ISSC 2016 Program - Orlando

34TH INTERNATIONAL SYSTEM SAFETY CONFERENCE FLOOR PLAN

Second Floor: Breakout Rooms
First Floor: Breakout Rooms, General Session, Registration


Program & Abstracts | 1

ORGANIZING COMMITTEE

Gary Braman, Conference Chair, Media and Marketing Chair, Off-Site Event Coordinator
Pam Kniess, Budget Committee Chair
Lynece Pfledderer, Protocol Chair
Joe Dowd, Facilities Chair
Pam Wilkinson, Director of Conferences
Cathy Carter, Registration Committee
John Hewitt, Technical Program Chair
Don Swallom, Webmaster
Maury Hill, International Committee Chair
Gerry Einarsson, Conference Co-Chair

CONTENTS

General Information . . . 3
Special Functions . . . 5
Greetings . . . 6
Speakers . . . 8
Schedule . . . 10
Tutorials . . . 16
Panels/Roundtables . . . 21
Paper Presentations . . . 22


2 | 34th International System Safety Conference

Advertisement

AT LOCKHEED MARTIN WE'RE ENGINEERING A BETTER TOMORROW.

WHATEVER YOUR MISSION, THE SIKORSKY S-76D™ HAS YOU COVERED.

VIP. Oil and Gas. EMS. SAR. No matter the mission, Sikorsky provides safe and reliable performance. Fly Out. Fly Back. Fly Safe.™

Learn more at lockheedmartin.com/sikorsky or contact your Sikorsky representative.

© 2015 Lockheed Martin Corporation


GENERAL INFORMATION

Registration Desk. The Registration Desk is in the Atlantis Room, 1st floor.

Badges & Special Event Tickets. Go to the Registration Desk upon arrival to pick up your badge. All personnel must display a 34th ISSC badge while attending sessions, luncheons, and social events. Once a badge is issued, it is the sole responsibility of the registrant to ensure that it is not lost. If you are a sponsor, the name on each badge can be changed as often as necessary between sessions, if approved by Registration. Exhibitor badges are non-transferable.

Special event tickets may be purchased by spouses and guests at the Registration Desk at least 24 hours before the event. Tickets for the Wednesday night off-site event will be sold for spouses and guests. Tickets for the Tuesday, Wednesday, and Thursday luncheons will also be sold at the Registration Desk at least 24 hours before the event.

Chapter Meeting Rooms. Meeting rooms are available to the chapters to hold their monthly meetings. Please reserve your room at the Registration Desk.

Phone/Tablet App. NEW THIS YEAR! Get the latest updates on your smartphone or tablet. Download the app from the 34th ISSC web site, issc2016.system-safety.org.

Transportation. Orlando provides several options for getting around the city. First, there are several rental car services available, including Enterprise Rent-A-Car, Hertz, and others.

Mears Taxi of Orlando is a reliable way to travel. Once in Orlando, you can call (855) 463-2776 for service or make a reservation online at mearstransportation.com.

The Orlando regional public transportation system is called LYNX, a public bus system that serves all of Central Florida. LYNX bus stops are usually marked by a round sign with either a pink paw or a pink bus symbol. Standard bus fare is $2 per person one way, with free transfers. Daily passes ($4.50) can be bought on the bus; weekly passes ($16) must be bought in advance, either on the web or from certain outlets in the area. LYNX also offers a free bus service within Downtown Orlando called LYMMO. If you plan on using LYNX, it is strongly recommended that you visit the official website for route information, www.golynx.com, or call 407-841-LYNX.

Orlando also has a local commuter rail system, SunRail. SunRail trains operate every 30 minutes during the peak morning (5:30 a.m.-8:30 a.m.) and afternoon (4:00 p.m.-7:00 p.m.) rush hours, and at two-hour intervals during non-peak hours. For more information, visit www.sunrail.com or call SunRail's toll-free Customer Service Center at 1-855-RAIL-411 (724-5411), Monday through Friday from 5:30 a.m. to 9:00 p.m.

Tutorial Program and CEUs. Continuing Education Units (CEUs) will be issued by the 2016 ISSC for attending the conference tutorials. To receive CEUs for a tutorial, you must attend the entire tutorial. You must sign in after returning from any breaks that occur during the tutorial, and you must be present at the end of the tutorial. Certificates will be issued on the basis of 0.1 CEU per instruction contact hour.

CEU Certificates. NEW THIS YEAR! In our efforts to GO GREEN, CEU certificates will be emailed to all attendees who successfully complete tutorials at the 2016 ISSC. As in prior years, you must sign in at the beginning of the session, sign in again after returning from each break, and sign out at the end to receive credit and certification. The email will come from issc@iplanitmeetings.com and will be sent to the email address used for your conference registration. If you would like to submit an alternate email address, please stop by the Registration Desk.

Dress Code. We would like you to feel comfortable while you are in the sessions, so we advise "business casual" attire. The Awards Luncheon on Thursday is traditionally the time when you may want to dress more formally, in business dress. All off-site events are business casual.

Messages. An easel is located in the registration area for posting conference information and messages to attendees.

34th ISSC Daily News. The daily news will be available at 7:30 each morning and can be picked up at the Registration Desk.

Spousal Program. Spouses, other family members, and friends will meet in room Palani B on the second floor after the Speakers' Breakfast to make their daily plans. Information and maps will be provided, and personnel will be available to answer questions.

Tuesday Evening Conference Social. Please join us in the Odyssey Room for the Sponsors and Exhibitors Social. Snacks and hors d'oeuvres will be served, and a cash bar will be available for beverages.

Wednesday Evening Off-site. This year's off-site event will take place at SeaWorld Ports of Call. Enjoy a Caribbean buffet dinner while listening to live Caribbean music. The event begins at 6:30 p.m. with a cash bar, and dinner is served at 7:00. SeaWorld Ports of Call® is a short 10-minute walk from the hotel, but if you require transportation, please notify personnel at the Registration Desk and transportation will be provided.

Speakers' Breakfast. On Tuesday, Wednesday, and Thursday mornings from 6:30 to 8:00, there is a breakfast in Palani B on the second floor. Speakers, session chairs, tutorial presenters, and keynote speakers for that day are invited to attend.


A-P-T Research, Inc.
4950 Research Drive
Huntsville, Alabama 35805
Phone: 256.327.3373
Fax: 256.837.7786
www.apt-research.com

Founded in 1990, APT (Analysis, Planning, Test) is a 100% employee-owned small business located in Cummings Research Park near Redstone Arsenal in Huntsville, Alabama. Our corporate vision is to provide state-of-the-art expertise and ensure the highest levels of customer satisfaction.

Providing safe solutions. Protecting your most valuable assets.

System Safety Engineering & Analysis. Mission Assurance. Range Safety. Test Planning. Explosives Safety. Software System Safety. Industrial Engineering. Quality Engineering. Reliability Engineering. Software Development & Modeling. Independent Risk Assessments. Standards Development. And...

Safety Training

Each year since 2004, APT has offered training for both Government and Industrial S&MA professionals. Courses offered include System Safety Engineering, Software System Safety, Explosives Safety, and more. Classes are conducted at either our Huntsville, AL, facility or on-site for clients, and can be specifically tailored to meet the needs of the students' organization.

For a comprehensive list of training classes and detailed course information, visit our website at www.apt-research.com/training or e-mail [email protected].


SPECIAL FUNCTIONS

MONDAY
Opening Ceremonies, 1:30 p.m. - 3:00 p.m., Discovery Ballroom. Speaker: Kathy Fox, Chair, Transportation Safety Board of Canada
General Membership Meeting, 3:30 p.m. - 5:00 p.m., Discovery Ballroom. Speaker: Rodney Simmons, President, International System Safety Society

TUESDAY
Speakers' Breakfast, 6:30 a.m. - 8:00 a.m., Palani Room
Spousal Program, 9:00 a.m., Palani Room
Sponsor/Exhibitor Luncheon, 11:30 a.m. - 1:30 p.m., Discovery Ballroom. Speaker: Paul W. Hanley, Deputy Assistant Secretary of the Navy (Safety), Office of the Assistant Secretary of the Navy (Energy, Installations and Environment)
Conference Reception with Sponsors & Exhibitors, 6:00 p.m. - 9:00 p.m., Odyssey Room

WEDNESDAY
Speakers' Breakfast, 6:30 a.m. - 8:00 a.m., Palani Room
Spousal Program, 9:00 a.m., Palani Room
International Luncheon, 11:30 a.m. - 1:30 p.m., Discovery Ballroom. Speaker: Malcolm Jones, Atomic Weapons Establishment, United Kingdom
Off-Site Event, 6:30 p.m. - 10:00 p.m. Reception, Dinner & Entertainment at Ports of Call outside SeaWorld Orlando

THURSDAY
Speakers' Breakfast, 6:30 a.m. - 8:00 a.m., Palani Room
Annual Awards Luncheon, 11:30 a.m. - 1:30 p.m., Discovery Ballroom. Speakers: Gary Braman & Dr. Rod Simmons
Best Paper Repeat Presentation, 3:30 p.m. - 5:00 p.m., Anemone Room

FRIDAY
SAE International G-48 System Safety Committee Meeting, 8:00 a.m. - 5:00 p.m., Palani Room


GREETINGS FROM THE SOCIETY PRESIDENT

Welcome to Orlando and the 34th International System Safety Conference! The ISSC-2016 conference team has planned an excellent conference, with a great balance between technical papers, panel discussions, and tutorials that can enhance your knowledge and skills in system safety engineering, as well as a great line-up of invited speakers for the major luncheons.

The System Safety Society was organized in 1962 and incorporated in 1973, through the efforts of Roger Lockwood (USAF), C.O. Miller (USC) and Jerome Lederer (Flight Safety Foundation). These individuals shared a vision of the importance of system safety and the contributions that it could make to the improvement of products, processes and services. Over the years, the system safety philosophy and supporting analytical techniques have been adopted in a variety of sectors: defense, aerospace, transportation, medical devices, nuclear, automotive, chemical process industries, electronics, public utilities, and consumer products. While the approaches taken in the various sectors have slight differences, as do the approaches taken in different countries, there is much that binds them together. This conference provides a great opportunity for you to pick up lessons learned in other sectors/regions and take them back home for application to your own systems and programs.

This year's ISSC promises to be a superb professional development and networking event, with technical paper presentations, tutorials that carry CEUs, and outstanding speakers at our major events. The tutorials range from those designed for professionals who are new to the field to tutorials aimed at those who've been working in system safety for decades. The tutorial presenters and paper presenters are giving back to the profession, ensuring the continuous improvement of its practitioners. Be sure to check out the Job Board for employment opportunities, or use it to recruit qualified individuals.

The Society's General Membership meeting will take place on Monday afternoon. You'll have an opportunity to hear from your elected officers and directors. We will recognize our international attendees at Tuesday's International Luncheon. I want to thank our sponsors and exhibitors for helping to make this conference possible. All attendees are invited to join us on Tuesday night for a social event in the exhibits area. Wednesday evening's off-site event will be held at SeaWorld®. Don't miss our awards luncheon on Thursday, and the Best Paper session on Thursday afternoon.

While you're here in Orlando, be sure to take time out for informal chats with other conference attendees. I recall vividly the informal conversations that I had with the three founders, while attending ISSCs early in my system safety career. I look forward to meeting each of you during the conference. I'm interested in your views on the Society and how the Society can help you to achieve your professional goals. If you're not yet a member of the Society, now's a great time to join.

In closing, I want to thank each of you for your personal commitment to your professional development and furtherance of the system safety profession. You'll leave Orlando with new knowledge and insights. Have a great conference!

Rodney J. Simmons, Ph.D., CSP
President, International System Safety Society


GREETINGS FROM THE CONFERENCE CHAIR

On behalf of the Conference Planning Committee, I'd like to welcome you to Orlando and the 34th International System Safety Conference. The conference planning committee has worked hard to make this a world class event and is committed to providing an enriching experience for all at both day and evening events.

The theme for this year's conference is "Developing System Safety Engineers for the Future" and the Technical Program Committee has established a superb range of technical papers, tutorials, and panels. While reviewing the papers and tutorials for the conference, the committee sensed a shift in the world of System Safety. In the past, System Safety was largely focused on the processes embodied in MIL-STD 882E, SAE ARP-4754, SAE ARP-4761, and similar requirements. Whereas System Safety was once something that applied to space exploration, it seems that it is now becoming part of everyday life. What was once space exploration has turned into commercial space travel, indicating how the world has changed during the life of our Society. The technical program this year features papers on topics such as automotive shift-by-wire. When most of us learned to drive and tinker with cars, we never envisioned having only electronics connecting the shift lever to the transmission, and all of the hazards associated with that change, but there is an excellent paper on just that topic this year. The hazards identified by System Safety analyses today come from new sources, such as cyber threats, the cloud, and SCADA/Industrial Control applications, as described in several papers, panel discussions, and tutorials. The need for System Safety is expanding. So it seems that we are on the cusp of a great wave of change in System Safety. The System Safety profession, System Safety engineers, and the System Safety Society are all in the right place at the right time to be part of this seismic shift.

In addition to providing a world class technical program, the committee focused on making your stay in Orlando very rewarding for you and your family. The conference is located in one of the most impressive hotels in one of the most beautiful cities in America, the Renaissance Hotel at SeaWorld, Orlando, FL. The city offers numerous attractions, whether it's a trip for families, couples, single travelers or friends. You'll find that Orlando offers unique experiences for every visitor to ensure an unforgettable vacation. Whether that means a week spent at theme parks or a weekend on the golf course, an Orlando getaway is whatever you want it to be. Search from theme parks, attractions, arts and culture, shopping, spas, golf, dining, outdoor adventures and nightlife to build your perfect itinerary. Additionally, SeaWorld is hosting our off-site event. The evening will include music throughout, a buffet of Caribbean delicacies and a briefing by their animal training staff.

Attending the conference is a win-win situation for you and your family. Not only will you be able to experience an impressive technical program adding to your system safety professional development, but you are able to do it while enjoying your family and friends in one of the most beautiful cities in the country. If you have a special request or need assistance at any time during the conference, please feel free to see me or any of the conference committee members for assistance.

Enjoy your stay in Orlando!

Sincerely,

Gary Braman
Conference Chair, 34th ISSC


SPEAKERS

Kathy Fox, Chair of the Transportation Safety Board of Canada, Keynote Speaker
Appointed Chair August 21, 2014; appointed Member July 2, 2007

Kathy Fox selected air traffic control as a career in 1974, and worked at Transport Canada control towers in Baie-Comeau, Sept-Îles, Saint-Hubert and Montréal-Dorval, as well as at the Montréal Area Control Centre.

From 1982 until 1986 she was in charge of air traffic control training at the CEGEP Saint-Jean-sur-Richelieu, a cooperative training program coordinated by Transport Canada and the Quebec Ministry of Education.

Ms. Fox left operational controlling in 1992 to accept a developmental assignment with Air Traffic Services Headquarters in Ottawa, assuming progressively senior positions. She transferred to NAV CANADA in 1996 and became Director, Safety & Quality, in 1997; then Director, Air Traffic Services, in 1999. In 2000, she was appointed Assistant Vice-President, Air Traffic Services. She became Vice-President, Operations, on April 1, 2003. As Vice-President, Operations, Ms. Fox was responsible for providing executive leadership and direction throughout NAV CANADA's Operations Group. She retired from NAV CANADA in June 2007 and was appointed as a Member of the TSB in July 2007.

Ms. Fox received a Bachelor of Science degree and a Master's degree in Business Administration from McGill University. She also completed a Master of Science in Human Factors and System Safety with Lund University in Sweden.

She has been extensively involved in other aviation activities for over 40 years, including sport parachuting and commercial aviation. She holds an airline transport pilot licence and flight instructor rating and has flown over 5000 hours. Ms. Fox is a recipient of the Fédération aéronautique internationale Paul Tissandier Diploma and the Queen Elizabeth II Anniversary Medal for her contributions to sport parachuting in Canada. She received the Transport Canada Aviation Safety Award in 1999. In November 2004, she was inducted into the Quebec Air and Space Hall of Fame. Ms. Fox received the Elsie MacGill Northern Lights Award in 2010 and the David Charles Abramson Flight Instructor Safety Award in 2011. She was also inducted into Canada's Aviation Hall of Fame on June 9, 2016.

Paul W. Hanley, Deputy Assistant Secretary of the Navy (Safety), Office of the Assistant Secretary of the Navy (Energy, Installations and Environment), Sponsor/Exhibitor Luncheon Speaker

Mr. Hanley currently serves as the Deputy Assistant Secretary of the Navy (Safety) in the office of the Assistant Secretary of the Navy for Energy, Installations and Environment. Since January 2012, he has been responsible for policy, oversight, advocacy and strategic planning for the Department of the Navy's safety and occupational health program, acquisition safety, fire protection and emergency services.

He joined the Senior Executive Service in March 2002 and has fifteen years of Federal service as a civilian.

From December 2010 until January 2012 he was the senior strategic communication expert at the National Defense University, where he led a project to use education as a catalyst for improved integration of communication efforts among the interagency community, the public and private sectors, and our allied and partner nations.

He served as the Senior Advisor to the Commander, Pacific Command for Communication Integration from October 2007 until November 2010, coordinating all defense strategic communication in the Pacific theater.

From March 2002 until September 2007 Hanley was Director of Strategic Communication for the Chairman, Joint Chiefs of Staff, serving as the senior communication advisor to two Chairmen and coordinating all public, legislative, and interagency communication for the Joint Staff.

In April 1993, Hanley founded and served as Chairman and CEO of DC Inc., a private sector communication consulting firm specializing in planning and communication strategy for non-profits and small government agencies. DC Inc. has been inactive since March 2002, when he returned to federal service.

From May of 1992 until April 1993 Hanley was director of communication for the Defense Conversion Commission, chartered to examine the impact of reduced defense spending on US communities, companies, and individuals. He was responsible for all the Commission's communication with the public and the Congress, including the arrangement and conduct of numerous public hearings throughout the US.

Hanley was commissioned in the US Navy in June 1968 through Officer Candidate School. He served on active duty for four years as a Surface Warfare Officer and twenty years as a Public Affairs Officer, retiring in August 1992 as a Captain.

Hanley holds Bachelor of Arts (Honors) and Master of Arts degrees in English language and literature from Oxford University in England, and a Master's degree in international relations from Claremont Graduate University in California. He is a graduate of the Industrial College of the Armed Forces in Washington, DC.

He is a founding Director of the Veterans Small Business Association, where he successfully lobbied Congress for millions of dollars to assist Veteran entrepreneurs; he is a member of the Public Relations Society of America, the National Press Club, and the US Navy Public Affairs Alumni Association, which he helped found; and he is a sometime adjunct professor at American University, where he has taught in the Graduate School of Communication.

Malcolm Jones, Atomic Weapons Establishment, United Kingdom, International Luncheon Speaker

Malcolm graduated from the University of Wales (Swansea) in 1964 with a first class degree in physics and followed this in 1967 with a PhD in Solid State Physics. He joined the UK's Atomic Weapons Establishment (AWE) in December 1967 and has been at that establishment ever since, but took partial retirement in 2007. His career at AWE has covered a multitude of physics and engineering subjects, all supporting the UK's nuclear warhead programmes. His experience has ranged over electro-explosive subject areas, safety arming and fuzing architectures and independent assessment of warhead system safety. For a decade covering the 1990s to early 2000s he led AWE's Distinguished Scientists group, covering a number of key technical studies in support of AWE's major programmes. His 'start' in the system safety arena began with an independent safety study of the UK's Chevaline warhead system, and this was followed by similar independent safety assessment work for follow-on systems. This work led to his support to the UK's MOD in the development of their top level design safety requirements for nuclear weapons, which are still extant, and to leading independent peer reviews of AWE's warhead assembly processes. Malcolm, together with US colleagues, set in place a joint UK/US warhead safety assessment Working Group, and he has led the UK contributions for over 20 years as the UK chair. In addition he sits as an independent panel member which advises on Sandia National Laboratories' Surety Programmes. Over the past two decades he has developed a growing interest in general organisational safety culture and the potential root cause weaknesses that can give rise to ensuing technical or human failure related mishaps.

Currently he holds the position of Scientific Adviser to AWE's Chief Scientist and to AWE's Chief Engineer for Product (warhead) Assurance. He previously held the post of warhead Design Authority Scientific Adviser. He is a chartered physicist, a chartered engineer and a Fellow of both the UK's Institute of Physics and the International System Safety Society, having supported the latter for over two decades. He is an adviser to a number of senior UK Ministry of Defence and AWE safety bodies. In 2004 he was awarded an MBE in the Queen's Birthday Honours List for contributions to the UK defence industry, and he is also the second recipient of the John Challens Medal, which is AWE's highest award for lifetime contributions to Science, Engineering and Technology. He has also been honoured by VNIIA in the RF for his work in fostering nuclear weapon safety collaboration between the UK and the RF.


SCHEDULE

MONDAY, 8 AUGUST
7:00-3:00  Registration
1:30-3:00  Opening Ceremonies, Discovery Ballroom. Keynote Speaker: Kathy Fox, Chair, Transportation Safety Board of Canada
3:30-5:00  International System Safety Society General Membership Meeting, Discovery Ballroom

TUESDAY, 9 AUGUST
6:30-8:00  Speakers' Breakfast, Palani Room
7:30-3:00  Registration
9:00       Spousal Program, Palani Room

Anemone, Labrid and Bluegill rooms

8:00-8:40
- Software Safety 1 (Kady): Use of Agile Practices when Developing Safety-Critical Software (Myklebust, Stålhane, Hanssen)
- Reliability Engineering 1 (Flint): Mission Reliability Assessment for Aircraft Based on Flight Parameters (Ma, Guan, Ma)

8:50-9:30
- System Safety Education 1 (Muniak): Safety and Liability Risks for Government Contractors Entering Commercial Markets (Chizek)
- System Safety Level Of Rigor: Software Versus Hardware (Bartos)
- Hard Landing Prediction with Improved PSO Based-BP Neural Network (Li, Wei, Zhou, Du)

10:00-10:40
- Safety Engineering Practice and Experience on Cross Integration of Interoperable Safety Critical Systems Developed by Multiple Suppliers (Shi)
- Product Safety Assessment Based on Bayesian Networks and Competing Risk Model with Multiple Mechanisms (Wang, Wang, Wang, Xuan, Li)

10:50-11:30
- A Comprehensive Assessment of System Safety Degree Programs in the United States (Kady)

11:30-1:30  Conference Luncheon honoring ISSC Sponsors & Exhibitors. Speaker: Paul W. Hanley, Deputy Assistant Secretary of the Navy (Safety), Office of the Assistant Secretary of the Navy (Energy, Installations and Environment)

1:30-2:10
- Tutorial: Hazard Tracking System for a System-of-Systems (Zenga)
- Tutorial: Understanding Risk Management for the Medical Device Industry (Elahi)
- Reliability Engineering 2 (Bower): Health and Safety Assessment and Prediction for Motors Based on An Improved SVM Model (Xuan)

2:20-3:00
- The Application of Pattern Recognition in Landing Safety Warning with QAR Data (Hu, Zhou, Wei, Chang)

Fantail, Damselfish and Grouper rooms

8:00-8:40
- Hazard/Risk Management 1 (Gonzalez): Hazard Analysis for Facilities and Process Safety (Siow)
- Tutorial: System Safety Part 1: Hands-On System Safety Basics (Winkelbauer)

8:50-9:30
- A Multi-Perspective Hazard Identification Approach for Complex System-of-Systems (Chan)

10:00-10:40
- Enabling an Error Prevention Collective Corrective Action Process by Performing Risk Assessment on Historical Data (Laabs)
- Cyber Safety (Schedl): Forensic Attacks Analysis and the Cyber Security of Safety-Critical Industrial Control Systems (Johnson, Harkness, Evangelopoulou)

10:50-11:30
- Activity Based Root Cause Analysis (Ding)
- Long-Range Safety Forecast - Partly Cloudy (Bettis)

1:30-2:10
- Cyber Safety (cont'd): You Outsource the Service but Not the Risk: Supply Chain Risk Management for the Cyber Security of Safety Critical Systems (Johnson)
- Tutorial: System Safety Part 2: Practical Generation of Safety Cases With the Help of GSN (Gerstinger)

3:30-4:10
- Tutorial: Threat Management for the Cyber Security of Safety Critical Systems (Johnson)

6:00-9:00  Conference Reception with Sponsors & Exhibitors, Odyssey Room

Page 14: ISSC 2016 Program - Orlando - 2016-07-25.indd

12 | 34th International System Safety Conference

SCHEDULE WEDNESDAY, 10 AUGUST6:30-8:00 Speakers' Breakfast, Palani Room 7:30-3:30 Registration9:00 Spousal Program, Palani Room

Anemone Labrid Bluegill8:00- 8:40

System Safety Education 2 (Owens)

The Challenges of Being a Safety EngineerAyyildiz

Software Safety 2 (Thomas)

Challenges of Applying Conventional Software System Safety to Agile Software Development ProgramsWest, Emery

Reliability Engineering 3 (Laabs)

Utilizing Simulated Testing to Determine Probability of Failures in Safety Critical SystemsThomas, Eichelberger, Lee

8:50-9:30

Taking System Safety Back To The FutureFlint

Model Based Development and Software System SafetyHendrix

10:00- 10:40

Unmanned Systems (Durmaz)

Architecting a Safety Case for UAS Flight OperationsDenney, Pai

10:50-11:30

11:30-1:30

Conference Luncheon honoring our International Participants

Speaker: Malcolm Jones, Atomic Weapons Establishment, United Kingdom1:30-2:10

Tutorial

New Engineer Focus – System Safety Process Applied to High Voltage Automotive Propulsion SystemVernacchia

Tutorial

Introduction to Field Programmable Gate Array (FPGA) TechnologyFulks

Reliability Engineering 4 (Oliver)

Modeling and Analysis of Mishap Data Using Artificial Neural NetworksGreen

2:20-3:00

Effect of Dormant Failures on Safety BarriersDakessian

3:30-4:10

Tutorial

Introduction to Data Coupling and Control CouplingBhattacharya

Particular Risk Analyses Studies of a MALE Class UAV and Lessons LearnedOzet

4:20-5:00

6:30-10:00

Evening Off-site

Reception, Dinner & Entertainment at Ports of Call outside Sea World Orlando


Fantail | Damselfish | Grouper

8:00-8:40

Hazard/Risk Management 2 (Kraemer)

Systematic Approach to Perform Safety Assessment on Vessel Platforms
Tan

Panel/Roundtable

The Most Pressing Issues Facing System Safety
West

Tutorial

System Safety Part 3: Cyber Safety and Security
Gerstinger

8:50-9:30

Defining Safety Requirements for Human-Machine Interactions
Vernacchia

10:00-10:40

Literal and Conservative Application of MIL-STD-882E in Space Launch and Satellite Procurement
McDougall

10:50-11:30

11:30-1:30

1:30-2:10

Tutorial

Developing Electronic Systems for Safety-Critical Applications
Hammett

Panel/Roundtable

Reestablishing Engineering and Systems as the Fundamental Precepts of the System Safety Profession and the ISSS
Flint

Tutorial

Investigating Process for Space Mishaps (Lessons Learned and Tabletop Exercise)
Kaiser

2:20-3:00

3:30-4:10

Panel/Roundtable

Developing Future System Safety Engineers through STEM Outreach
Owens

4:20-5:00

6:30-10:00

OFF-SITE EVENT
Wednesday, 10 August, 6:30-10:00 p.m.

SEA WORLD PORTS OF CALL
Caribbean buffet. Caribbean music.


SCHEDULE THURSDAY, 11 AUGUST
6:30-8:00 Speakers' Breakfast, Palani Room

Anemone | Labrid | Bluegill

8:00-8:40

Tutorial

System Safety Engineering and Management: An Overview
Braman

Tutorial

MIL-STD-882E Applies to All Your Software - Not Just the Code You Write
Bower

Miscellaneous (Johnson)

The Movement of Inorganic Cadmium Through the Environment: Dangerous Goods II
Zito

8:50-9:30

Organisational Problems - Potential Causes - Unintentional Consequences
Jones

10:00-10:40

Tutorial

Safety and Human Performance
Braman

10:50-11:30

11:30-1:30

Annual International System Safety Society Awards Luncheon

Speakers: Gary Braman & Dr. Rod Simmons

1:30-2:10

2:20-3:00

Weapons Safety (Barondes)

Unique Hazards Found in Laser Weapon Systems and Potential Mitigations
Sivapragasam

3:30-4:10

Best Paper Presentation: Tools and Techniques for Safety-Specific Software Testing
Connell

4:20-5:00

FRIDAY, 12 AUGUST

Palani

8:00-9:30

Panel/Roundtable

SAE International G-48 System Safety Committee Meeting
West

9:30-5:00


Fantail | Damselfish | Grouper

8:00-8:40

Hazard/Risk Management 3 (Fruehling)

How to Create a Sound Risk Management Process That is Compliant with ISO 14971
Elahi

Tutorial

Understanding Functional Safety Management Methods Evolution for Tomorrow’s Civil and Military Aircraft Development and Safety Assessment
Schrage

Tutorial

Responsibilities and Potential Liability of System Safety Engineers
Chizek

8:50-9:30

Role of Regulators in Safeguarding the Interface between Autonomous Systems and the General Public
Johnson

10:00-10:40

How Complex Systems Fail-II: Bounding the “Black Swan” Probability
Zito

10:50-11:30

How Complex Systems Fail-III: The System Risk Surface
Zito

11:30-1:30

1:30-2:10

Human Factors (Kaiser)

The Human Factors Case Concept and Its Value for the Safety Case
Požgaj, Fritz, Schedl

Panel/Roundtable

Developing a System Safety Expert – Perceptions from industry, academia and government
Braman

Tutorial

Methodology to Assess the Safety Risks for Software Intensive Systems
Teppig

2:20-3:00

Workplace Safety and Health (Kaiser)

Don’t Turn a Blind Eye to Safety: Protecting Personnel from Harmful Lasers
Donda

3:30-4:10

Tutorial

Protecting Personnel from Harmful Lasers
Donda

4:20-5:00


TUTORIALS

The conference organizers have an information-packed tutorial program planned for the ISSC 2016. Attending tutorials, as well as other elements of the Technical Program at the ISSC 2016, meets the requirements for Continuance of Certification credit through the Board of Certified Safety Professionals (BCSP). The International System Safety Society will issue Continuing Education Units (CEUs) for participation in the conference tutorials. CEUs are issued on the basis of 0.1 CEU per instructional contact hour. You must be present for at least 90% of the tutorial to receive CEUs and a tutorial completion certificate. Your attendance is verified via the process outlined below:

• At the start of the tutorial, clearly print your name in the attendance form exactly as you want it to appear on the certificate.

• After returning from each break during the tutorial (morning, lunch, and/or afternoon), initial the attendance form.

• You must be present at the end of the tutorial to sign out and qualify for your certificate and the CEUs.

NEW THIS YEAR – In our efforts to GO GREEN, CEU certificates will be emailed to all attendees who successfully complete tutorials.

TUESDAY // 08-09 // 8:00-11:30 // GROUPER TUTORIAL 0.3 CEU

System Safety Part 1: Hands-On System Safety Basics
Instructor: Werner Winkelbauer

After some general background on system safety and the motivation for its application, an overview of a generic safety process (best suited for small to medium sized projects) is given in relation to the project lifecycle. For each major project phase, the respective safety process phase, safety objectives and some state-of-the-art analysis techniques are explained. Special emphasis is put on a case study covering the major steps of a safety analysis, including Functional Failure Modes and Effects Analysis and Fault Tree Analysis. The content of this tutorial is based on experience from an internationally operating company.

Learning outcomes:

Upon successful completion of this tutorial, the attendee will be able to:
1. Understand the basic principles of system safety and the motivation for its application
2. Understand the role of the safety lifecycle within the project lifecycle
3. Understand some major safety analysis techniques
4. Perform a Functional Hazard Assessment

TUESDAY // 08-09 // 1:30-5:00 // ANEMONE TUTORIAL 0.3 CEU

Hazard Tracking System for a System-of-Systems
Instructor: Tony Zenga

In this tutorial, we will discuss management of hazards as they mature through a typical project lifecycle. This will be done using a Hazard Tracking System for a sample System-of-Systems program, focusing on common problems and offering techniques to address them. The tutorial will be a workshop environment, where participants will be encouraged to offer problems from their own experience for the group to discuss.

TUESDAY // 08-09 // 1:30-5:00 // LABRID TUTORIAL 0.3 CEU

Understanding Risk Management for the Medical Device Industry
Instructor: Bijan Elahi

In this tutorial the students learn the language and concepts of risk management for the medical device industry. Workshop practices will be offered in a dynamic, educational and enjoyable session.

TUESDAY // 08-09 // 1:30-5:00 // GROUPER TUTORIAL 0.3 CEU

System Safety Part 2: Practical Generation of Safety Cases With the Help of GSN
Instructor: Andreas Gerstinger

This tutorial will introduce you to the concept of safety cases. Safety cases are structured arguments that support the claim that a system is safe to be used for a given application in a given environment. Several standards require the production of such safety cases as a prerequisite for approval. The tutorial will highlight good and bad practices when developing safety cases and will introduce you to a notation specifically developed for the generation of safety cases, the Goal Structuring Notation (GSN). There will be practical examples which need to be solved by the attendees, so that hands-on practice and experience is gained.

Upon completion of the presentation, the attendee will be able to:
• Understand the concept of safety cases
• Understand the benefits and potential pitfalls of safety cases
• Give an overview of Goal Structuring Notation (GSN)
• Read GSN
• Create simple arguments in GSN


TUESDAY // 08-09 // 3:30-5:00 // DAMSELFISH TUTORIAL 0.1 CEU

Threat Management for the Cyber Security of Safety Critical Systems
Instructor: Christopher Johnson

There has been a growing number of cyber attacks on critical infrastructures around the globe. At the same time, the increasing use of Commercial Off The Shelf (COTS) software and the horizontal integration of high-reliability systems increase our vulnerabilities. This tutorial will use a series of case studies drawn from these previous attacks to show how organizations can identify and respond to the changing threat landscape. We will highlight key differences between safety and security critical systems – safety hazards tend to evolve slowly over time with changes in the operating environment or system requirements. In consequence, safety risk assessments can gradually be updated over time. In cyber security, however, new attack methods or adversaries can totally undermine a cyber-threat assessment overnight. The tutorial will end by presenting a range of solutions that reduce cyber risks across a range of industries including transport, healthcare and SCADA/Industrial Control applications.

Learning Outcomes: By the end of the tutorial, attendees will:
• Possess an understanding of recent attack methods;
• Be able to develop an initial threat model that can be used to guide the allocation of cyber countermeasures;
• Have knowledge of state sponsored, advanced persistent threats as well as commercially motivated attacks;
• Possess an overview of the problems in improving cyber security in safety critical systems (including conflicts between safety and security standards);
• Have an understanding of countermeasures (technical, organizational, human factors).

Style of Presentation

The tutorial will build on a number of case studies based on previous cyber attacks in safety critical infrastructures throughout Europe and Asia. We will use lecture presentations to introduce topics and then open discussion from the audience. The studies of cyber attacks will be drawn from air traffic management, nuclear, healthcare and military domains.

WEDNESDAY // 08-10 // 8:00-11:30 // GROUPER TUTORIAL 0.3 CEU

System Safety Part 3: Cyber Safety and Security
Instructor: Andreas Gerstinger

Safety and Security are two characteristics that are required in many systems simultaneously, such as in critical infrastructure like air navigation or public transport. The need for state-of-the-art security will continue to increase in the light of the continuously increasing number of cyber-attacks. Today’s safety-related systems frequently contain interfaces to IP-networks and are often based on so-called COTS (commercial-off-the-shelf) components, resulting in rising risks of cyber-attacks. The tutorial will address this growing importance of security in safety-related systems. It provides a holistic view on the rising topic of Cyber Safety with respect to the connection between security threats and safety hazards. Participants learn about the often conflicting requirements of Safety and Security and gain knowledge on possible analysis approaches.

Learning outcomes: Basic understanding of
• Security
• Security Incidents in Safety-Critical Systems
• Safety and Security Contradictions and Synergies
• Principles of a Security Risk Assessment

WEDNESDAY // 08-10 // 1:30-5:00 // ANEMONE TUTORIAL 0.3 CEU

New Engineer Focus – System Safety Process Applied to High Voltage Automotive Propulsion System
Instructor: Mark Vernacchia

The tutorial includes interactive sessions for attendees to participate in the identification of associated safety hazards, development of interaction impact through HAZOP analysis, and the definition of high level requirements for hybrid and electric vehicle high voltage propulsion systems.

WEDNESDAY // 08-10 // 1:30-3:00 // LABRID TUTORIAL 0.1 CEU

Introduction to Field Programmable Gate Array (FPGA) Technology
Instructor: Charles Fulks

Field Programmable Gate Arrays are becoming ubiquitous in electronics. Many people misunderstand the nature of these devices and confuse their development with software development. This session introduces Field Programmable Gate Array (FPGA) technology and development. It is intended for engineers and management who need to understand FPGAs, but who do not intend to personally develop FPGA designs. The attendee will leave with a solid foundation of FPGA technology, development process, and management. They will also have basic knowledge of common errors and indicators of design quality (red flags).

WEDNESDAY // 08-10 // 1:30-5:00 // FANTAIL TUTORIAL 0.3 CEU

Developing Electronic Systems for Safety-Critical Applications
Instructor: Robert Hammett

Outline of Session:
• Motivation (Safety, Economic, Regulatory)
• Review of risk and reliability
• Classification of Systems (fail-safe, fail-operational, continuously available, ...)
• Achieving high reliability and safety with electronics (fault avoidance, redundancy, redundancy management, software reliability)
• Types of highly reliable systems
• Typical design features (redundancy, voting, cross-strapping, dissimilar designs, fault-isolation regions)
• Case studies of typical systems
• Speculation on future trends
• Conclusions

WEDNESDAY // 08-10 // 1:30-5:00 // GROUPER TUTORIAL 0.3 CEU

Investigating Process for Space Mishaps (Lessons Learned and Tabletop Exercise)
Instructor: Jackie Kaiser

Outline of Session:
1. Investigating Process – General
   a. Walk through a general simple investigation from a prior mishap (lessons learned and historical examples)
   b. Planning ahead for the potential investigating officer (training, guidance, read prior mishaps, go kit – stuff on CD, clothing, hotel, car)
2. First day of investigation
   a. Safe the “site” (safe the satellite)
   b. Locking down the “site” (ISB, sequester data, interviews – write down (privilege vs non-privilege), on-orbit, terrestrial)
3. Investigating – planning the investigation
   a. Establishing a chain of command
   b. Gathering and reviewing evidence and data
   c. Establishing a timeline of events
   d. Establishing potential interviewees
   e. Visiting the site(s) if off-site
   f. Planning – purpose of visit (e.g. info needed)
   g. Conducting the investigation – who’s responsible for what? Board phases?
4. Organizing and writing the report
   a. Analysis and/or testing
   b. Fishbone (e.g.)
   c. Getting to root cause
   d. Report writing
      i. Writing by committee, audience, follow the thread, 5 whys/therefore
   e. Following up on recommendations
5. Tabletop exercises (pick one)
   a. Launch mishap
   b. Orbital mishap

WEDNESDAY // 08-10 // 3:30-5:00 // LABRID TUTORIAL 0.1 CEU

Introduction to Data Coupling and Control Coupling
Instructor: Shan Bhattacharya

To ensure systems behave reliably, software development teams in the commercial and defence avionics industries typically follow DO-178C as guidance. This guidance details steps across the life-cycle, from process and certification planning to development and verification, using a series of process objectives. One of these specific objectives, A 7-8, states:

“Test coverage of software structure (data coupling and control coupling) is achieved.”

This particular objective, with its associated methodology and artifacts, has been interpreted in a variety of ways, often resulting in confusion and rework. This paper and presentation aim to provide practical approaches to automating much of the process while clarifying the methodology.

Topics covered include:
• The evolution of the data coupling and control coupling objective from DO-178B to DO-178C
• Data and control coupling concepts
• Potential linker related issues and how to mitigate them using control coupling analysis
• Measuring procedure call coverage to ensure control coupling objectives are met
• Measuring dynamic data flow coverage to achieve data coupling objectives in the context of various scopes of tests

THURSDAY // 08-11 // 8:00-9:30 // ANEMONE TUTORIAL 0.1 CEU

System Safety Engineering and Management: An Overview
Instructor: Gary Braman

This tutorial focuses on the integration of system safety into all phases of a system's life-cycle. The system safety process is examined and evaluated beginning with the initial design of the system through testing, production, operational employment, and system disposal. Several system safety analysis techniques are also examined to ensure the roles and responsibilities of the system safety engineer are understood. The content of the tutorial is based on MIL-STD-882 and SAE ARP-4761. The objectives of the tutorial are to provide a history of system safety, define safety terms, provide an overview of the system safety process including the hazard reduction precedence, and provide an overview of hazard analysis techniques and system safety documents. Finally, it will provide an overview of managing human factors issues in system design. This tutorial is designed to provide the newly assigned system safety engineer, program managers, integrated process team (IPT) leaders, and other program engineers a comprehensive overview of the system safety process and how system safety is integrated into the life cycle of a system from the perspective of the System Safety Engineer. Other engineering disciplines that can benefit from this tutorial include human factors, structures, software, reliability and maintainability, electrical, and systems engineering.

THURSDAY // 08-11 // 8:00-12:30 // LABRID TUTORIAL 0.4 CEU

MIL-STD-882E Applies to All Your Software - Not Just the Code You Write
Instructor: Douglas Bower

Hands-on development of software systems safety artifacts based on application of the presented material, such as: Functional Hazard Analysis, Safety Criticality Assessment, and evidence of applications of Level of Rigor.

THURSDAY // 08-11 // 8:00-9:30 // DAMSELFISH TUTORIAL 0.1 CEU

Understanding Functional Safety Management Methods Evolution for Tomorrow’s Civil and Military Aircraft Development and Safety Assessment
Instructor: Dan Schrage

I. Part 1: Review of Functional Safety Management and Its Application in Different Industries (1 hour)
1. What is a Safety Related System?
2. Why is Functional Safety Necessary?
3. Review of IEC 61508: Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems (E/E/PE, or E/E/PES) - an international standard of rules for programmable systems applied in industry
4. Automotive application field: ISO/DIS 26262: Road vehicles – Functional safety, adaptation of IEC 61508 specific to the application sector of electrical and electronic systems in the road vehicle industry
5. Comparison of Automotive and Aerospace Functional Safety Approaches

II. Part 2: Review of Functional Safety Management for Today’s and Tomorrow’s Civil & Military Aircraft and Systems Development (1 hour)
1. Review of ARP 4754A: Development of Civil Aircraft and Systems
2. Review of ARP 4761: Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment
3. Review of MIL-STD-882E: System Safety
4. Comparison of ARP 4761 and MIL-STD-882E
5. Review of DO-297: Integrated Modular Avionics

III. Part 3: Examples of PASA and PSSA for Aerospace Applications (1 hour)
1. Fixed Wing Commercial Aircraft
2. Military Helicopter Upgrade
3. Spacecraft
4. Unmanned Aerial Systems (UAS)

THURSDAY // 08-11 // 8:00-9:30 // GROUPER TUTORIAL 0.1 CEU

Responsibilities and Potential Liability of System Safety Engineers
Instructor: Martin Chizek

The tutorial will begin with a discussion of product manufacturer liability based upon traditional theories of negligence, strict liability, misrepresentation and breach of warranty. Negligence focuses on the conduct of the defendant when designing, manufacturing and marketing the product. Strict Liability focuses on the alleged defect in the product as defined in state case law and/or the Restatement of Torts. False or misleading information or promises provided by the seller of the product may result in allegations of Misrepresentation, or Breach of Warranty under the Uniform Commercial Code. Affirmative defenses available to the manufacturer defendant will be discussed, including the Government Contractor Defense.

Liability of Safety professionals will be the second topic. The legal duties (Standard of Care) of engineers will be discussed, as well as contractual obligations and the definition of gross negligence based on various state laws and professional engineering boards.

The majority of the tutorial will consist of a review of recent high profile cases involving allegations of poor judgment or misconduct by engineers and safety professionals. Using publicly available information, each case study will include the factual background, the allegations of negligence and/or product defect, the investigation and probable root causes, conduct of the parties involved, and the legal outcome and findings in each case. Finally, there will be discussion of what could have been done to prevent the incident. Each case will conclude with “lessons learned” for System Safety Engineers of all experience levels that correlate the concepts addressed in the previous sections.


Proposed case studies will include the following:
• Peanut Corporation of America, Salmonella Contamination
• Deepwater Horizon Blowout
• Takata Airbag Recall
• Volkswagen Emission Testing
• General Motors Ignition Switch Recall
• Toyota Unintended Accelerations

THURSDAY // 08-11 // 10:00-11:30 // ANEMONE TUTORIAL 0.1 CEU

Safety and Human Performance
Instructor: Gary Braman

This tutorial looks at human performance from a reactive and a proactive perspective. The accident investigation process is reviewed along with a discussion of the areas of an accident investigation, the various types of human errors, why they occurred, and how they are prevented. From the proactive perspective of preventing human errors, the system safety process is reviewed with emphasis on how it affects design and the prevention of human errors.

THURSDAY // 08-11 // 1:30-3:00 // GROUPER TUTORIAL 0.3 CEU

Methodology to Assess the Safety Risks for Software Intensive Systems
Instructor: William Teppig

The tutorial defines a new construct/model that allows the analyst to assess system risks from errant software commands, as well as other faults, and provides a hierarchy of remedial actions that will allow the Program Manager to measure increased levels of safety for each increment of funding applied. In support of this goal, the construct defines the core basic unit of active systems and establishes the elemental function of software, since, at its basic level, software is "stored intent" that has been mechanized into a system that fulfills the designer's intentions when experiencing a prescribed environment. The tutorial recognizes that the current software "safety" analyses focus on enhancing the reliability/quality of the code instructions, which is not the dominant source of induced errors in active software controlled systems. MIL-STD-882E provides little actionable guidance for assessing the "rigor" of the level of risk control inherent in the design. Directing the analyst to a category of software analyses begs the question "Does this process enhance safety or merely reduce the available budget?" The tutorial defines the real-world design requirements and provides system design architects with actionable guidance to enhance the error protection rigor of their designs and the software control commands. The presentation also proves the uselessness of stating, "Software never fails!" It proposes a measurable, actionable, quantifiable definition of "Unknown State" risks in terms that are tailored to the Top Level Mishaps (TLM), allowing definable remedial actions to be implemented simply within a specific system design to provide Program Managers with a real-world progress scalar for risk acceptance of their systems ($ of safety = $ of risk reduction). The core basis of the proposed construct is the risk linkage between the TLM lifecycle within the system design, the "Time to Detect", the "Time to Stop" and the emergence of a TLM "Tipping Point". These design features are matched against the System State Condition sensing and the sensor array architecture distributed within the overall design. The tutorial describes examples of "good" and "bad" system designs and provides suggested remedial actions to lower risks from software command failures/electrical faults, human errors, mechanical failures, and environmental influences. The tutorial proposes that these four factors are the energy releasing factors within an active system. An actionable "redefinition" of system "RIGOR" is proposed as opposed to the "guidance" within MIL-STD-882E for software safety analysis. A decision tree proposing design alternatives for countering the risks from "unused firmware/reuse code", processor hardware failures and integrated processor errant code is also included in this tutorial, providing further guidance for Program Managers' due diligence in risk reduction. Since "Time to Detect" and "Time to Stop" may vary according to the lifecycle of the Top Level Mishap, the tutorial describes design guidance for projecting future TLM "tipping points" and reducing the burden on the design's detection performance and/or its ability to preclude a mishap. The tutorial proposes an actionable definition of "Unknown State" for software risks and provides guidance to the designer to remedy the risks in a manner that correlates with the specific TLM.

The tutorial proposes a matrix that can be tailored to each program to assess the probability of detection based on a scalar measuring the "State Sensor Performance" vs "State Condition Query Performance". In summary, the tutorial establishes that the interpretation of state condition changes translated to the "code" is the dominant factor in software command failures, and that the system's architecture must be designed/redesigned to detect and stop the formation of Tipping Points before it is too late to stop!

THURSDAY // 08-11 // 3:30-5:00 // GROUPER TUTORIAL 0.1 CEU

Protecting Personnel from Harmful Lasers
Instructor: Anish Donda

While lasers have many useful purposes for both commercial and military applications, they can also be hazardous if not operated safely. The outline for the tutorial is presented below. The concepts presented in this tutorial can be applied to any hazardous laser system.

• Laser Overview
  - Laser components
  - Laser operation
  - Laser Classes
• Laser Parameters
  - Beam Size
  - Divergence
  - Power/Energy
  - Shape
  - Profile
  - Pulsed vs. Continuous Wave
• Laser Hazards
  - Eye
  - Skin
  - Non-Beam
• Laser regulations/specifications
  - Federal
  - State
  - Military
  - International
• Hazard Controls
  - Engineering controls
  - Facility controls
  - Procedural controls
  - PPE
• Laser Safety Attributes
  - MPE
  - AEL
  - OD
  - NOHD
  - NSHD
  - Point source vs extended source
  - Aided vs unaided
  - Atmospheric attenuation
• Tools
  - LIA
  - LHAZ
  - Easy Haz
• Examples of laser calculations
  - Laser Classification
  - MPE Calculations
  - Pulsed Laser - 3 Cases
  - CW
  - Aided vs. unaided
• Summary/Conclusions

PANELS/ROUNDTABLES

WEDNESDAY // 08-10 // 8:00-11:30 // DAMSELFISH

The Most Pressing Issues Facing System Safety
Moderator: Dave West

“The Most Pressing Issues Facing System Safety” will be a half-day panel consisting of 4 to 6 presentations by various experts from different companies or agencies. Presentation topics include items thought to be among the most important issues facing the System Safety community, as determined by discussion and deliberation at recent meetings of the SAE International G-48 System Safety Committee. The panel will be moderated by G-48 Committee Chair, Dave West. Panelists and attendees will be encouraged to confer with one another after each presentation, to seek consensus and offer feedback concerning whether the topic is indeed a pressing issue to individuals, their organizations, or the System Safety field in general; and whether the G-48 Committee should prepare a position on the issue or pursue any actions with regard to it. This year’s edition, at the 34th ISSC in 2016, will be the fourth annual installment of this panel.

WEDNESDAY // 08-10 // 1:30-3:00 // DAMSELFISH

Reestablishing Engineering and Systems as the Fundamental Precepts of the System Safety Profession and the ISSS
Moderator: Lee Flint
Panelists: Charlie Hoes, Mark Vernacchia, Pam Wilkinson, Rod Simmons, Russ Mitchell, Don Swallom, Mike McKelvey, Tiffany Owens

It seems that “paradigm shifting” is the hot topic in our Society at the moment. When I looked up what a paradigm shift actually is – “a fundamental change in approach or underlying assumptions” – I found that it very succinctly describes one of my primary concerns with the direction the system safety profession and our Society has taken since I joined up some 28 years ago. That concern is a shift by our Society and the profession away from its “systems” (plural) and “engineering” roots. Downplaying (or even dropping) “engineering” and “systems” in the system safety lexicon has been detrimental to both the ISSS and to the profession. Given the current interest in paradigm shifting, discussions with fellow members, and some recent Journal articles, the time seems right to present this concern and promote a discussion within the system safety community. It is not intended to stir up a controversy or argument but rather to promote some introspective thinking and discussion.

WEDNESDAY // 08-10 // 3:30-5:00 // DAMSELFISH

Developing Future System Safety Engineers through STEM Outreach
Moderator: Tiffany Owens
Panelists: Christopher Green, Rani Kady

Roundtable discussion on Science Technology Engineering Math (STEM) outreach and how it can provide exciting and engaging ways to inspire youth to pursue STEM careers. The panel and attendees will be engaged in discussion related to STEM such as implementing outreach programs, sample STEM activities, and developing partnerships. Additional discussion will focus on STEM outreach activities that expose youth to system safety engineering. Roundtable discussion topics will include:
1. Why STEM outreach?
2. STEM outreach programs
3. Incorporating system safety into STEM outreach
4. Sample STEM outreach activities
5. Q&A from the audience

THURSDAY // 08-11 // 1:30-3:00 // DAMSELFISH

Developing a System Safety Expert – Perceptions from Industry, Academia and Government
Moderator: Gary Braman
Panelists: Chuck Muniak, Saralyn Dwyer, Rani Kady, Harmony Myers

The panel will focus on the different approaches each organization takes to hiring and developing System Safety Experts.

FRIDAY // 08-12 // 8:00-5:00 // PALANI

G-48 Meeting
Moderator: Dave West


PAPER PRESENTATIONS

TUESDAY // 08-09 // 8:50-11:30 // ANEMONE // SYSTEM SAFETY EDUCATION 1 // CHAIR: MUNIAK

Safety and Liability Risks for Government Contractors Entering Commercial Markets
Martin S. Chizek, P.E., C.S.P.; Product Safety Officer; Lockheed Martin, Orlando, FL, USA

Defense contractors are increasingly seeking commercial customers and markets beyond traditional Department of Defense (DoD) and other government contracts. Commercial markets offer potential advantages such as large and stable customer bases, more predictable income streams, and freedom from the burdensome government acquisition process. However, commercial markets pose unique challenges to traditional defense contractors in terms of product safety expectations, legal liability, and risk assessment and mitigation. This paper explores issues and obstacles that a defense contractor safety professional will face when introducing a product into a commercial environment. What commercial safety standards should be used, and what legal protection do they afford? What types of hazard analysis should be performed, and what additional hazard categories should be considered? How can the manufacturer be protected from customer misuse or modification of its products? And, the most vexing question faced by all commercial product designers: How safe is safe enough?

Safety Engineering Practice and Experience on Cross Integration of Interoperable Safety Critical Systems Developed by Multiple Suppliers
Fenggang Shi, PhD; Thales Canada Transportation Solutions; Toronto, Canada

With the increasing scale of systems in certain domains such as urban transportation signaling, users require multiple suppliers to develop interoperable systems for cross integration. This approach may reduce technical and schedule risks on very large scale projects where there are concerns about a single supplier’s engineering capability. However, it is challenging to ensure that systems from multiple suppliers are interoperable. The technology used by one supplier differs from that of the others, and each supplier considers its technology and safety design techniques to be its own intellectual property. Thus, safety engineering for the integration of interoperable systems from multiple suppliers faces a big challenge: how to build up the safety case for the final system. This paper discusses an approach to managing this challenge by letting all suppliers cooperate on defining the open system architecture, functional safety concepts, and interface communication protocols. The function allocations for each subsystem in the open architecture enable each supplier to use its own technology and design techniques to develop a subsystem and the corresponding safety case for satisfying the interoperable system requirements. How to develop the safety case for the final integrated system is discussed based on our experience of developing interoperable signaling systems with other suppliers.

A Comprehensive Assessment of System Safety Degree Programs in the United States
Rani Kady

Education is a strategic objective in the International System Safety Society strategic plan. It creates enabling knowledge allowing system safety practitioners to develop and deliver the best system safety solutions. One of the mechanisms to accomplish this objective is integrating system safety into education curricula. This paper summarizes the results of an examination of academic programs and an assessment of the extent to which educational curricula have integrated system safety philosophies and methods. Data used for this comprehensive study come from academic institutions, accreditation agencies, and professional societies and associations. The results of the study will help initiate improvements in the scope of the Society’s education services for developing future generations of system safety professionals. The Society can utilize the results of this study to establish national and international partnerships with academic institutions to help increase the number of student members and provide system safety educational training, which in turn can lead to establishing system safety engineering academic programs and accreditation.

TUESDAY // 08-09 // 8:00-9:30 // LABRID // SOFTWARE SAFETY 1 // CHAIR: KADY

Use of Agile Practices when Developing Safety-Critical Software
T. Myklebust, SINTEF ICT, Trondheim, Norway; T. Stålhane, NTNU, IDI, Trondheim, Norway; G. K. Hanssen, SINTEF ICT, Trondheim, Norway

Objectives: In recent years there has been increased use of agile development methods and practices when developing safety-critical software, in order to shorten time to market, reduce costs, improve quality and release more frequently. Several agile practices cannot be used as-is when developing Safety-Critical Software (SCSW).

There are many agile practices, and we are searching for those that can be used to obtain agility when developing SCSW. We have evaluated several practices and suggested how to add the necessary safety aspects to them. In addition, we evaluated how to adapt the practices to the development of SCSW when using SafeScrum, an adaptation of the Scrum agile software development methodology that ensures safety standards such as IEC 61508 are satisfied.

Methods: In this paper we have analysed agile practices commonly used in software development projects. The acquired information is used to suggest add-ons to the practices and ways to adapt the processes to the development of SCSW. We have also performed a literature study and checked:
• What are the most adopted agile practices?
• Which methods are suitable when developing SCSW?

Results: The descriptions of the agile practices were assessed and consolidated. Several add-ons and adaptations are suggested for agile practices. Two new extended agile practices have been suggested: “Backlog Splitting” and “STDD” (Safety TDD).

The paper starts by presenting and clarifying relevant terms and definitions, as these may differ between the agile community and the safety community. A short introduction to SafeScrum is presented together with some of the agile practices. The main part of the paper structures and describes the relevant agile practices together with the suggested add-ons and adaptations. Experiences from industry, how the practices are being taken into use and how they so far seem to work, are also presented.

Conclusions: There exist more than 50 named agile practices. Several of these cannot be used as-is when developing SCSW because they do not include mandatory safety requirements. We have evaluated 10 of the most relevant practices and described the add-ons and adaptations necessary to ensure that important international standards like IEC 61508 are satisfied. The practices have been described as part of the SafeScrum method.

System Safety Level of Rigor: Software Versus Hardware
Ron Bartos; Raytheon Integrated Defense Systems; Sudbury, MA, USA

Software Safety Engineering’s involvement in the development of Safety-Significant software has been established over the last twenty years through guidance from the Joint Software Systems Safety Engineering Handbook. The Level of Rigor required of Safety-Significant software development and testing is defined by the Software Criticality Index of the software. There is no parallel direction on the development and testing of Safety-Significant hardware. What is the Level of Rigor required of the System Safety Engineer in the development and testing of Safety-Significant hardware? How much does the System Safety Engineer need to be involved in the development and testing of Safety-Significant hardware? Could the System Safety Engineer either spend an excessive amount of time and effort on its development, wasting resources, or an inadequate amount of time, increasing safety risk? This paper evaluates and compares examples of Safety-Significant software and hardware development and testing, and proposes Levels of Rigor for the development and testing of Safety-Significant hardware which are comparable to those for Safety-Significant software. The potential flaws in such a hardware Level of Rigor are also defined.

TUESDAY // 08-09 // 8:00-10:40 // BLUEGILL // RELIABILITY ENGINEERING 1 // CHAIR: FLINT

Mission Reliability Assessment for Aircraft Based on Flight Parameters
MA Xiaobing, GUAN Tianyu; School of Reliability and Systems Engineering, Beihang University, Beijing, 100191, China
MA Tao; China Flight Test Establishment, Shanxi, 710089, China

The mission reliability of an aircraft varies between missions because the load conditions of the aircraft are diverse. When the sample size is small, the traditional mission reliability assessment method cannot give an assessment for a specific mission; it only yields an average result. This paper proposes a new method based on flight parameters that gives an assessment result targeted at a specific mission. By combining fault data and flight parameters from a physics-of-failure standpoint, the mission reliability model was established according to the relationship between flight loads, flight parameters and reliability. Based on the established model, statistical inference methods for the aircraft failure rate were proposed, and the mission reliability was assessed from the flight parameters and fault data of the aircraft. The illustrative example shows that the results of the proposed methods are of the same magnitude as those given by the current method, which supports that the methods are reasonable. Furthermore, it also shows that the new methods are more targeted at a specific mission and straightforward to apply in engineering.

Hard Landing Prediction with Improved PSO-Based BP Neural Network
Li Chen, Ph.D.; Management Science and Engineering, Beihang University, Beijing, China; Wei Fajie, Prof.; Management Science and Engineering, Beihang University, Beijing, China; Zhou Shenghan, Ph.D.; Reliability and Systems Engineering, Beihang University, Beijing, China; Du Benzheng, Ph.D.; Management Science and Engineering, Beihang University, Beijing, China

A hard landing is one of the most seriously dangerous potential events for flight safety. The current process for deciding that a hard landing has occurred is based on a subjective assessment by the flight crew. However, because of the lack of reliable quantitative data and accurate models, hard landing prediction is insufficient and does not satisfy pilots and aircraft crew, although there has been some research on landing safety problems. In this paper, we propose a new hard landing prediction model using a back-propagation (BP) neural network trained with improved particle swarm optimization (PSO). Related influence factors of landing safety are explored and the relevant flight data are collected in the research. The BP neural network based on improved PSO optimization has higher accuracy than the plain BP algorithm, which makes the hard landing prediction model more precise. An empirical study is provided to confirm that the new method is effective.

Product Safety Assessment Based on Bayesian Networks and Competing Risk Model with Multiple Mechanisms
Wang Jingbin, Wang Xiaohong, Wang Lizhi, Xuan Jinquan, Li Xun; School of Reliability and System Engineering, Beihang University; Beijing, P.R. China

As technology advances, electro-mechanical products with composite structures and strong functions and performance are increasingly deployed. But their higher failure rates badly affect system safety and mission success; in serious cases, great losses of life and property may occur. A safety assessment method for complex products is proposed in this paper, based on Bayesian Networks (BN) and a Competing Risk Model (CRM). With prior knowledge and operational failure information, a BN is first applied to recognize critical failure mechanisms through their importance degrees. Then, the CRM is used to investigate the life distribution based on these mechanisms and the operational failure data. To confirm its credibility, the fitted distribution is checked with a χ² (chi-square) test and its parameters are estimated by the Maximum Likelihood Estimation Method (MLEM). As a result, system safety is assessed by Risk Priority Number (RPN), with recommendations enclosed. Finally, a liquid-floated gyroscope is taken as an application, which provides a quantitative theoretical basis for timely, cost-efficient maintenance and replacement. The method aims at making full use of product information to conduct quantitative reliability and safety assessment. By providing references for failure prevention and system improvement, the safety and mission-success rate of complex products with multiple failure mechanisms can be efficiently improved.
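The competing-risk stage of that pipeline, as an added worked example (not code from the paper): the Bayesian-network step that picks the critical mechanisms is not reproduced; the mechanisms arrive already labelled in a constructed failure record set. The per-mechanism lifetimes are assumed exponential, so the maximum-likelihood cause-specific rate is simply failures-of-that-cause over total exposure; the pooled model is then checked with a chi-square goodness-of-fit test against binned failure times, and mechanism importance is read off as each mechanism's share of the total hazard. The exponential assumption, the bin edges and the data are mine; the paper's actual life distribution is not stated in the abstract.

```python
"""Competing-risk life model for a product with several failure mechanisms.
Added example: exponential per-mechanism lifetimes, the closed-form MLE and
the sample data are assumptions, not the paper's own model."""
from math import exp

# Constructed failure records for one product type: (time to failure in hours,
# failure mechanism).  Every unit was run to failure, so there is no censoring.
RECORDS = [
    (120, "wear"), (340, "wear"), (510, "wear"), (700, "wear"),
    (920, "wear"), (1100, "wear"), (1350, "wear"), (1600, "wear"),
    (260, "fatigue"), (480, "fatigue"), (830, "fatigue"), (1250, "fatigue"),
]

# 95% critical values of the chi-square distribution, by degrees of freedom.
CHI2_95 = {1: 3.841, 2: 5.991, 3: 7.815, 4: 9.488, 5: 11.070}


def fit_competing_risks(records):
    """MLE of a cause-specific hazard rate per mechanism.

    Each mechanism's latent lifetime is assumed exponential and the unit fails at
    the earliest one.  For a complete (uncensored) sample the MLE of mechanism
    k's rate is (failures due to k) / (total exposure of all units)."""
    exposure = float(sum(t for t, _ in records))
    counts = {}
    for _, mech in records:
        counts[mech] = counts.get(mech, 0) + 1
    return {mech: n / exposure for mech, n in counts.items()}


def system_reliability(rates, t):
    """Probability that a unit survives t hours when all mechanisms compete."""
    return exp(-sum(rates.values()) * t)


def mechanism_importance(rates):
    """Share of failures attributable to each mechanism; the critical
    mechanisms are the ones with the largest share."""
    total = sum(rates.values())
    return {mech: r / total for mech, r in rates.items()}


def chi_square_fit(records, rates, edges):
    """Goodness of fit of the pooled exponential model against binned times.

    `edges` are increasing interior bin edges; the last bin is open-ended.
    Degrees of freedom = bins - 1 - 1, the extra 1 for the fitted rate."""
    lam = sum(rates.values())
    n = len(records)
    bounds = [0.0] + list(edges) + [float("inf")]
    stat = 0.0
    for lo, hi in zip(bounds, bounds[1:]):
        observed = sum(1 for t, _ in records if lo <= t < hi)
        tail_hi = 0.0 if hi == float("inf") else exp(-lam * hi)
        expected = n * (exp(-lam * lo) - tail_hi)  # bins with expected < 5 weaken the test
        stat += (observed - expected) ** 2 / expected
    dof = (len(bounds) - 1) - 2
    return {"statistic": stat, "dof": dof, "reject": stat > CHI2_95[dof]}


if __name__ == "__main__":
    rates = fit_competing_risks(RECORDS)
    for mech, r in rates.items():
        print(f"{mech:8s} rate = {r:.3e} per hour")
    print("importance:", {m: round(s, 3) for m, s in mechanism_importance(rates).items()})
    print("R(500 h) =", round(system_reliability(rates, 500), 4))
    print("chi-square:", chi_square_fit(RECORDS, rates, [400, 800, 1200]))
```

With censored (still-running) units the exposure term still counts their run time but they contribute no failure; the chi-square check above, however, only applies to a complete sample, which is why the constructed data has every unit run to failure.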

TUESDAY // 08-09 // 8:00-11:30 // FANTAIL // HAZARD/RISK MANAGEMENT 1 // CHAIR: GONZALEZ

Hazard Analysis for Facilities and Process Safety
Siow Seet Ting, Management Systems & Processes, ST Kinetics, Singapore

The system safety process consists of documenting the system safety approach, identifying and documenting hazards, assessing and documenting risk, identifying and documenting risk mitigation measures, reducing risk, verifying, validating and documenting risk reduction, accepting risk, and documenting and managing life-cycle risk. Hazard Analysis effectively achieves most of these elements and hence is usually the core of most system safety assessments. However, the system safety methodology is tuned towards assuring the safety of products and systems.

Facilities and process safety (e.g. for manufacturing) are commonly addressed by tackling safety issues specific to the facility conditions or the process procedures, through assessments such as the Environmental Impact Assessment (EIA) and Hazard Identification, Risk Assessment and Determining Controls (HIRADC). In addition, standard safety requirements on such operations are often regulated by the government, with specific risk acceptance matrices for the hazards in each operational procedure.

When a new processing facility (including a lab) is planned, an upfront effort is needed to identify potential hazards so that the facility and its operational sequences are set up safely. This paper discusses the advantages of using Hazard Analysis to aid the identification and assessment of hazards, which can help prioritise the design mitigations for the facilities, equipment and processes to be implemented at this stage. The author also attempts to reconcile the differences between the risk acceptance matrices required by MIL-STD-882 and by the Code of Practice (CP) on Workplace Safety and Health (WSH) Risk Management for the WSH Act regulated by the Singapore Government. Examples from the safety assessment of a 3D printing facility are used to illustrate these ideas.

A Multi-Perspective Hazard Identification Approach for Complex System-of-Systems
Yiyuan Chan

With the proliferation of System-of-Systems (SoS) to address today’s increasingly complex requirements, there is an urgent need to manage the emergent, and often unexpected, behaviours that these SoS bring. Safety is among the foremost concerns when emergent behaviours are considered. The complex nature of SoS is proving to be a challenge for traditional system safety techniques and practices, especially in eliciting emergent hazards arising from the many interrelated and interdependent systems in a SoS. This paper proposes an approach to identify emergent hazards in a SoS. The proposed approach adopts multiple perspectives to identify emergent hazards through four analysis techniques and subsequently synthesizes the findings to establish the list of emergent hazards. This approach was employed on a networked air defence system, and the results show that it provides a comprehensive and systematic framework for identifying emergent hazards.

Enabling an Error Prevention Collective Corrective Action Process by Performing Risk Assessment on Historical Data
Shawn Laabs

The Error Prevention Reporting and Event Closure Lifecycle processes were identified as candidates for process improvement. The Error Prevention Team was provided a set of program-level goals to meet when implementing process improvements. Options for implementation were developed, and the one that met all of the program-level goals was recommended for implementation. This recommendation was that qualifying Events be reported as Error Prevention Notices and receive collective corrective action periodically. A notional process for Collective Corrective Action was developed and presented. A risk assessment was performed on historical Event data to determine the qualifying criteria for Error Prevention Notices. The Error Prevention Team successfully improved the Reporting and Event Closure Lifecycle processes. The Error Prevention Notice Reporting process has resulted in a 34% reduction in reported Flash Notices compared with the traditional Flash Notice reporting process. The Collective Corrective Action process has been incorporated with no identified negative consequences.

Activity Based Root Cause Analysis
Youmin Ding

The concept of Root Cause Analysis (RCA) was created a few decades ago. Many tools have been developed to perform some steps of RCA, for example the “Why-Why Chart (Five Whys)”, “Reason’s Swiss Cheese Model”, “Fishbone Diagram” and “Fault Tree Analysis”. In practice, using these different tools may lead to different root causes for the same issue of concern. Is there any way to reduce the variation in the root cause found during the RCA process?

A systematic approach to performing RCA, called Activity Based Root Cause Analysis (ABRCA), is developed in order to obtain a consistent root cause for the same issue of concern. A framework for ABRCA is presented in this paper, consisting of “A Procedure” and the corresponding “Tools, Methods and Knowledge”, supported by a series of models. Of particular importance are:
• A procedure to identify a root cause, which is a qualitative guideline;
• Tools, Methods and Knowledge to track the concern to causes, and further to a root cause.

The ABRCA presented in this paper could be used in any industry, such as government, safety, health, banking and manufacturing, to identify a root cause.

TUESDAY // 08-09 // 10:00-2:10 // DAMSELFISH // CYBER SAFETY // CHAIR: SCHEDL

Forensic Attack Analysis and the Cyber Security of Safety-Critical Industrial Control Systems
Chris W. Johnson DPhil, School of Computing Science, University of Glasgow, Glasgow, UK; Rob Harkness, EDF, GSO Business Park, East Kilbride, UK; Maria Evangelopoulou, School of Computing Science, University of Glasgow, Glasgow, UK

Industrial Control Systems (ICS) and SCADA (Supervisory Control And Data Acquisition) applications monitor and control a wide range of safety-related functions. These include energy generation, where failures could have significant, irreversible consequences. They also include the control systems used in the manufacture of safety-related products; in this case, bugs in an ICS/SCADA system could introduce flaws in the production of components that remain undetected before being incorporated into safety-related applications. Industrial Control Systems typically use devices and networks that are very different from conventional IP-based infrastructures. These differences prevent the re-use of existing cyber-security products in ICS/SCADA environments; the architectures, file formats and process structures are very different. This paper supports the forensic analysis of industrial control systems in safety-related applications. In particular, we describe how forensic attack analysis is used to identify weaknesses in devices so that we can both protect components and determine the information that must be analyzed in the aftermath of a cyber-incident. Simulated attacks detect vulnerabilities; a risk-based approach can then be used to assess the likelihood and impact of any breach. These risk assessments are then used to justify both immediate and longer-term countermeasures.

Long-Range Safety Forecast – Partly Cloudy
Robert N. Bettis, P.E.; West Melbourne, Florida, USA

Cloud computing is an umbrella term used to describe the practice of using a network of servers hosted on the Internet to run an application or perform computations rather than using a local server or servers. Cloud computing offers a number of advantages such as scalability, lower cost of computing, reduced maintenance and reduced infrastructure. A particular cloud may be Private (dedicated to a single organization), Community (exclusive to organizations that have a common interest), Public (available to the general public) or Hybrid (a combination of Private, Community and/or Public clouds that interact).

For the safety community, the question arises: Is the cloud usable for safety-critical applications? There are three key areas that must be examined: security, compatibility with the application safety concept (Critical Assumptions and Dependent Factors), and compatibility with the response times of the application. Examining these areas reveals a number of difficult issues that must be addressed before cloud computing can be deemed viable for a safety-critical application.

You Outsource the Service but Not the Risk: Supply Chain Risk Management for the Cyber Security of Safety Critical Systems
Chris W. Johnson DPhil, School of Computing Science, University of Glasgow, Glasgow, UK

Companies increasingly form interdependent relationships between contractors and sub-contractors that extend across national borders and legal jurisdictions. In consequence, supply chain risk management (SCRM) is an increasing concern for the cyber security of safety-critical systems. The following pages argue that outsourcing undermines SCRM by eroding the technical expertise that companies need to select and audit their suppliers. They are still held accountable when the failure of a sub-contractor jeopardizes the continuity of critical national infrastructures. Subsequent sections present SCRM techniques that support the cyber-security of safety-critical applications and at the same time help to realize the benefits of vertical market integration. The aim of the paper is not to de-risk outsourcing but to reiterate that ‘safety-critical organizations outsource the service but they do not outsource the risk’.

TUESDAY // 08-09 // 1:30-3:00 // BLUEGILL // RELIABILITY ENGINEERING 2 // CHAIR: BOWER

Health and Safety Assessment and Prediction for Motors Based on an Improved SVM Model
Jinquan Xuan

Motors, as important driving devices for mechanical equipment, are widely used in industrial fields such as petroleum, mining, automotive and aerospace. As mechanical equipment develops towards being large-scale, high-speed and automatic, higher requirements are placed on the reliability and safety of motors, so it is of great significance to implement health status assessment and prediction (HSAP) techniques for them. Currently, vibration signal analysis and Markov prediction methods are effective failure prediction techniques that have been extensively applied in health management for mechanical equipment. However, the vibration signal data of mechanical equipment are mostly volatile, non-linear and unstable, which restricts the combined application of vibration-based condition monitoring and Markov prediction techniques.

To solve this problem, an improved Markov model that can be applied to HSAP for motors is proposed in this paper. Firstly, a support vector machine (SVM), which performs well on nonlinear data sets, is adopted to preprocess the vibration data so as to obtain a more stable data sequence. Then, Markov models with two methods of state space division (dynamic and constant) are used to forecast the future vibration data and the safety degree of the motors, and a health index (HI) is proposed to represent the health state of the motors, obtained from a formula built on the relationship between the predicted vibration values and the safety degree. Finally, a case study is given to analyze and verify the validity of the proposed method for HSAP of motors and other rotating machinery. This research is useful for maintenance management and decision-making for motors, and can enhance the operational reliability of mechanical equipment and reduce safety accidents.

The Application of Pattern Recognition in Landing Safety Warning with QAR Data
Chen Hu, System Engineering; Beihang University, Beijing, China; Shenghan Zhou, Ph.D.; System Risk Evaluation; Beihang University, Beijing, China; Fajie Wei, Ph.D.; Risk Management; Beihang University, Beijing, China; Wenbing Chang, Ph.D.; System Safety Research; Beihang University, Beijing, China

This paper aims to forecast the landing state during the landing phase to ensure a safe landing, which can greatly reduce accidents and losses. Using pattern recognition, it builds a model between the landing state (indicated by touchdown speed, vertical acceleration and distance to go) and factors reflecting flight status, in order to predict the landing state in advance. Firstly, the study collects and preprocesses the selected data, including dividing the landing states and slicing the data. Next, the data are used to train and forecast with an artificial neural network, which can handle the relatively complicated relations between the variables. Then the value of the three variables is calculated and the prediction of the landing state is obtained. Finally, according to the analysis of the predicted values and states, the precision rate for true landing states is 85.1%, demonstrating that the prediction is effective.

WEDNESDAY // 08-10 // 8:00-9:30 // ANEMONE // SYSTEM SAFETY EDUCATION 2 // CHAIR: OWENS

The Challenges of Being a Safety Engineer
Pinar Ayyildiz

As the world changes, the requirements of civil and military platforms in the aviation industry change as well. It is the responsibility of system safety to help reduce the number of accidents and incidents. However, although technology is well developed and robust design methods are applied, accidents and incidents still occur in aviation. In order to reduce their number, it is not enough to improve only the methods used; the engineers responsible for applying them must improve as well. In this way an engineer will properly use SAE ARP4761 and, with the help of his or her advanced knowledge, can add different perspectives to it and find the possible hazards. This paper describes the basic qualifications, both technical and personal, that a system safety engineer should have, and the reasons why. It also explains that the department to which the engineer belongs in the company should support its engineers. In addition, lessons learned from aviation projects and accidents are included. In conclusion, as engineers bear the first responsibility for decreasing the number of accidents, they should adapt themselves to the standards and to new technology.

Taking System Safety Back To The Future
Lee Wayne Flint, CSP, BS Civil Engineering; The Olde Tinkerer LLC; Lucedale, MS, USA

This paper addresses my perception of what appears to be a detrimental paradigm shift - both in our International System Safety Society (ISSS) and in the system safety profession - away from its “systems” and “engineering” roots. Downplaying (or even dropping) engineering and systems from the system safety lexicon has been detrimental to both the Society and to the profession. Given the current interest in paradigm shifting, discussions with fellow members, and some recent Journal articles, the time seems right to address this concern and promote a discourse within the system safety community. This paper presents the proposition that there is a path to a successful future for system safety and that, at least in part, that path leads back to the past. Bringing the system safety process, the profession, and the ISSS back to its systems and engineering roots will lead to a brighter future for system safety, the profession, and our ISSS.

WEDNESDAY // 08-10 // 8:00-9:30 // LABRID // SOFTWARE SAFETY 2 // CHAIR: THOMAS

Challenges of Applying Conventional Software System Safety to Agile Software Development Programs
David B. West, CSP, P.E., CHMM; Science Applications International Corporation; Huntsville, Alabama, USA; Melissa A. Emery; A-P-T Research; Huntsville, Alabama, USA

Modern systems are increasingly dependent on software for status monitoring, control, and safety. Software system safety originally evolved at a time when large software development followed a “waterfall” approach in which requirements definition, architecture design, coding, test, and deployment were conducted sequentially. This allowed time early in the program for completing several conventional system safety tasks, such as the system safety program plan (SSPP) and various hazard analyses. Many modern software development programs follow the Agile development approach, in which “sprints” are conducted to rapidly and incrementally define the architecture, write code, and test it, often before all system requirements are established. Agile development does not align well with the traditional system safety approach. System safety engineers applying conventional software safety will find that by the time they complete and obtain approval of the SSPP, developers have already completed several sprints. To better support modern development programs, a modified software safety approach should be developed that allows software contributions to hazards (causes and controls) to be identified and assessed before the development team has completed the software architecture and design. This will ensure that software hazard causes are adequately mitigated and that safety-significant software adheres to the level of rigor requirements.

Model Based Development and Software System Safety
Barry Hendrix, AS, BAAS, MBA; A-P-T Research, Inc.; Huntsville, Alabama, USA

The International Council on Systems Engineering (INCOSE) has endorsed, and military programs have implemented, Model Based Systems Engineering and Model Based Development on several complex safety-critical systems. Model based development of safety-critical software and complex functions is becoming popular for many good reasons. Valid models, when used as outputs from Functional Hazard Assessments (FHA), have several technical-integrity advantages: they can express more graphically how critical functions behave, or are expected to behave, during normal operation or under credible failure conditions, especially safety-critical functions and safety attributes within complex software with many interactions. Models can be structured to depict functions more precisely than obsolete methods that use sometimes ambiguous words and vague prose to describe the actions of a safety feature. Models can depict safe behavior explicitly in functional diagrams, sequence diagrams, and behavioral diagrams. The advantage is the ability to generate artifacts from validated models that serve as objective evidence of how safety attributes in the design behave correctly, as normally expected, or under off-nominal failure conditions. This is ideally suited for safety verification. Models can also help support and clarify any safety claims or refuting arguments in Safety Assessments, Safety Cases and other safety documentation. System Safety and Software Safety Engineers assigned to model based programs can influence models to help in detailed software safety analyses and to yield safety facts and evidence as part of a collaborating team, but must adapt to these modern methods.

High-fidelity, mature, validated models depicting Safety-Critical Functions (SCF) can also yield credible facts and objective safety evidence for hazard mitigation and closure. These modern processes for software-intensive systems are proving to be valuable in producing objective safety evidence in a convincing form to present to safety boards and for inclusion in comprehensive Safety Cases.

WEDNESDAY // 08-10 // 8:00-8:40 // BLUEGILL RELIABILITY ENGINEERING 3 // CHAIR: LAABS

Utilizing Simulated Testing to Determine Probability of Failures in Safety Critical Systems
Robert W. L. Thomas, Ph.D.; AECOM; Bowie, Maryland, USA; Marilyn J. Eichelberger, BA; Department of the Navy, Naval Surface Warfare Center, Dahlgren Division; Combat Direction Systems Activity (CDSA), Dam Neck, Dahlgren, Virginia, USA; Missey Lee, MS; Department of the Navy, Naval Surface Warfare Center, Dahlgren Division; Combat Direction Systems Activity (CDSA), Dam Neck, Dahlgren, Virginia, USA
Simulation-based testing to improve system safety creates new avenues to detect safety-related design flaws early in the development process. Of particular interest is the ability to detect potential risks before they can result in accidents. The work described here builds on a recent paper that combined the Bernoulli and Bayes’ theorems to calculate distributions for probabilities of potential mishaps. Here the concept was expanded to demonstrate the combination of operational experience and expert opinion to improve on test result interpretation and mitigation identification. Finally, we add simulation to the mix of information to be rationally combined, introduce a two-stage process, and draw conclusions regarding the simulation requirements.

WEDNESDAY // 08-10 // 8:00-10:40 // FANTAIL HAZARD/RISK MANAGEMENT 2 // CHAIR: KRAEMER

Systematic Approach to Perform Safety Assessment on Vessel Platforms
Tan Joo Heng, Phil; Engineering Design Centre, Singapore Technologies Marine; Singapore
In general, system safety activities commence even before a contract is secured. Safety requirements are derived from the design requirements defined in the contract specifications. Upon securing a project tender, a System Safety Program Plan shall be generated. Thereafter, safety assessment shall be performed on the vessel platform and the analyses documented in various forms of hazard analysis documents. In the hazard analysis documents, the cause(s) of each hazard are identified and addressed with available mitigation methods, duly verified before bringing the hazard to closure. All the closed hazards are then compiled into a Hazard Log or a Safety Report to be submitted to the customer or relevant authority for their risk acceptance. This paper will provide a systematic approach to performing a safety assessment on marine vessel platforms, from the initial design stage to the hazards being brought to closure prior to platform delivery for service.

Defining Safety Requirements for Human-Machine Interactions
Mark A. Vernacchia, MSES, PE; General Motors Company; Milford, Michigan, USA
This paper describes a process to identify and incorporate safety-critical requirements, related to human-machine interactions for shift-by-wire (SBW) automotive range (Park, Reverse, Neutral, Drive, Low - PRNDL) selection devices, into functional requirement documents. It describes a system safety evaluation process, a design constraint development process, and a concept option evaluation and tradeoff methodology that can lead to the definition of safety requirements for shift-by-wire human-machine interaction systems.

The paper begins with a high-level description of potential issues encountered in the accommodation of safety-critical requirements in a design process when objective data is not available. It continues by exploring a methodology to identify potential accidents and associated potential hazardous conditions that could lead to these accidents under intended system operating conditions. Potential driver interaction errors that could lead to hazardous conditions are identified, and their associated causes determined.

Functional and design constraints that would eliminate or minimize the possible causes are discussed. These constraints are then converted into constraints and requirements associated with inadvertent actuation, system feedback, activation allowance, new user operation, and ease of use. Finally, a tradeoff matrix assessment to evaluate proposed design implementations is discussed.

The paper concludes by summarizing how system safety engineering evaluation methods may be used not only to create and define safety-critical requirements, but also to provide understandable, objective data enabling other design-responsible groups to incorporate these safety requirements into an optimal design. Examples of such requirements are illustrated in the paper’s summary section.

Literal and Conservative Application of MIL-STD-882E in Space Launch and Satellite Procurement
Francis McDougall
Current DoD and Air Force policy requires program managers to follow the methodology prescribed by MIL-STD-882E, which defines the terms and methodologies for implementing system safety design requirements and system safety risk assessments. However, embellishing MIL-STD-882E definitions and tables beyond their literal intent in space and launch systems acquisition programs has frequently led to “late-coming” high and serious system safety risks, sometimes years after a PM gave the thumbs-up to launch a spacecraft in-orbit. These “late-coming” high and serious system safety risks in turn impose an administrative burden on all levels of the Air Force acquisition infrastructure and a financial burden on all levels of the defense contractor infrastructure. In this paper “conservatism” means overly conservative implementation of instructions, and “literalism” means precise implementation of instructions. Due to the significant problems that system safety conservatism has caused for Air Force space and launch systems acquisition programs, many individuals outside the system safety profession have called for severe tailoring of MIL-STD-882E to the point of making its risk assessment methodology impendent. This paper proposes using a less dramatic approach to solving this problem. Literal compliance with the definitions and tables in MIL-STD-882E can result in a more efficient and cost-effective space system safety program, without the need for tailoring the standard, except for the tasks in sections 100 through 400.

Note: system loss or degradation due to inherent functional failure modes is not universally considered to be an accident or damage induced, in the same manner that a person dying or incapacitated due to old age is not universally considered to be an accident or injury induced. Therefore, assessing the consequences of a system’s inherent functional failure modes should not be included in literal implementations of the methodology prescribed by MIL-STD-882E. This is an important point to keep in mind while reading the conservative perspectives in this paper.

WEDNESDAY // 08-10 // 10:00-11:30 // ANEMONE UNMANNED SYSTEMS // CHAIR: DURMAZ

Architecting a Safety Case for UAS Flight Operations
Ewen Denney, Ph.D.; SGT / NASA Ames Research Center; Moffett Field, California, USA; Ganesh Pai, Ph.D.; SGT / NASA Ames Research Center; Moffett Field, California, USA
Over the past few years, we have been developing safety cases for a number of NASA unmanned aircraft system (UAS) missions involving increasingly complex operational concepts. We have also gradually begun including structured argumentation in the safety case reports to organize and document the reasons why the operations can be expected to be acceptably safe. Although each operation has particular mission-specific constraints and safety requirements, we have been able to identify similarities amongst the associated hazard control mechanisms and safety arguments. The twin aims of this paper are to 1) facilitate future reuse of the UAS operational safety measures and the associated safety arguments, and 2) aid safety case comprehension and evaluation. Towards achieving these goals, we first present the commonalities and differences between the missions via a generic concept for low-altitude operations in uncontrolled airspace. We also characterize the dependencies between the concrete details of specific missions and the applicable safety systems. Then we describe two architectural models: i) an abstract safety architecture, given using barrier bow-tie models that specify the collection and combinations of hazard controls; and ii) an argument architecture, given in terms of abstract argumentation patterns. We also discuss the relationship between the safety and argument architectures, outlining their roles in creating the safety case and its underlying safety arguments.

WEDNESDAY // 08-10 // 1:30-4:10 // BLUEGILL RELIABILITY ENGINEERING 4 // CHAIR: OLIVER

Modeling and Analysis of Mishap Data Using Artificial Neural Networks
Christopher Green
Databases are often used to gather and track mishap information. Such information may include demographics, environmental conditions, the technical characteristics of the equipment involved, and the severity of the injury. The data is potentially non-linear and/or noisy due to a mix of quantitative and qualitative information from independent events. An artificial neural network is ideally suited to model this type of data because of its use of adaptive weights and learning algorithms to approximate non-linear functions. In this paper, Artificial Neural Networks (ANNs) are used to model traffic accident data in order to analyze the potentially non-linear relationship between injury severity and crash-related causal factors. The objective of this work is to show how this type of methodology can be used to analyze mishap data in the Navy and Marine Corps.

Effect of Dormant Failures on Safety Barriers
Garo Dakessian
MIL-STD-882 dictates at least three barriers to prevent catastrophic hazards and two barriers for critical hazards, but does not address the effect of dormant failures in these barriers. It also dictates a probability of less than one in a million that a catastrophic hazard can occur, but that is normally calculated based on the assumption that all three barriers are functional. This paper will address the negative effects that such dormant failures can have on the overall safety of the system and proposed mitigations.

Particular Risk Analyses Studies of a MALE Class UAV and Lessons Learned
Mehmet Ozet
In this paper, Particular Risk Analyses for a MALE Class UAV are explained, namely “Bird Strike”, “Wheel and Tyre Failure”, “Icing” and “Fire”. The methodology, requirements, analyses, problems that occurred and compliance methods are covered. The paper also covers the differences between UAVs’ and manned aircraft’s Particular Risk Analysis certification requirements, PRA methodology for UAVs, and lessons learned.

THURSDAY // 08-11 // 8:00-9:30 // BLUEGILL MISCELLANEOUS // CHAIR: JOHNSON

The Movement of Inorganic Cadmium Through the Environment: Dangerous Goods II
Richard R. Zito, Ph.D.; Richard R. Zito Research LLC; Tucson, Arizona, USA
Occasionally, in his/her capacity as a dangerous goods expert, the systems safety engineer is called upon to evaluate or prevent pollution and poisoning, or control mishaps that have already occurred. The industrial/military management of cadmium metal is a good example of this type of responsibility. Aerospace fasteners and other components have been plated with cadmium metal for decades. The coating is inexpensive, corrosion resistant, solderable, paintable, and can be chromated to produce various colors. Cadmium is also naturally “slippery,” thereby preventing fasteners from “galling.” However, cadmium is environmentally toxic. It is the object of this report to describe the life cycle of inorganic cadmium in the environment; starting from its creation as a bright freshly deposited metal coating, proceeding to the formation of inorganic compounds and ions in soil and water, and terminating as absorbed Cd2+ in living organisms. Throughout, a mathematical approach will be taken.

Organisational Problems - Potential Causes - Unintentional Consequences
Malcolm Jones
Many organisations experience somewhat similar issues in relation to loss of technical knowledge leading to loss of effectiveness and efficiency, and these problems extend into the safety arena. This often has a significant impact on the quality of executing overall safety responsibilities. Organisations are not always aware of the root causes which give rise to these difficulties. The purpose of this paper is to raise a number of inter-related topics for discussion which might well be key to identifying the root cause reasons for the difficulties listed above. In principle, having identified these causal elements, rectification should follow on as part of a normal process, but this appears to be far from a straightforward activity. There is no intention to claim that the list is complete, nor does the paper attempt to identify formal rectification processes. The content of this paper is biased towards organisations with a high degree of technical needs.

THURSDAY // 08-11 // 8:00-11:30 // FANTAIL HAZARD/RISK MANAGEMENT 3 // CHAIR: FRUEHLING

How to Create a Sound Risk Management Process That is Compliant with ISO 14971
Bijan Elahi
ISO 14971 is the international safety risk management standard for the medical device industry. It is widely accepted, and compliance with it is mandatory for receiving approval in Europe and the USA. ISO 14971 offers a framework for performing risk management, but does not stipulate a specific methodology, nor prescribe a process. That is left up to the manufacturer. This absence of specific guidance could cause manufacturers to define processes that are inadequate in the eyes of the regulatory bodies. The consequence of this could be failed submissions, delays and the need for costly rework.

This paper lays out a process that is both efficient and compliant with ISO 14971. It also guides manufacturers on how to optimize the process depending on the geographies in which they intend to market their products.

Role of Regulators in Safeguarding the Interface between Autonomous Systems and the General Public
Chris W. Johnson, DPhil; School of Computing Science, University of Glasgow; Glasgow, UK
Regulators play a critical role in the commercial exploitation of new technologies. They protect the public when market competition might persuade companies to take undue risks. At the same time, it is essential that regulatory authorities do not kill innovation by imposing inappropriate rules or by retaining previous requirements that make little sense in the light of technical innovations. These tensions are apparent in the introduction of autonomous and semi-autonomous systems across a range of industries. ‘Regulatory lag’ has starved companies of the strategic guidance that is necessary to make informed decisions about acceptable levels of safety and security for the integration of these technologies. This paper argues that existing product-based, process-based and performance-based approaches to regulation threaten the safe and secure exploitation of new markets. In contrast, we advocate a Competent, Anticipatory, Self-Reflective approach, which places performance requirements on the regulator rather than on the markets they protect.

How Complex Systems Fail-II: Bounding the “Black Swan” Probability
Richard R. Zito, Ph.D.; Richard R. Zito Research LLC; Tucson, Arizona, USA
On the surface, it may seem impossible to calculate the probability of rare unexpected events of low probability (so-called “Black Swan” events), for which there is seldom any contingency plan. After all, if an event is unexpected, how can you know enough about it to calculate its probability? Yet, examination and comparison of a few classic, and catastrophic, mishaps reveal a remarkable common thread. Namely, one unexpected event often precipitates other rare events, so that the overall probability is much higher than would be expected on the basis of independent events. This Mishap Chain Reaction (MCR) lies at the heart of Black Swan events, so that the probability of occurrence of any one safety-critical failure is essentially equivalent to the probability of multiple safety-critical failures. Ultimately, these multiple failures lead to catastrophic disruptions that are beyond the system capacity for compensation. In this second paper on “How Complex Systems Fail”, four Black Swan mishaps will be examined. These cases will point the way to the proper bounding of Black Swan probabilities.

How Complex Systems Fail-III: The System Risk Surface
Richard R. Zito, Ph.D.; Richard R. Zito Research LLC; Tucson, Arizona, USA
It is traditional in system safety engineering practice to enumerate system hazards in the worksheets of the Preliminary Hazard Analysis and the Final Hazard Analysis. The first compilation details hazards at the beginning of a program, while the latter describes hazards at the end of a program after some mitigation has taken place during system development. Hopefully, there are fewer hazards after development than before. In addition to the worksheets of these two analyses, there correspond Qualitative Risk Characterization charts and, based on the entries in these, a program administrator must decide if a system is “safe”. This decision may be based on need as well as purely safety considerations. Clearly, human opinion as to what constitutes an acceptable system can never be completely eliminated. But is there a more objective way to make decisions than opinion? This research describes a safety criterion based on comparison of real system risk with the risks of an ideal Model Infinite System (MIS) having an infinite number of subsystems and possible failure modes.

THURSDAY // 08-11 // 1:30-2:10 // FANTAIL HUMAN FACTORS // CHAIR: KAISER

The Human Factors Case Concept and Its Value for the Safety Case
Željka Požgaj, Dipl.-Ing.; Frequentis AG; Vienna, AUSTRIA; Lukas Fritz, Dr.; Frequentis AG; Vienna, AUSTRIA; Gabriele Schedl, Dipl.-Ing.; Frequentis AG; Vienna, AUSTRIA
Containing the multiple complex interactions between a number of humans and machines, Air Traffic Management (ATM) systems are critically dependent on a comprehensive understanding of how human strengths and limitations affect those interactions in their context of operation. The understanding of human behavior and performance in those interactions provides knowledge about how to optimize them to improve human well-being and efficiency, as well as safety and overall system performance for the safe handling of air traffic.

EUROCONTROL’s Human Factors Case has evolved over the years to support the integration of human factors within the design and development process of sophisticated air traffic control systems. It is a management process that enables a methodical identification, allocation and management of human factors issues throughout the project lifecycle, in order to improve human performance within ATM systems.

This paper first presents the Human Factors Case process, in terms of how human factors consideration should be carried out during the ATM project lifecycle, and then discusses the advantages and challenges in its application. Finally, it provides our proposal for how to apply outputs of the Human Factors Case process as supporting evidence for the safety arguments within the Safety Case.

THURSDAY // 08-11 // 2:20-4:10 // BLUEGILL WEAPONS SAFETY // CHAIR: BARONDES

Unique Hazards Found in Laser Weapon Systems and Potential Mitigations
Gunendran Sivapragasam
Laser weapon systems are proliferating in the military, and with them come serious hazards that present a unique challenge to system safety practitioners to identify laser hazards, assess risk, and identify risk mitigation measures. Laser beams have a high energy density and can travel a great distance without significant reduction in their power. The Nominal Ocular Hazard Distance (NOHD) and the Nominal Skin Hazard Distance are used to provide an indication of the distance from the source at which the laser energy intensity would not cause eye or skin injury, respectively. These NOHD values for a High Energy Laser can be as large as a hundred kilometers. The challenge is how to properly employ a laser weapon system in an operational or tactical environment while reducing the probability of accidentally illuminating personnel by direct illumination or indirect reflection. This paper discusses some unique hazards and potential mitigations that are inherent to lasers. The paper also suggests system safety analyses that can be conducted to better quantify the mishap risk of laser hazards. While not all hazards can be mitigated to a low level of mishap risk, this paper identifies some solutions which, if developed and implemented, could greatly reduce mishap risk and provide for the safer employment of laser weapons.

Tools and Techniques for Safety-Specific Software Testing
Brian Connell, ME Mechanical Engineering, ME Electrical Engineering, MBA; U.S. Army Armament Research, Development and Engineering Center (ARDEC); Picatinny Arsenal, NJ, USA
The trend toward automation of defense technology and the growing role of software in these systems is driving demand for a broad spectrum of safety-specific tests that are compliant with MIL-STD-882E and well aligned with the Joint Software Systems Safety Engineering Handbook. This paper examines the state of the art in safety-specific and in-depth safety-specific tests and seeks to provide readers with useful recommendations for tools and techniques. Trends in the more conventional functional and regression tests are considered. Processes and limitations of user interface testing are analyzed. Intrusive techniques such as fault insertion and mutation are reviewed. Strengths and weaknesses of a number of industry tools for path and statement coverage testing are summarized. The paper concludes with experiential insights and useful recommendations for addressing the growing concerns safety review boards are raising over the increased autonomy of weapon systems.

THURSDAY // 08-11 // 2:20-3:00 // FANTAIL WORKPLACE SAFETY AND HEALTH // CHAIR: KAISER

Don’t Turn a Blind Eye to Safety: Protecting Personnel from Harmful Lasers
Anish Donda
While lasers have many useful purposes for both commercial and military applications, they can also be hazardous if not operated safely. This paper discusses the safety precautions that must be taken to adequately protect personnel when operating/testing lasers in a free-space environment. First, a brief overview of lasers and associated terminology is introduced. Second, the properties of the two most common beam profiles, Gaussian and Flat Top, are discussed. An understanding of the beam profiles is important in correctly identifying the safe operating environment for the laser. Exposure to laser energy can result in damage to the eye and skin. Therefore, the concepts of Optical Density, Nominal Ocular Hazard Distance, and Skin Hazard Distance are discussed. These parameters help ensure that the correct Personal Protective Equipment (PPE) is used and help identify the hazard zone. Finally, recommendations for selecting the appropriate PPE are discussed. The concepts presented in this paper can be applied to any hazardous laser system.

THURSDAY // 08-11 // 3:30-5:00 // ANEMONE BEST PAPER PRESENTATION

Each year, the best paper of the conference is selected by a committee from nominations by the session chairs. The decision is based on originality, clarity, timeliness of subject matter, examples, technical content, interest to the reader, pertinence in general, application to the theme of the conference, and style. For those who missed it, the paper will be presented again at this time and the audience will be able to discuss it in more detail with the author.


ABOUT THE ISSS

The International System Safety Society is a non-profit organization of professionals dedicated to the safety of systems, products and services through the effective implementation of the system safety concept. Under this concept, appropriate technical and managerial skills are applied so that a systematic, forward-looking hazard identification and control function becomes an integral part of a project, program or activity at the planning phase and continues through the design, production, testing, use and disposal phases.

The Society’s Objectives
• To advance the art and science of system safety
• To promote a meaningful management and technological understanding of system safety
• To disseminate advances in knowledge to all interested groups and individuals
• To further the development of the professionals engaged in system safety
• To improve public understanding of the system safety discipline
• To improve the communication of system safety principles to all levels of management, engineering and other professional groups

International System Safety Society, Inc., P.O. Box 70, Unionville, VA 22567-0070
www.system-safety.org, email: [email protected]

POINTS OF CONTACT

Officers
Dr. Rod [email protected]
Chuck Muniak, Executive Vice [email protected]
Pam Kniess, Executive [email protected]
Clif [email protected]
Bob Schmedake, Immediate Past [email protected]

Directors
Robert Fletcher, Chapter [email protected]
Pam [email protected]
Jeff Brewer, Education & Professional Development [email protected]
Odell Ferrell, Government & Inter-Society [email protected]
Steve Mattern, Mentoring, R&[email protected]
Melissa Emery, Member [email protected]
Saralyn Dwyer, Publicity & [email protected]


Special thanks to our sponsors