
    The AQUAS ECSEL Project Aggregated Quality Assurance for Systems: Co-Engineering Inside and Across the Product Life Cycle

    There is an ever-increasing complexity in the systems we engineer in modern society, including the convergence of the embedded world and the open world. This complexity makes it increasingly difficult to provide assurance for factors including safety, security and performance. In this context, the AQUAS project investigates the challenges arising from, for example, the inter-dependence of safety, security and performance of systems, and aims at efficient solutions for the entire product life cycle. The project builds on knowledge gained by partners in current or former EU projects and will demonstrate the newly developed methods and techniques for co-engineering across use cases spanning aerospace, medicine, transport and industrial control.
    A special thanks to all the AQUAS consortium members who worked on the AQUAS proposal on which this paper is based, especially to Charles Robinson (TRT), the proposal coordinator. The AQUAS project is funded by the ECSEL Joint Undertaking under grant agreement No. 737475, and from national funding.

    Critical Infrastructure Protection Approaches: Analytical Outlook on Capacity Responsiveness to Dynamic Trends

    Overview: Critical infrastructures (CIs) are any assets whose functionality is critical to normal societal functions, safety, security, or the economic or social wellbeing of people, and whose disruption or destruction would have a very significant negative societal impact. CIs are central to the normal functioning of a nation's economy and must be protected from both intentional and unintentional sabotage. It is important to correctly discern and aptly manage security risks within CI domains. The protection (security) of CIs and their networks can provide clear benefits to owner organisations and nations, including: enabling a properly functioning social environment and economic market, improving service security, enabling integration with external markets, and enabling service recipients (consumers, clients and users) to benefit from new and emerging technological developments. To secure a CI system effectively, it is first crucial to understand three things: what can happen, how likely it is to happen, and the consequences if it does. One way to achieve this is through modelling and simulation of CI attributes, functionalities, operations and behaviours to support security analysis, especially considering the dynamics of trends and technology adoption. Despite the availability of several security-related CI modelling approaches (tools and techniques), trends such as inter-networking and internet and IoT integration raise new issues. Part of these issues concern how to model, more precisely and realistically, the complex behaviour of interconnected CIs and their protection as a system of systems (SoS). This report addresses this broad goal by reviewing a sample of critical infrastructure protection approaches comprising tools, techniques and frameworks (methodologies). The analysis covers the types of critical infrastructure, applicable modelling techniques, the scope of risk management covered, and considerations for resilience, interdependency, and policy and regulatory factors.
    Key Findings: This research presents the following key findings:
    1. No single Critical Infrastructure Protection (CIP) approach (tool, technique, methodology or framework) exists or emerges as a 'fit-for-all' that allows the modelling and simulation of cyber security risk, resilience, dependency and impact attributes in every critical infrastructure set-up.
    2. Typically, two or more modelling techniques can be, and need to be, merged to cover a broader scope and context of modelling and simulation applications, in order to achieve the desired high-level protection and security for critical infrastructures.
    3. Empirical, network-based, agent-based and system-dynamics modelling techniques are the most widely used, and each offers gains from its use.
    4. The deciding factors in choosing a modelling technique often rest on complexity of use, popularity of the approach, and the type and objectives of the user organisation and sector.
    5. The scope of modelling functions and operations also helps strike the balance between the 'specificity' and 'generality' of a modelling technique and approach, for the respective gains of in-depth analysis and wider coverage.
    6. Interdependency and resilience modelling and simulation of critical infrastructure operations, together with the associated security and safety risks, are crucial characteristics that need to be considered and explored when revising existing or developing new CIP modelling approaches.
    Recommendations: Key recommendations from this research include:
    1. Other critical infrastructure sectors, such as emergency services, food and agriculture, and dams, need to draw lessons from the energy and transportation sectors in order to: i. amplify the drive and effort towards evaluating and understanding security risks to their infrastructure and operations; ii. support better understanding of any associated dependencies and cascading impacts; iii. learn how to establish effective security and resilience; iv. support decision-making linked with measuring the effectiveness of preparedness activities and investments; v. improve the behavioural security-related responses of CIs to disturbances or disruptions.
    2. Security-related critical infrastructure modelling approaches should be developed or revised to include the wider scope of security risk management, from identification to effectiveness evaluation, to support: i. appropriate alignment and responsiveness to the dynamic trends introduced by new technologies such as IoT and IIoT; ii. dynamic security risk management, where the assessment stage in particular needs to be more dynamic than static, to address the recurrent and impactful risks that emerge in critical infrastructures.

    Deployment maintenance strategy for the development of maintenance personnel in Irish and Malaysian automated manufacturing industries

    To ensure that a manufacturing company achieves optimum productivity and equipment reliability, an effective maintenance system must be implemented. However, it is important to realize that maintenance employee involvement is a critical factor in the maintenance implementation stage. Effective maintenance requires an understanding of the link between maintenance and maintenance employee involvement. As such, there is a need for empirical research on the deployment strategy for the development of maintenance personnel incorporated within the company's maintenance strategy. This study is a research programme based on the Irish and Malaysian automated manufacturing industries. The primary objective of this research is to formulate the maintenance strategy that leads to the deployment strategy for the development of maintenance personnel in Malaysian automated manufacturing companies. To achieve this objective, it is necessary to understand current maintenance practice in manufacturing industries and to establish the extent to which Irish and Malaysian companies invest in developing their maintenance teams through employee development. The work involved a postal survey questionnaire that examined and analyzed maintenance implementation and the nature of the problems and difficulties faced by maintenance personnel in performing their tasks and activities. A comparative study was also carried out between the two countries, together with the correlation between the measured variables and company performance. The key findings are as follows: the commitment of top management plays a very important role in the implementation of a maintenance strategy; most of the problems encountered in maintaining automated systems are closely related to human aspects, i.e. maintenance personnel; the higher the utilization of proactive and aggressive maintenance, the better the improvement in equipment availability that can be expected; appropriate and well-implemented training yields a better improvement in equipment availability; and in Malaysia, improvement in equipment availability is higher in companies that use in-house maintenance. Based on the theoretical understanding of current research in the literature and the empirical results of this study, the author proposes a deployment strategy for the development of maintenance personnel, to be incorporated within the company's maintenance strategy in Malaysia, from the perspective of maintenance employee participation for self-reliance and improved reliability and performance.

    Safety and Security Certification of Electric Bus Fleets - Industry Best Practices

    Recently, bus transit agencies nationwide have gradually shifted from reducing their carbon footprint through alternative-fuel vehicles to eliminating carbon emissions by adopting battery electric fleets. This push is supported by FTA's commitment to reducing carbon emissions from transit vehicles, infrastructure and construction through its Low or No Emissions Grant Program funding. Alongside the expansion of the battery electric bus (BEB) market, bus transit systems are also presented with the emergence of new technologies not commonly found in U.S. transit systems, specifically with BEBs. The progression of this technology has highlighted the need to expand current safety and security certification (SSC) capabilities so that agencies can maintain their overall safety performance. The primary objective of this research initiative is therefore to develop minimum SSC program practices and protocols for transit agencies to verify that BEBs and their associated facilities, systems and equipment are safe for revenue operations.

    Optimal sensor placement for sewer capacity risk management

    Spring 2019. Complex linear assets, such as those found in transportation and utilities, are vital to economies and, in some cases, to public health. Wastewater collection systems in the United States are vital to both. Yet effective approaches to remediating failures in these systems remain an unresolved shortfall for system operators. This shortfall is evident in the estimated 850 billion gallons of untreated sewage that escape combined sewer pipes each year (US EPA 2004a) and the estimated 40,000 sanitary sewer overflows and 400,000 backups of untreated sewage into basements (US EPA 2001). Failures in wastewater collection systems can be prevented if they are detected in time to apply intervention strategies such as pipe maintenance, repair or rehabilitation. This is the essence of a risk management process. The International Council on Systems Engineering recommends that risks be prioritized as a function of severity and occurrence and that criteria be established for acceptable and unacceptable risks (INCOSE 2007). A significant impediment to applying generally accepted risk models to wastewater collection systems is the difficulty of quantifying risk likelihoods. These difficulties stem from the size and complexity of the systems, the lack of data and statistics characterizing the distribution of risk, the high cost of evaluating even a small number of components, and the lack of methods to quantify risk. This research investigates new methods to assess the likelihood of failure through a novel approach to the placement of sensors in wastewater collection systems. The hypothesis is that iterative movement of water level sensors, directed by a specialized metaheuristic search technique, can improve the efficiency of discovering locations of unacceptable risk. An agent-based simulation is constructed to validate the performance of this technique and to test its sensitivity to varying environments. The results demonstrated that a multi-phase search strategy, with a varying number of sensors deployed in each phase, can efficiently discover locations of unacceptable risk that can then be managed through a perpetual monitoring, analysis and remediation process. A number of promising, well-defined future research opportunities also emerged from this work.

    Systems Theoretic Hazard Analysis (STPA) applied to the risk review of complex systems : an example from the medical device industry

    Thesis (Ph.D.), Massachusetts Institute of Technology, Engineering Systems Division, 2013. Traditional methods to identify and document hazards, and the corresponding safety constraints, lack the ability to account for human, software and sub-system interactions in highly technical systems. STAMP, a systems-theoretic accident causality model, was created to overcome these limitations. The application of STAMP's hazard analysis method, STPA, to five sub-systems of the Paul Scherrer Institute's experimental PROSCAN proton therapy system demonstrated how STPA can augment the design and risk review of existing complex systems. Two of the five human controllers active in treatment delivery, two of the four process attributes controlled by the PROSCAN facility, and one of the four control loops that control the beam-to-target alignment attribute were analyzed. In doing so, the following contributions were made:
    - Analyzed the regulations currently in place in the US and Europe for the marketing of external beam radiotherapy devices and, more generally, medical devices that do not contain radioactive materials, concluding that STPA would be acceptable in both regulatory systems;
    - Provided experience in applying STPA to a complex device. Information on efficacy was derived by comparing STPA results with an existing safety assessment, but a more formal counterpart is needed for stronger evidence. Information on learnability and usability was obtained when an informal workshop showed that system designers could, in the course of one day, be taught to use STPA to push their thinking about system elements yet to be designed;
    - Demonstrated the applicability of STPA to an experimental radiotherapy facility and, through this feasibility check, potentially influenced the state of the art in hazard analysis of medical devices and health care delivery;
    - Advanced the STPA methodology by creating notations and a process to document, query and visualize the possibly large number of hazardous scenarios identified by STPA analyses, with the goal of facilitating their review and use by their intended audience;
    - Showed how STPA is complementary to more traditional hazard analysis techniques such as fault and event trees. Their respective strengths can be combined when STPA is used to identify the areas on which to focus the investigative lens of traditional hazard analysis techniques.
    Keywords: STAMP, STPA, hazard analysis, risk analysis, risk management, proton therapy, medical devices, safety, certification. By Blandine Antoine.
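    As an added illustration of the kind of documenting and querying of hazardous scenarios the contributions above refer to, here is a minimal STPA record model in Python. It is example code written for this page, not the thesis's notation, tooling or PROSCAN results; the controllers, control actions, contexts and hazards it contains are constructed for illustration, and the hazard identifiers (H-1 to H-3) and UCA identifiers are hypothetical. What it does show is the mechanism: the cross product of control actions, the four STPA unsafe control action types and operating contexts is the exhaustive set of rows an analyst reviews; each documented UCA is traced to the system-level hazards it can lead to; and the traceability index can be queried to find hazards that no UCA reaches, which is where review attention should go.

```python
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Tuple

# The four unsafe control action (UCA) types defined by STPA: a control action
# can be hazardous if it is not provided, provided, provided with the wrong
# timing or order, or stopped too soon / applied too long.
UCA_TYPES: Tuple[str, ...] = (
    "not provided when needed",
    "provided when it is unsafe",
    "provided too early, too late, or out of order",
    "stopped too soon or applied too long",
)


@dataclass(frozen=True)
class ControlAction:
    controller: str  # human or automated controller that issues the command
    action: str      # the command itself
    process: str     # the controlled process attribute the command affects


@dataclass(frozen=True)
class UCA:
    """One documented unsafe control action, traced to system-level hazards."""
    uca_id: str
    action: ControlAction
    uca_type: str
    context: str
    hazards: Tuple[str, ...]


def candidate_rows(actions: List[ControlAction], contexts: List[str]):
    """Every (action, UCA type, context) triple the analyst must examine.
    Enumerating the cross product makes the review exhaustive rather than ad hoc."""
    return list(product(actions, UCA_TYPES, contexts))


def index_by_hazard(ucas: List[UCA]) -> Dict[str, List[str]]:
    """Map each hazard id to the ids of the UCAs that can lead to it, so a
    reviewer can ask "which unsafe control actions lead to H-2?"."""
    index: Dict[str, List[str]] = {}
    for uca in ucas:
        for hazard in uca.hazards:
            index.setdefault(hazard, []).append(uca.uca_id)
    return index


def uncovered_hazards(hazards: Dict[str, str], ucas: List[UCA]) -> List[str]:
    """Hazards that no UCA is traced to. Either the analysis of this control
    loop is incomplete or the hazard is not reachable through it; both cases
    need an explicit reviewer decision rather than silence."""
    covered = {h for uca in ucas for h in uca.hazards}
    return sorted(h for h in hazards if h not in covered)


def example_analysis():
    """Constructed, hypothetical control loop for the demonstration (not PROSCAN data)."""
    hazards = {
        "H-1": "Beam delivered while the target is misaligned (constructed)",
        "H-2": "Beam not stopped when the planned dose is reached (constructed)",
        "H-3": "Treatment room entered while the beam is on (constructed)",
    }
    start = ControlAction("Operator", "start beam", "beam on/off")
    stop = ControlAction("Interlock", "stop beam", "beam on/off")
    contexts = ["target aligned", "target misaligned", "planned dose reached"]
    ucas = [
        UCA("UCA-1", start, UCA_TYPES[1], "target misaligned", ("H-1",)),
        UCA("UCA-2", stop, UCA_TYPES[0], "planned dose reached", ("H-2",)),
        UCA("UCA-3", stop, UCA_TYPES[2], "planned dose reached", ("H-2",)),
    ]
    return hazards, [start, stop], contexts, ucas


if __name__ == "__main__":
    hazards, actions, contexts, ucas = example_analysis()
    print(f"{len(candidate_rows(actions, contexts))} candidate rows to review")
    for hazard, ids in sorted(index_by_hazard(ucas).items()):
        print(f"{hazard}: {', '.join(ids)}")
    print("hazards with no traced UCA:", uncovered_hazards(hazards, ucas))
```

    Running the block lists 24 candidate rows (2 actions, 4 UCA types, 3 contexts), the three documented UCAs indexed under H-1 and H-2, and H-3 as a hazard the analysed loop never reaches, which is exactly the sort of gap a query over a large set of scenarios is meant to surface for the reviewers the thesis targets.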

    Research on the System Safety Management in Urban Railway

    Nowadays, rail transport has become one of the most widely used forms of transport thanks to its high safety level, large capacity and cost-effectiveness. As railway networks, including urban rail transit, continue to develop, one area of growing attention is ensuring safety and risk management in operation, over the whole life cycle, through scientific tools for the management of railway operation (Martani 2017), specifically in developed and developing countries such as Vietnam. The national mainline railway network in Vietnam has been built and operated entirely in a single narrow gauge (1000 mm) since the previous century, with very few updates to its manual operating technology. Up to now, the conventional technique for managing operational safety in general, and collisions in particular, on the current Vietnamese railway system and its subsystems is accident statistics alone, which is not a scientific tool in the way that the risk identification, analysis and mitigation methods already available in many countries are. Accident management at Vietnam Railways is limited to the analysis of accident statistics, aimed at avoiding and minimising harm from phenomena that are only observed after an accident has occurred. Statistical analysis of train accident case studies on the Vietnamese railway demonstrates that, because the hazards and failures that could result in serious system occurrences (accidents and incidents) have not been identified, recorded and evaluated in a safety-driven risk analysis with a well-suited assessment methodology, risk prevention and control cannot be achieved. Not only is it hard to forecast and avoid events; the likelihood and magnitude of danger, and the severity of the subsequent effects, may also rise. As a result, Vietnam's railway system has a high number of accidents and a high failure rate.
    For example, Vietnam Railways' mainline network recorded approximately 200 railway accidents in 2018, a 3% increase over the previous year, including 163 collisions between trains and road vehicles or persons, resulting in more than 100 fatalities and more than 150 injuries, and 16 accidents, mostly derailments and signals passed at danger, without fatality or injury but with significant damage to rolling stock and track infrastructure (VR 2021). Given the rapid development of urban rail transport in the country in recent years (VmoT 2016; VmoT 2018), a new standardised framework for the safety management and availability of railway operation in Vietnam is required. UMRT Line HN2A in southwest Hanoi is the country's first elevated light rail transit line; it was completed and officially put into revenue service in November 2021. To date it is the first and only railway line in Vietnam for which an operational safety assessment has been launched and maintained over the whole life cycle. The UMRT Hanoi has a large capacity, more complex rolling stock and infrastructure equipment, a modern communication-based train control (CBTC) signalling system and automatic train operation without the need for driver intervention (Lindqvist 2006), all of which are advantages. Developing a compatible and integrated safety management system (SMS) adapted to the safe-operation requirements of this UMRT is a major point of concern, and its adequacy must be demonstrated. In practice, the system acceptance and safety certification phase for Metro Line HN2A was prolonged by up to 2.5 years owing to the identification of non-compliance with safety requirements resulting from inadequate SMS documentation and risk assessment.
    These faults and hazards developed during the manufacturing and execution of the project; it is impossible to go back in time to correct them, and it is equally impossible to disregard the project without taking responsibility for its management. At completion, the HN2A metro line will have required an expenditure of up to $868 million, so it is vital to establish measures that prevent system failure and assure passenger safety. This dissertation has reviewed methods to address these challenges and presents a solution blueprint for attaining the European standard level of system safety in three phases:
    • Phase 1: applicable to lines currently in operation, such as Metro Line HN2A. Focused on operational and maintenance procedures and a training plan for railway personnel, to enhance human performance. Complete and update the risk assessment framework for Metro Line HN2A. The dissertation's findings are described through these applications.
    • Phase 2: applicable to lines currently in construction and manufacturing, such as Metro Line HN3, Line HN2, HCMC Line 1 and Line 2. Continue refining and enhancing the engineering management methods introduced in Phase 1. On the basis of the manufacturers' risk assessments (Line HN3 and HCMC Line 2 with European manufacturers) and the risk assessment framework described in Chapter 4, a risk management plan is developed for each line. Build an accident database for risk assessment research and development.
    • Phase 3: applicable to lines currently in planning. Enhance safety requirements and life-cycle management. Build a proactive safety culture step by step for the railway industry.
    This material is implemented gradually throughout all three phases, beginning with the creation of the concept and concluding with an improvement in the attitude of railway personnel on the HN2A line. In addition to this overview, Chapters 4 through 9 of the dissertation contain specific solutions for risk assessment, vehicle and infrastructure maintenance methods, incident management procedures and safety culture installation. This document focuses on constructing a system safety concept for railway personnel, providing stringent and scientific management practices to assure proper engineering conditions, to manage the metro line system effectively, and to ensure passenger safety in Hanoi's metro operation.