA: Justification of Assumptions Currently the argument is weak Only weak evidence for some goals Doesn’t recognise the crucial role of modelling assumptions A challenge even for the traditional approaches More critical for MBSA Should cite, manage and justify Assumptions log Part of the adequacy argument in the safety case ISSC 2010: The Illusion of Method - 15

  16. MBSA Adequacy Illusions “Our safety analysis is based on the design model of the system; provided the system is implemented as designed the model is, by definition, valid.” “Our safety assessment model is expressed in a language with formally defined semantics which ensures that the model is correct by construction.” “Our MBSA technique is based on formal methods which guarantee validity of analysis results.” “Since our MBSA technique allows to synthesise fault trees and since fault trees are “tried-and-tested” there are no new challenges” ISSC 2010: The Illusion of Method - 16

  17. Conclusions Novel MBSA techniques pose new challenges Use of traditional formats hides these challenges To justify use of MBSA evidence some work is necessary What is being modelled: Clear conceptual methods definition How to model: Guidance Comprehensive and public Strategies for model review and selective simulation Industrial Application (alongside traditional methods) Must justify adequacy of the models explicitly In the system safety case Need to recognise importance of the assumptions Identify, manage and justify in the model adequacy argument ISSC 2010: The Illusion of Method - 17

  18. Questions CAN YOU TRUST YOUR MODEL? ISSC 2010: The Illusion of Method - 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A Model for Performance Based Method for Designing a PPS Garima Sharma Safety and Security

A Model for Performance Based Method for Designing a PPS Garima Sharma Safety and Security

A Model for Performance Based Method for Designing a PPS Garima Sharma Safety and Security Studies Division, Nuclear Controls and Planning Wing Department of Atomic Energy, Mumbai, India 400001 Email: garimas@dae.gov.in Black Swan Event

184 views • 15 slides
Seamless Model- and Method-Based Software & Systems Engineering Scientific Foundations

Seamless Model- and Method-Based Software & Systems Engineering Scientific Foundations

Seamless Model- and Method-Based Software & Systems Engineering Scientific Foundations Manfred Broy Technische Universitt Mnchen Institut fr Informatik D-80290 Munich, Germany Challenges in Software & Systems Development

519 views • 30 slides
Model Generation Method 2ai The Model Generation (MG) method is an easy method for humans to

Model Generation Method 2ai The Model Generation (MG) method is an easy method for humans to

Model Generation Method 2ai The Model Generation (MG) method is an easy method for humans to apply, but it has not been so widely implemented as DP. Similar to DP, MG returns True if given clauses are satisfiable . AUTOMATED REASONING MG

79 views • 7 slides
1 Outline Problem Setting Instance-Based vs. Model-Based Model-Based Algorithms

1 Outline Problem Setting Instance-Based vs. Model-Based Model-Based Algorithms

1 Outline Problem Setting Instance-Based vs. Model-Based Model-Based Algorithms Estimation of Distribution Algorithms (EDAs) Cross-Entropy (CE) Method Model Reference Adaptive Search (MRAS) Convergence of MRAS

367 views • 34 slides
A neurogeometrical model for image completion and visual illusion Benedetta Franceschiello

A neurogeometrical model for image completion and visual illusion Benedetta Franceschiello

Introduction Sub-Riemannian mean curvature flow for image processing Mathematical models for GOIs A neurogeometrical model for image completion and visual illusion Benedetta Franceschiello Advisors: A. Sarti, G. Citti CAMS (Unit e Mixte

527 views • 17 slides
Formal Model Based Safety Assessment Marco Bozzano, Roberto Cavada, Alessandro Cimatti, Cristian

Formal Model Based Safety Assessment Marco Bozzano, Roberto Cavada, Alessandro Cimatti, Cristian

NuSMV3: a framework for Formal Model Based Safety Assessment Marco Bozzano, Roberto Cavada, Alessandro Cimatti, Cristian Mattarei Fondazione Bruno Kessler, Trento (Italy) Roadmap Formal Model Based Safety Assessment Formal Safety

497 views • 37 slides
How to mask S-Boxes of a block cipher against side channel attacks. Focus on the AES. Micha el

How to mask S-Boxes of a block cipher against side channel attacks. Focus on the AES. Micha el

