Lessons Learned from a Functional Hazard Analysis (FHA) Michael Levesque August 14, 2018
BLUF & Outline
BLUF
  High level overview
  Share some lessons learned from our experience
  Create a healthy group dynamic that encourages sharing of experiences, both positive and negative
Outline
  Intro, Perspective & Background
  How an FHA Adds Value
  Importance of a Well Designed Worksheet
  Challenges We Faced
  A Few Lessons Learned, Programmatic Advice
  Simple Error-Proofing Opportunities
Hazards are Ubiquitous
Issues are Not Always Visible
  Almost anyone can identify the RIDICULOUSLY OBVIOUS safety issues (yet they still exist…)
  An FHA is a tool that enables a professional to identify the non-obvious hazards
  Factoid: About 700 people died in the 1938 hurricane because nobody knew it was coming; they couldn’t predict what was coming from over the horizon…
Perspective
  Total Ownership Cost includes Development cost, Procurement cost, and the Over-The-Horizon Costs
  Affordability encourages us to understand the impact of today’s decisions on tomorrow’s obligations, and to use that knowledge to influence the system design
Affordability & Safety Best Started Early
  [Chart, source dated Apr 99: Time (Concept, Full Dev, Production, O&S) against Impact on Total Ownership (percent) and Total Ownership Cost Spent (percent)]
  Affordability’s greatest impact is earliest in the program life cycle
  Safety is one of the key early influencers
FHA Background
  Charter: Introduced in 2012 via MIL-STD-882E; expected for most new DoD systems
  When: After the system concept is developed, before design is established
  What: Implementation-agnostic functional decomposition; risk assessment; complex analysis spreadsheet with multiple interconnected worksheets
Where it Fits
  [Figure: life-cycle diagram with the FHA marked “Start Here”]
How an FHA Adds Value
  Uncovers potential safety issues that other analysis techniques sometimes miss
  When done early in the design stage it can better influence the design, making the system safer
  When done early, as it should be, it is MUCH more cost effective: it can influence the design while it is still inexpensive to do so
Value of a Well Designed Worksheet
  The analysis will flow as the worksheet is populated
  The analysis should illuminate:
    System functions
    Hazards
    Software Criticality Index (SwCI), which identifies Safety Critical Items and the required Level of Rigor for software modules
  The FHA worksheet will provide valuable input to the FHA report
Challenges We Experienced
  Defining the scope: what is in / out
    Functional point of view
    Program life-cycle point of view
  Functional decomposition
    Thinking functionally, at a system level
    Not a requirements-driven approach
    Completely implementation-agnostic
  Severity determination
    MIL-STD-882E for determining SwCI
    NAVSEA 5100.12-M for RAC in hazard definition
  Worksheet layout was not intuitive
  Commenting on my own work, candidly
Functional Decomposition
Overlooked Failure Modes
Example Worksheet (Division Newport CPI Office)
Lessons Learned
  Defining the scope / boundaries of the analysis
    System functions
    Life-cycle phases
    Running list of assumptions
  Do not overlook the importance of a truly implementation-agnostic functional decomposition; it is the foundation, the “F” in FHA. Take your time to get it right (How does it do that…?)
  Create a template that is comprehensive, intuitive, flexible, and tailorable
  Document your process, and your progress
Lessons Learned, cont.
  Ambiguity is the enemy of efficiency, so make the time to add candid comments (to yourself)
  Performing an FHA early in the project allows you to identify the Software Criticality Index (SwCI), which correlates to the required Level of Rigor for software. This will result in a more efficient architecture of software modules.
  If you need approval of a review board, share the worksheet and the comments
  Often-overlooked failure modes (other than “Fails to Operate” and “Malfunction”) may identify hazards / risks not previously identified
  Timing…
Lessons Learned, cont.
  FHA review process
    Functional decomposition is the foundation of the analysis; get feedback from Systems Engineering
      Do NOT ask if it is OK… Do ask what is missing
      Functional decomposition describes the capability of the system, not the implementation of it
    Effects (local and system) should be reviewed with other safety engineers
  Have I mentioned comments…? Potential comments could be:
    Is this possible?
    Could be any number of things, including but not limited to: malfunction in X1, faulty X2, faulty X3, bad X4, faulty X5, etc.
Simple Error-Proofing Opportunities
  No magic, simply reducing the opportunities to make human errors
  Conditional formatting: colors & font styles to draw attention to summary rows / cells, and to differentiate between different rows
  Take advantage of simple formulas for automation:
    =MIN(X17:X22)
    =IF(MIN(AB17:AB22)=0,"",MIN(AB17:AB22))
    {=IF(CHAR(SMALL(CODE(AC31:AC36),1))="N","",CHAR(SMALL(CODE(AC31:AC36),1)))}
    =CONCATENATE(AB30,AC30)
  Protect the cells with formulas
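As an added example (not from the slides, and not the CPI Office worksheet itself), the following Python re-implements what those four formulas compute, so the summary-row roll-up can be read and tested away from the spreadsheet. It assumes, because the slide does not say, that the numeric column holds MIL-STD-882E severity categories 1 (Catastrophic) through 4 (Negligible) with a blank meaning not yet assessed, that the letter column holds probability levels A (Frequent) through F (Eliminated) with “N” meaning not applicable, and that the CONCATENATE joins the two into a risk code such as 1A. The function names, the cell semantics and the sample rows are constructed for the example.

```python
# Added example: Python re-implementation of the worksheet's summary-row
# formulas. Not from the slides; column semantics below are assumptions.
#
#   =MIN(X17:X22)                                 -> worst_severity()
#   =IF(MIN(rng)=0,"",MIN(rng))                   -> worst_severity_or_blank()
#   {=IF(CHAR(SMALL(CODE(rng),1))="N","",...)}    -> most_probable()
#   =CONCATENATE(AB30,AC30)                       -> risk_code()
#
# Assumed meanings: numeric cells are MIL-STD-882E severity categories
# (1 Catastrophic, 2 Critical, 3 Marginal, 4 Negligible; None = blank cell),
# letter cells are probability levels (A Frequent .. F Eliminated; "N" = N/A).

BLANK = None  # an empty worksheet cell


def worst_severity(cells):
    """=MIN(rng): Excel's MIN skips blank cells and returns 0 when none are
    numeric. The lowest category number is the worst severity."""
    numbers = [c for c in cells if c is not BLANK]
    return min(numbers) if numbers else 0


def worst_severity_or_blank(cells):
    """=IF(MIN(rng)=0,"",MIN(rng)): show a blank, not a misleading 0, when no
    row in the block has a severity assigned yet."""
    worst = worst_severity(cells)
    return "" if worst == 0 else worst


def most_probable(cells):
    """{=IF(CHAR(SMALL(CODE(rng),1))="N","",CHAR(SMALL(CODE(rng),1)))}
    CODE() gives the character code of each cell's first letter and
    SMALL(...,1) picks the lowest, so the letter earliest in the alphabet
    (A before B) wins; for probability levels that is the most likely one.
    "N" (not applicable, code 78) only wins when every row is "N", and the
    formula then shows a blank instead."""
    codes = []
    for c in cells:
        if not c:
            # CODE("") is #VALUE! in Excel, so the array formula would error.
            raise ValueError("blank probability cell in summary range")
        codes.append(ord(c[0]))
    letter = chr(min(codes))
    return "" if letter == "N" else letter


def risk_code(severity, probability):
    """=CONCATENATE(AB30,AC30): join the two summary cells, e.g. 1 + "A" -> "1A"."""
    return f"{severity}{probability}"


def summarize(rows):
    """Roll one function's failure-mode rows up into its summary row."""
    severity = worst_severity_or_blank([r["severity"] for r in rows])
    probability = most_probable([r["probability"] for r in rows])
    return {"severity": severity, "probability": probability,
            "risk_code": risk_code(severity, probability)}


# Constructed sample block for one hypothetical system function; the failure
# modes and their ratings are made up for the example.
SAMPLE_ROWS = [
    {"mode": "Fails to operate",            "severity": 2,     "probability": "D"},
    {"mode": "Malfunction",                 "severity": 1,     "probability": "E"},
    {"mode": "Operates late",               "severity": 3,     "probability": "C"},
    {"mode": "Operates when not commanded", "severity": BLANK, "probability": "N"},
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_ROWS)
    for row in SAMPLE_ROWS:
        print(f'{row["mode"]:<30} {row["severity"] or "":>3} {row["probability"]}')
    print(f'{"summary":<30} {summary["severity"]:>3} {summary["probability"]}'
          f'  -> {summary["risk_code"]}')
```

Two things the formulas do silently are worth knowing when reviewing a summary row. First, the worst severity and the most likely probability are taken independently, so the summary can combine two different rows: here the worst-severity row is Malfunction (1, E) and the most probable row is Operates late (3, C), giving a summary of 1C that is more conservative than any single failure mode. Second, CODE() compares character codes, so a lowercase letter (code 97 and up) sorts after every uppercase level and a blank cell errors the whole array formula; data validation on the letter column, alongside protecting the formula cells, closes both gaps.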
Safety, and the FHA - “Proxies for Affordability”
Programmatic Advice
  The earlier you perform this analysis, the more effective and affordable it is
  Some Program Managers do not get Safety involved in a program at the point when an FHA should be done
  Rule of 10: what needs to be changed, and what does it cost?
Pay Me Now, or Pay Me Later We did the math… Later is ALWAYS More
Questions?