
Safety specification and acceptance in ship control systems: a novel approach based on dynamic system modelling

Gian Francesco D'Addio*, Pierluigi Firpo†, Stefano Savio* & Giuseppe Sciutto†

* Centro di Ricerca Trasporti, Universita di Genova, Via all'Opera Pia 11a - 16145 Genova, Italy
† Dipartimento di Ingegneria Elettrica, Universita di Genova, Via all'Opera Pia 11a - 16145 Genova, Italy
Email: cesco@crt.unige.it

Abstract

The increasing use of digital systems in vital applications for Ship Control Systems requires the study and the adoption of advanced system safety modelling methodologies for Probabilistic Safety Assessment, due to the often complex structure of such equipment from a safety point of view. In the design of Safety-related Systems it is necessary to ensure that an adequate level of safety is properly specified, is achieved during the design phase, and is maintained during system operation: the required level of safety and its demonstration are achieved by applying a well-defined Safety Process, which starts with the definition of safety specifications, goes on with the safety verification and validation (assessment) during each phase of the system development up to system installation, and continues with operation and performance monitoring and finally with the decommissioning phase procedures. Safety Specification and Safety Acceptance, based on the System Safety Case, are two major critical points in a Safety Process for Ship Control Systems, and the Probabilistic Safety Assessment constitutes the foundation on which both the above activities rest. Appropriate hazard analysis techniques, based on probabilistic modelling methodologies, must be adopted in order to accomplish the Safety Process tasks dealing with the quantitative evaluation of all the safety-related aspects of a safety-critical system design. Stochastic Petri Nets are a very powerful safety modelling technique, based on Markov Chain theory, suitable for complex systems which cannot be easily modelled by means of traditional combinatorial methods like fault trees. In this paper, the authors discuss the application of Stochastic Petri Nets in the appropriate Safety Process tasks and show how to set up a probabilistic safety assessment on a sample system.

374 Marine Technology II

1 Introduction

The System Safety Program is the means by which the safety requirements for a system are determined, the design and application are demonstrated to achieve the specified safety requirements, the performance of the system is monitored while it is operating and, finally, the decommissioning of the system is carried out safely. The implementation of the System Safety Program, as far as the specification and design phases are concerned, comprises hazard and safety analysis activities, based on stochastic principles, which have to provide quantitative evaluations of the probability of occurrence of dangerous failures by solving appropriate system models like Stochastic Petri Nets. Compliance with the safety requirements may be verified by integrating the above quantitative results with hazard severity analysis and risk assessment procedures.

2 Hazard Analysis and Risk Assessment

Hazard Analysis is the activity of identifying and classifying actual and potential hazards and hazardous events.

2.1 Hazard Sequence and Risk Assessment

The objective of the Risk Assessment is to assess the probability of a hazard, or of a sequence of hazards, which may lead to a potential accident; by combining the hazard probability or frequency with the recognized hazard severity, the risk is obtained, which may then be classified in terms of its acceptability. By means of the hazard sequence it is possible to perform a Risk Assessment on the basis of the identified hazards or hazardous events. In fact, the aim of the hazard sequence is to relate hazards with potential accidents, as shown in Figure 1.

[Figure 1 - Hazard Sequence: Combination of Hazards → Potential Accident → Accident → Casualties]

The primary classification which is made on hazards, on the basis of the Hazard Sequence, deals with hazard severity. In Table 1 the hazard severity categories, as defined in international safety standards [5], are explained: they provide a qualitative measure of the consequences of accidents which could result from a hazard or a sequence of hazards. Table 2 shows a possible classification of the Hazard Probability Levels in terms of the occurrence probability per hour of operation.

Table 1 - Hazard Severity Categories

  Category  Description   Definition: consequence to personnel        Consequence to system
  4         CATASTROPHIC  Fatalities and/or multiple severe injuries  Loss of the system
  3         CRITICAL      Single fatality or severe injury            Loss of a major system
  2         MARGINAL      Minor injury
  1         NEGLIGIBLE    Possible single minor injury                System damage

Table 2 - Hazard Probability Levels

  Level  Description   Definition                                                                                   Occurrence probability [1/h]
  F      NOT CREDIBLE  Extremely unlikely to occur. It can be assumed that the hazard may not occur                 < 10^-9
  E      IMPROBABLE    Unlikely to occur but possible. It can be assumed the hazard may exceptionally occur         10^-9 ÷ 10^-7
  D      REMOTE        Likely to occur at some time in the system life cycle. It can be reasonably expected to occur  10^-7 ÷ 10^-5
  C      OCCASIONAL    Likely to occur several times. The hazard can be expected to occur several times             10^-5 ÷ 10^-4
  B      PROBABLE      It will occur several times. The hazard can be expected to occur frequently                  10^-4 ÷ 10^-3
  A      FREQUENT      Likely to occur frequently. The hazard will be continually experienced                       > 10^-3

The quantitative units defined above have to be tailored to the particular potential accident considered. Note that the probability of a potential accident becoming an actual accident is conservatively assumed equal to 1. The consequence of a hazard and its probability are used to generate the Risk Classification Matrix shown in Table 3.

Table 3 - Risk Classification Matrix

  Frequency          Hazard category:  Catastrophic 4  Critical 3  Marginal 2  Negligible 1
  Frequent      A                      4A              3A          2A          1A
  Probable      B                      4B              3B          2B          1B
  Occasional    C                      4C              3C          2C          1C
  Remote        D                      4D              3D          2D          1D
  Improbable    E                      4E              3E          2E          1E
  Not Credible  F                      4F              3F          2F          1F

  Legend (the risk class of each cell is indicated by shading in the original matrix):
  Intolerable - Shall be eliminated
  Undesirable - Shall only be accepted if risk reduction is impracticable
  Tolerable   - Acceptable with adequate control
  Acceptable  - Shall be accepted with agreement of the Safety Authority

The Risk Classification is used to define the maximum tolerable level of risk and, consequently, to recognize whether actions are required to eliminate the risk associated with a hazard or to reduce it to a tolerable level. An example of possible Risk Classification Criteria is highlighted in Table 3, and the relevant actions to be performed for each level of risk are defined in its legend.

2.2 Safety Integrity

Safety Integrity is defined as the likelihood of a system complying with the specified safety requirements under all stated conditions within a stated period of time. Safety Integrity is, substantially, a measure of the tolerable level of risk and may be quantified as a failure rate in a dangerous mode or as the probability of a safety-related protection failing on demand. However, safety integrity also depends on many other factors which can only be evaluated qualitatively and are not considered in the present discussion, such as those related to the human factor. The apportionment of the whole-system Safety Integrity targets to all the subsystems of a Ship Control System results in the definition of the safety requirements of each Ship Control System element in terms of failure frequency or probability.

3 Safety Specification

Once the level of safety for an application is defined and the tolerability criteria for risk are properly identified, the necessary risk reduction for safety-related protection or control systems can be determined. According to the required risk reduction, safety integrity requirements are derived. For each safety-related function, safety integrity is specified by using discrete levels, usually four, defined as Safety Integrity Levels (SILs), which define a combination of architectures, tools, methods and techniques able to provide, if effectively implemented, a measure of confidence that the system will achieve the required safety integrity. This is done because it is not sufficient to specify and ensure quantitative requirements related only to random faults: measures also need to be adopted for preventing systematic faults, for which quantitative requirements cannot be formulated. For this reason, a probability of failure, or a hazardous failure rate, is associated with each SIL, and the SIL is assigned to safety-related functions according to the specified quantitative risk reduction: the assigned SIL then defines a set of qualitative and technical measures for preventing the occurrence of systematic faults, commensurate with the required safety integrity level. In [5] a generic correlation between SILs and failure probabilities is proposed, but a specific association table can be defined for each application according to the specified overall safety level, to be assessed and approved by the Regulatory bodies. Table 4 shows an example of a possible definition of the SILs according to [6].

Table 4 - SILs definition

  SIL  Description              Hazardous Failure Rate [1/h]
  4    Fail safe                < 10^-?
  3    Safety critical - High   10^-? ÷ 10^-?
  2    Safety critical - Low    10^-? ÷ 10^-?
  1    Safety involved          > 10^-?
  0    Not safety-related
  (the exponents in the rate column are not legible in the source)

4 Safety Verification and Validation

Once the Safety Integrity targets have been defined (as described in Sections 2 and 3) through hazard analysis and controlled through design, the following step is to determine whether any uncontrolled problem has arisen from the design and implementation phase. The Safety Verification and Validation activities are performed during the life cycle phases related to design and implementation, installation and validation, and they have to produce adequate results for the purposes of the acceptance activity.
It is important to note that most verification and validation techniques focus on showing consistency between the system functionalities and the specification, but, as far as safety is concerned, this philosophy is wrong. In fact the need is to examine the relationship both between the system inputs and outputs and between the inputs and the effects of the outputs on system behaviour. In particular, when software is used in performing safety-related functions, experience shows that errors in the design of the system interfaces are the most important. Safety Verification and Validation (V&V) aims to demonstrate that the system satisfies and is consistent with the safety constraints and the safety-related functional requirements. For this purpose two types of analysis, dynamic and static, can be performed. The first type is performed in order to execute (test) the system or a model of the system, collecting information about its performance and the possible safety weakness areas, while the second one is carried out in order to examine the system without executing it.

As far as safety qualification is concerned, the testing goal [9] is to show that the system will not do anything hazardous, starting from a predefined operating condition, by executing the system functions either in a simulated or in a real environment. In particular, these qualification activities have to find out the unsafe responses due to a frequency and a level of system stress greater than the rated ones, taking into account the following system aspects:
(1) critical functions and variables,
(2) boundary conditions,
(3) special features such as firewalls or safety kernels upon which the protection of the safety-critical features is based,
(4) incorrect and unexpected inputs and input sequences and timing (minimum, maximum and outside the expected range),
(5) reaction of the software to system faults and failures,
(6) fail-safe modes,
(7) procedures that guide critical control and safety decisions.

Using dynamic analyses the safety engineer can reach an adequate knowledge of the system behaviour and of the system safety weaknesses. Moreover, when they are applied in the earlier phases of the development, the corrective actions can be performed without excessive additional costs. In this context Stochastic Petri Nets, described in Section 6, are a powerful formalism able to give the analyst adequate answers concerning the system safety-related performance. However, it has been demonstrated that exhaustive testing is not practically possible and, when simulation is used, the results are strictly related to the adequacy of the simulated model. To overcome these limitations static analyses (e.g. formal methods, FTA, and others) can be used in order to create an integrated framework where each method is used for augmenting the V&V capability of the other methods.

5 Safety Case

The Safety Case is the systematic documentation of the reasons why a system is believed to be safe to be deployed, and it typically reflects the design and assessment of the product and the process that led to its development. It is the necessary supporting documentation leading to acceptance, which is the formal approval by the Regulatory bodies that the system is fit to be utilised. The Safety Case, to be developed in parallel with the design, should make an explicit set of claims about the system, provide a systematic structure for marshalling the evidence, provide a set of safety arguments for linking the claims to the evidence, and make clear the assumptions and judgements underlying the arguments. The nature of the safety arguments could be [10], [11]:
- Deterministic, where the evidence can be axioms, the inference mechanism is the rules of predicate logic, and the safety argument is a proof using those rules.
- Probabilistic, where the evidence could be component failure rates and assumptions of independence, and the inference mechanism is statistical analysis.
- Qualitative, where the evidence might be adherence to standards, design rules or guidance, and the inference mechanism is some form of acceptance criteria based on this.

The Safety Case is typically structured as follows [6]:
- System (or sub-system/equipment) definition
- Quality Management Report with the evidence of Quality Management
- Safety Management Report with the evidence of Safety Management
- Technical Safety Report with the evidence of functional and technical safety
- Results of Safety Qualification Tests

5.1 Evidence of Quality Management

The purpose of the quality management process is to reduce the incidence of human errors and to reduce the risk of systematic faults in the system. Therefore, the first condition for safety acceptance which should be satisfied is that the quality of the system is controlled by a well-managed process throughout its life cycle. There are several aspects which are involved in the Quality Management process, and they are the typical ones covered by the ISO 9000 standards requirements.

5.2 Evidence of Safety Management

The purpose of the Safety Management process is to further reduce the incidence of safety-related human errors throughout the life cycle and to minimise the residual risk of safety-related systematic faults. The evidence of a well-managed safety process represents the second mandatory condition to be satisfied in order to reach system approval. The elements to be formalised are the following:
(1) the safety life cycle with the description of phases and activities,
(2) the safety organisation with the roles and responsibilities,
(3) the safety plan,
(4) the hazard log,
(5) the safety requirements specification,
(6) the safety-related reviewing process,
(7) the safety verification and validation,
(8) the safety justification,
(9) the operation and maintenance procedures,
(10) the decommissioning and disposal procedures.

5.3 Evidence of Functional and Technical Safety in Design

This process consists of technical evidence for the safety of the design. The resulting report describes the technical principles which assure the safety of the design, including design principles and calculations, test specification requirements and safety analyses. The results of the safety qualification tests should be contained in the relevant Safety Case part, and they should be able to demonstrate successful test completion under operational conditions.

6 Stochastic Petri Nets Modelling

Thanks to their high capability in modelling the dynamic behaviour of systems in the presence of random events, Stochastic Petri Nets (SPNs) may be utilized to quantify the safety integrity of Ship Control systems and subsystems as the occurrence probability, or frequency, of dangerous failure modes due to random hardware faults. SPNs are particularly useful for the safety analysis of digital systems where either software diagnostics or hardware redundancies are utilized to identify and locate faults in order to control and contain their effects on safety. A fault may be controlled if and only if it is timely detected and located: for this reason, a fault which goes undetected has to be considered as potentially dangerous, in that its impact on safety cannot be predicted. The probability of detecting and locating faults which occur in a system, by means of diagnostic facilities, is defined as the fault coverage of the system.

[Figure 2 - Hot Standby Sparing Architecture: Input → On Line Unit / Hot Spare → Switch → Output]

A very simple case study is presented in order to explain how SPNs may be applied in the safety analysis of digital systems for Ship Control vital applications: the system considered is a hot standby sparing architecture, as shown in Figure 2.

[Figure 3 - Double Redundant System safety model (SPN with places ON LINE UNIT, SPARE UNIT, SPARE UNIT FAULT, FAULT, SAFE SHUT DOWN and UNSAFE FAILURE)]

In this doubly redundant architecture, for each on-line module a spare unit is present which operates in synchrony with the first one. When a fault occurring in the on-line unit is detected, the operating module is replaced by the spare. Since the spare is always operating in background, a fault is likely to occur also in this module. An unsafe failure will occur if:
- a failure of the on-line unit is caused by an undetected fault;
- a failure of the on-line module follows an undetected fault of the spare.

Figure 3 shows the SPN safety model of the system under analysis; the diagnostic fault coverage is assumed equal to C for both the on-line and the spare units, while the aggregate hardware failure rate of each module is assumed equal to λ.

7 Results

The results presented in Figure 4 represent an example of the safety integrity measures which can be obtained by means of SPN modelling. Safety may be evaluated by calculating the probability of having, at time t, a non-zero marking in the place "UNSAFE FAILURE".

[Figure 4 - Safety Analysis results: Safety versus Time [h], from 0 to 3000 h]

The safety analysis is performed over a 3000 h mission time for values of the fault coverage C varying from 0.1 to 0.9. These results have been obtained by using SPNP Version 4.0, an SPN solution tool based on a C-like SPN description language, produced by Duke University, Durham, USA.

8 Conclusions

The application of Stochastic Petri Nets in the Safety Program for Ship Control Systems has been discussed in this paper. In particular, it has been shown how SPNs are useful to perform the Risk Assessment of electronic vital subsystems where random hardware faults are the major causes of dangerous failures because of the limited diagnostic fault coverage.
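As an added example, not part of the paper and not the authors' SPNP model, the following Python writes the hot standby sparing SPN of Section 6 as its underlying continuous-time Markov chain, solves it by uniformization, and evaluates Safety(t) = 1 - P(UNSAFE FAILURE at t) over the 3000 h mission for several coverage values, finally placing the result in a Table 3 cell through the Table 2 probability levels. The six-state reading of the two unsafe-failure conditions, the failure rate value λ = 1e-4 1/h, and the per-hour hazard estimate P(T)/T are constructed assumptions.

```python
"""Hot-standby sparing safety model (Sections 6-7) solved as the CTMC
underlying the SPN.  Added example, not the authors' SPNP model: the
six-state reading of the two unsafe-failure conditions, the failure-rate
value and the per-hour hazard estimate are constructed assumptions."""
import math

# Markings of the safety model: exactly one of these holds at any time.
STATES = ["BOTH_OK", "SPARE_LATENT_FAULT", "SPARE_DETECTED_FAULT",
          "SWITCHED_TO_SPARE", "SAFE_SHUTDOWN", "UNSAFE_FAILURE"]
IDX = {name: i for i, name in enumerate(STATES)}

def transitions(lam, c):
    """Timed transitions (from, to, rate) of the SPN.
    lam: aggregate hardware failure rate of each module [1/h]
    c:   diagnostics fault coverage of both the on-line and the spare unit"""
    det, undet = c * lam, (1.0 - c) * lam
    return [
        ("BOTH_OK", "SWITCHED_TO_SPARE", det),     # on-line fault detected: switch
        ("BOTH_OK", "UNSAFE_FAILURE", undet),      # on-line fault undetected
        ("BOTH_OK", "SPARE_DETECTED_FAULT", det),  # spare fault detected: isolated
        ("BOTH_OK", "SPARE_LATENT_FAULT", undet),  # spare fault stays undetected
        # any failure of the on-line module after an undetected spare fault hands
        # control to a faulty spare, so it is unsafe whether detected or not
        ("SPARE_LATENT_FAULT", "UNSAFE_FAILURE", lam),
        # one unit left: detected fault -> safe shutdown, undetected -> unsafe
        ("SPARE_DETECTED_FAULT", "SAFE_SHUTDOWN", det),
        ("SPARE_DETECTED_FAULT", "UNSAFE_FAILURE", undet),
        ("SWITCHED_TO_SPARE", "SAFE_SHUTDOWN", det),
        ("SWITCHED_TO_SPARE", "UNSAFE_FAILURE", undet),
    ]

def generator(lam, c):
    """Infinitesimal generator Q of the CTMC (rows sum to zero)."""
    n = len(STATES)
    q = [[0.0] * n for _ in range(n)]
    for src, dst, rate in transitions(lam, c):
        i, j = IDX[src], IDX[dst]
        q[i][j] += rate
        q[i][i] -= rate
    return q

def state_probabilities(lam, c, t, eps=1e-12):
    """Transient solution pi(t) by uniformization:
    pi(t) = sum_k Poisson(k; L*t) * pi(0) P^k  with  P = I + Q/L,
    L >= max exit rate.  The initial marking is BOTH_OK."""
    q = generator(lam, c)
    n = len(q)
    big = max(-q[i][i] for i in range(n)) or 1.0
    if big * t > 700:
        raise ValueError("L*t too large: exp(-L*t) would underflow")
    p = [[(1.0 if i == j else 0.0) + q[i][j] / big for j in range(n)]
         for i in range(n)]
    vec = [0.0] * n
    vec[IDX["BOTH_OK"]] = 1.0
    result = [0.0] * n
    weight, total, k = math.exp(-big * t), 0.0, 0   # Poisson term k = 0
    while total < 1.0 - eps and k < 100_000:
        for i in range(n):
            result[i] += weight * vec[i]
        total += weight
        k += 1
        weight *= big * t / k                        # next Poisson term
        vec = [sum(vec[i] * p[i][j] for i in range(n)) for j in range(n)]
    return dict(zip(STATES, result))

def unsafe_failure_probability(lam, c, t):
    """Probability of a non-zero marking in UNSAFE_FAILURE at time t."""
    return state_probabilities(lam, c, t)["UNSAFE_FAILURE"]

def safety_curve(lam, c, mission_h=3000, step_h=500):
    """Safety(t) = 1 - P(UNSAFE_FAILURE at t) over the mission (cf. Figure 4)."""
    return [(t, 1.0 - unsafe_failure_probability(lam, c, t))
            for t in range(0, mission_h + 1, step_h)]

def hazard_probability_level(rate_per_hour):
    """Table 2 level for an occurrence probability per hour of operation
    (a value exactly on a boundary is put in the higher level)."""
    for bound, level in ((1e-9, "F"), (1e-7, "E"), (1e-5, "D"),
                         (1e-4, "C"), (1e-3, "B")):
        if rate_per_hour < bound:
            return level
    return "A"

def risk_cell(severity, lam, c, mission_h=3000):
    """Table 3 cell (e.g. '4D') for a hazard of the given severity category,
    taking P(UNSAFE_FAILURE at mission end) / mission_h as a constructed
    estimate of the per-hour hazard probability (not the authors' method)."""
    per_hour = unsafe_failure_probability(lam, c, mission_h) / mission_h
    return f"{severity}{hazard_probability_level(per_hour)}"

if __name__ == "__main__":
    LAM = 1e-4   # constructed failure rate [1/h], not a value from the paper
    for cov in (0.1, 0.5, 0.9):
        curve = ", ".join(f"{t}h:{s:.4f}" for t, s in safety_curve(LAM, cov))
        print(f"C={cov}: {curve}  risk cell {risk_cell(4, LAM, cov)}")
```

With C = 0 the chain reduces to P(unsafe, t) = 1 - exp(-λt), which gives an analytic check on the solver; with C = 1 the unsafe place is unreachable.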

References

1. B.W. Johnson, J.H. Aylor, "Reliability and safety analysis of a fault-tolerant controller", IEEE Transactions on Reliability, Vol. R-35, No. 4, 1986, pp. 355-362.
2. B.W. Johnson, Design and Analysis of Fault-Tolerant Digital Systems, Addison-Wesley Publishing Company, 1989.
3. M.K. Molloy, "Performance analysis using Stochastic Petri Nets", IEEE Transactions on Computers, Vol. C-31, No. 9, 1982, pp. 913-917.
4. L. Tomek, V. Mainkar, R.M. Geist, K.S. Trivedi, "Reliability modeling of life-critical, real-time systems", Proceedings of the IEEE, Vol. 1, 1994, pp. 108-121.
5. IEC 1508, Functional Safety: Safety-Related Systems, IEC SC65A, Draft Version, June 1995.
6. prEN 50129, Railway Applications: Safety Related Electronic Systems, CENELEC SC9XA WG2, Version 0.8, December 1994.
7. MIL-STD-882C, System Safety Program Requirements, Department of Defense, USA, 1993.
8. P. Firpo, S. Savio, G. Sciutto, "Safety and reliability in computer-based traffic management: a probabilistic approach using Petri Nets", 4th International Conference COMPRAIL'94, Madrid, 7-9 September 1994, pp. 255-264.
9. N.G. Leveson, Safeware: System Safety and Computers, Addison-Wesley Publishing Company, 1995.
10. P.G. Bishop, R.E. Bloomfield, "The SHIP Safety Case Approach: a Combination of System and Software Methods", presented at the First Annual ENCRESS Conference on Safety and Reliability of Software Based Systems, Bruges, 12-15 September 1995.
11. H.W. Lawson, "An Assessment Methodology for Safety Critical Systems", presented at the First Annual ENCRESS Conference on Safety and Reliability of Software Based Systems, Bruges, 12-15 September 1995.
12. S. Kristiansen, "Analysis of Ro-ro Vessel Accidents and its Implications for Design of Control Systems and the Human-Machine Interface", presented at the International Seminar Human Factors Impact on Ship Design, Genoa, 14 November 1996.