Introduction Masking based on Look-up tables How to mask (additively) basic operations? Method based on multiplicative masking Method based on Square and Multiply and addition chains Method based on the tower field representation

824 views • 54 slides
PowerUp Team Palindrome Key Challenges Reactive, rather than proactive, safety management

PowerUp Team Palindrome Key Challenges Reactive, rather than proactive, safety management

PowerUp Team Palindrome Key Challenges Reactive, rather than proactive, safety management Underreporting of near-misses due to fear of punitive response Current behavior-based safety programs focus primarily on frontline workers

452 views • 15 slides
Plenary Meeting of the Global Nuclear Safety and Security Network Promoting science-based safety:

Plenary Meeting of the Global Nuclear Safety and Security Network Promoting science-based safety:

Plenary Meeting of the Global Nuclear Safety and Security Network Promoting science-based safety: Aims, Objectives and Working Method of the TSO Forum Jacques Repussard, TSO Forum Chair IRSN, France IAEA International Atomic Energy Agency

331 views • 19 slides
Genericity of a model- based intrusion testing method Aymerick Savary 1,2 , Mathieu Lassale 1,2

Genericity of a model- based intrusion testing method Aymerick Savary 1,2 , Mathieu Lassale 1,2

Genericity of a model- based intrusion testing method Aymerick Savary 1,2 , Mathieu Lassale 1,2 Jean-Louis Lanet 1 , Marc Frappier 2 SDTA, december 2014, Auvergne, France 1 Universit de Limoges 2 Universit de Sherbrooke Genericity of a

404 views • 24 slides
Thermodynamics of 2+1 flavor QCD with the SF t X method based on the gradient flow SF t X method :

Thermodynamics of 2+1 flavor QCD with the SF t X method based on the gradient flow SF t X method :

2020/5/20 @ R-CCS Thermodynamics of 2+1 flavor QCD with the SF t X method based on the gradient flow SF t X method : small flow-time expansion method WHOT-QCD Collaboration: K. Kanaya, Y. Taniguchi, A. Baba, A. Suzuki (Univ. Tsukuba) S.

926 views • 50 slides
A Model to Image Straight Line Matching Method for Vision-Based Indoor Mobile Robot Self-Location

A Model to Image Straight Line Matching Method for Vision-Based Indoor Mobile Robot Self-Location

IROS'2002, Lausanne, 30 September - 4 October Submitted version, march 2002 A Model to Image Straight Line Matching Method for Vision-Based Indoor Mobile Robot Self-Location O. Ait Aider, P. Hoppenot, E. Colle CEMIF - Complex System Group -

362 views • 6 slides
Classes, Objects & References The Challenges of Complexity Complexity of Agent-Based Model

Classes, Objects & References The Challenges of Complexity Complexity of Agent-Based Model

Classes, Objects & References The Challenges of Complexity Complexity of Agent-Based Model development is a major barrier to effective delivery of value Complexity leads to models that are late, over budget, and of substandard

918 views • 36 slides
Behavior Based Safety CAP Safety Meeting June V.A.0.0 1 1 PPT-CAP-BBS Safety is more

Behavior Based Safety CAP Safety Meeting June V.A.0.0 1 1 PPT-CAP-BBS Safety is more

Behavior Based Safety CAP Safety Meeting June V.A.0.0 1 1 PPT-CAP-BBS Safety is more important than getting the job done. V.A.0.0 2 2 PPT-CAP-BBS Behavior Based Safety Behavior Based Safety (BBS) helps you identify and choose a safe

327 views • 21 slides
New Challenges: Model-based Dose Finding in the Era of Targeted Agents Elizabeth Garrett-Mayer,

New Challenges: Model-based Dose Finding in the Era of Targeted Agents Elizabeth Garrett-Mayer,

Redefining the Objectives A New Era A Novel Design for Adoptive T-Cell Therapy Methods Simulations Results Discussion New Challenges: Model-based Dose Finding in the Era of Targeted Agents Elizabeth Garrett-Mayer, PhD 1 Cody Chiuzan, PhD 2 1

667 views • 48 slides
Lanczos method 1D tight-binding model O(N) Krylov subspace method Applications

Lanczos method 1D tight-binding model O(N) Krylov subspace method Applications

Large-scale electronic structure methods Introduction Lanczos method 1D tight-binding model O(N) Krylov subspace method Applications Outlook Taisuke Ozaki (ISSP, Univ. of Tokyo) The Summer School on DFT: Theories and

689 views • 55 slides
Modeling and Analyzing Faults to Improve Election Process Robustness Borislava I. Simidchieva

Modeling and Analyzing Faults to Improve Election Process Robustness Borislava I. Simidchieva

Modeling and Analyzing Faults to Improve Election Process Robustness Borislava I. Simidchieva (UMass Amherst), Sophie J. Engle (UC Davis), Michael Clifford (UC Davis), EVT/WOTE 2010 Alicia Clay Jones (Booz Allen), Washington, D.C. Sean

443 views • 19 slides
CONTENTS Introduction 1. Faut Tree Analysis method (FTA) 2. The main steps of fault tree 3.

CONTENTS Introduction 1. Faut Tree Analysis method (FTA) 2. The main steps of fault tree 3.

th 13 Annual System of Systems Engineering Conference Q UANTITATIVE AND Q UALITATIVE R ELIABILITY A SSESSMENT OF R EPARABLE E LECTRICAL P OWER S UPPLY S YSTEMS USING F AULT T REE A NALYSIS M ETHOD AND I MPORTANCE F ACTORS Authors: Dallal.

972 views • 28 slides
Dynamic Positioning System (DPS) Risk Analysis Using Probabilistic Risk Assessment (PRA) Eric

Dynamic Positioning System (DPS) Risk Analysis Using Probabilistic Risk Assessment (PRA) Eric

DYNAMIC POSITIONING CONFERENCE OCTOBER 911, 2017 TESTING/RISK Dynamic Positioning System (DPS) Risk Analysis Using Probabilistic Risk Assessment (PRA) Eric Thigpen, SAIC ; Michael A. Steward, Roger L. Boyer NASA; Pete Fougere, Consultant

796 views • 33 slides
Quantum Computing & Experience with D-Wave system Dr. Thierry Botter 12 April 2018 We are a

Quantum Computing & Experience with D-Wave system Dr. Thierry Botter 12 April 2018 We are a

Airbus perspective on Quantum Computing & Experience with D-Wave system Dr. Thierry Botter 12 April 2018 We are a worldwide leader in aeronautics, space and related services : We make it fly! Airbus by numbers (end of 2017) Airbus

404 views • 13 slides
Risk assessment methodologies of hydrogen applications in a socio-technological context Frank

Risk assessment methodologies of hydrogen applications in a socio-technological context Frank

Risk assessment methodologies of hydrogen applications in a socio-technological context Frank Markert Systems Analysis Department Ris National Laboratory Technical University of Denmark 2nd European Summer School on Hydrogen Safety Belfast,

1.56k views • 36 slides
Development of Level-2 PSA Software AIMS-L2 Sang Hoon HAN and Jaehyun Cho Korea Atomic Energy

Development of Level-2 PSA Software AIMS-L2 Sang Hoon HAN and Jaehyun Cho Korea Atomic Energy

Transactions of the Korean Nuclear Society Virtual Spring Meeting July 9-10, 2020 Development of Level-2 PSA Software AIMS-L2 Sang Hoon HAN and Jaehyun Cho Korea Atomic Energy Research Institute, 111, Daedeok-daero 989Beon-gil, Yuseong-gu,

553 views • 6 slides
The Confirmation for the Assumption of Full Seismic Correlation in multi-unit Seismic

The Confirmation for the Assumption of Full Seismic Correlation in multi-unit Seismic

Transactions of the Korean Nuclear Society Virtual Spring Meeting July 9-10, 2020 The Confirmation for the Assumption of Full Seismic Correlation in multi-unit Seismic Probabilistic Safety Assessment Geon Gyu Choi . a , Woo Sik Jung . a .

221 views • 4 slides
ICONE-22 July 7, 2014 Prague, Czech Republic Slide 1 SPEAKERS Dr. Sanj Malushte

ICONE-22 July 7, 2014 Prague, Czech Republic Slide 1 SPEAKERS Dr. Sanj Malushte

Forthcoming Seismic PRA for US Operating Plants Following Fukushima Event ICONE-22 July 7, 2014 Prague, Czech Republic Slide 1 SPEAKERS Dr. Sanj Malushte smalusht@bechtel.com Dr. Annie Kammerer amkammer@bechtel.com Dr.

811 views • 80 slides

More recommend